Re: IP Telephony pen-test and VLAN's



On Wed, 17 May 2006, Chris Serafin wrote:

[snip]

I work exclusively in the Cisco IPT industry and I come from a security
background so I would love to chat about this with you/the community:)

Here's some additional information about Cisco CallManager (verified on
version 4.1.3):

# nmap -sV x.x.x.x

Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2006-05-11 14:31
CEST
Interesting ports on x.x.x.x:
(The 1646 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS webserver 5.0
102/tcp open iso-tsap?
135/tcp open msrpc Microsoft Windows msrpc
139/tcp open netbios-ssn
443/tcp open ssl/http Microsoft IIS webserver 5.0
445/tcp open microsoft-ds Microsoft Windows 2000 microsoft-ds
1433/tcp open ms-sql-s?
1720/tcp open H.323/Q.931?
2000/tcp open callbook?
2001/tcp open dc?
2002/tcp open globe?
3389/tcp open microsoft-rdp Microsoft Terminal Service (Windows 2000
Server)
8009/tcp open ajp13?

[...]

# nmap -sU x.x.x.x

Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2006-05-11 14:40
CEST
Interesting ports on x.x.x.x:
(The 1466 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
67/udp open dhcpserver
68/udp open dhcpclient
69/udp open tftp
123/udp open ntp
137/udp open netbios-ns
138/udp open netbios-dgm
161/udp open snmp
445/udp open microsoft-ds
500/udp open isakmp
1434/udp open ms-sql-m
3456/udp open IISrpc-or-vat
4321/udp open rwhois

Nmap run completed -- 1 IP address (1 host up) scanned in 9.655 seconds

After a very quick analysis on a production system (non-default), the box
seems to be pretty well patched. Of course YMMV;) I found an information
leak on TFTP (port 69/udp), which allows downloading (upload is forbidden)
of some configuration files, like:

/MOH/SampleAudioSource.xml
Annunciator.xml
RingList.xml
(there are also some .wav and .raw sound samples, and so on)

Finally, the web interface can also be accessed at this url (not sure if
it presents any differences from https://10.23.0.254/ccmadmin):

https://10.23.0.254/ccmservice

According to the on-line documentation, the default account should be
CCMAdministrator/ciscocisco, although I've not verified it.

I've not been able to perform a full test on the appliance yet, but I'm
planning to do so in the near future. Stay tuned.

Cheers,

--
Marco Ivaldi
Antifork Research, Inc. http://0xdeadbeef.info/
3B05 C9C5 A2DE C3D7 4233 0394 EF85 2008 DBFD B707
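As an added example (not part of Marco's post or any Cisco tooling), the following Python script parses the nmap 3.50 port tables quoted above and checks each open port against a hypothetical exposure baseline for a CallManager host: which network zone (phones on the voice VLAN, or the management segment) may legitimately reach it. The sample input is the scan output from the post, embedded inline; the zone names and the EXPOSURE table are assumptions for illustration, not Cisco's hardening guidance. It is meant for the defender reviewing a scan: it turns the raw list into findings such as "SQL reachable from the phone segment" or "unclassified service, verify it is required".

```python
import re
from collections import namedtuple

# Constructed sample input: the port tables from the nmap 3.50 output quoted
# in the post (a trailing '?' marks a service nmap only guessed).
NMAP_OUTPUT = """\
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS webserver 5.0
102/tcp open iso-tsap?
135/tcp open msrpc Microsoft Windows msrpc
139/tcp open netbios-ssn
443/tcp open ssl/http Microsoft IIS webserver 5.0
445/tcp open microsoft-ds Microsoft Windows 2000 microsoft-ds
1433/tcp open ms-sql-s?
1720/tcp open H.323/Q.931?
2000/tcp open callbook?
2001/tcp open dc?
2002/tcp open globe?
3389/tcp open microsoft-rdp Microsoft Terminal Service (Windows 2000 Server)
8009/tcp open ajp13?
PORT STATE SERVICE
67/udp open dhcpserver
68/udp open dhcpclient
69/udp open tftp
123/udp open ntp
137/udp open netbios-ns
138/udp open netbios-dgm
161/udp open snmp
445/udp open microsoft-ds
500/udp open isakmp
1434/udp open ms-sql-m
3456/udp open IISrpc-or-vat
4321/udp open rwhois
"""

Port = namedtuple("Port", "number proto state service version guessed")

# One nmap table row: "<port>/<proto> <state> <service> [<version banner>]"
LINE_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_nmap(text):
    """Parse nmap port-table rows; header, banner and blank lines are skipped."""
    ports = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        number, proto, state, service, version = m.groups()
        ports.append(Port(int(number), proto, state, service.rstrip("?"),
                          version or "", service.endswith("?")))
    return ports


# Hypothetical exposure baseline for a CallManager host (an assumption made
# for this example): the only zone that should be able to reach each port.
# "voice" = phone VLAN, "mgmt" = management segment, "none" = local only.
EXPOSURE = {
    (69, "udp"): "voice",    # phones fetch their configuration via TFTP
    (2000, "tcp"): "voice",  # Cisco SCCP/Skinny; nmap 3.50 guesses "callbook"
    (1720, "tcp"): "voice",  # H.323 call signalling
    (67, "udp"): "voice", (68, "udp"): "voice", (123, "udp"): "voice",
    (80, "tcp"): "mgmt", (443, "tcp"): "mgmt",   # ccmadmin / ccmservice web UI
    (3389, "tcp"): "mgmt", (161, "udp"): "mgmt",
    (135, "tcp"): "mgmt", (139, "tcp"): "mgmt", (445, "tcp"): "mgmt",
    (137, "udp"): "mgmt", (138, "udp"): "mgmt", (445, "udp"): "mgmt",
    (1433, "tcp"): "none", (1434, "udp"): "none",  # SQL: never on the wire
}


def review(ports, scanned_from):
    """Return (port, recommendation) for every open port that the baseline
    says should not be reachable from the zone the scan was run from."""
    findings = []
    for p in ports:
        if p.state != "open":
            continue
        allowed = EXPOSURE.get((p.number, p.proto), "review")
        if allowed == scanned_from:
            continue
        if allowed == "review":
            note = "unclassified service, verify it is required"
        elif allowed == "none":
            note = "should be bound to localhost or filtered"
        else:
            note = f"restrict to the {allowed} network"
        findings.append((p, note))
    return findings


if __name__ == "__main__":
    # Review the post's scan as if it had been run from the phone VLAN.
    for port, note in review(parse_nmap(NMAP_OUTPUT), "voice"):
        flag = " (guessed)" if port.guessed else ""
        print(f"{port.number}/{port.proto} {port.service}{flag}: {note}")
```

Feeding it a scan taken from the management segment instead (`review(ports, "mgmt")`) flips the perspective: the web UI, RDP and SNMP become expected, while TFTP and SCCP show up as services that only phones should need. Either way the SQL ports are reported, since the baseline never allows them on the wire.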

