Default System Passwords

This section covers default or common passwords used for Communication Manager IP PBXs, supporting systems (such as voicemail), and IP phones.

Attack Default Media Server/Media Gateway Passwords

Popularity: 6
Simplicity: 9
Impact: 8
Risk Rating: 8

For the G350 Media Gateway, the default superuser login is root. The password is also root.

In the legacy telephony world, the person responsible for the administration and maintenance of a telephone switching system is known as a craftsman/craftsperson (craft for short). Perhaps as a consequence of this legacy, the user ID craft appears to be a common default login for Avaya media server and Avaya gateway products. The default password for this user ID might be some permutation of the following:

  • crftpw

  • craftnn, when nn is 01, 02, 03,

  • craftrn, when n is 1, 2, 3, 4,

For the S8720 Media Server, a possible default login and password is rasaccess and craft, respectively.

Attack Voicemail Passwords

Popularity: 6
Simplicity: 8
Impact: 6
Risk Rating: 7

Each of the following voicemail-related items is excerpted from the Avaya Toll Fraud and Security Handbook. The following is a list of default customer logins for systems in the handbook that provide login capabilities:

  • AUDIX Voicemail System: cust

  • AUDIX Voice Power System: audix (or is on the Integrated Solution-equipped system)

  • DEFINITY AUDIX System: cust

  • DEFINITY ECS, DEFINITY G1, G3V1, G3V2, and System 75: cust, rcust, bcms1, browse*, NMS*

  • Avaya INTUITY System: sa, vm

  • MERLIN LEGEND Communications System: admin on Integrated Voice Response platform-supported systems

  • MERLIN MAIL and MERLIN MAIL-ML Voice Messaging Systems: 1234

  • PARTNER MAIL and PARTNER MAIL VS Systems: 1234

  • System 25: systemx5

Bear in mind that some of these are legacy systems and might be more difficult for an attacker to access via the IP network (they might have no or limited IP access).

AUDIX Voicemail System

From the Avaya Toll Fraud and Security Handbook, these are the steps to change default administrator passwords:

  1. To access this screen, with the cursor on the PATH line, type id (identification) and press f8 (enter).

  2. Move the cursor to the New Password field and type the password you have selected.

  3. Move the cursor to the Old Password field and type CUST.

  4. Press f1 (Change or Run) to save the new password.

  5. Press f7 (Exit) to exit this screen.

MERLIN MAIL or MERLIN MAIL-ML

Following are instructions from the Avaya Toll Fraud and Security Handbook for changing the default administrator passwords.

Note 

No default password is initially assigned for the system administrator, system administration password, or a new user. When prompted for the password, press #. After you have successfully logged in, the system will prompt you to change the password. Follow the prompts to change the password.

  1. Dial the MERLIN MAIL or MERLIN MAIL-ML Voice Messaging System or press a programmed button.

  2. Enter the system administrator mailbox number (initially 9997) and press #.

  3. Enter the system administrator password (initially 1234) and press #.

  4. Press 5 and follow the prompts to change the password.

PARTNER MAIL System

Also from the Avaya Toll Fraud and Security Handbook are instructions for changing default administrator passwords for the PARTNER MAIL System. Change your password by means of the Voicemail menu:

  1. To access this menu, press Intercom 777 or a programmed button.

  2. Enter your mailbox number (initially 9997) and press #.

  3. Enter your password (initially 1234) and press #.

  4. Press 5 and follow the prompts to change your password.

PARTNER MAIL VS System

Also from the Avaya Toll Fraud and Security Handbook are instructions for changing default administrator passwords for the PARTNER MAIL VS System. Change your password by means of the Voicemail menu.

  1. To access this menu, press Intercom 777 or a preprogrammed button.

  2. Enter 99#.

  3. Enter your password and press #. (The factory-set password is 1234.)

  4. Press 5 and follow the prompts to change your password.

This exchange is from an Avaya Community Forum regarding a PARTNER Voicemail System card. This exchange indicates that some Avaya systems may have widely known backdoor passwords:

  • Q   We have a customer with a large pvm card, r3L, they changed [the] system admin password and don't remember it. I tried the typical backdoor password with no luck. Is it possible to disable this or did that code not work on the pvm card??

  • A   I don't think you can block the backdoor. Where would Avaya be then? Did you try 2537?

  • Q   Yep 2537 doesn't work. Seems to me that it did work before on this same customer, would be curious to hear any other thoughts from anyone.

  • A   Are you trying this onsite?? You need to be onsite or conf called in!! It will not work if you dial in with *7 and trans yourself.

  • A    2537 will work instead of the current admin password and get you into the admin menu, but you must do it onsite.

Other Adjunct Systems

The Avaya Toll Fraud and Security Handbook also makes recommendations for improving adjunct system security. Because system adjuncts can be used to log in to otherwise "protected" systems, you should also secure access to the following products:

  • G3 Management Applications (G3-MA)

  • Centralized System Management (CSM)

  • Call Management System (CMS)

  • Manager III/IV

  • Trouble Tracker

  • VMAAP

It is reasonable to presume that adjunct systems that have not been properly secured represent an avenue by which access might be gained to the core call processing and gateway resources. For example, AIM Technology (www.aimtechnology.com) is a company that provides a third-party application for Avaya Call Center telephony solutions. From an Avaya Community Forum post regarding AIM, we discovered "the defaults for [AIM] IMD are user=admin and pswd=admin123."

This is not to state definitively that the user ID and password remain the defaults to the AIM application, nor that the AIM application can indeed be used to compromise an Avaya Call Center deployment. It's simply illustrative of the fact that default user IDs and passwords of adjunct systems may be "out there."

Default Password Lists

Several default password lists can be found on the Web. These links include Avaya systems as well as many others:

  • http://www.searchlores.org/defpasslist1.htm

  • http://www.e-tech.ca/017-Default_Passwords_ad.asp

  • http://www.phenoelit.de/dpl/dpl.html

  • http://www.hackers-news.com/hn_passwd.php

Countermeasures: Replace Default Passwords

For the Avaya Communication Manager system, when you've loaded a valid production license and password file, replace these passwords. Avaya recommends installation instructions that allow a technician to change these passwords, and future versions of the software will prompt the technicians for a new password during installation.

All passwords used for access to Communication Manager and adjunct systems should be changed from their defaults, and you should check your systems for accidental use of default or well-known passwords. Also, require that passwords be "strong," meaning at least eight characters with mixed alphanumeric and symbol characters. Where possible, use password aging to make sure passwords are changed periodically.

Attack Default IP Phone User Passwords

Popularity: 8
Simplicity: 9
Impact: 6
Risk Rating: 8

The following text is from the IP Endpoint Installation Help for the Avaya Installation Wizard, which suggests it is "customary" to configure a phone's password to be the reverse of its extension:

"For extensions 4-7 digits in length, it's customary to set the password to the reverse of the extension number. For example, if the extension number is 5441234, set the password to 4321445. However, if the extension length is 3, then you must add a trailing 0. For example, if the extension number is 123, set the password to 3210."

Avaya then suggests following these steps to install the IP endpoint:

  1. Plug the IP endpoint (telephone) into the Ethernet wall jack.

  2. The endpoint detects and displays the speed of the Ethernet interface in Mbps (that is, 10 or 100). The message No Ethernet is displayed until the software determines whether the interface is 10 Mbps or 100 Mbps. The following is then displayed:

     DHCP: s secs, * to program

     Caution: Do not press * unless you want to program the IP phone manually.

  3. Enter the extension followed by the # key:

     Extension=nnnnnn, #=OK NEW=_

  4. Enter the password followed by the # key:

     Password=_ #=OK

The following is a post from a user on an Avaya Community forum (http://www.avayausers.com/showthread.php?s=9c4f7f3d6e55fd0cdc16396f06c01078&threadid=168 5&highlight=password):

"Thanks for the reply.
In our office the extensions are used for different areas of our business. Everyone has cell phones for personal messages.
I don't really understand the bottom part of your reply but I will pass it on to the guys who did the programming for us and see if they understand it.
All of our extensions are all set up with 1234 as the password."

It is not hard to imagine that many deployments might follow the same convention, at least until VoIP infrastructure attacks become commonplace.

Default Password Countermeasures

There are several countermeasures you can employ to address the problem of default passwords. These are covered next.

Change Default Passwords

All passwords used for access to IP phones should be changed from their defaults, and you should check your systems for accidental use of default or well-known passwords. Avaya plans to improve the wording in the Avaya Installation Wizard to emphasize the need to select a difficult-to-guess station security code.

Use Strong Passwords

All passwords should be "strong," which means difficult to guess, unrelated to the extension or some other known value, and containing mixed alphanumeric and symbol characters wherever possible.

Future versions of the firmware will allow for longer passwords.
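
One way to run the check these countermeasures call for, as an added example that is not from the book or from Avaya: audit a provisioning export of station security codes for the reversed-extension convention and the 1234 value quoted above. The CSV column names and the sample rows are constructed assumptions, not an Avaya export format.

```python
import csv
import io

# Well-known code named on this page (the forum post's shared extension password).
WELL_KNOWN_CODES = {"1234"}

def reversed_extension_code(extension: str) -> str:
    """Code produced by the 'customary' convention quoted from the wizard help."""
    code = extension[::-1]
    # The wizard text says 3-digit extensions get a trailing 0.
    return code + "0" if len(extension) == 3 else code

def audit_code(extension: str, code: str) -> list[str]:
    """Return the reasons a station security code is guessable (empty if none)."""
    findings = []
    if code == reversed_extension_code(extension):
        findings.append("reverse of extension")
    if code == extension or code == extension + "0":
        findings.append("same as extension")
    if code in WELL_KNOWN_CODES:
        findings.append("well-known default")
    if len(set(code)) == 1:
        findings.append("single repeated digit")
    return findings

def audit_export(csv_text: str) -> dict[str, list[str]]:
    """Map each flagged extension to its findings."""
    flagged = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        ext, code = row["extension"].strip(), row["security_code"].strip()
        reasons = audit_code(ext, code)
        if reasons:
            flagged[ext] = reasons
    return flagged

# Constructed sample export; column names are an assumption, not an Avaya format.
SAMPLE_EXPORT = """extension,security_code
5441234,4321445
123,3210
5441235,1234
5441236,5441236
5441237,80417263
"""

if __name__ == "__main__":
    for ext, reasons in audit_export(SAMPLE_EXPORT).items():
        print(f"{ext}: {', '.join(reasons)}")
```

Any extension the audit flags should have its security code reset to a value unrelated to the extension.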



Hacking Exposed VoIP: Voice Over IP Security Secrets & Solutions
ISBN: 0072263644
EAN: 2147483647
Year: 2004
Pages: 158
