Default System Passwords

This section covers default or common passwords used for Asterisk, supporting systems (such as voicemail), and IP phones.

Attack Default Asterisk Passwords

Popularity: 7
Simplicity: 8
Impact: 4
Risk Rating: 6

With the exception of voicemail, there are no default passwords per se in the Asterisk IP PBX deployment. Digium provides paid support for the Asterisk Business Edition (see http://www.digium.com). That edition includes binaries, an installer, and scripts that are not freely available. It is entirely possible there are default passwords, barrier codes, and authorization codes provisioned in some component of the Asterisk Business Edition (for example, in the AstDB delivered with that edition).

With the free version of Asterisk installed, you have the option of producing sample configuration files. These files have examples of secrets and password parameters within some of the *.conf files, but they are intentionally silly and commented out (for example, blah, password, mypass).

There is an Asterisk distribution called Asterisk@Home that was developed by Andrew Gillis. If you search the Web for "+asterisk +default +password", you will receive many hits for Asterisk@Home. At the time this book was written, there was a wiki about Asterisk@Home at http://www.voip-info.org/wiki. Several default passwords were listed on the site, and one default password was simply "password".

Attack Voicemail Passwords

Popularity: 6
Simplicity: 8
Impact: 4
Risk Rating: 6

By convention, a new voicemail user is configured with a voicemail context and an initial password equal to the mailbox number (normally the extension). Context parameters in voicemail.conf can be set to force a new user to perform certain actions, such as recording a name and a greeting. For example, the forcename parameter forces new users to record their names, and Asterisk recognizes a "new" user precisely by the password being equal to the mailbox number. However, nothing forces an administrator to provision a voicemail box with the password equal to the box ID, and nothing prevents that initial password from being left in place indefinitely, so a mailbox whose password still equals its number is the first thing an attacker tries.

Attack Default IP Phone User Passwords

Popularity: 8
Simplicity: 9
Impact: 6
Risk Rating: 7

The Snom and Grandstream SIP phones both support nonsecure (port 80) web-based access. The Snom SIP phone also supports secure (port 443) web-based access. We did not identify any default passwords for these SIP phones. The Cisco SIP phone does not support web access. This is perhaps in response to vulnerabilities found several years ago; see http://www.securityfocus.com/bid/4798/ for more information.

Sensitive SIP and network configuration parameters may, however, be modified through the keypad if the configuration can be unlocked. Software releases prior to v4.2 simply required entry of the key sequence **# to unlock the phone. Releases 4.2 and later require the user to navigate to the phone's Settings menu and scroll to the Unlock Config submenu item. Selecting that item prompts for a password. The default password is "cisco", which also serves as the default telnet password.

There are several IDs and passwords associated with the Avaya 4602 phone running a SIP load:

  • SIP username or extension and password

  • The phone's web interface has both admin level and user level IDs/passwords

The SIP username or extension and password are used to register with the SIP proxy/registrar serving the phone. The IP Endpoint Installation help for the Avaya Installation Wizard suggests it is "customary" to configure a phone's password to be the reverse of its extension, which makes the password derivable from the caller ID alone.

Regarding the phone's web interface:

  • Default administrator level ID and password: admin, barney

  • Default user ID and password: see the following (from 4602 SIP Telephone, SIP Release 1.0, User's Guide), which suggests using the last four characters of the SIP phone's MAC address:

If: You already have a web interface username and password
Then: Enter your password. Your password is the last four characters of your MAC address, unless you changed it.

If: You do not have a username or a password
Then: Press Mute, then enter 4 6 3 6 (I N F O). Press the # key until the phone displays a MAC address on the top line and a number similar to 00-09-6E-03-85-FB on the bottom line. Leave the User Name field blank. Enter the last four characters of your MAC address without hyphens as the default password. In the example shown, you would enter 85FB.

Because the MAC address is broadcast on the LAN (and is printed on the phone's label), a user-level password derived from it offers no real protection to anyone with network access.

Password Countermeasures

All passwords used for access to Linux, Asterisk, its voicemail system, and the SIP phones should be changed from their defaults, and you should check your systems for accidental use of default, well-known, or derivable passwords (a voicemail PIN equal to the mailbox number, a SIP secret equal to the extension or its reverse, a phone web password equal to part of the MAC address). Also, require that passwords be "strong," meaning at least eight characters with mixed alphanumeric and symbol characters; voicemail passwords are entered from the keypad and so are digits only, which makes length the only lever you have there. Where possible, use password aging to make sure passwords are changed periodically.
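The check recommended above can be scripted. The following is an added example, not code from the book, that audits the two Asterisk files where these credentials live: voicemail.conf (mailbox => password,name,email entries) and sip.conf (secret= under each peer section). It flags the weak patterns discussed in this section: a voicemail password equal to the mailbox number (which is exactly how Asterisk identifies a "new" user), a SIP secret equal to the extension or its reverse (the Avaya "customary" scheme), well-known strings such as the commented-out sample secrets and the vendor defaults named above, and anything shorter than the eight-character minimum. The file contents, the COMMON_SECRETS list, and the MIN_LENGTH threshold are constructed for the example and should be replaced with your own.

```python
"""Audit Asterisk voicemail.conf and sip.conf for default or predictable credentials.

Added example: the config text below is constructed for illustration, not taken
from any real deployment.
"""
import re

# Defaults and sample-config placeholders mentioned in the text; extend for your site.
COMMON_SECRETS = {"password", "cisco", "barney", "blah", "mypass", "admin"}
MIN_LENGTH = 8  # assumed policy minimum, matching the countermeasure above

# Constructed sample input.
VOICEMAIL_CONF = """
[general]
format=wav
forcename=yes
[default]
1000 => 1000,Alice Example,alice@example.com   ; never changed from mailbox number
1234 => 4321,Bob Example,bob@example.com       ; reverse of the mailbox number
1002 => 97315082,Carol Example
[sales]
2001 => 1002,Dave Example
"""

SIP_CONF = """
[general]
context=default
[1000]
type=friend
secret=0001
host=dynamic
[1001]
type=friend
secret=1001
[1002]
type=friend
secret=password
[2001]
type=friend
secret=Xk9#vbL2qR
"""

_SECTION = re.compile(r"\[([^\]]+)\]")          # [name] or template form [name](!)
_MAILBOX = re.compile(r"(\d+)\s*=>\s*([^,]*)")  # mailbox => password,name,email,...
_SECRET = re.compile(r"secret\s*=\s*(.*)$")     # secret= line inside a peer section


def _strip_comment(line):
    """Drop ';' comments and surrounding whitespace."""
    return line.split(";", 1)[0].strip()


def parse_voicemail(text):
    """Return (context, mailbox, password) for every mailbox entry outside [general]."""
    entries, context = [], None
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if not line:
            continue
        m = _SECTION.match(line)
        if m:
            context = m.group(1)
            continue
        m = _MAILBOX.match(line)
        if m and context not in (None, "general", "zonemessages"):
            entries.append((context, m.group(1), m.group(2).strip()))
    return entries


def parse_sip(text):
    """Return {peer_name: secret} for every sip.conf section that sets secret=."""
    peers, section = {}, None
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if not line:
            continue
        m = _SECTION.match(line)
        if m:
            section = m.group(1)
            continue
        m = _SECRET.match(line)
        if m and section:
            peers[section] = m.group(1).strip()
    return peers


def weaknesses(identifier, secret):
    """List the reasons a secret is weak relative to the mailbox/extension it protects."""
    reasons = []
    if not secret:
        return ["empty"]
    if secret == identifier:
        reasons.append("equals extension/mailbox")
    elif secret == identifier[::-1]:
        reasons.append("reverse of extension/mailbox")
    if secret.lower() in COMMON_SECRETS:
        reasons.append("well-known default")
    if len(secret) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    return reasons


def audit(voicemail_text, sip_text):
    """Return (file, identifier, reason) tuples for every weak credential found."""
    findings = []
    for context, mailbox, password in parse_voicemail(voicemail_text):
        for reason in weaknesses(mailbox, password):
            findings.append(("voicemail.conf", f"{context}/{mailbox}", reason))
    for peer, secret in parse_sip(sip_text).items():
        for reason in weaknesses(peer, secret):
            findings.append(("sip.conf", peer, reason))
    return findings


if __name__ == "__main__":
    for filename, ident, reason in audit(VOICEMAIL_CONF, SIP_CONF):
        print(f"{filename}: {ident}: {reason}")
```

Run it against the real files (for example by reading /etc/asterisk/voicemail.conf and /etc/asterisk/sip.conf into the two variables) after every provisioning batch, not just once: the failure mode this section describes is an administrator creating a mailbox with the password set to its number and never forcing the user through the change. Every "equals extension/mailbox" hit in voicemail.conf is a user Asterisk itself still treats as new.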

Hacking Exposed VoIP: Voice Over IP Security Secrets & Solutions
ISBN: 0072263644
Year: 2004
Pages: 158