voip router hacking

No replies
Joined: 2017/04/19

So i figured out a good formula for hacking voip routers made by edgewater networks. As far as i can tell these havent been sucked into any huge botnets even though logging in is pretty easy. This account is a throwaway so make what you will of this post.

Anyway most of these things have custom firmware for a company that runs a bunch and gives them out to customers, like Shoretel, Cox, AT&T, Comcast, so what youll find depends on how hard you look. But most companies just look about the same. Optimum Cablevision will sometimes put the http server on some weird port like 81 or 8081 instead of the normal one though.

Most will have a http server open on port 80 that has an authentication realm of System. So if you wanted to look for one on something that crawls for http headers, you'd search for WWW-Authenticate: Basic realm="System". From the http server, the user/pass is usually a straightforward enough root/default or rouser/default. These mostly just let you configure the router but theyre most useful than they might seem so dont discount them too much if you find them. On some models the ping test function will let you inject shell commands. So in the box where it asks you for a ping address you can put say " ; cat /etc/shadow" and itll print out the shadow file into where the ping results would be.

More to the point and more ignored usually, the default root ssh password is shift+2345678109. So if you type it out its @#$%^&*!)( . Not a bad default right? Sometimes admin/default also works on ssh for some dumbass reason. Once you're in the /etc/config directory has most everything you might want to figure out about the device. This would be a good time to say that the passwords are almost always just des. If you need to brute them it can usually be done in about a day.

On the generic routers if someone changed all the root passwords you can get into the web interface and download the config file with all the DES hashes and stuff with the rouser user.

But like I was saying they're not all the same. AT&T has special firmware on theirs that makes them weird. They're special and use TACACS+ to log you in most of the time. Youll know these right away because they fit a hugeass warning message into the http server where it would just say System on the normal routers:

WARNING NOTICE: Access to this system is restricted solely to AT&T authorized personnel and is limited to use for legitimate business purposes only. This system is not permitted to be accessed by AT&T users, customers, or other personnel, unless specifically authorized in writing by AT&T. If you have accessed this system in error, please terminate your access immediately.

So instead of WWW-Authenticate: Basic realm="System", you'd look for WWW-Authenticate: Basic realm="(that whole damn warning)". Sometimes it cant access the TACACS+ server so itll just use the local passwords (usually its custadmin/admin and root/biabatt for the web interface and root/vapidesi for telnet. If you pound a router with enough logins (bots do this all day so you won't stand out by doing it at least as root. You can tell when there's more because there's a longer pause before it validates a password) eventually it will fall back to using local auth on the ones where TACACS+ works and vapidesi will get you in. Even if you dont get access though the AT&T routers are special and will usually let you dump all the config info like private keys and shit. All you need to do is find the hostname for the device. First thing you can do is just open a telnet connection to it if it has it open. Itll give you its usual long banner but then at the end it says "USxxxxxxxxxxx login:". Thats the hostname and its important because there's usually a config file with the same name you can grab. So lets say its using the ip and the hostname for it is USEAST01PALCM01A. What you do is you go to . Just remember to make it lowercase. It will prompt you for a username and password like it usually does. DO NOT give it a username like any of the ones I just gave you. If you do, it will actually check the password. What you do is you give it some retarded random username like skills and if you do ANY PASSWORD WILL WORK. This is because Edgwater is stupid. Note that you can't use this to log in. Just to do this. If the telnet port isnt open then what you can do is do an snmp query to get the hostname. The snmp community name is gps21P28S19J17JH on all of these but its read only sorry. This will give you all the local passwords on the system and the ssl and ssh private keys and the sip ip username and password.

Have fun!