Friday, May 28, 2010

New tool in the works: TFTPTheft

Most sysadmins just love the idea of switching on a box that just works automatically. In the case of IP phones that is typically possible by setting up the right DHCP config and a TFTP server hosting firmware and configuration.
My introduction to TFTP
The TFTP protocol typically runs over port 69, and the above image shows a rather insecure doll. The TFTP protocol is rather simple and lightweight:
  • Runs on top of UDP
  • Does not support authentication
  • Only supports pulling and pushing (GET and PUT) of files (no directory listing)
New tools?

So to retrieve a file from a reachable TFTP server, one only needs to know or guess the correct filename. There are a couple of tools which do this already, including a Metasploit module. However, what I wanted was more specific:
• A tool that's fast like SIPVicious
• Which allows me to brute-force ranges of Cisco phone filenames (say SEP[mac-address].cnf.xml)
• And one which just downloads the guessed files as the TFTP server is being scanned
Therefore I'm releasing a new set of tools called TFTPTheft which includes two new tools:
•, which does what I just described (guess filenames and download files)
•, which searches for TFTP servers on the network
To give it a try, the code is currently in a mercurial repo and you can pull it by:
hg clone tftptheft
I am releasing this code so that you can send me feedback. So please go forth and give this a try, run it against your VoIP system (it's likely that the PBX / Call manager will have a TFTP server running). Then send me an email with your experience: sandro at
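For the server-side view of the filename guessing described above, here is an added example (not part of TFTPTheft or of this post): a parser for TFTP read requests as laid out in RFC 1350, plus a simple detector that reports a source asking for many distinct filenames in a short window, which is what distinguishes a guesser from a phone fetching its own SEP<mac>.cnf.xml at boot. The IP addresses, filenames, timestamps and thresholds are constructed for the example.

```python
import struct
from collections import defaultdict

# TFTP opcodes from RFC 1350; a request packet is: opcode(2) | filename | NUL | mode | NUL
RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5

def parse_tftp_request(payload):
    """Decode an RRQ/WRQ payload into (opcode, filename, mode); None if it is not a request."""
    if len(payload) < 4:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode not in (RRQ, WRQ):
        return None
    fields = payload[2:].split(b"\x00")
    if len(fields) < 3:  # filename, mode, and the empty piece after the final NUL
        return None
    return opcode, fields[0].decode("ascii", "replace"), fields[1].decode("ascii", "replace").lower()

def build_rrq(filename, mode="octet"):
    """Encode an RRQ the way a phone would send it; used here only to construct sample datagrams."""
    return struct.pack("!H", RRQ) + filename.encode() + b"\x00" + mode.encode() + b"\x00"

def flag_filename_guessing(packets, window=10.0, threshold=5):
    """packets: iterable of (timestamp, src_ip, udp_payload) seen on UDP/69.
    A booting phone fetches a handful of files; a guesser cycles through many names quickly,
    so a source requesting more than `threshold` distinct names within `window` seconds is
    reported. Retransmissions of the same name are not counted twice."""
    history = defaultdict(list)  # src_ip -> [(timestamp, filename)]
    flagged = set()
    for ts, src, payload in packets:
        req = parse_tftp_request(payload)
        if req is None or req[0] != RRQ:
            continue
        history[src].append((ts, req[1]))
        recent = {name for t, name in history[src] if ts - t <= window}
        if len(recent) > threshold:
            flagged.add(src)
    return flagged

def sample_traffic():
    """Constructed datagrams (not a real capture): one phone booting normally,
    one host cycling through candidate SEP<mac>.cnf.xml names (constructed MACs)."""
    phone, scanner = "10.0.0.20", "10.0.0.99"
    pkts = [(0.0, phone, build_rrq("SEP001122334455.cnf.xml")),
            (0.5, phone, build_rrq("SEP001122334455.cnf.xml")),  # retransmit, same name
            (1.0, phone, build_rrq("firmware.bin"))]
    for i in range(8):
        pkts.append((100.0 + i * 0.2, scanner, build_rrq("SEP%012X.cnf.xml" % i)))
    return pkts
```

The threshold is deliberately low for the sample; tune `window` and `threshold` against how many files your phones actually request at boot before alerting on it.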

Wednesday, May 19, 2010

SIPVicious 0.2.5 out

Latest SIPVicious. It has been a while since I released an update to SIPVicious. It is mostly a bug-fix and "play nice" update. Download it from here.

v0.2.5 (20100519)

• Feature: has a "scan for default / typical extensions" option. This option tries to guess numeric extensions which follow certain patterns, such as 1212 etc. The option is -D, --enabledefaults
• General: and now have a new option which lets you set how long the tools will keep scanning without receiving any response back. This allows us to avoid flooding the target. Some PBX servers now have built-in firewalls / intrusion prevention systems which will blacklist the IP address of anyone using svwar or svcrack. Therefore, if the IP is blacklisted it makes sense to stop scanning the target. The default for this option is 10 seconds. Set this option by using --maximumtime [seconds]
• Removed: is now discontinued. The tool is still included for historic reasons but disabled.
• Feature: now includes the following new features:
    --debug - shows messages as they are received (useful for developers)
    --first - scans the first X number of hosts, useful for random or large address pool scanning
    --inputtext - scans IP ranges taken from a text file
    --fromname - sets the From header to something specific, useful for abusing other security issues or when svmap is used in a more flexible way than usual ;-)
• Feature: now has two new modes:
    - stats, which lists some statistics
    - search, which allows you to search through logs looking for specific user agents
• Bug fix: now by default does not send ACK messages (was a buggy feature that did not follow the standard)
• Bug fix: the template passed through the --template option is now sanity-checked.