Friday, May 28, 2010

New tool in the works: TFTPTheft

Most sysadmins just love the idea of switching on a box that just works automatically. In the case of IP phones that is typically possible by setting up the right DHCP config and a TFTP server hosting firmware and configuration.
My introduction to TFTP
The TFTP protocol typically runs over port 69, and the above image shows a rather insecure doll. The TFTP protocol is rather simple and lightweight:
  • Runs on top of UDP
  • Does not support authentication
  • Only supports pulling and pushing (GET and PUT) of files (no directory listing)
New tools?
So to retrieve a file from a reachable TFTP server, one only needs to know or guess the correct filename. There are a couple of tools which do this already, including a Metasploit module. However, what I wanted was more specific:
  • A tool that's fast like SIPVicious
  • Which allows me to brute-force ranges of Cisco phone filenames (say SEP[mac-address].cnf.xml)
  • And one which just downloads the guessed files as the TFTP server is being scanned
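The flip side of the protocol properties listed above (UDP, no authentication, filenames that can simply be guessed) is that a guessing run against a TFTP server leaves a very recognisable trace: one client asking for many distinct names and receiving "file not found" for most of them. The following is an added example, not part of TFTPTheft or this post, that parses raw TFTP read requests and error replies (RFC 1350 layout) and flags that pattern; the IPs, packet builders and sample traffic are constructed for the demonstration.

```python
import re
import struct
from collections import defaultdict

RRQ, ERROR = 1, 5  # RFC 1350 opcodes used here: read request and error
TFTP_PORT = 69
# Cisco phone config name pattern mentioned in the post: SEP<12 hex MAC digits>.cnf.xml
CISCO_CFG = re.compile(r"^SEP[0-9A-F]{12}\.cnf\.xml$", re.I)

def parse_tftp(payload):
    """Return (opcode, fields) or None. RRQ = op|filename|0|mode|0; ERROR = op|code|msg|0."""
    if len(payload) < 4:
        return None
    opcode = struct.unpack("!H", payload[:2])[0]
    if opcode == RRQ:
        return opcode, {"filename": payload[2:].split(b"\x00")[0].decode("latin-1")}
    if opcode == ERROR:
        msg = payload[4:].split(b"\x00")[0].decode("latin-1")
        return opcode, {"errcode": struct.unpack("!H", payload[2:4])[0], "msg": msg}
    return opcode, {}

def detect_filename_guessing(flows, threshold=5):
    """flows: (src_ip, dst_ip, dst_port, payload) tuples in capture order. A booting phone
    asks for a few fixed names; a guesser asks for many that do not exist. Flag clients
    with > threshold distinct RRQ names, at least half answered by ERROR 1 (not found)."""
    requested, not_found = defaultdict(set), defaultdict(int)
    for src, dst, dport, payload in flows:
        parsed = parse_tftp(payload)
        if parsed is None:
            continue
        op, f = parsed
        if op == RRQ and dport == TFTP_PORT:
            requested[src].add(f["filename"])
        elif op == ERROR and f["errcode"] == 1:
            not_found[dst] += 1  # errors travel server -> client, so key on dst
    suspects = {}
    for client, names in requested.items():
        if len(names) > threshold and not_found[client] * 2 >= len(names):
            suspects[client] = {"distinct": len(names), "not_found": not_found[client],
                                "cisco_cfg_names": sum(1 for n in names if CISCO_CFG.match(n))}
    return suspects

def rrq(name): return struct.pack("!H", RRQ) + name.encode() + b"\x00octet\x00"
def err_not_found(): return struct.pack("!HH", ERROR, 1) + b"File not found\x00"
# Constructed sample traffic: one phone fetching its own config, one host guessing MACs.
SERVER, PHONE, SCANNER = "10.0.0.1", "10.0.0.20", "10.0.0.99"
SAMPLE = [(PHONE, SERVER, TFTP_PORT, rrq("SEP001122334455.cnf.xml"))]
for i in range(8):
    SAMPLE.append((SCANNER, SERVER, TFTP_PORT, rrq("SEP0011223344%02X.cnf.xml" % i)))
    SAMPLE.append((SERVER, SCANNER, 40000 + i, err_not_found()))
```

Running `detect_filename_guessing(SAMPLE)` reports only 10.0.0.99 (eight distinct names, eight not-found replies, all matching the Cisco config pattern); the single request from the phone stays under the threshold. On a real PBX the same logic can be fed from a packet capture on UDP/69, and the TFTP server's own log of failed requests is an equally good source.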
Therefore I'm releasing a new set of tools called TFTPTheft which includes two new tools:
  •, which does what I just described (guess filenames and download files)
  •, which searches for TFTP servers on the network
To give it a try, the code is currently in a Mercurial repo and you can pull it by:
hg clone tftptheft
I am releasing this code so that you can send me feedback. So please go forth and give this a try, run it against your VoIP system (it's likely that the PBX / Call manager will have a TFTP server running). Then send me an email with your experience: sandro at
