New tool in the works: TFTPTheft
Most sysadmins just love the idea of switching on a box that just works automatically. In the case of IP phones that is typically possible by setting up the right DHCP config and a TFTP server hosting firmware and configuration.
My introduction to TFTP
The TFTP protocol typically runs over UDP port 69, and the above image shows a rather insecure doll. The protocol itself is rather simple and lightweight:
- Runs on top of UDP
- Does not support authentication
- Only supports reading and writing individual files (GET and PUT, i.e. RRQ and WRQ); there is no directory listing
New tools?
So to retrieve a file from a reachable TFTP server, one only needs to know or guess the correct filename. There are a couple of tools which do this already, including a Metasploit module. However, what I wanted was more specific:
- A tool that’s fast like SIPVicious
- Which allows me to brute-force ranges of Cisco phone filenames (say SEP[mac-address].cnf.xml)
- And one which just downloads the guessed files as the TFTP server is being scanned
Therefore I’m releasing a new set of tools called TFTPTheft which includes 2 new tools:
- thief.py, which does what I just described (guess filenames and download files)
- finder.py, which searches for TFTP servers on the network
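The two points above (TFTP's bare-bones request format, and the fact that guessing filenames is all it takes to pull a phone's configuration) are easiest to see on the wire. The following is an added example written for this post, not code from the TFTPTheft project: it decodes TFTP datagrams as laid out in RFC 1350 (RRQ/WRQ, DATA, ACK, ERROR) and then walks a small constructed capture to flag a client that requests many distinct filenames from the TFTP server in a short window and keeps getting "File not found" back, which is exactly what a filename brute-force looks like to the server's owner. The server address 10.0.0.1, the client addresses, the timestamps and the thresholds (10-second window, 20 distinct names) are all constructed for the illustration.

```python
"""Decode TFTP datagrams (RFC 1350) and flag filename-guessing against a TFTP server.

Added example for this post; it is not part of TFTPTheft. The capture,
the IP addresses and the thresholds below are constructed for illustration.
"""
import struct
from collections import defaultdict
from dataclasses import dataclass

OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR"}
ERR_FILE_NOT_FOUND = 1  # RFC 1350 error code 1


def parse_tftp(payload: bytes) -> dict:
    """Decode one TFTP datagram into a dict keyed by 'op'; raises ValueError if malformed."""
    if len(payload) < 2:
        raise ValueError("datagram too short for a TFTP opcode")
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode in (1, 2):  # RRQ / WRQ: opcode | filename NUL | mode NUL
        fields = payload[2:].split(b"\x00")
        if len(fields) < 3:  # filename, mode, and the empty tail after the final NUL
            raise ValueError("malformed request: missing NUL terminators")
        return {"op": OPCODES[opcode],
                "filename": fields[0].decode("ascii", "replace"),
                "mode": fields[1].decode("ascii", "replace").lower()}
    if len(payload) < 4:
        raise ValueError("datagram too short for its opcode")
    if opcode in (3, 4):  # DATA / ACK: opcode | block number | (data)
        (block,) = struct.unpack("!H", payload[2:4])
        return {"op": OPCODES[opcode], "block": block, "data": payload[4:]}
    if opcode == 5:  # ERROR: opcode | error code | message NUL
        (code,) = struct.unpack("!H", payload[2:4])
        msg = payload[4:].split(b"\x00")[0].decode("ascii", "replace")
        return {"op": "ERROR", "code": code, "message": msg}
    raise ValueError(f"unknown TFTP opcode {opcode}")


# Encoders used only to build the constructed capture below.
def build_request(filename: str, mode: str = "octet", write: bool = False) -> bytes:
    return struct.pack("!H", 2 if write else 1) + filename.encode() + b"\x00" + mode.encode() + b"\x00"


def build_error(code: int, message: str) -> bytes:
    return struct.pack("!HH", 5, code) + message.encode() + b"\x00"


def build_data(block: int, data: bytes) -> bytes:
    return struct.pack("!HH", 3, block) + data


@dataclass
class Datagram:
    ts: float      # seconds since capture start
    src: str
    dst: str
    payload: bytes


def find_filename_guessing(datagrams, server_ip, window=10.0, min_distinct=20):
    """Return {client_ip: summary} for clients that asked server_ip for at least
    min_distinct different filenames inside any `window`-second span."""
    requests = defaultdict(list)   # client -> [(ts, filename)]
    not_found = defaultdict(int)   # client -> number of error-code-1 replies it received
    for d in datagrams:
        try:
            pkt = parse_tftp(d.payload)
        except ValueError:
            continue  # not TFTP, or truncated: ignore
        if d.dst == server_ip and pkt["op"] in ("RRQ", "WRQ"):
            requests[d.src].append((d.ts, pkt["filename"]))
        elif d.src == server_ip and pkt["op"] == "ERROR" and pkt["code"] == ERR_FILE_NOT_FOUND:
            not_found[d.dst] += 1
    alerts = {}
    for client, reqs in requests.items():
        reqs.sort()
        best, j = 0, 0
        for i in range(len(reqs)):  # sliding window over the sorted request times
            while reqs[i][0] - reqs[j][0] > window:
                j += 1
            best = max(best, len({name for _, name in reqs[j:i + 1]}))
        if best >= min_distinct:
            alerts[client] = {"distinct_in_window": best,
                              "total_requests": len(reqs),
                              "not_found": not_found[client]}
    return alerts


SERVER = "10.0.0.1"  # constructed: the call manager's TFTP server


def sample_capture() -> list:
    """Constructed capture: one phone booting normally, one host guessing names."""
    pkts = []
    # Legitimate phone: asks for its own config once and receives DATA.
    pkts.append(Datagram(0.0, "10.0.0.50", SERVER, build_request("SEP001122334455.cnf.xml")))
    pkts.append(Datagram(0.1, SERVER, "10.0.0.50", build_data(1, b"<device>...</device>")))
    # Guessing host: 30 sequential MAC-based names in 1.5 s, every one rejected.
    for i in range(30):
        t = 5.0 + i * 0.05
        name = f"SEP00112233{0x4400 + i:04X}.cnf.xml"
        pkts.append(Datagram(t, "10.0.0.99", SERVER, build_request(name)))
        pkts.append(Datagram(t + 0.01, SERVER, "10.0.0.99", build_error(ERR_FILE_NOT_FOUND, "File not found")))
    # Junk that hit the port but is not a TFTP datagram; the parser skips it.
    pkts.append(Datagram(9.0, "10.0.0.7", SERVER, b"\x00"))
    return pkts


if __name__ == "__main__":
    for client, summary in find_filename_guessing(sample_capture(), SERVER).items():
        print(f"{client}: {summary}")
```

Run as-is it reports only 10.0.0.99 (30 distinct names, 30 "File not found" replies) and says nothing about the phone that fetched its own configuration once. Because TFTP has no authentication, this kind of per-client request-rate and not-found counting on the call manager, or on a span port in front of it, is about the only signal you get that someone is enumerating phone configurations; the same counter also catches a legitimate device that is misconfigured and retrying a name that was never provisioned.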
To give it a try: the code is currently in a Mercurial repository, and you can pull it with:
hg clone https://tftptheft.googlecode.com/hg/ tftptheft
I am releasing this code so that you can send me feedback. So please go forth and give this a try, run it against your VoIP system (it’s likely that the PBX / Call manager will have a TFTP server running). Then send me an email with your experience: sandro at enablesecurity.com