Compromising Domain Admin in VOIP Pentest

During the internal VOIP assessment, we port-scanned the network for ports 5060 and 5061 to locate the IP phones. Once we had the phone range, we started connecting to each phone's web page running on port 80.

Checking the Status Messages of one VOIP phone, we found one file that was not being updated on the phone: SEPDC*****90.cnf.xml.sgn


Note: all the VOIP phones download their latest configuration and any changes from the TFTP server running on the call manager in the network.

Now let's find the call manager running the TFTP service; its address is easily found in the phone's Settings menu.


Then we connect to the call manager over TFTP and download the SEPDC*****90.cnf.xml.sgn file.

Inside the downloaded file we found a reference to one more file on the TFTP server: SPDefault.cnf.xml

We downloaded the SPDefault.cnf.xml file from TFTP and found the domain credentials of the ‘***mmunicatio*’ user, which the phones use to connect to LDAP.
Using these credentials we were able to connect to the Domain Controller and enumerate all users on the domain. This user was only allowed to query directory information; it had no privileges to RDP, add users, etc.
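As an added defender-side example (not code from the original post), a small audit that parses a provisioning XML file pulled from the TFTP server and flags any populated password-like element, so a cleartext LDAP bind credential like the one found above can be caught before a phone config is published; the sample XML, its element names and the values in it are constructed assumptions, not Cisco's actual schema.

```python
"""Audit a phone provisioning XML (e.g. a Cisco SPDefault.cnf.xml served by the
call manager's TFTP) for credentials stored in cleartext. Added defender-side
example, not from the post; the sample XML and its tag names are CONSTRUCTED
assumptions, not Cisco's schema (the scan keys on password-like tag names)."""
import re
import xml.etree.ElementTree as ET

# Tag names (case-insensitive) that normally carry a secret when non-empty.
SECRET_TAG_RE = re.compile(r"password|passwd|secret|credential", re.IGNORECASE)

# Constructed sample resembling the directory/LDAP section of a phone config.
SAMPLE_CONFIG = """<device>
  <devicePool><name>Default</name></devicePool>
  <directoryURL>http://cucm.example.internal/ccmcip/xmldirectory.jsp</directoryURL>
  <ldapConfig>
    <ldapServer>ldap://dc1.example.internal</ldapServer>
    <ldapUser>CN=svc-voip,OU=Service,DC=example,DC=internal</ldapUser>
    <ldapPassword>PLACEHOLDER-Winter2019!</ldapPassword>
    <ldapBindPassword></ldapBindPassword>
  </ldapConfig>
  <securityConfig><adminPassword>cisco</adminPassword></securityConfig>
</device>
"""

def find_cleartext_secrets(xml_text):
    """Return [(path, value)] for every populated secret-like element.
    Empty elements are skipped: an empty <ldapBindPassword/> is not a leak."""
    root = ET.fromstring(xml_text)
    findings = []

    def walk(elem, path):
        here = f"{path}/{elem.tag}"
        text = (elem.text or "").strip()
        if SECRET_TAG_RE.search(elem.tag) and text:
            findings.append((here, text))
        for child in elem:
            walk(child, here)

    walk(root, "")
    return findings

def audit(xml_text):
    """Report lines with the value masked, so the report itself is safe to file."""
    return [f"CLEARTEXT SECRET at {path} (length {len(value)}, value masked)"
            for path, value in find_cleartext_secrets(xml_text)]

if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG) or ["no cleartext secrets found"]:
        print(line)
```

Run it against every .cnf.xml the TFTP root serves; any hit is a credential that every phone on the network (and anyone who can reach TFTP) can read, which is the exposure this post exploited.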

From the enumerated users we then targeted the commonly used/generic accounts such as mcafee*****n, sql-****n, etc. Trying the default credentials on sql-****n worked for us ;)

Then, using netscan, we found which hosts the Administrator user was logged in to, and tried to RDP to them with the sql-****n user. Luckily we found one box where the sql-****n credentials worked.

Then RDP to the box with the sql-****n credentials -> stop the antivirus -> download Mimikatz -> dump all passwords to a file -> find the Administrator credentials in the file -> PWNED ;)


Then we RDP to the Domain Controller with the Administrator creds -> add the ***-voip user to the Domain Admins group. Game over.

Comments

  1. This domain seems interesting to work with. I actually don't know much about this domain thing but I am very well aware of C language programs. Therefore I will try to get this asap.
