Compromising Domain Admin in VOIP Pentest

During the internal VOIP assessment, we port scanned for ports 5060 and 5061 across the network to find the IP-enabled phones. Once we had found the range, we started connecting to the web page of each phone, running on port 80.

Checking the Status Messages of one VOIP phone, we found one file that was not getting updated on the phone, i.e. SEPDC*****90.cnf.xml.sgn

Note: All the VOIP phones download the latest config and all changes from the TFTP server running on the call manager in the network.

Now let's find the call manager running the TFTP service, which can easily be found from the phone's Settings menu.

Then we connected to the call manager over TFTP and downloaded the SEPDC*****90.cnf.xml.sgn file.

Inside the downloaded file we found one more file existing on the TFTP server, i.e. SPDefault.cnf.xml

We downloaded the SPDefault.cnf.xml file from TFTP and found domain credentials of the ‘***mmunicatio*’ user, used to connect to LDAP.
Using these credentials we were able to successfully connect to the Domain Controller and enumerate all users on the domain. This user was only allowed to query and provide information; it did not have privileges to RDP, add users, etc.

Then, from all the enumerated users, we tried targeting the commonly used/generic accounts like mcafee*****n, sql-****n, etc. Trying out the default credentials on sql-****n worked for us ;)

Then using netscan we found where the Administrator user was logged in, and using the sql-****n user we connected to the box over RDP. Luckily we found one box where our sql-****n credentials worked.

Then RDP to the box with sql-****n credentials -> Stop Antivirus -> Download Mimikatz -> Get all passwords in a file -> Find Administrator credentials in the file -> PWNED ;)

Then we RDP to the Domain Controller with Administrator creds -> Add ***-voip user to Domain Admin group. Game Over.
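
The chain above started with a non-phone host reading phone configuration files from the call manager's TFTP service. As an added detection example (not part of the original post), the Python below parses TFTP read requests (RFC 1350) and flags requests from outside the voice subnet, or one source reading configs for several devices. The subnet, the `SEP<12 hex digits>` naming pattern and the sample packets are assumptions constructed for illustration.

```python
import ipaddress
import re
import struct
from collections import defaultdict

# Assumptions (constructed values): the voice VLAN subnet, and device configs
# named SEP<12 hex digits>.cnf.xml[.sgn], the shape of the file name in the post.
VOICE_NETS = [ipaddress.ip_network("10.20.0.0/24")]
DEVICE_CFG = re.compile(r"^SEP([0-9A-F]{12})\.cnf\.xml(\.sgn)?$", re.I)

def parse_rrq(payload: bytes):
    """Return (filename, mode) for a TFTP read request (RFC 1350), else None."""
    if len(payload) < 4 or struct.unpack("!H", payload[:2])[0] != 1:
        return None                      # opcode 1 = RRQ
    parts = payload[2:].split(b"\x00")
    if len(parts) < 3 or not parts[0] or not parts[1]:
        return None                      # filename and mode must be NUL-terminated
    return parts[0].decode("ascii", "replace"), parts[1].decode("ascii", "replace").lower()

def review(events):
    """events: (src_ip, udp_payload) pairs sent to port 69. Returns alert tuples."""
    seen = defaultdict(set)              # src -> device IDs whose config it read
    alerts = []
    for src, payload in events:
        rrq = parse_rrq(payload)
        if rrq is None:
            continue
        name, device = rrq[0], DEVICE_CFG.match(rrq[0])
        if not any(ipaddress.ip_address(src) in net for net in VOICE_NETS):
            alerts.append((src, name, "RRQ from outside voice subnet"))
        elif device:
            seen[src].add(device.group(1).upper())
            if len(seen[src]) > 1:
                alerts.append((src, name, "one host reading several device configs"))
    return alerts

def make_rrq(name):                      # builds the constructed sample packets
    return b"\x00\x01" + name.encode() + b"\x00octet\x00"

SAMPLE = [                               # constructed traffic, not from the post
    ("10.20.0.15", make_rrq("SEP001122334455.cnf.xml.sgn")),  # phone, own config
    ("10.20.0.15", make_rrq("SEP001122334455.cnf.xml")),      # same device again
    ("10.30.5.77", make_rrq("SEP001122334455.cnf.xml.sgn")),  # not a voice host
    ("10.20.0.99", make_rrq("SEP001122334455.cnf.xml")),
    ("10.20.0.99", make_rrq("SEPAABBCCDDEEFF.cnf.xml")),      # second device's file
    ("10.20.0.15", b"\x00\x03\x00\x01data"),                  # DATA packet, ignored
]

if __name__ == "__main__":
    print(*review(SAMPLE), sep="\n")
```

Feed it source addresses and UDP payloads captured at the call manager; detection does not replace removing directory credentials from files the TFTP service hands out.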


  1. VoIP is a very fast-developing technology; however, not everyone's aware of it. VoIP providers all across the globe are trying to help prospects make the most out of it and let go of PSTN.
    Cebod Telecom

  2. Hey Nice Blog!! Thanks For Sharing!!! Wonderful blog & good post. It's really helpful for me, waiting for a more new post. Keep Blogging!
    Network security training in coimbatore
    IT security training in coimbatore

  3. The points that you've got mentioned those are attention-grabbing to utilize in sensible method. It’s a awfully abundant advantageable to everybody...thanks for providing such types of valuable data.

    Offshore dedicated hosting

  4. I really thank you for the valuable info on this great subject and look forward to more great posts. Thanks a lot for enjoying this beauty article with me. I am appreciating it very much! Looking forward to another great article. Good luck to the author! All the best! wholesale voip termination

  5. This comment has been removed by the author.

  6. I think this is an informative post and it is very useful and knowledgeable. Therefore, I would like to thank you for the efforts you have made in writing this article. Wholesale VoIP Provider

