Compromising Domain Admin in VOIP Pentest

In the VOIP internal assessment, we port scanned for ports 5060 and 5061 across the network to find the IP-enabled phones. We then identified the range and started connecting to the web page of each phone, running on port 80.

Checking the Status Message of one VOIP phone, we found one file that was not getting updated on the phone: SEPDC*****90.cnf.xml.sgn

Note: All the VOIP phones download the latest config and all changes from the TFTP server running on the call manager in the network.

Now let's find the call manager running the TFTP service, which can easily be found from the phone's Settings menu.

Then we connected to the call manager over TFTP and downloaded the SEPDC*****90.cnf.xml.sgn file.

Inside the downloaded file we found one more file that exists on the TFTP server: SPDefault.cnf.xml

We downloaded the SPDefault.cnf.xml file from TFTP and found the domain credentials of the ‘***mmunicatio*’ user, which is used to connect to LDAP.
Using these credentials we were able to successfully connect to the Domain Controller and enumerate all users in the domain. This user was only allowed to query and read information; it did not have privileges to RDP, add users, etc.
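On the defensive side, the same finding can be caught before an assessment does: run a check over every config file the TFTP server hands out and flag any non-empty password-like field. The script below is an added example, not part of the original write-up; the sample XML and its element names are constructed for illustration and are not a vendor schema.

```python
import re
import xml.etree.ElementTree as ET

# Element/attribute names that usually carry a secret.
SECRET_NAME = re.compile(r"(passw(or)?d|pwd|secret|credential)", re.I)

# Constructed sample config; element names are illustrative assumptions.
SAMPLE_CONFIG = """<device>
  <devicePool><callManagerGroup><name>cm-group-1</name></callManagerGroup></devicePool>
  <directory>
    <ldapServer>ldap://dc01.example.internal</ldapServer>
    <ldapUserId>svc-directory</ldapUserId>
    <ldapPassword>ExamplePassw0rd</ldapPassword>
  </directory>
  <sshPassword></sshPassword>
  <proxy user="svc-proxy" password="AnotherExample1"/>
</device>"""

def redact(value):
    """Report only the length, so the audit output does not leak the secret."""
    return f"<{len(value)} chars redacted>"

def audit_config(xml_text):
    """Return sorted (path, redacted_value) for every non-empty secret-like field."""
    findings = []

    def walk(node, path):
        here = f"{path}/{node.tag}"
        text = (node.text or "").strip()
        # Element whose name looks like a secret and that actually holds a value.
        if SECRET_NAME.search(node.tag) and text:
            findings.append((here, redact(text)))
        # Attributes can carry secrets too (e.g. password="...").
        for name, value in node.attrib.items():
            if SECRET_NAME.search(name) and value.strip():
                findings.append((f"{here}/@{name}", redact(value)))
        for child in node:
            walk(child, here)

    # Only parse files pulled from your own server; the stdlib parser is
    # not hardened against hostile XML.
    walk(ET.fromstring(xml_text), "")
    return sorted(findings)

if __name__ == "__main__":
    for path, value in audit_config(SAMPLE_CONFIG):
        print(f"{path}: {value}")
```

Any hit means a secret is readable by anything that can reach the TFTP service, so the account behind it should be rotated and restricted to the minimum directory rights it needs.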

Then, from all the enumerated users, we targeted the commonly used/generic accounts like mcafee*****n, sql-****n, etc. Trying the default credentials on sql-****n worked for us ;)

Then, using netscan, we found all the boxes where the Administrator user was logged in, and we used the sql-****n user to RDP to them. Luckily we found one box where our sql-****n credentials worked.

Then RDP to the box with the sql-****n credentials -> Stop Antivirus -> Download Mimikatz -> Get all passwords in a file -> Find the Administrator credentials in the file -> PWNED ;)

Then we RDP to the Domain Controller with the Administrator creds -> Add the ***-voip user to the Domain Admin group. Game Over.

