Compromising Domain Admin in VOIP Pentest

In the VOIP internal assessment, we port scan for ports 5060 and 5061 across the network to find the IP enabled phones over network. Then we found the range and started connecting to web page of the each phone running on port-80.

Checking the Status Message of one VOIP Phone, we found one file not getting updated on phone i.e.; SEPDC*****90.cnf.xml.sgn

Note :- All the VOIP phones download the latest config and all changes from the TFTP server running on call manager in the network.

Now lets find out the call manager running TFTP service, which can be easily found from phone Settings menu.

Then we TFTP the call manager and download the SEPDC*****90.cnf.xml.sgn file

Inside the downloaded file we found one more file existing on the TFTP sever. i.e.; SPDefault.cnf.xml

Download the SPDefault.cnf.xml file from TFTP. We found domain credentials of ‘***mmunicatio*’ user used to connect to LDAP.
Using the above found credentials we were able to successful connect to Domain Controller and Enumerate all users on domain. This user was only allowed to query and provide information, he don’t have privileges to RDP, Add user, etc.

Then from all enumerated users we tried targeting all commonly used/generic accounts like mcafee*****n, sql-****n, etc. Trying out the default credentials on sql-****n worked for us ;)

Then using netscan we found where all Administrator user is logged-in. And using the sql-****n user we RDP the box. Luckily we found one box where our credentials of sql-****n worked.

Then RDP the box with sql-****n credentials -> Stop Antivirus -> Download Mimikatz -> Get all password in file -> Finding Administrator credentials in file -> PWNED ;)

Then we RDP the Domain Controller with Administrator Creds -> Add ***-voip user to Domain Admin group. Game Over.


  1. This comment has been removed by the author.

  2. Very informative blog... This blog share valuable information on IT security training. Thanks for sharing

  3. This information is meaningful and magnificent which you have shared here about the Business VoIP Phone Service. I am impressed by the details that you have shared in this post and It reveals how nicely you understand this subject. I would like to thanks for sharing this article here.

  4. I admire this article for the well-researched content which you have shared here about the Business VoIP Phone Service, thanks for sharing.

  5. Nice article, Which you have shared here . Your article is very informative and useful to know more about domain-admin-in-voip. If anyone looking Small Business Hosted VoIP, is the best choice.

  6. It's exceptionally easy to discover any point on web when contrasted with course readings, as I discovered this article at this site. voip phones for small business

  7. your blog is amazing and I am impressed with it.It is informative and helpful. and If you want to get more knowledge about Small Business Hosted VoIP, then visit

  8. I was surfing the Internet for information and came across your blog. I am impressed by the information you have on this blog. It shows how well you understand this subject. asterisk based phone systems

  9. The details you have shared here about VOIP Phone is very instructive as it contains some best knowledge which is very helpful for me. VoIP Provider For Business in USAThanks for posting it.

  10. You have Shared great content here about domain. I am glad to discover this post as I found lots of valuable data in your post. Thanks for sharing a post like this.domain hosting


Post a comment

Popular posts