Compromising Domain Admin in VOIP Pentest

In the VOIP internal assessment, we port scan for ports 5060 and 5061 across the network to find the IP enabled phones over network. Then we found the range and started connecting to web page of the each phone running on port-80.

Checking the Status Message of one VOIP Phone, we found one file not getting updated on phone i.e.; SEPDC*****90.cnf.xml.sgn

Note :- All the VOIP phones download the latest config and all changes from the TFTP server running on call manager in the network.

Now lets find out the call manager running TFTP service, which can be easily found from phone Settings menu.

Then we TFTP the call manager and download the SEPDC*****90.cnf.xml.sgn file

Inside the downloaded file we found one more file existing on the TFTP sever. i.e.; SPDefault.cnf.xml

Download the SPDefault.cnf.xml file from TFTP. We found domain credentials of ‘***mmunicatio*’ user used to connect to LDAP.
Using the above found credentials we were able to successful connect to Domain Controller and Enumerate all users on domain. This user was only allowed to query and provide information, he don’t have privileges to RDP, Add user, etc.

Then from all enumerated users we tried targeting all commonly used/generic accounts like mcafee*****n, sql-****n, etc. Trying out the default credentials on sql-****n worked for us ;)

Then using netscan we found where all Administrator user is logged-in. And using the sql-****n user we RDP the box. Luckily we found one box where our credentials of sql-****n worked.

Then RDP the box with sql-****n credentials -> Stop Antivirus -> Download Mimikatz -> Get all password in file -> Finding Administrator credentials in file -> PWNED ;)

Then we RDP the Domain Controller with Administrator Creds -> Add ***-voip user to Domain Admin group. Game Over.


  1. I really thank you for the valuable info this great subject and look forward to more great posts. Thanks a lot for enjoying this beauty article with me. I am appreciating it very much! Looking forward to another great article. Good luck to the author! All the best!wholesale voip termination

  2. This comment has been removed by the author.

  3. I think this is an informative post and it is very useful and knowledgeable. therefore, I would like to thank you for the efforts you have made in writing this article Wholesale VoIP Provider

  4. Very informative blog... This blog share valuable information on IT security training. Thanks for sharing

  5. Some genuinely superb info, Glad I found this. After reading this remarkable piece of writing i am also delighted to share my knowledge about VoIP providers


Post a Comment

Popular Posts