It's interesting, and scary: if you are on a system's network, it wouldn't be hard to get people's passwords.

I did confirm that I have access to about 20 different AD passwords from just 1 cluster. Thanks for the info, Anthony.

On Thu, Mar 15, 2018 at 7:46 AM Anthony Holloway <[email protected]> wrote:

> I don't know about any of those additional files, and the FileList one was something I was looking for.
>
> Today's goal will be to write a Python script to: grab that file, then grab all phone configs, then auth against CUCM, and finally, store the credentials that worked.
>
> It might even be worth looking at the credentials which don't work, because it might tell you something about password habits, allowing you to predict future passwords. Eg Summer2010
>
> On Mar 15, 2018 2:34 AM, "Stephen Welsh" <[email protected]> wrote:
>
>> While we are on the subject, here are some other non-encrypted TFTP server items:
>>
>> - ConfigFileCacheList.txt
>> - FileList.txt
>> - BinFileCacheList.txt
>> - PerfMon.txt
>> - ParamList.txt
>> - lddefault.cfg
>>
>> So you could use the following to get a list of all the device MAC addresses anonymously from the TFTP server:
>>
>> http://TFTPServer:6970/FileList.txt
>>
>> So with the scenario you describe and just the TFTP Server IP Address you could scan all the device configs on the cluster to see if even just one of them has the admin credentials saved accidentally in the SSH User/Password field.
>>
>> I suspect this may apply to most clusters....
>>
>> Kind Regards
>>
>> Stephen Welsh
>> CTO
>> UnifiedFX
>>
>> On 15 Mar 2018, at 07:25, Stephen Welsh <[email protected]> wrote:
>>
>> Hi Anthony,
>>
>> Yes, the SSH credentials saved on the device page are available in clear text in the phone XML config; it's not just your environment, unfortunately. Also I believe the same thing applies for the Telepresence endpoints (anything running CE, including the DX) for the web page admin credentials that are saved in the vendor config section.
>>
>> We noticed this a little while ago but, given most people did not populate it, did not consider it a serious issue; however, the auto-population of credentials is not something we considered. So yes, this does look like a serious problem when you combine those two together.
>>
>> Kind Regards
>>
>> Stephen Welsh
>> CTO
>> UnifiedFX
>>
>> On 15 Mar 2018, at 01:50, Anthony Holloway <[email protected]> wrote:
>>
>> I'm working on something, and was wondering if you could check something for me, so I can better understand why and how often this is happening.
>>
>> So, I was looking at a phone config file today, and I noticed the ccmadmin username and password were in the XML, and in plain text nonetheless.
>>
>> I found out that the browser, when told to remember your credentials, will treat the SSH username/password fields as login fields whenever you modify a phone, and you might be unknowingly saving your credentials for clear text view by unauthenticated users.
>>
>> Is anyone already aware of this?
>>
>> Could you run the following command on your clusters:
>>
>> *run sql select name, sshuserid from device where sshuserid is not null and sshuserid <> ""*
>>
>> Then in the output, if there are any hits, look at the config XML file for the phone and see if the passwords are there.
>>
>> E.g., output might be:
>>
>> *SEP6899CD84B710 aholloway*
>>
>> So then you would navigate your browser to:
>>
>> *http://<tftpserver>:6970/SEP6899CD84B710.cnf.xml*
>>
>> You then might have to view the HTML source of the page, because the browser might mess up the output.
>>
>> You're then looking for the following two fields; your results will vary:
>>
>> *<sshUserId>aholloway</sshUserId>*
>> *<sshPassword>MyP@ssw0rd</sshPassword>*
>>
>> Then, since we now know it's happening, get a list of how many different usernames you have with this command:
>>
>> *run sql select distinct sshuserid from device where sshuserid is not null and sshuserid <> "" order by sshuserid*
>>
>> This could also be happening with Energy Wise settings, albeit not on the same web pages.
>>
>> I'm curious about two things:
>>
>> 1) Is it even happening outside of my limited testing scenarios?
>> 2) How many different usernames and passwords were there?
>>
>> If the answers are yes, and 1 or more, then this is an issue Cisco should address.
>>
>> The reason it's happening is because the way in which browsers identify login forms is different from the way in which web developers understand it to work. Cisco uses the element attribute "autocomplete = false" on these fields and, unfortunately, most browsers ignore that directive.
>>
>> I have noticed that this does not happen if you have more than 1 saved password for the same site; rather, it will only happen if you use the same login for the entire site. Our highest chance of seeing this happen is for operations teams where they log in with their own accounts, and do not use DRS or OS Admin.
>>
>> _______________________________________________
>> cisco-voip mailing list
>> [email protected]
>> https://puck.nether.net/mailman/listinfo/cisco-voip
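The check Anthony describes (run the `run sql` query, then inspect each flagged device's cnf.xml for a populated `<sshPassword>`) is easy to turn into an audit an administrator can run against their own cluster. The script below is an added example written for this page; it is not code from the thread or from Cisco or UnifiedFX. It assumes the element layout quoted above (`<sshUserId>` and `<sshPassword>` somewhere inside the config document), and the CLI output and config files it reads are constructed inline with placeholder MAC addresses so it runs offline; in practice you would feed it the query output and config files you have already retrieved from your own TFTP service. It deliberately reports only the length of any exposed password, never the value, so the report can be circulated without re-exposing the secret, and it ends with the distinct list of accounts whose passwords should be rotated.

```python
"""Audit CUCM phone configuration XML for saved SSH credentials.

Added example, not from the mailing-list thread. Assumes the cnf.xml layout
quoted in the thread: <sshUserId> and <sshPassword> elements inside the
document. All inputs are constructed inline (placeholder device names and
values) so the script runs offline.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Constructed sample output of the thread's CLI query:
#   run sql select name, sshuserid from device where sshuserid is not null and sshuserid <> ""
SAMPLE_SQL_OUTPUT = """\
name            sshuserid
=============== =========
SEP6899CD84B710 aholloway
SEPAAAAAAAAAAAA aholloway
SEPBBBBBBBBBBBB svc-ops
"""

# Constructed sample config files keyed by filename (placeholder values, not real devices).
SAMPLE_CONFIGS: Dict[str, str] = {
    "SEP6899CD84B710.cnf.xml": (
        "<device><fullConfig>true</fullConfig>"
        "<sshUserId>aholloway</sshUserId>"
        "<sshPassword>MyP@ssw0rd</sshPassword></device>"
    ),
    "SEPAAAAAAAAAAAA.cnf.xml": (
        "<device><sshUserId>aholloway</sshUserId><sshPassword></sshPassword></device>"
    ),
    "SEPBBBBBBBBBBBB.cnf.xml": "<device><fullConfig>true</fullConfig></device>",
}


def parse_sql_output(text: str) -> Dict[str, str]:
    """Map device name -> sshuserid from the CLI table; header and separator rows are skipped."""
    result: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"^(SEP[0-9A-F]{12})\s+(\S+)\s*$", line.strip())
        if m:
            result[m.group(1)] = m.group(2)
    return result


def audit_config(xml_text: str) -> Optional[dict]:
    """Return a finding if the config carries a non-empty sshPassword, else None.

    The password value is never returned, only its length.
    """
    root = ET.fromstring(xml_text)
    user = root.findtext(".//sshUserId") or ""
    pw = root.findtext(".//sshPassword") or ""
    if not pw:
        return None
    return {"sshUserId": user, "password_length": len(pw)}


def audit_cluster(sql_output: str, configs: Dict[str, str]) -> List[dict]:
    """Cross-check every device the SQL query flagged against its config file."""
    findings: List[dict] = []
    for name, userid in sorted(parse_sql_output(sql_output).items()):
        xml_text = configs.get(f"{name}.cnf.xml")
        if xml_text is None:
            findings.append({"device": name, "status": "config-missing", "sshUserId": userid})
            continue
        hit = audit_config(xml_text)
        if hit is None:
            findings.append({"device": name, "status": "no-password", "sshUserId": userid})
        else:
            findings.append({"device": name, "status": "PASSWORD-EXPOSED", **hit})
    return findings


def distinct_userids(findings: List[dict]) -> List[str]:
    """Distinct accounts with an exposed password (the thread's second query, done in memory)."""
    return sorted({f["sshUserId"] for f in findings if f["status"] == "PASSWORD-EXPOSED"})


if __name__ == "__main__":
    report = audit_cluster(SAMPLE_SQL_OUTPUT, SAMPLE_CONFIGS)
    for row in report:
        print(row)
    print("accounts needing password rotation:", distinct_userids(report))
```

Run it as-is to see the three sample outcomes (one exposed password, one empty password element, one device with no SSH fields at all); to audit a real cluster, replace `SAMPLE_SQL_OUTPUT` with the pasted CLI output and `SAMPLE_CONFIGS` with the files you pulled for those device names. The `config-missing` status is kept separate from `no-password` so a device that the database flags but whose config you could not retrieve is not silently counted as clean.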
