Skip to main content

Posts

Showing posts from October, 2012

Cisco Unified Communications Manager (Call Manager) PIN brute force attack

During a security review, I have found a quick way to perform PIN brute force attack against accounts registered with a Cisco Unified Communications Manager (CallManager). A quick google "callmanager brute force" didn't bring any relevant results, so I thought to share the simple technique I have used. When looking at the phone handset configuration, some URLs are set to allow the handset to retrieve Personal Address Book details or access the Fast Dials. That caught my attention and I immediately pointed my web proxy to those URLs, forgetting about the handset interface. What happens when using the handset is that the handset itself performs HTTP requests to the CallManager. A simple HTTP GET request is performed by the handset to initiate the login sequence with a request as the one below: 1) GET - https://x.x.x.x/ccmpd/pdCheckLogin.do?name=undefined The response contains a reference to the login.do page along with a "sid" token, which is used