iCULeak (iCULeak.py) is a tool to find and extract credentials from phone configuration files in environments managed by Cisco’s CUCM (Call Manager).
When using Cisco’s CUCM (Call Manager), phone configuration files are stored on a TFTP server. These VoIP phone configuration files quite frequently contain sensitive data, including phone SSH/admin credentials.
There is also an issue with how some browsers autofill fields such as the SSH Username and Password fields with the administrator's CUCM credentials (commonly their AD credentials) if the administrator has saved those credentials in their browser.
Administrators using password managers that automatically fill in credentials have hit the same issue: their credentials were entered into the SSH Username and Password fields and then saved (and stored in plaintext in the configuration files).
While the issue was fixed in CUCM 12.0, credentials stored in the past may still be discoverable. The issue can be somewhat mitigated by the following actions:
This tool reuses a lot of code from Dirk-jan's tool adidnsdump to extract a list of phone hostnames from ADIDNS over LDAP, so credit goes to him for much of the code.
To read more about the technique and the tool, read the associated blog post.
Installation
To install the tool:
git clone https://github.com/llt4l/iCULeak.py
cd iCULeak.py
pip install -r requirements.txt
Usage
Run iCULeak.py against phones with hostnames found in the DNS zone
python iCULeak.py -u domain\llt4l -c 10.100.1.29 10.100.1.1
Run iCULeak.py against a list of phones provided in a file
python iCULeak.py -l phones_hostnames -c 10.100.1.29 10.100.1.1
Flags
-h or --help: print the help message.
-u or --user: the user to authenticate as. The user should be preceded by the user's domain, so it should look something like this: domain\\llt4l. This flag is optional if a list is passed instead.
-p or --password: the password for that user. If you do not pass it as an argument, but do pass a username, the program will prompt for a password when run.
-c or --cucm-server: the address of the CUCM server. If, for any reason, the TFTP server used by CUCM to store phone configuration files is on another host, provide that host's address instead.
-l or --list: a file listing the phones to check. The file should just be a list of phone hostnames, one per line, each looking something like SEP112233445566.
-s or --save: save the results, passed along with the filename to save them to.
-nA or --no-authentication: run without authenticating (no username or password).
-O or --out-dir: save the downloaded configuration files, passed along with the name of the folder to save them to.
-v or --verbose: verbose output.
-z or --zone: the DNS zone to query for phone hostnames.