Thank you. Jake wouldn't do a talk with no shoes this year, I don't know why, so I'm going to do it for you, Jake. So, hey, thanks for wrapping up your Saturday. It's a beautiful day out, and what is it, 4:00? The fact that you stuck around, I appreciate it. Hopefully you won't be too disappointed. Yeah, you're going to be disappointed, but we'll go on with it. So: Internet of Terrible. Can you hear me? Meow.

A little bit about me: Brandon Mcris, Rendition Infosec. We're hiring. Have we said that we're hiring yet? Yeah, we're hiring. We're hiring. I need a break. So, contact information.

All right, so we're going to discuss case studies of conducting network enumeration using Voice over IP infrastructure and other embedded devices. I'm also going to highlight attack methodologies used for credential harvesting, enumeration, denial of service and persistence, and practical defensive techniques for the defenders: real-world mitigations via, who knew, monitoring and secure configuration, which still tends to be a thing. I don't know how they got in there. Yeah, just ignore that.

So, times have changed. Check out this Texas Instruments advertisement from 1982. Look at the specs on the computer itself. More than one thing has changed about that ad; if anyone knows anything else that's changed, maybe it's worth a drone, I don't know. But yeah, times have changed. We're increasingly more connected, we're more out there on the interwebs, and that's a problem. It pays Jake's daughter's college tuition bill, but hey, times have been changing. So even though they canceled this, I was like, man, I really need to reuse this slide from my USMA talk back in March, CyberTalks Atlanta.

The Internet of Terrible: the internet's going to kill you. Spacebar, beep bop, click.com, you can read it. Man, it's a scary, scary world out there. Next slide. So, damn internet, you scary. There's a lot of stuff out there where I'm just like, wow, why are you even doing this? Slow on the uptake, right? Spy-on-you Barbie. There is nothing creepy about this picture, though others have told me that there is. I was dismantling Barbie and I took a picture of it. I'm not sure where her head is now; it might be somewhere in the office, and that's all I'm saying.

[Audience] Is it still on your desk?

It is still on the desk. That's equally creepy. Spy-on-you Barbie. So, real quick, Rendition jumped on Hello Barbie. We purchased one of these things and took it apart. At its core (Mike Banks, you helped with this, remember that?), Barbie's kind of dumb. A lot of her processing and intelligence was all cloud, so Barbie herself, if we're humanizing a toy, is kind of dumb. We could still do some things, like hot-mic it, throw it in the back of Dad's car, hot-miked, and see what happens over the weekend. But hey, embedded devices doing things with stuff.

So we have more of these embedded devices, as Jake was talking about earlier in his talk, which is fantastic. A lot of embedded devices out there, a lot of things that are running web servers and web services that are easily exploitable, not secure by any stretch of the imagination, and it's getting worse. This was a picture, I apologize if you can't see it, of a Delta Airlines in-flight entertainment system booting up a Linux kernel. Why not? You probably can't see some of these dates in here: 2002, 2001. How are they patching these things? I mean, we still see Delta with Windows 2000 computers keeping the plane in the air. So, yeah, this is my point: more embedded devices out there, many services, much lulz. I said that backwards, but you get my point. Living off the land: what can we do? What do we see in real-world penetration testing and vulnerability assessments?

These are all real-world engagements Rendition has done. The first one is an AirMagnet WIPS, a wireless intrusion prevention system, with default credentials. I was showing this to the client and, oops, I logged in, because I tried "admin" first instead of "AirMagnet sensor" as the user. Oops. But in a regulated environment everyone's constantly thinking: secure the endpoint, secure my Windows box, secure my server, secure this. But something that's supposed to be filling a security role for you, let's just keep that default. Not so much.

This is a web GUI with level 15 exec on a router in the same network. Hey, little command box, let me do some clicking. Definitely things that you don't want accessible to your internal users.

The quintessential webcam. We see this all the time: default creds. It's cool to show a client. You add a password in there, and you can zoom in and see what's possibly on that gentleman's screen. Because I don't have much of a life, I just sat there and watched video for a while. One of the things I showed to the client was that I turned off a lot of their video logging, which is definitely bad if you're hoping to have that in your call center or whatever. I hoped it was the IT department. So I'm watching videos and I see these two ladies setting up this banner and taping it, and then as I'm going through the video, all of a sudden a little bit of it is gone, right? So I was like, all right, I'll isolate that exact moment in time where that fell, and maybe they'll catch the culprit that ripped this thing down. Again, I was bored. So around 2 AM the wind blew and it came down a little bit here. I thought that was great. And like I said, I know I need help.

So this one: we have an FTP server running on an APC UPS device. Let's say a rather large APC UPS device in your rack in your data center, and instead of one we'll say, I don't know, it doesn't matter. A default-credentialed FTP server running. I grabbed a config in this particular shot. So, hey, who cares? Okay, so you can grab my config for my UPS. Well, what can I do with your config? Let's see: I can re-upload a new config to you, I can enable SSH, I can change your DNS server, I can enable Telnet, I can do all kinds of crazy stuff with it. And because I have your default credentials, I'll throw that thing back up on there, maybe take it out of bypass mode, remove all your thresholds. Maybe it's not really serving as a UPS at that point, and you're not going to find out until it's too late. Full disclosure, this was a credit card environment, a credit card processor, we'll say, hypothetically. What is one minute of downtime to an international credit card processor? Probably a lot of freaking money, right?

This screenshot here: they had their read and write SNMP community names sitting in there. I blacked them out to protect the innocent, but things like that are another breadcrumb where I can now start targeting more of your core infrastructure.

[Audience] How many devices were those credentials shared with on the network?

How many devices was the SNMP credential shared with? Well, we owned their SolarWinds box, so I guess we could go figure that out. Pretty much all. And typing your company name and then putting "priv," and typing your company name and putting "pub," isn't really obscuring or making this community string any harder to guess. Just saying.

So, the bread and butter of this one: I can go in as administrator, and I can reboot the UPS, put it to sleep, put it to bypass, or just turn the whole damn thing off. And the client's like, well, how does this affect me? And we said, well, we'll go and shut them all off, and they're like, no. So hopefully you get my point.

Getting on to the Voice over IP infrastructure stuff: a ShoreTel IP 800 phone, laughing at my... the hostname's called "mistake." It had default creds; that was a mistake. So what can I do from here? Well, I'll check out the numbers you've been calling. Just so happens this is in an executive conference room, we found out after the fact. This is one of three devices that we located, all default creds for ShoreTel. So at 3 in the morning I'm like, I'll just call somebody. I don't know whose
phone rang, but demonstrating: could I hook up a little headset, could I reroute that traffic, could I do some redirection stuff? Can I call the CEO at home and say there's an emergency? Can I call the IT department and say, hey, don't come in until 10 tomorrow? Who knows. Can I call your mom and say you're going to be late for dinner? I'll probably do that.

One of the coolest things built into this, because why not: you have your little web GUI for this device that's really just enabling you to conference with other entities, and there's a little utility in there that had ping, traceroute, some other kinds of things. I'm not even going to speculate what privilege level on the actual device ping was running as; I'll let Jake fill in the blanks, or please review his talks and you can kind of figure it out. But I started mapping the network, in a rudimentary fashion, from an IP phone, using default creds. Okay, so they had a security operations center. As a SOC analyst, if you start seeing traffic from this IP phone, are you going to instantly say, oh, it's an attacker? You'd be like, that's a ShoreTel device, it's a piece of junk, it's pinging all the devices in the network. I don't need to be on your endpoint. I don't need to mess with EMET, I don't need to mess with your antivirus, iptables, I don't need to mess with any of your other catch-the-bad-guy techniques or countermeasures. I can just hang out here and get a good initial baseline of what your network looks like.

So, Avaya. This is a big call manager. This does everything from Voice over IP, a little bit of switching stuff, it does some conferencing. Another default credential sitting on the trusted LAN in a PCI environment. So I found out, well, this thing's got SSH going. It only took me two sets of creds, and that's because I Googled "Avaya Aura default creds." The second one got me in. Hey, welcome to your new account. So now we're sitting here as the user "cust," which is an Avaya hard-coded user that is for support of the device itself. Does the client know that? Hopefully that's in your lay of the land, knowing your network. But yeah, "cust" and then "cust1" as a password. I'm on SSH; I didn't really show you in that screenshot, but again, if you saw Jake's talk earlier, that thing was running Linux 2.6. So I get on there as a user. How quickly can I get to root, and what can I do at that point? I pretty much own all of your VoIP infrastructure at that point. I can mess with your phones, I can mess with your traffic, I can do all kinds of nefarious things. And this thing's also storing backups. I was actually kind of freaked out; I thought that was a Social Security number when I put that slide up, and I was like, oh crap. But it's not, I swear, no one write that down. But up here you see "IP phone backup." So I grab my IP phone backup, I unzip that, and I'm getting all kinds of enumeration of users; some of them had titles in there. This one's pretty benign, but they were, you know, CEO's office, things like that. Hey, now I have another breadcrumb on my trail to owning all of your infrastructure. So, it being Linux 2.6, I compiled a logrotate exploit, or sorry, vi'd it, threw it into exploit.c. I needed a compiler, because there wasn't one on the device. The device was configured so it could not talk out to the internet, but cool, I just threw a compiler on my redirector, my Kali box, and just did a wget locally to that, and there you go, I now have a compiler. You fill in the rest of the blanks; it's owned.

So, Voice over IP. I did a talk for the US Military Academy, and I discussed one of our largest incident responses that I was a part of when I joined Rendition. The head of the incident response said, hey, if you were in the network and you were tipped off that we're going to start this incident response and try to remediate things, what would you do? And I was like, I'd be in your VoIP phones, I'd be in your infrastructure, I would be embedded so deep in places that you're not even going to look for me. So after that talk I was like, well, I should probably do another talk on what I meant by that, and here it is.

What is VoIP? Definitely not that. That's one of the first hits when I Google "what is VoIP." Yeah, there's too much to say about that; that's not what VoIP is. So, Asterisk. Asterisk is, let's say, we'll say it's a PBX, right, a public branch exchange. It handles your public switched telephone network traffic, your VoIP traffic; basically, your phones are talking through this thing. "Where it's at: two turntables and a Polycom phone." If anyone's a Beck fan, hopefully you got that.

What's in the box? So, in the box: after this talk I flew up to Columbus. Another guy that works for Rendition, Jeff, owns a PC recycling company and does a little eBay, and he's like, hey, I have a whole pallet of these Polycom phones, do you want one? I was like, sure, I'll definitely take one. This is kind of how it came. Let's move on.

So, factory reset these damn things, right? The boot server address is in there, and I found some other interesting information that was just sitting on the phone. There's actually a "factory reset me" button, or it's in the menu; it's not that hard, especially if you're changing out devices. Now, this Polycom SoundPoint IP 501 phone is probably 2006, 2007 era, at $200-plus a piece. Are they probably still doing their job in large environments, or in any corporate environment? Heck yeah. If they're working and doing their thing, I'm sure they're still around. I traced the IP; it came out somewhere around Washington, DC. We'll leave it at that.

So, pulling up the Polycom provisioning documents, it was like, hey, if you want to make your local machine the provisioning server for all these phones, just do it. And I was like, oh, awesome. I also found out that anything that you change or modify on the phone itself, where you can set your boot server, your provisioning server, syslog server, anything like that, hard-coded on the phone or entered on the phone, overrides anything that's provisioned over the network. Okay, so you have physical access there, but I really don't need to do that. If you see in this other slide, it's looking for phone1.cfg and sip.cfg over TFTP. So I can change that to FTP, I'll run a little FTP server on my local box, I'll throw a default or modified phone1.cfg and a sip.cfg in there. The phone just reaches out with default FTP credentials and says, hey, do you have these files? If you do, it sucks them up, it consumes them, it reboots, and it runs like that. There's no "hey, I don't think you're really my provisioning server." The phone just does what you tell it to do, because it's dumb, like Barbie.

Default creds. Actually, in Mike's talk earlier, that PlcmSpIp, I saw it in your top list, like number 11, right? So I thought that was kind of interesting. Default user password 123, default admin password 456. Considering that these phones were not factory reset, can you guess what the recycled phones' credentials were? Oh yeah, the default creds. Not a good thing, not a good thing.

The phone itself has a little web GUI, and it asks for authentication, so I'm like, cool, I'll bite. Authenticate over HTTP. I mean, we're dealing with default creds, so I was like, okay, not a huge deal, right? But let's say you're like, man, I'm really going to go in and secure my VoIP phones after this talk. Know that it's still sending creds in the clear. So in the packet we see a little Base64-encoded string; we throw that in some PowerShell and out comes Polycom, 456. Easy. One of the first things I do when I get into any net is I just run Wireshark for a while, or a pcap capture, and baseline the net. You can capture those creds in plaintext all day. Depends what you're going at.

So to continue my research I had to get a PBX, or at least I felt like I wanted to mess with a PBX. AsteriskNOW is Digium's free Linux distro of FreePBX. It sucks to configure. Anyone that does that for a living, configures these phones, man, I applaud you, because that thing just sucks, especially in a VM. It did not want to play well installing into VMware whatsoever, but we got it done. One of the cool things, and this goes to the defensive side: you try to put in a password on there for root and it's like, ah, that's a dictionary word. It's doing some rudimentary analysis on what you're typing in there, and like a good user I'm like, yeah, use it anyway, cool, I don't care. It's an IP phone; who would target my IP phone, and why? The AsteriskNOW GUI also comes up saying that we have a default admin password, a default Asterisk manager password. Hopefully people that are configuring these things don't think that this was built into the web GUI to alert you to these things for no reason at all. Obviously it's screaming at you to change things.

Calling your mom: I think your mom's nice, I like
talking to her on the phone.

Common attack vectors, historically, for Voice over IP infrastructure are information gathering and enumeration, monitoring and eavesdropping, VLAN hopping, attacking authentication (which we kind of already did a little bit), denial of service, flooding, and spoofing caller IDs. All awesome things to do, and we're going to do some sexy things with these phones.

So, when an attacker owns your VoIP. One of the coolest things for me, and this isn't just Polycom-specific; Cisco also does this, some Snom phones, pick your VoIP phone vendor, check this out. There's a SIP NOTIFY packet that has a check-sync in there. Basically, what this does is it goes to the phone, the phone responds with a 200 OK, and the phone reboots and then grabs a new config. It doesn't say, "who are you, sending me this packet?" It just says, sure, I'll reboot. So, if I have, one, taken over your provisioning server at this point, or two, masqueraded as your provisioning server and pointed you in my direction to grab your config, I can just reboot all these phones widespread, have them suck up my new config, and I win. It actually says in here, remotely rebooting the phone, in the Polycom manual, like this is an everyday, ordinary admin task. I'm sure this saves many, many man-hours, but an attacker can use this to his or her advantage and own your VoIP. There you go: forced consumption of a tampered configuration to the phone, completely unauthenticated.

So let's think of a check-sync DoS, or DDoS, sorry. I'm in your network; let's say my purposes aren't exfil of data or SIGINT collection, I'm just there to wreak havoc. Maybe I start DoSing all of your IT department phones, right? I have these things just constantly in a loop, rebooting over and over and over again, and at the same time I'm powering off all the UPSes in your data center, I'm crushing some of your servers. What's your incident response really going to look like? You're relying on this kind of stuff. Maybe you can tie a note to a rat and kick it down the hall and hopefully you get some help. Interesting things here. What's that? Tie it to the cat? Yep, tie it to the cat. Herding the cats with all the notes on them is hard.

So there's an awesome Python-based SIP packet forging tool. I'm sitting there with Scapy and I'm like, all right, I'm going to capture one of these check-sync packets and then I'm going to replay it maliciously and wrap that into a loop. Good thing this guy, a nice Italian gentleman, Mr. Bera, made this "siping" Python tool, which basically lets you craft SIP packets, whether it be a specific message that you want sent to the phone, or to push a new config to have it reboot. I used it for the check-sync packets and it worked like a charm. A couple of switches: -s for source, -d for destination, -p for port, type in 5060 for SIP, hit the "make go now" button, and your phone reboots.

Another cool one I found: special extensions. So if your CEO's phone is extension 3000, right, I can add an extension called, we'll name it 3001 (it's hard for me to think of 3001). Now what I can also do is set how the phone answers that, right? So when I dial 3001 it goes to the CEO's phone. I can set that thing to auto-answer with no user notification at all and turn on the mic. That's a great way to monitor. Think of an attacker hot-miking a bunch of phones in your security operations center to see what they're scrambling after, how you're trying to get me, what you're trying to find next. Maybe I just want to hot-mic some of your C-level execs if I'm trying to steal proprietary information; maybe I'm a competing business, who knows. The fact that this happens, that you can just have this phone not even ring once and just go into hot mic, just blew me away. So, guilty knowledge now; please use it for good only.

You can also do the same thing with a group of extensions, right? So I can say, all right, extension 9000 is going to ring these 40 phones. I can do the same thing: have it auto-answer, have it hot-mic, have it do all kinds of stuff. I can lock out the user, just by setting how I want this phone to respond when called on this other extension. Now, to the user, I'm not messing with their normal extension; I'm adding something that is not known to them. They don't know this is happening. Their phone still responds and does everything it's supposed to do, except when I want it to do something special, it will do it. If you're curious, it's the voIpProt.SIP.alertInfo.1.class parameter; you set it to a value of 3, and it auto-answers without any ringing. Very easy. Like I said, this is your sip.cfg. If you remember before, your Polycom phone by default was looking for phone1.cfg and sip.cfg. So I make this little modification in my sip.cfg, I host it locally on my FTP or TFTP server, I send a check-sync packet to your phone, it reboots, there you go, I'm good to go.

The most scary, in my opinion: VLAN hopping. VLANs, what VLANs? That's excellent network segmentation until you plug it into the other port, and then you're riding a trusted VLAN for your Voice over IP phones, which likely bypasses firewalls and proxies. Maybe you have a content filter at your place of employment that doesn't like you to go to XYZ website. As in most administrators' and most configurations we see, the Voice over IP VLAN is explicitly trusted. Rock on.

How does this work? You have two ports on the back of your phone, right? We'll say VLAN 20 is for the Voice over IP traffic directly to the phone, and then VLAN 10 is computer traffic, right? If you didn't know, if you have one of these kinds of IP phones, let's say you have a Cisco IP phone sitting next to your desk, or one on each side of your monitor, I don't know, I'm speaking hypothetically here, it's your gateway: your traffic from your computer goes to the phone first. And like I said, it's like Barbie; the phone's not very smart. No offense to Barbie, I'm sure she's really smart in real life, I never met her. But it's not too hard to trick this thing and say, well, I'm going to plug into my network port instead of the PC port on the phone. And most of these phones, you know, Cisco supports CDP. Spoiler alert: the VLAN ID is actually hard-coded into the phone. So if you go through the menu and you type your 456 crazy admin password to get into the thing, you can actually see your VLAN tag. Maybe I add that to my traffic over here. Or maybe I just start sniffing for CDP traffic and I see my voice VLAN ID. There you go, rock on, I am now sitting on your VoIP VLAN instead of being directed through your monitoring devices, firewalls, what have you. Don't try that at home. Don't try that at home.

So there are some ways around this. You can Google pretty much how to sinkhole your IP, right? So if you're on your Voice over IP VLAN, let's say extension 3000, that phone is disconnected; you can then say anything that connects on that interface, we'll just black-hole that until we figure it out. That kind of gets around people doing the whole plug-and-play, grabbing a new IP address on this Voice over IP VLAN and rocking on. That's one way to mitigate this stuff. Also, Mr. Bera, who does the siping tool, has a great blog post about how to block and filter SIP traffic using iptables. So, two different ways there.

So, Kali, Metasploit. Old versions of Kali, and we'll even say BackTrack, BackTrack 4 or 5, had a lot more robust Voice over IP tools. Current Kali distros, let's say 2.0, you're going to see a lot of this under Metasploit in auxiliary/voip and auxiliary/scanner/sip. It's mostly enumeration scripts, and then a little bit of funky Voice over IP
exploit tools in there for client-based stuff, like a Windows Voice over IP application, things like that. The old versions of Kali, or if you're going to backport to BackTrack, you'll see the SIPVicious, sipdump and sipcrack tool suites, and that does everything from man-in-the-middling your authentication between your phones; it can dump creds, you can mess with configs, do all kinds of cool stuff there.

Future development: SIP tunneling, I mean, that's not too hard. An exploit and exfiltration framework, I think, would be awesome to see. If you can ride through a whole network, through your scanning, enumeration, recon, exploitation and persistence phases, using nothing but this sort of infrastructure, and then hopping between these embedded devices and the call manager and all that, do you really need to be on a Windows box? No. If I have your Avaya call management system, can I just map a share to your file server and start sucking things out that way? Yeah. Is your SOC analyst going to say, wow, this call manager is doing some weird SMB traffic now? Maybe. Maybe they'd be like, huh, that's weird, right? More cat videos.

Enumeration of trusted devices within the information system: I think that's great. I'd like to see some more robust tools from the Voice over IP side to be able to just enumerate your Windows boxes, an nmap for VoIP devices, so to speak. And then flashing custom firmware. These things run a lightweight embedded Linux kernel; flashing it like you would an access point or something like that. Sorry, the Avaya, and some Asterisk distros, actually are so lightweight that you can throw these things on pretty much anything. It's not an incredible amount of space. Maybe you could repurpose some of this stuff, what have you.

Just wrapping it up: trusted can't be trusted, right? You'll see it all over the place; hopefully you don't see it in your own networks. A former employer, yeah, their Voice over IP VLAN was trusted, and simply removing the plug from your PC port and putting it into your network port allowed you to bypass the Blue Coat proxy and hang out over there. Trusted can't be trusted. You have to not trust anything, and then allow more things out. Lock it down first.

Secure monitoring, secure configuration: monitoring for the win. Monitor your network, know what things look like, know what your traffic looks like. Configure your devices securely. Nothing should be default, even if it's something as simple as a defibrillator or an IV pump. Make sure that it's configured securely, that services are running with the least amount of privilege, and that you're changing these default passwords. Know your network better than I will. You do this for a while and you can very quickly baseline a network. Everyone that's involved in the configuration and administration of the information system as a whole should know that network way better than I can in 10 minutes, pinging and doing some sniffing from a call manager box. Man, I don't know how these got in there. I cut a little early. Thank you so much, I appreciate it. Any questions? I'll take some. I know we have some swag stuff.

[Audience] Yes sir. So with the recent BlackEnergy hack that hit out in... I was curious. I heard that they were doing DoSing of the phone systems; is that related to the same methodology that you described in your slides?

So I don't have any firsthand knowledge on exactly how they were doing a denial of service on phones. I would expect that it's a very similar kind of way. I mean, you can flood these things with packets. I still... I mean, the check-sync packet, the fact that I can just send that to any phone and have the thing reboot and loop, is just crazy to me. I can speculate and say, yeah, that's a way that I would do it if I wanted to lock out phones.

[Audience] Did you check out any of the call recording features built into Asterisk?

So, yeah, like I said, Asterisk is a pain in the butt. Excuse me. Asterisk is a pain in the butt. Yes, I was researching some ways to suck that traffic out. I believe it's called... the name escapes me now. There is actually a tool that's in Metasploit, or in the Kali distros, that does that: it grabs Cisco VoIP traffic and some other vendors' VoIP traffic and converts it into WAV audio files.

[Audience] Is there any firmware that's like a DD-WRT for phones, to secure them, or is it mostly just for exploitation of these?

Interesting you say that. I was actually reading just before, because obviously I've been geeking out on this for a little bit; there's actually an OpenWrt PBX-type distro, and OpenWrt has its own kind of vulnerabilities there. Is there an open source, OpenWrt-type distro for that? I mean, FreePBX comes in very different flavors. You have the Digium version, AsteriskNOW, which has all of your features of FreePBX, which is distributed under the GNU Public License; however, Digium likes to charge you for other things. They have some very cool endpoint manager plugins and modules, and they're nickel-and-diming you. There's FreePBX; the main FreePBX project also puts out a kind of more lightweight FreePBX distro that's more, I guess, configurable. Does that answer what you're asking?

[Audience] Okay, so coming back to the question about the firmware for the phones, the answer is "not yet, stand by."

Yeah, not yet, stand by. That's why I invited you, Jake. That's why I invited you.

[Audience] So when you're hot-miking the phone, is there any type of indication for the end user in the room, or for the administrator going through logs?

So on my Polycom, and again this is just the Polycom 501, the free recycled phone here; we stay pretty busy at Rendition, so I do have, and my wife will back me up on this, just a pile of phones that I haven't messed with yet. Specifically for the Polycom, the red light turned on. Would a user be able to distinguish that? It's also the same light that alerts you to a voicemail. A lot of people never check their voicemail, and I'm sure at their desk it's just a red light, always on, right?
would you be able to tell I don't know uh it's far as logging logging on the phone itself I mean they're they're they're pretty dumb I mean it will log to a sis log server I uh in the default configuration there was no syis log server setup um so on the phone itself not so much uh on the PBX side more so um however uh like specific tasks I haven't seen logged uh granularly if that makes sense um and now I got another question just one I got one question can anyone tell me what the default polycom web credentials are uh for a drone I saw you what's the username what polycon po what's it what's it
creds polyc polycom password is I'm just messing with you uh George you had a question about I'm just curious said like I don't know every phone in the network with packes the fact that those phones Rebo is that audited did that Lo somewhere does that go back to the manager I mean you would you would yeah you would hope um you know some some vendors have it uh that that checks syncs they they'll support checks sync with reboot but only if the config is changed on the provisioning server um so it depends on kind of how you're doing that attack um you know if if if I'm if I'm becoming the provisioning server then obviously my modified times of my
configs and stuff would make the phone think that they're brand new if I'm just trying to get it to reboot um in that kind of environment yeah that would have to be an extra step I'd have to actually find the provisioning server do some modifications over there in order to trick the phone to just reboot without check not that I not that I saw on the PBX side no no not that I saw um you know again uh for a uh 35 45 minute talk you know there's there's this could be uh this could be an incredible Workshop I'd love to to get a bunch of uh you know 20 phones out and we can just go to
town uh however you know this isn't quite the format for that uh but no haven't seen any explicit logging for that uh I would say uh full take uh packet capture or or even limited packet capture inside your network is a is a useful thing uh very easily you can look at a a sip packet uh sip notify packet with a with a check sync message in there uh and be able to you know block that or redirect that or or or do whatever uh inside your network and hopefully uh that would be your best mitigation there I mean how often in in this scenario thank you in the scenario where I was on the
Ava right um I was the the first time I was the first user to ever log into that thing via SSH right how often are you checking logs on the PBX um probably not so much right uh and again if if your phone starts acting weird and your phone's rebooting I think most people are going to say this phone's a piece of crap let's get a new one uh not uh an attacker on here trying to trying to mess with me so anything else some prizes more question um first thanks thanks thanks for