TFTP Commands

[PaulMcGuinness]

Hi All,

Ok... I've managed to packet-sniff the Manager software and work out how to :

a) Get a list of all IP Offices (from a Cybergear Gold updwards!) to say "Woo Hoooo... I'm Heeeaaaarrrr"
b) Download the ENTIRE configurations without providing a password or username!

My questions now are:-

1. Does anyone have a faintest idea how to decode the .cfg file?
2. What other TFTP commands are there which are not readily documented?

Regards,

Paul

 

[intrigrant]

There is no list of tftp commands. There is no explanation of the lay-out of the config file, basically it is just a memory dump of IP Office and it has a dynamic size.
However, as you are hacking the software already...
Manager is build with .NET and there are some real good disassemblers on the net, maybe you can use the Avaya dll's for your own purpose... the software IS copyrighted and may NOT be altered etc... without written permission by Avaya.



NIHIL NOVI SUB SOLE

 

[PaulMcGuinness]

Many thanks....

NIHIL NOVI SUB SOLE?

 

[intrigrant]

Nothing new under the sun?
Everything has been done once, like disassembling, i have done that but the big disadvantage is that everytime there is a new version with new features and thus a different lay-out of the database. I surrendered and don't work on that anymore...

NIHIL NOVI SUB SOLE

 

[IPGuru]

Decoding the CFG file is easy :-

start manager
file/ofline open file



how are you extracting the cfg?
I have done somthing similar that enables me to reveal the system password but most of the actual configuration is empty.

 

[robboardman]

what do you actually want from the config file?

there could be a better way of getting the information!!

Robb

 

[PaulMcGuinness]

Ok,

We have an automated PABX auditing tool that I have jointly developed. It basically dials in (via Modem, RAS, VPN or Tracker) to the switch and downloads the entire config and stores it in a SQL database. Users can then perform reports on a PABX, groups of PABX's or an entire estate of clients.

The advantages are;

1. Its automated - no human intervention
2. Its accurate - no human mistakes
3. You don't need to know anything about PABX's to use it
4. All the reports are the same regardless of PABX vendor
5. All the reports run from a standard web browser in a point-n-click drill-down fashion.

What I need to get (without using the Manager software) is a list of;

a. Cabinets & Cards (physical or virtual)
b. Handsets + type + features
c. Trunks + routing
d. Software options
e. Anything else that might be useful!

Regards,

Paul

 

[robboardman]

try doing a ethereal/wireshark trace of a phone manager session, and a monitor trace give a bit of info when it first logs on

Robb

 

[PaulMcGuinness]

Robb,

I have... that's how I worked out how to get a full config dump without logging in.

It doesn't actually log in to get the .cfg file, it simply uses TFTP but with a malformed filename that you can't use with the command line TFTP program.

If you are interested, the filename it requests is:-

config/$t%$'~ q

Regards,

Paul

 

[PaulMcGuinness]

For anyone who is interested, this is exactly what happens:-

Manager > Send "nasystem/who_is" to port 69 at 255.255.255.255 as a UDP datagram in TFTP format.

IP Office(s) > Send back to requesting port details about yourself

Manager > Send to port 69 at IP address of one of the acknowledging switches "config/$t%$'~ q" as a UDP datagram in TFTP format.

IP Office > Send Config file in 512 byte chunks

Manager > Send TFTP Ack for each block received (e.g. &H00 &H04, &H00 &H05 0405 -> Ack, Block 5)

Repeat until block size received <512

Easy really, and highlights that there is zero security on the configuration, other than the fact that each switches config file looks slightly different...

 

[robboardman]

config/$t%$'~ q

this is the hashed manager password for the system you'll need to make sure you know how to create a hash of the manager password to enable you to do it on all systems.

Robb

 

[PaulMcGuinness]

Ah...

Mmmm....

Ok - Need to work on that then!

 

[intrigrant]

I have a C++ routine for that:

main(int argc,char **argv)
{
int i;
unsigned char buf[32];
strcpy(&buf,argv[1]);
for (i=0;i<strlen(argv[1]);i++);
printf("0x%2.2X ",buf+0x11-i);
printf("\n");
}

But with 3.2+ version i don't think it will work because of the security? Never tried it.

The config/$t%$'~ q can be used from the DOS prompt:

tftp -i 192.168.42.1 get "config/$t%$'~ q" c:\config.cfg

The following will reboot the IP Office:
tftp -i 192.168.42.1 get "/nasystem/reboot/$t%$'~ q"

There is a lot more to get out of the IP Office but is it usefull? I don't know.

NIHIL NOVI SUB SOLE

 

[PaulMcGuinness]

Ok,

Here is the 3.2 algorithm in VB6;

Private Function Encrypt(ByVal a As String) As String
Dim N, L, C

For N = 1 To Len(a)
L = Asc(Mid$(a, N, 1)) + (12 + Len(a)) - (N - 1)
If L > 127 Then L = L Mod 96
C = C & Chr(L)
Next
Encrypt = C

End Function


The important difference is;

a) The offset (11 in your example) is dependant on the length of the password

and

b) You have to limit the range if the ascii code exceeds 127 (modding it with 96)


Now that we have password hashing sorted, what useful commands can I issue other than getting the .cfg file and rebooting it?

I'm after the config in a 'readable' form if possible!

Regards,

Paul

 

[PaulMcGuinness]

Ok,

My "Probe" program is now starting to get somewhere...

These are the command's I have managed to get working (password obviously replaced with the 'hash' one);

nasystem/config/password
Returns the .cfg config file

nasystem/who_is
Returns MAC, Type ("IP 403"), class ("CPU"), Version ("3.0 (578)") Name and State ("3" - whatever that means)

nasystem/hunt_list
Returns all the hunt groups

nasystem/user_list2
Returns the telephone directory with what appears to be MAC addresses?

Any more that anyone knows about?

Regards,

Paul

 

[ronromano]

Wow, this is really useful stuff!

Not.

 

[PaulMcGuinness]

ronromano - Maybe not to you, but then again... you don't have to read it or waste valuable seconds of your life replying either...

 

[ronromano]

Lighten up sport, just having some fun with you. You're right, I should get back to business and let you get back to banging your head against the wall.