Open-AudIT
https://www.open-audit.org/phpBB3/

VoIP equipment
https://www.open-audit.org/phpBB3/viewtopic.php?f=9&t=2456
Page 1 of 2

Author:  timhillu03 [ Sat Nov 03, 2007 4:38 am ]
Post subject:  VoIP equipment

Have you guys considered including support for VoIP equipment (servers, phones, etc.)?

We run Cisco VoIP in our office, and the phones don't really get picked up well. There's no SNMP support, but they do each have their own web server running on port 80.

If you're interested in following up, let me know and I can work with you on it.


Thanks,
Tim

Author:  A_Hull [ Sat Nov 03, 2007 6:02 am ]
Post subject:  Re: VoIP equipment

What does the nmap script reveal about this equipment?

Author:  timhillu03 [ Sat Nov 03, 2007 6:48 am ]
Post subject:  Re: VoIP equipment

[code]
# Nmap 4.20 scan initiated Fri Nov 02 15:41:47 2007 as: C:\Program Files\Nmap\nmap.exe -O -v -oN temp.txt 10.0.7.0112
Warning: OS detection for 10.0.7.112 will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Insufficient responses for TCP sequencing (0), OS detection may be less accurate
Insufficient responses for TCP sequencing (0), OS detection may be less accurate
Interesting ports on 10.0.7.112:
Not shown: 1696 filtered ports
PORT STATE SERVICE
80/tcp open http
Device type: VoIP phone
Running: Cisco embedded
OS details: Cisco IP Phone 7960
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
# Nmap run completed at Fri Nov 02 15:42:22 2007 -- 1 IP address (1 host up) scanned in 35.171 seconds
[/code]


It sees the phone type correctly, but it doesn't really grab any other information. There isn't a good way to get a UUID from this device since there is no domain\systemname, it's difficult to get motherboard information, and the MAC isn't valid if it's on a different subnet.

Each phone does have its own web server, from which all relevant information is available if the HTML is parsed.

Author:  A_Hull [ Sun Nov 04, 2007 6:02 am ]
Post subject:  Re: VoIP equipment

Good start :D We should be able to ask the NMAP script to do most of the hard work. We can ask it to read and parse all of the web pages it finds on Cisco IP phones, but since I don't have a phone to play with I am shooting in the dark a bit. Will have a play next week, I'm sure we can do this quite easily, and furthermore the same techniques can be applied to pretty much anything which has port 80 open. Basically we need to ask the nmap script to parse the index page of any web server for versions etc.

Author:  timhillu03 [ Tue Nov 06, 2007 3:17 am ]
Post subject:  Re: VoIP equipment

I'm posting the HTML code from the phone's webpage. Is this a good way to do this, or should I attach a file?

[code]<HTML>
<HEAD>
<TITLE>Cisco Systems, Inc.</TITLE>
</HEAD>
<BODY bgcolor="#FFFFFF" link="#FFFFFF" vlink="#FFFFFF" alink="#FFFFFF" text="#003031">
<TABLE BORDER="1" WIDTH="100%" HEIGHT="100%" CELLSPACING="0" CELLPADDING="0" bordercolor="#003031">
<TR>
<td WIDTH="200" HEIGHT="100" ALIGN=center><A HREF="http://www.cisco.com"><IMG SRC="/Images/Logo"</A></TD>

<td HEIGHT="50" bgcolor="#003031"><p ALIGN=center><B><font color="#FFFFFF" size="6">Device Information</FONT></B><p ALIGN=center><B><font color="#FFFFFF" size="4">Cisco Systems, Inc. IP Phone CP-7960G ( SEP0123456789AB ) </FONT></FONT></B></TD>
</TR>
<TR>

<td WIDTH="200" ALIGN=center VALIGN=top bgcolor="#003031">
<TABLE BORDER="0" CELLSPACING="10" CELLPADDING="0">
<TR><TD><B><a href='/DeviceInformation'>Device Information</A></B></TD>
</TR>
<TR><TD><B><a href='/NetworkConfiguration'>Network Configuration</A></B></TD>
</TR>

<TR><TD><B><font color='#FFFFFF'>Network Statistics</FONT></B></TD>
</TR>
<TR><TD>&nbsp;&nbsp;&nbsp;<a href='/EthernetInformation'>Ethernet</A></TD>

</TR>
<TR><TD>&nbsp;&nbsp;&nbsp;<a href='/PortInformation?1'>Port 1 (Network)</A></TD>
</TR>
<TR><TD>&nbsp;&nbsp;&nbsp;<a href='/PortInformation?2'>Port 2 (Access)</A></TD>
</TR>
<TR><TD>&nbsp;&nbsp;&nbsp;<a href='/PortInformation?3'>Port 3 (Phone)</A></TD>
</TR>
<TR><TD><B><font color='#FFFFFF'>Device Logs</FONT></B></TD>
</TR>
<TR><TD>&nbsp;&nbsp;&nbsp;<a href='/DeviceLog?0'>Debug Display</A></TD>

</TR>
<TR><TD>&nbsp;&nbsp;&nbsp;<a href='/DeviceLog?1'>Stack Statistics</A></TD>
</TR>
<TR><TD>&nbsp;&nbsp;&nbsp;<a href='/DeviceLog?2'>Status Messages</A></TD>
</TR>
<TR><TD><B><font color='#FFFFFF'>Streaming Statistics</FONT></B></TD>
</TR>
<TR><TD>&nbsp;&nbsp;&nbsp;<a href='/StreamingStatistics?1'>Stream 1</A></TD>
</TR>
<TR><TD>&nbsp;&nbsp;&nbsp;<a href='/StreamingStatistics?2'>Stream 2</A></TD>

</TR>
</TABLE>
</TD>
<td VALIGN=top>
<DIV ALIGN=center>
<TABLE BORDER="0" CELLSPACING="10" CELLPADDING="0">

<TR><TD><B>MAC Address</B></TD>
<td width=20></TD>
<TD><B>0123456789AB</B></TD>
</TR>

<TR><TD><B>Host Name</B></TD>
<td width=20></TD>
<TD><B>SEP0123456789AB</B></TD>
</TR>
<TR><TD><B>Phone DN</B></TD>
<td width=20></TD>
<TD><B>7635551212</B></TD>
</TR>
<TR><TD><B>App Load ID</B></TD>

<td width=20></TD>
<TD><B>P00308000400</B></TD>
</TR>
<TR><TD><B>Boot Load ID</B></TD>
<td width=20></TD>
<TD><B>PC0303010200</B></TD>
</TR>
<TR><TD><B>Version</B></TD>
<td width=20></TD>
<TD><B>8.0(4.0)</B></TD>

</TR>
<TR><TD><B>DSP</B></TD>
<td width=20></TD>
<TD><B>4.0(2.0)[A0]</B></TD>
</TR>
<TR><TD><B>Expansion Module 1</B></TD>
<td width=20></TD>
<TD><B></B></TD>
</TR>
<TR><TD><B>Expansion Module 2</B></TD>

<td width=20></TD>
<TD><B></B></TD>
</TR>
<TR><TD><B>Hardware Revision</B></TD>
<td width=20></TD>
<TD><B>4.5</B></TD>
</TR>
<TR><TD><B>Serial Number</B></TD>
<td width=20></TD>
<TD><B>FCH09499C2T</B></TD>
</TR>

<TR><TD><B>Model Number</B></TD>
<td width=20></TD>
<TD><B>CP-7960G</B></TD>
</TR>
<TR><TD><B>Codec</B></TD>
<td width=20></TD>
<TD><B>ADLCodec</B></TD>
</TR>
<TR><TD><B>Amps</B></TD>

<td width=20></TD>
<TD><B>5V Amp</B></TD>
</TR>
<TR><TD><B>C3PO Revision</B></TD>
<td width=20></TD>
<TD><B>2</B></TD>
</TR>
<TR><TD><B>Message Waiting</B></TD>
<td width=20></TD>
<TD><B> NO</B></TD>

</TR>

</TABLE>
</DIV>
</TD>
</TR>
</TABLE>

</BODY>
</HTML>
[/code]

Author:  mikeyrb [ Tue Nov 06, 2007 3:35 am ]
Post subject:  Re: VoIP equipment

Any inkling of SNMP support? That would be ideal. Otherwise it could become a burden to support all the various HTML pages...

Author:  timhillu03 [ Tue Nov 06, 2007 3:39 am ]
Post subject:  Re: VoIP equipment

: ) SNMP support was the first thing I checked. There is none.

At least for the various models of Cisco phones the webpages seem to be pretty similar. If somebody can get the code working to add the 7940 correctly, I can modify it to meet all the models we have (7940, 7941, 7942, 7945, 7960, 7961, 7970, 7975).

Is this something that you guys want to support or is this outside the scope of open-audit?

Author:  mikeyrb [ Tue Nov 06, 2007 3:54 am ]
Post subject:  Re: VoIP equipment

I don't mind supporting it. If people want it and they write the code for it, it's relatively trivial :)

Author:  A_Hull [ Tue Nov 06, 2007 3:59 am ]
Post subject:  Re: VoIP equipment

That looks good, however, did you have to log in to the web site to see this info or is this the default web page from this host?

BTW, if you look at the audit.vbs file in svn at the moment you will see something like the pseudocode section outlined below. This does pretty much what we need to do to read in a web page from a host, and could easily be adapted to our needs. The reason I asked whether the page you sent is the default index page is simply because if it is not, we may need to pass credentials to the page, and this makes life more complicated.

[code]
' Change this to something like http://the_host_in_question/index.html
this_config_url = "http://localhost/openaudit/list_export_config.php"

' ..
' ..
' ..
'
' (AJH) Moved the file read-write-append constants to here, they were defined much later.
'
Const ForReading = 1, ForWriting = 2, ForAppending = 8

form_total = ""
this_config = "audit.config"
'
' This takes no account of the command line switches added to a forked version, but in principle
' the logic should be...
' look for audit.config and use that, if it doesn't exist, grab it from
' the web server, if we can't do that, then use the internal defaults.
' Finally modify the defaults depending on any command line switches
'
'
' First check to see if we have no config file, if so let's see if we can grab one from the server
'
Dim filesys
Set filesys = CreateObject("Scripting.FileSystemObject")

If filesys.FileExists(this_config) Then
    ' Do nothing
Else
    'wscript.echo("Creating new config")
    '
    ' This section takes a look at the local audit.config, and if there is none, it makes one from the server URL
    ' The idea is to allow us to throw the audit.vbs file to a browser and have it grab the config it needs.
    ' We should only need to set one thing, namely the URL from which we will grab the remainder of the config.
    '
    '
    ' (FIXME) We assume the local config file will always be audit.config but there may be a Command Switch to modify this.
    ' logically this is not a problem, we will try to grab a config and put it in audit.config
    ' If there is a command switch specifying a different file name we won't use audit.config anyway so it matters not
    ' if we fail to create one.
    '

    ' Now we open the web page where the remote config lives
    Set WshShell = WScript.CreateObject("WScript.Shell")

    Set http = CreateObject("Microsoft.XmlHttp")
    ' ...and we grab it..
    http.open "GET", this_config_url, False
    http.send ""
    '
    Set config_file = CreateObject("Scripting.FileSystemObject")
    Set our_config = config_file.OpenTextFile(this_config, ForWriting, True)
    '... and post it to our local config.
    our_config.write http.responseText
End If
' End of web config script.
'
' ...
' ...
'
' Then parse the returned page for whatever text we are looking for....
'
[/code]

You see the idea...

Author:  mikeyrb [ Tue Nov 06, 2007 4:11 am ]
Post subject:  Re: VoIP equipment

My guess is there is no authentication. I have experience with one Cisco VoIP phone, and the main page is not restricted.

Author:  timhillu03 [ Tue Nov 06, 2007 4:54 am ]
Post subject:  Re: VoIP equipment

No authentication required. Just browse to the IP address.

I'll have more free time after December (I graduate then), otherwise I'd just do this myself and post code. By the way, what are the procedures for posting patches/features/etc?

Author:  mikeyrb [ Tue Nov 06, 2007 6:57 am ]
Post subject:  Re: VoIP equipment

No procedure really, just add it to a thread or make a new one... If we see it and remember, we add it to SVN :) I like patch files, but if you give just the code, perhaps Andy will add it :lol:

Author:  seraphielx [ Wed Sep 30, 2009 3:38 am ]
Post subject:  Re: VoIP equipment

how about this

[code]
function get_cisco_phone_data($ip){
    //only accept a literal IPv4 address, since it goes straight into the URL
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        echo "invalid IP address..<br />\n";
        return false;
    }
    //start with the phones IP address
    $baseconfig = "http://".$ip;
    //open the site up; the http:// wrapper sends the GET request itself,
    //so nothing needs to be written to the stream
    $fp = fopen($baseconfig,"r");
    if (!$fp) {
        echo "unable to open phone website..<br />\n";
        return false;
    }
    $data = '';
    while(!feof($fp)) {
        $data .= fgets($fp);
    }
    fclose($fp);
    //convert the data to make a better match

    //start with the html tags so we can get those out of the way
    $converteddata = str_replace("</B></TD><td width=20></TD><TD><B>","",$data);
    $converteddata = str_replace("</B></TD></TR>","<end><br>",$converteddata);

    //now lets do something about the data that we want to get
    $converteddata = str_replace("<TR><TD><B> MAC Address","<start>MAC:1:",$converteddata);
    $converteddata = str_replace("<TR><TD><B> Host Name","Host:2:",$converteddata);
    $converteddata = str_replace("<TR><TD><B> Phone DN","Phone:3:",$converteddata);
    $converteddata = str_replace("<TR><TD><B> App Load ","AppL:4:",$converteddata);
    $converteddata = str_replace("<TR><TD><B> Boot Load ","BootL:5:",$converteddata);
    $converteddata = str_replace("<TR><TD><B> Version","Ver:6:",$converteddata);
    $converteddata = str_replace("<TR><TD><B> Hardware Revision","HardwareR:7:",$converteddata);
    $converteddata = str_replace("<TR><TD><B> Serial Number","Serial:8:",$converteddata);
    $converteddata = str_replace("<TR><TD><B> Model Number","Model:9:",$converteddata);
    $converteddata = str_replace("<TR><TD><B> Message Waiting","message:10:",$converteddata);

    //filter out the data and make a match
    //(a field that is not found comes back as an empty string)
    preg_match('/(?P<name>\w+):1:(?P<val>\w+)/', $converteddata, $macout);
    $macaddress = isset($macout['val']) ? $macout['val'] : '';

    preg_match('/(?P<name>\w+):2:(?P<val>\w+)/', $converteddata, $hostout);
    $hostname = isset($hostout['val']) ? $hostout['val'] : '';

    preg_match('/(?P<name>\w+):3:(?P<val>\w+)/', $converteddata, $phoneout);
    $phonedn = isset($phoneout['val']) ? $phoneout['val'] : '';

    preg_match('/(?P<name>\w+):8:(?P<val>\w+)/', $converteddata, $serialout);
    $serial = isset($serialout['val']) ? $serialout['val'] : '';

    //[^<"] stops at the "<end>" marker; the class [^<end>"] also stopped at any e, n or d
    preg_match_all('/:9:([^<"]+)/i', $converteddata, $modelout);
    $model = isset($modelout[1][0]) ? $modelout[1][0] : '';

    //now for the networking info from http://$ip/CGI/Java/Serviceability?adapter=device.statistics.configuration
    $networklocation = "http://".$ip."/CGI/Java/Serviceability?adapter=device.statistics.configuration";
    $networkinfo = fopen($networklocation,"r");
    if (!$networkinfo) {
        echo "unable to open phone website..<br />\n";
        return false;
    }
    $networkdata = '';
    while(!feof($networkinfo)) {
        $networkdata .= fgets($networkinfo);
    }
    fclose($networkinfo);

    //start with the html tags so we can get those out of the way
    $convertedndata = str_replace("</B></TD><td width=20></TD><TD><B>","",$networkdata);
    $convertedndata = str_replace("</B></TD></TR>","<end><br>",$convertedndata);

    //now lets do something about the data that we want to get
    $convertedndata = str_replace("<TR><TD><B> IP Address","IP:1:",$convertedndata);
    $convertedndata = str_replace("<TR><TD><B> Default Router 1","Router:2:",$convertedndata);

    //now get that info
    preg_match_all('/:1:([^<"]+)/i', $convertedndata, $ipout);
    $ipfin = isset($ipout[1][0]) ? $ipout[1][0] : '';

    preg_match_all('/:2:([^<"]+)/i', $convertedndata, $routerout);
    $routerfin = isset($routerout[1][0]) ? $routerout[1][0] : '';

    //now to make the return of the data
    $enddata=array('macaddress'=>$macaddress,'host'=>$hostname,'phonedn'=>$phonedn,'serial'=>$serial,'model'=>$model,'ip'=>$ipfin,'router'=>$routerfin);

    return $enddata;
}
[/code]

Usage
[code]
$phone = get_cisco_phone_data("xxx.xxx.xxx.xxx");
[/code]

Returns

[code]
Array ( [macaddress] => 001AA2969767 [host] => SEP001AA2969767 [phonedn] => 2046 [serial] => FCH1051AK99 [model] => CP-7941G [ip] => xxx.xxx.xxx.xxx [router] => xxx.xxx.xxx.xxx )
[/code]

Todo
Convert Mac address to add in the .'s
Test on more than a 7941g system as I may need to rethink the muxing of the html for the matching
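
An alternative to the string-replacement matching above, as an added example that is not part of the original post or of Open-AudIT's code: it reads the label/value rows of the Device Information page with DOMDocument and allow-list validates each value, because the page is served without authentication by the device and its contents are untrusted input to the audit database. The function names, the trimmed sample markup and the validation patterns are assumptions inferred from the values posted in this thread.

```php
<?php
// Constructed sample: rows trimmed from the Device Information page posted above.
$sample = <<<'HTML'
<HTML><BODY><TABLE BORDER="0">
<TR><TD><B>MAC Address</B></TD><td width=20></TD><TD><B>0123456789AB</B></TD></TR>
<TR><TD><B>Host Name</B></TD><td width=20></TD><TD><B>SEP0123456789AB</B></TD></TR>
<TR><TD><B>Phone DN</B></TD><td width=20></TD><TD><B>7635551212</B></TD></TR>
<TR><TD><B>Serial Number</B></TD><td width=20></TD><TD><B>FCH09499C2T</B></TD></TR>
<TR><TD><B>Model Number</B></TD><td width=20></TD><TD><B>CP-7960G</B></TD></TR>
</TABLE></BODY></HTML>
HTML;

// Collect "label, spacer, value" rows; layout rows with other cell counts are skipped.
function parse_device_rows(string $html): array {
    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true);   // the phone's markup is not well-formed
    $doc->loadHTML($html, LIBXML_NONET);        // never fetch anything the page references
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    $rows = [];
    foreach ($doc->getElementsByTagName('tr') as $tr) {
        $cells = [];
        foreach ($tr->getElementsByTagName('td') as $td) { $cells[] = trim($td->textContent); }
        if (count($cells) === 3 && $cells[0] !== '') {
            $rows[$cells[0]] = $cells[2];
        }
    }
    return $rows;
}

// Allow-list patterns are assumptions inferred from the sample values in this thread.
function validate_phone(array $rows): array {
    $rules = [
        'MAC Address'   => '/^[0-9A-F]{12}$/',
        'Host Name'     => '/^SEP[0-9A-F]{12}$/',
        'Phone DN'      => '/^[0-9]{1,15}$/',
        'Serial Number' => '/^[A-Z0-9]{8,16}$/',
        'Model Number'  => '/^CP-[0-9A-Z]{3,10}$/',
    ];
    $out = [];
    foreach ($rules as $label => $re) {
        $v = strtoupper($rows[$label] ?? '');
        $out[$label] = preg_match($re, $v) === 1 ? $v : null;   // null = rejected
    }
    // In both samples on this page the host name is "SEP" followed by the MAC.
    $out['consistent'] = $out['MAC Address'] !== null && $out['Host Name'] === 'SEP' . $out['MAC Address'];
    return $out;
}

print_r(validate_phone(parse_device_rows($sample)));
```

A value that fails its pattern comes back as null rather than being stored, and a false `consistent` flag marks a page whose host name and MAC disagree.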

Author:  seraphielx [ Wed Sep 30, 2009 3:51 am ]
Post subject:  Re: VoIP equipment

working on the following systems:
CP-7941G
CP-7961G
CP-7942G

Author:  seraphielx [ Wed Sep 30, 2009 4:21 am ]
Post subject:  Re: VoIP equipment

mac converted

[code]
function convert_mac_address($mac){
//mac address should be like this 0024C4BF5D0B 12 chars
$mac = str_split($mac, 2);
$convertedmac = implode(":", $mac);
return $convertedmac;
}
[/code]

All times are UTC + 10 hours