Open-AudIT

What's on your network?
It is currently Wed Jan 17, 2018 5:21 pm

All times are UTC + 10 hours




Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 17 posts ]  Go to page 1, 2  Next
Author Message
 Post subject: VoIP equipment
PostPosted: Sat Nov 03, 2007 4:38 am 
Offline
Newbie

Joined: Thu Nov 01, 2007 1:13 am
Posts: 6
Have you guys considered including support for VoIP equipment (servers, phones, etc.)?

We run Cisco VoIP in our office, and the phones don't really get picked up well. There's no snmp support, but they do each have their own web server running on port 80.

If you're interested in following up, let me know and I can work with you on it.


Thanks,
Tim


Top
 Profile  
Reply with quote  
 Post subject: Re: VoIP equipment
PostPosted: Sat Nov 03, 2007 6:02 am 
Offline
Moderator
User avatar

Joined: Tue Jan 25, 2005 3:09 am
Posts: 2140
Location: Scotland
What does the nmap script reveal about this equipment?

_________________
Andrew

OA Server: Windows XP/ XAMPP, Mandriva/Apache, Ubuntu
Auditing: 300+ Wstns, 20+ Srvrs, Thin clients, Linux boxes, Routers, etc
OS's: Windows XP , W2K Srvr, W2K3 Srvr, W2K8, Vista, Windows 7, Linuxes (and a Mac at home)
LDAP: Active Directory


Top
 Profile  
Reply with quote  
 Post subject: Re: VoIP equipment
PostPosted: Sat Nov 03, 2007 6:48 am 
Offline
Newbie

Joined: Thu Nov 01, 2007 1:13 am
Posts: 6
# Nmap 4.20 scan initiated Fri Nov 02 15:41:47 2007 as: C:\Program Files\Nmap\nmap.exe -O -v -oN temp.txt 10.0.7.0112
Warning: OS detection for 10.0.7.112 will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Insufficient responses for TCP sequencing (0), OS detection may be less accurate
Insufficient responses for TCP sequencing (0), OS detection may be less accurate
Interesting ports on 10.0.7.112:
Not shown: 1696 filtered ports
PORT STATE SERVICE
80/tcp open http
Device type: VoIP phone
Running: Cisco embedded
OS details: Cisco IP Phone 7960
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
# Nmap run completed at Fri Nov 02 15:42:22 2007 -- 1 IP address (1 host up) scanned in 35.171 seconds



It sees the phone type correctly, but it doesn't really grab any other information. There isn't a good way to get a UUID from this device since there is no domain\systemname, it's difficult to get motherboard information, and the MAC isn't valid if it's on a different subnet.

Each phone does have its own web server, from which all relevant information is available if the HTML is parsed.


Top
 Profile  
Reply with quote  
 Post subject: Re: VoIP equipment
PostPosted: Sun Nov 04, 2007 6:02 am 
Offline
Moderator
User avatar

Joined: Tue Jan 25, 2005 3:09 am
Posts: 2140
Location: Scotland
Good start :D We should be able to ask the NMAP script to do most of the hard work. We can ask it to read and parse all of the web pages it finds on cisco IP phones, but since I dont have a phone to play with I am shooting in the dark a bit. Will have a play next week, I'm sure we can do this quite easily, and furthermore the same techniques can be applied to pretty much anything which has port 80 open. Basically we need to ask the nmap script to parse the index page of any web server for versions etc.

_________________
Andrew

OA Server: Windows XP/ XAMPP, Mandriva/Apache, Ubuntu
Auditing: 300+ Wstns, 20+ Srvrs, Thin clients, Linux boxes, Routers, etc
OS's: Windows XP , W2K Srvr, W2K3 Srvr, W2K8, Vista, Windows 7, Linuxes (and a Mac at home)
LDAP: Active Directory


Top
 Profile  
Reply with quote  
 Post subject: Re: VoIP equipment
PostPosted: Tue Nov 06, 2007 3:17 am 
Offline
Newbie

Joined: Thu Nov 01, 2007 1:13 am
Posts: 6
I'm posting the HTML code from the phone's webpage. Is this a good way to do this, or should I attach a file?

Code:
<HTML>
<HEAD>
<TITLE>Cisco Systems, Inc.</TITLE>
</HEAD>
<BODY bgcolor="#FFFFFF" link="#FFFFFF" vlink="#FFFFFF" alink="#FFFFFF" text="#003031">
<TABLE BORDER="1" WIDTH="100%" HEIGHT="100%" CELLSPACING="0" CELLPADDING="0" bordercolor="#003031">
  <TR>
    <td WIDTH="200" HEIGHT="100" ALIGN=center><A HREF="http://www.cisco.com"><IMG SRC="/Images/Logo"</A></TD>

<td HEIGHT="50" bgcolor="#003031"><p ALIGN=center><B><font color="#FFFFFF" size="6">Device Information</FONT></B><p ALIGN=center><B><font color="#FFFFFF" size="4">Cisco Systems, Inc. IP Phone CP-7960G ( SEP0123456789AB ) </FONT></FONT></B></TD>
</TR>
<TR>

    <td WIDTH="200" ALIGN=center VALIGN=top bgcolor="#003031">
      <TABLE BORDER="0" CELLSPACING="10" CELLPADDING="0">
<TR><TD><B><a href='/DeviceInformation'>Device Information</A></B></TD>
</TR>
<TR><TD><B><a href='/NetworkConfiguration'>Network Configuration</A></B></TD>
</TR>

<TR><TD><B><font color='#FFFFFF'>Network Statistics</FONT></B></TD>
</TR>
      <TR><TD>&nbsp;&nbsp;&nbsp;<a href='/EthernetInformation'>Ethernet</A></TD>

</TR>
      <TR><TD>&nbsp;&nbsp;&nbsp;<a href='/PortInformation?1'>Port 1 (Network)</A></TD>
</TR>
      <TR><TD>&nbsp;&nbsp;&nbsp;<a href='/PortInformation?2'>Port 2 (Access)</A></TD>
</TR>
      <TR><TD>&nbsp;&nbsp;&nbsp;<a href='/PortInformation?3'>Port 3 (Phone)</A></TD>
</TR>
<TR><TD><B><font color='#FFFFFF'>Device Logs</FONT></B></TD>
</TR>
      <TR><TD>&nbsp;&nbsp;&nbsp;<a href='/DeviceLog?0'>Debug Display</A></TD>

</TR>
      <TR><TD>&nbsp;&nbsp;&nbsp;<a href='/DeviceLog?1'>Stack Statistics</A></TD>
</TR>
      <TR><TD>&nbsp;&nbsp;&nbsp;<a href='/DeviceLog?2'>Status Messages</A></TD>
</TR>
<TR><TD><B><font color='#FFFFFF'>Streaming Statistics</FONT></B></TD>
</TR>
      <TR><TD>&nbsp;&nbsp;&nbsp;<a href='/StreamingStatistics?1'>Stream 1</A></TD>
</TR>
      <TR><TD>&nbsp;&nbsp;&nbsp;<a href='/StreamingStatistics?2'>Stream 2</A></TD>

</TR>
      </TABLE>
</TD>
<td VALIGN=top>
      <DIV ALIGN=center>
      <TABLE BORDER="0" CELLSPACING="10" CELLPADDING="0">

      <TR><TD><B>MAC Address</B></TD>
<td width=20></TD>
<TD><B>0123456789AB</B></TD>
</TR>

      <TR><TD><B>Host Name</B></TD>
<td width=20></TD>
<TD><B>SEP0123456789AB</B></TD>
</TR>
      <TR><TD><B>Phone DN</B></TD>
<td width=20></TD>
<TD><B>7635551212</B></TD>
</TR>
      <TR><TD><B>App Load ID</B></TD>

<td width=20></TD>
<TD><B>P00308000400</B></TD>
</TR>
      <TR><TD><B>Boot Load ID</B></TD>
<td width=20></TD>
<TD><B>PC0303010200</B></TD>
</TR>
      <TR><TD><B>Version</B></TD>
<td width=20></TD>
<TD><B>8.0(4.0)</B></TD>

</TR>
      <TR><TD><B>DSP</B></TD>
<td width=20></TD>
<TD><B>4.0(2.0)[A0]</B></TD>
</TR>
      <TR><TD><B>Expansion Module 1</B></TD>
<td width=20></TD>
<TD><B></B></TD>
</TR>
      <TR><TD><B>Expansion Module 2</B></TD>

<td width=20></TD>
<TD><B></B></TD>
</TR>
      <TR><TD><B>Hardware Revision</B></TD>
<td width=20></TD>
<TD><B>4.5</B></TD>
</TR>
      <TR><TD><B>Serial Number</B></TD>
<td width=20></TD>
<TD><B>FCH09499C2T</B></TD>
</TR>

      <TR><TD><B>Model Number</B></TD>
<td width=20></TD>
<TD><B>CP-7960G</B></TD>
</TR>
      <TR><TD><B>Codec</B></TD>
<td width=20></TD>
<TD><B>ADLCodec</B></TD>
</TR>
      <TR><TD><B>Amps</B></TD>

<td width=20></TD>
<TD><B>5V Amp</B></TD>
</TR>
      <TR><TD><B>C3PO Revision</B></TD>
<td width=20></TD>
<TD><B>2</B></TD>
</TR>
      <TR><TD><B>Message Waiting</B></TD>
<td width=20></TD>
<TD><B> NO</B></TD>

</TR>

      </TABLE>
</DIV>
</TD>
</TR>
</TABLE>

</BODY>
</HTML>


Top
 Profile  
Reply with quote  
 Post subject: Re: VoIP equipment
PostPosted: Tue Nov 06, 2007 3:35 am 
Any inkling of snmp support? That would be ideal. Otherwise it could become a burden to support all the various html pages...


Top
  
Reply with quote  
 Post subject: Re: VoIP equipment
PostPosted: Tue Nov 06, 2007 3:39 am 
Offline
Newbie

Joined: Thu Nov 01, 2007 1:13 am
Posts: 6
: ) SNMP support was the first thing I checked. There is none.

At least for the various models of Cisco phones the webpages seem to be pretty similar. If somebody can get the code working to add the 7940 correctly, I can modify it to meet all the models we have (7940, 7941, 7942, 7945, 7960, 7961, 7970, 7975).

Is this something that you guys want to support or is this outside the scope of open-audit?


Top
 Profile  
Reply with quote  
 Post subject: Re: VoIP equipment
PostPosted: Tue Nov 06, 2007 3:54 am 
I don't mind supporting it. If people want it and they write the code for it, it's relatively trivial :)


Top
  
Reply with quote  
 Post subject: Re: VoIP equipment
PostPosted: Tue Nov 06, 2007 3:59 am 
Offline
Moderator
User avatar

Joined: Tue Jan 25, 2005 3:09 am
Posts: 2140
Location: Scotland
That looks good, however, did you have to login to the web site to see this info or is this the default web page from this host?

BTW If you look at the audit.vbs file in svn at the moment you will see something like the pseudocode the section outlined below. This does pretty much what we need to do to read in a web page from a host, and could easily be adapted to our needs. The reason I asked whether the page you sent is the default index page is simply because if it is not, we may need to pass credentials to the page, and this makes life more complicated.

Code:
this_config_url = "http://localhost/openaudit/list_export_config.php" << change this to something like http://the_host_in_question/index.html

..
..
..
'
' (AJH) Moved the file read-write-append constants to here, they were defined much later.
'
Const ForReading = 1, ForWriting = 2, ForAppending = 8

form_total = ""
this_config = "audit.config"   
'
' This takes no account of the command line switches added to a forked version, but in principal
' The logic should be...
' look for audit.config and use that, if it doesn't exist, grab it from
' the web server, if we cant do that, then use the internal defaults.
' Finally modify the defaults depending on any command line switches
'
'
' First check to see if we have no config file, if so lets see if we can grab one from the server
'
dim filesys
Set filesys = CreateObject("Scripting.FileSystemObject")

If filesys.FileExists(this_config) then
' Do nothing
else
'wscript.echo("Creating new config")
'
' This section takes a look at the local audit.config, and if there is none, it makes one from the server URL
' The idea is to allow us to throw the audit.vbs file to a browser and have it grab the config it needs.
' We should only need to set one thing, namely the URL from which we will grab the remainder of the config.
'
'
' (FIXME) We assume the local config file will always be audit.config but there may be a Command Switch to modify this.
' logically this is not a problem, we will try to grab a config and put it in audit.config
' If there is a command switch specifying a different file name we wont use audit.config anyway so it matters not
' if we fail to create one.
'

' Now we open the web page where the remote config lives
Set WshShell = WScript.CreateObject("WScript.Shell")

Set http = CreateObject("Microsoft.XmlHttp")
' ...and we grab it..
http.open "GET",this_config_url, FALSE
http.send ""
'
Set config_file = CreateObject("Scripting.FileSystemObject")
Set our_config = config_file.OpenTextFile( this_config, ForWriting, True)
'... and post it to our local config.
our_config.write http.responseText
End If
' End of web config script.
'
...
...

Then parse the returned page for whatever text we are looking for....

'


You see the idea...

_________________
Andrew

OA Server: Windows XP/ XAMPP, Mandriva/Apache, Ubuntu
Auditing: 300+ Wstns, 20+ Srvrs, Thin clients, Linux boxes, Routers, etc
OS's: Windows XP , W2K Srvr, W2K3 Srvr, W2K8, Vista, Windows 7, Linuxes (and a Mac at home)
LDAP: Active Directory


Top
 Profile  
Reply with quote  
 Post subject: Re: VoIP equipment
PostPosted: Tue Nov 06, 2007 4:11 am 
My guess it there is no authentication. I have experience with one cisco voip phone, and the main page is not restricted.


Top
  
Reply with quote  
 Post subject: Re: VoIP equipment
PostPosted: Tue Nov 06, 2007 4:54 am 
Offline
Newbie

Joined: Thu Nov 01, 2007 1:13 am
Posts: 6
No authentication required. Just browse to the IP address.

I'll have more freetime after December (I graduate then), otherwise I'd just do this myself and post code. By the way, what are the procedures for posting patches/features/etc?


Top
 Profile  
Reply with quote  
 Post subject: Re: VoIP equipment
PostPosted: Tue Nov 06, 2007 6:57 am 
No procedure really, just add it to a thread or make a new one... If we see it and remember, we add it to SVN :) I like patch files, but if you give just the code, perhaps Andy will add it :lol:


Top
  
Reply with quote  
 Post subject: Re: VoIP equipment
PostPosted: Wed Sep 30, 2009 3:38 am 
Offline
Newbie

Joined: Tue Sep 08, 2009 10:52 pm
Posts: 11
how about this

Code:
function get_cisco_phone_data($ip){
//start with the phones IP address
$baseconfig = "http://".$ip;
//open the site up
$fp = fopen($baseconfig,"r");
if (!$fp) {
    echo "unable to open phone website..<br />\n";
}else {
  fputs($fp, "GET /".$ip."/ HTTP/1.0\r\n".
      "Host: \r\n".
      "User-Agent: ; \r\n\r\n");
  $data = '';
  while(!feof($fp)) {
    $data .= fgets($fp);
  }
  fclose($fp);
  }
  //convert the data to make a better match
 
  //start with the html tags so we can get those out of the way
   $converteddata = str_replace("</B></TD><td width=20></TD><TD><B>","",$data);
   $converteddata = str_replace("</B></TD></TR>","<end><br>",$converteddata);
   
   //now lets do something about the data that we want to get
   $converteddata = str_replace("<TR><TD><B> MAC Address","<start>MAC:1:",$converteddata);
   $converteddata = str_replace("<TR><TD><B> Host Name","Host:2:",$converteddata);
   $converteddata = str_replace("<TR><TD><B> Phone DN","Phone:3:",$converteddata);
   $converteddata = str_replace("<TR><TD><B> App Load ","AppL:4:",$converteddata);
   $converteddata = str_replace("<TR><TD><B> Boot Load ","BootL:5:",$converteddata);
   $converteddata = str_replace("<TR><TD><B> Version","Ver:6:",$converteddata);
   $converteddata = str_replace("<TR><TD><B> Hardware Revision","HardwareR:7:",$converteddata);
   $converteddata = str_replace("<TR><TD><B> Serial Number","Serial:8:",$converteddata);
   $converteddata = str_replace("<TR><TD><B> Model Number","Model:9:",$converteddata);
   $converteddata = str_replace("<TR><TD><B> Message Waiting","message:10:",$converteddata);
   
  //filter out the data and make a match
  $mac = preg_match('/(?P<name>\w+):1:(?P<val>\w+)/', $converteddata, $macout);
  $macaddress = $macout['val'];
 
  $host = preg_match('/(?P<name>\w+):2:(?P<val>\w+)/', $converteddata, $hostout);
  $hostname = $hostout['val'];
 
  $phone = preg_match('/(?P<name>\w+):3:(?P<val>\w+)/', $converteddata, $phoneout);
  $phonedn = $phoneout['val'];
 
  $serial = preg_match('/(?P<name>\w+):8:(?P<val>\w+)/', $converteddata, $serialout);
  $serial = $serialout['val'];
 
  $model = preg_match_all('/:9:([^<end>"]+)/i', $converteddata, $modelout);
  $model = $modelout['1']['0'];
 
  //now for the networking info from http://$ip/CGI/Java/Serviceability?adapter=device.statistics.configuration
  $networklocation = "http://".$ip."/CGI/Java/Serviceability?adapter=device.statistics.configuration";
  $networkinfo = fopen($networklocation,"r");
if (!$networkinfo) {
    echo "unable to open phone website..<br />\n";
}else {
  fputs($networkinfo, "GET /".$ip."/ HTTP/1.0\r\n".
      "Host: \r\n".
      "User-Agent: ; \r\n\r\n");
  $networkdata = '';
  while(!feof($networkinfo)) {
    $networkdata .= fgets($networkinfo);
  }
  fclose($networkinfo);
  }
 
  //start with the html tags so we can get those out of the way
   $convertedndata = str_replace("</B></TD><td width=20></TD><TD><B>","",$networkdata);
   $convertedndata = str_replace("</B></TD></TR>","<end><br>",$convertedndata);
   
   //now lets do something about the data that we want to get
   $convertedndata = str_replace("<TR><TD><B> IP Address","IP:1:",$convertedndata);
   $convertedndata = str_replace("<TR><TD><B> Default Router 1","Router:2:",$convertedndata);
   
   //now get that info
   $ipaddress = preg_match_all('/:1:([^<end>"]+)/i', $convertedndata, $ipout);
   $ipfin = $ipout['1']['0'];
   
   $router = preg_match_all('/:2:([^<end>"]+)/i', $convertedndata, $routerout);
   $routerfin = $routerout['1']['0'];
   

  //now to make the return of the data
  $enddata=array('macaddress'=>$macaddress,'host'=>$hostname,'phonedn'=>$phonedn,'serial'=>$serial,'model'=>$model,'ip'=>$ipfin,'router'=>$routerfin);

return $enddata;
}


Usage
Code:
$phone = get_cisco_phone_data("xxx.xxx.xxx.xxx");


Returns

Code:
Array ( [macaddress] => 001AA2969767 [host] => SEP001AA2969767 [phonedn] => 2046 [serial] => FCH1051AK99 [model] => CP-7941G [ip] => xxx.xxx.xxx.xxx [router] => xxx.xxx.xxx.xxx )


Todo
Convert Mac address to add in the .'s
Test on more than a 7941g system as I may need to rethink the muxing of the html for the matching


Top
 Profile  
Reply with quote  
 Post subject: Re: VoIP equipment
PostPosted: Wed Sep 30, 2009 3:51 am 
Offline
Newbie

Joined: Tue Sep 08, 2009 10:52 pm
Posts: 11
working on the following systems:
CP-7941G
CP-7961G
CP-7942G


Top
 Profile  
Reply with quote  
 Post subject: Re: VoIP equipment
PostPosted: Wed Sep 30, 2009 4:21 am 
Offline
Newbie

Joined: Tue Sep 08, 2009 10:52 pm
Posts: 11
mac converted

Code:
function convert_mac_address($mac){
//mac address should be like this 0024C4BF5D0B 12 chars
$mac = str_split($mac, 2);
$convertedmac = implode(":", $mac);
return $convertedmac;
}


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 17 posts ]  Go to page 1, 2  Next

All times are UTC + 10 hours


Who is online

Users browsing this forum: No registered users and 3 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group