Attacks to Polycom devices
Default username passwords:
admin:456
admin:
user:123
Polycom:456
Polycom:SpIp
Polycom:123
Polycom:Polycom
POLYCOM:POLYCOM
root:default
If you have the SNMP community string you can retrieve the device Serial Number and use such serial number to login with the credentials admin:.
Another good thing to do is to try to to telnet the device and login in it.
What you want to do in both web and telnet interface is to enable "autoanswer" so that you can then spy the meeting rooms with ekiga (h323:).
A good exploit to run for bypassing the telnet authentication can be found in metaploit (Polycom Command Shell Authorization Bypass) or here . Since for me the metasploit payload was not working properly, I had to run the python script to exploit the vulnerability. Once downloaded the script, put in order the indentation, understand the exploit, and run:
>python 57911.py
One you have the command prompt run the following (other commands available here):
>autoanswer get
>autoanswer yes
>autoanswer get
And then call the target with ekiga to see and potentially listen the meeting room
Other references:
http://securitytracker.com/id/1028305
admin:456
admin:
user:123
Polycom:456
Polycom:SpIp
Polycom:123
Polycom:Polycom
POLYCOM:POLYCOM
root:default
If you have the SNMP community string you can retrieve the device Serial Number and use such serial number to login with the credentials admin:
Another good thing to do is to try to to telnet the device and login in it.
What you want to do in both web and telnet interface is to enable "autoanswer" so that you can then spy the meeting rooms with ekiga (h323:
A good exploit to run for bypassing the telnet authentication can be found in metaploit (Polycom Command Shell Authorization Bypass) or here . Since for me the metasploit payload was not working properly, I had to run the python script to exploit the vulnerability. Once downloaded the script, put in order the indentation, understand the exploit, and run:
>python 57911.py
One you have the command prompt run the following (other commands available here):
>autoanswer get
>autoanswer yes
>autoanswer get
And then call the target with ekiga to see and potentially listen the meeting room
Other references:
http://securitytracker.com/id/1028305