iCULeak - Tool To Detect And Extract Credentials From Phone Configuration Files Hosted On Cisco CUCM


Tool to find and extract credentials from phone configuration files in environments managed by Cisco's CUCM (Call Manager).
When using Cisco's CUCM (Call Manager), phone configuration files are stored on a TFTP server. These phone configuration files quite often contain sensitive data, including phone SSH/admin credentials.
There is also an issue with how some browsers autofill fields such as the SSH Username & Password fields with their CUCM credentials (commonly their AD credentials), if the administrator has saved the credentials in their browser. This issue has also been faced by administrators using password managers that automatically plug in credentials, where they found that their credentials were being automatically inputted into the SSH Username & Password fields, and thus being saved (and stored in plaintext in the configuration files).

While the issue was fixed in CUCM 12.0, credentials stored in the past may still be discoverable.
The issue can be somewhat mitigated by the following actions:
  1. Regularly purging existing configuration files of leaked credentials.
  2. Blocking autosave/autofill on CUCM.
  3. Enabling encryption of phone configuration files. Read more on that here. Note that this doesn't completely mitigate the issue, as the encryption password could be obtained from the phones' memory or through administrative access to CUCM.
This tool utilises a lot of code from Dirk-jan's tool adidnsdump to extract a list of phone hostnames from ADIDNS over LDAP. To read more about the technique and the tool, you can read the associated blog post. So credit goes to him for a lot of the code.
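Mitigation step 1 above (purging configuration files of leaked credentials) needs a way to find which SEP<MAC>.cnf.xml files on the TFTP server actually carry stored SSH credentials. The following audit script is an added example written for this page; it is not part of iCULeak.py. It assumes the phone configuration XML carries the credentials in sshUserId and sshPassword elements, and the two sample documents it parses are constructed for the example. It reports the account name and whether a password is set, but never echoes the password, so the output can be handed to whoever owns remediation.

```python
"""Audit Cisco CUCM phone configuration files (SEP<MAC>.cnf.xml) for
stored SSH credentials so the affected files can be purged.

Added example, not part of iCULeak.py. The element names sshUserId and
sshPassword are assumed to be where the phone config stores the SSH
account; the sample documents below are constructed for this example.
"""
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed samples: one config with credentials that were autofilled
# and saved (the browser/password-manager scenario described above),
# one with the fields left empty as they should be.
SAMPLE_CONFIGS = {
    "SEP112233445566.cnf.xml": """<?xml version="1.0" encoding="UTF-8"?>
<device>
  <deviceProtocol>SIP</deviceProtocol>
  <sshUserId>CORP\\voiceadmin</sshUserId>
  <sshPassword>Example-Password-123</sshPassword>
  <devicePool><name>Default</name></devicePool>
</device>""",
    "SEPAABBCCDDEEFF.cnf.xml": """<?xml version="1.0" encoding="UTF-8"?>
<device>
  <deviceProtocol>SIP</deviceProtocol>
  <sshUserId></sshUserId>
  <sshPassword></sshPassword>
</device>""",
}


def _text(root: ET.Element, tag: str) -> Optional[str]:
    """Return the stripped text of the first <tag> anywhere under root, or None."""
    for el in root.iter(tag):
        if el.text and el.text.strip():
            return el.text.strip()
    return None


def audit_phone_config(filename: str, xml_text: str) -> dict:
    """Report whether one phone config carries SSH credentials.

    The password value is deliberately not returned; the report only says
    whether it is set, plus the account name so the owner can be notified.
    """
    root = ET.fromstring(xml_text)
    user = _text(root, "sshUserId")
    password = _text(root, "sshPassword")
    return {
        "file": filename,
        "ssh_user": user,
        "password_present": password is not None,
        "leaked": user is not None or password is not None,
    }


def audit_all(configs: dict) -> list:
    """Audit every config (name -> XML text) and return only those needing a purge."""
    results = (audit_phone_config(name, xml) for name, xml in sorted(configs.items()))
    return [r for r in results if r["leaked"]]


if __name__ == "__main__":
    # In practice, load each SEP*.cnf.xml pulled from the TFTP server into
    # the dict instead of the constructed samples.
    for finding in audit_all(SAMPLE_CONFIGS):
        print(f"{finding['file']}: sshUserId={finding['ssh_user']!r} "
              f"password_present={finding['password_present']}")
```

Run it periodically against the TFTP directory and treat every reported file as one to purge and re-push from CUCM with the SSH fields cleared; the report also tells you which AD account was exposed, which is the account to rotate.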

Installation
To install the tool:
git clone https://github.com/llt4l/iCULeak.py
cd iCULeak.py
pip install -r requirements.txt

Usage:
Run iCULeak.py against phones with hostnames found in the DNS zone
python iCULeak.py -u domain\\llt4l -c 10.100.1.29 10.100.1.1
Run iCULeak.py against a list of phones provided in a file
python iCULeak.py -l phones_hostnames -c 10.100.1.29 10.100.1.1
Flags:
  • View the help page with -h or --help
  • Pass the username of the user that will authenticate to ADIDNS with the -u or --user flag. The user should be preceded by the user's domain, so it should look something like this: domain\\llt4l. This flag is optional if a list is passed instead.
  • Pass the password to the program with the -p or --password flag. If you do not pass it as an argument, but do pass a username, then the program will prompt for a password when run.
  • The IP address or hostname of the CUCM server should be passed to the program with either the -c or --cucm-server flag. If, for whatever reason, the TFTP server being used by CUCM to store phone configuration files is found on some other host, please provide that address.
  • Provide a file that contains a list of phone hostnames with the -l or --list flag. The file should only be a list of phone hostnames, such that each line would look something like SEP112233445566.
  • If you'd like to save the results to a CSV file, pass the -s or --save flag along with the filename to be saved to.
  • By default iCULeak.py checks leaked credentials for validity in the AD. To disable authentication attempts being made to verify the leaked credentials, pass the -nA or --no-authentication flag.
  • To save all the phone configuration files dumped to a directory, pass the -O or --out-dir flag, along with the name of the folder you want to save them to.
  • For increased verbosity, you can pass the -v or --verbose flag.
  • If the DNS entries for the phones are in a different DNS zone to the default zone of the domain you are authenticating against, you can pass the zone along with the -z or --zone flag.