HellBound Hackers
Join us at IRC!
Your life is ending one minute at a time. If you were to die tomorrow, what would you do today?
Wednesday, May 23, 2012
Navigation
Home
HellBoundHackers Main:
HellBoundHackers Find:
HellBoundHackers Information:
HellBoundHackers Additional:
Shop
Learn
Communicate
Submit
Challenges
HellBoundHackers Exploit:
HellBoundHackers Programming:
HellBoundHackers Think:
HellBoundHackers Track:
HellBoundHackers Patch:
HellBoundHackers Other:
HellBoundHackers Need Help?
Interact
Other
HellBoundHackers Executive:
HellBoundHackers Leisure:
Members Online
Total Online: 36
Web Spiders: 15
Guests Online: 34
Members Online: 2
Jet1992, shadow_lady

Registered Members: 70160
Newest Member: Furtif
Latest Articles
View Thread

HellBound Hackers | Computer General | Hacking in general
Author

ACN IRIS 3000 SIP Phone
FluffyMittens
Member

Posts: 1
Location:
Joined: 27.08.11
Rank: Newbie
Posted on 27-08-11 06:14
I'm coming to this forum after a week or so of trying to get into this device. I'm trying to gain access to change the SIP settings to use with my PBoxes account.

What I have tried:
1: telnet and SSH into each open port on both the LAN and WAN physical port over multiple clients.
2: Used LOIC to try to get the system to crash to dump files onto the flash drive.
3: Dictionary/brute attack on the webpanel.
4: Physically trying to short out the RJ45 ports with a screwdriver to induce a system crash.
5: Opened the unit to see if there was a JTAG connector, master reset button, etc.
6: Performed factory reset through GUI - Password 7517517
7: Pushing a bunch of buttons out of frustration to get the system to crash. The device lags with each button press, which will continue to go to that area of the phone after buttons are pressed.

I have a few sources saying that there is a telnet daemon running and that it was as simple as connecting. However, this isn't the case for me.

Here are the ONLY reference links on what others have done / doing that I can find..
http://pbxinaflash.com/forum/showthread.php?t=8620&highlight=iris+3000
http://jackassofalltrades.org/2011/05/exploration-of-a-acn-iris-3000/
http://dijitltoiz.livejournal.com/2473.html


This device is also known as a CU-776.

Here is how my IRIS3000 is responding to scans and other attempts at accessing telnet/ssh.

Here are the ports Zenmap gave me when using -sV from WAN (192.168.1.120)
21/tcp open tcpwrapped
79/tcp open tcpwrapped
113/tcp open tcpwrapped
513/tcp open tcpwrapped
514/tcp open tcpwrapped
554/tcp open rtsp?
5060/tcp open sip?
8080/tcp open http Mbedthis-Appweb 2.4.0

I've looked up what tcpwrapped meant, and from what I can gather, hosts.allow is set. Does this mean I have to find which "host IP" I need to be to access this device?

Scan from LAN (10.100.4.1)
21/tcp open ftp
79/tcp open finger
113/tcp open auth
513/tcp open login
514/tcp open shell
554/tcp open rtsp
5060/tcp open sip
8080/tcp open http-proxy


This device DOES have a GUI and there is an administrator section, but does not ask for a password when I try to enter, so maybe when it's hilighted you enter the password without prompt.

The device DOES have a USB slot, so when the system crashes, logs and all those goodies are put on the flash drive. I've only gotten it to crash once, and that was accidental.

System Version: 20.6.31

I'm looking for ideas on how to get this to either crash and dump files on the flash drive, let me connect with either SSH or telnet, or just let me in the administration GUI. I'm at a loss and half tempted to solder what I believe is a JTAG connector on and attempt telnet that way.

Edited by FluffyMittens on 27-08-11 06:24
Guest
Username

Password

Remember Me


Bookmark This Page
Affiliates
Adverts

 

 

Links

Anime Wallpaper Site
By using, viewing or obtaining any information contained on this site, you agree to the disclaimer.

© HellBound Hackers 2008- 2009. Since 3rd December 2004.

20598753 Unique Visits

Powered by HBH-Fusion