Follow us on Twitter!
Imagination is more valuable than knowledge - Albert Einstein
Wednesday, April 23, 2014
Navigation
Home
HellBoundHackers Main:
HellBoundHackers Find:
HellBoundHackers Information:
Learn
Communicate
Submit
Shop
Challenges
HellBoundHackers Exploit:
HellBoundHackers Programming:
HellBoundHackers Think:
HellBoundHackers Track:
HellBoundHackers Patch:
HellBoundHackers Other:
HellBoundHackers Need Help?
Other
Members Online
Total Online: 23
Guests Online: 22
Members Online: 1

Registered Members: 82885
Newest Member: ConiBE
Latest Articles
View Thread

HellBound Hackers | Computer General | Hacking in general

Author

ACN IRIS 3000 SIP Phone


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 27-08-11 06:14
I'm coming to this forum after a week or so of trying to get into this device. I'm trying to gain access to change the SIP settings to use with my PBoxes account.

What I have tried:
1: telnet and SSH into each open port on both the LAN and WAN physical port over multiple clients.
2: Used LOIC to try to get the system to crash to dump files onto the flash drive.
3: Dictionary/brute attack on the webpanel.
4: Physically trying to short out the RJ45 ports with a screwdriver to induce a system crash.
5: Opened the unit to see if there was a JTAG connector, master reset button, etc.
6: Performed factory reset through GUI - Password 7517517
7: Pushing a bunch of buttons out of frustration to get the system to crash. The device lags with each button press, which will continue to go to that area of the phone after buttons are pressed.

I have a few sources saying that there is a telnet daemon running and that it was as simple as connecting. However, this isn't the case for me.

Here are the ONLY reference links on what others have done / doing that I can find..
Code
http://pbxinaflash.com/forum/showthread.php?t=8620&highlight=iris+3000
http://jackassofalltrades.org/2011/05/exploration-of-a-acn-iris-3000/
http://dijitltoiz.livejournal.com/2473.html




This device is also known as a CU-776.

Here is how my IRIS3000 is responding to scans and other attempts at accessing telnet/ssh.

Here are the ports Zenmap gave me when using -sV from WAN (192.168.1.120)
Code
21/tcp   open  tcpwrapped
79/tcp   open  tcpwrapped
113/tcp  open  tcpwrapped
513/tcp  open  tcpwrapped
514/tcp  open  tcpwrapped
554/tcp  open  rtsp?
5060/tcp open  sip?
8080/tcp open  http       Mbedthis-Appweb 2.4.0



I've looked up what tcpwrapped meant, and from what I can gather, hosts.allow is set. Does this mean I have to find which "host IP" I need to be to access this device?

Scan from LAN (10.100.4.1)
Code
21/tcp   open  ftp
79/tcp   open  finger
113/tcp  open  auth
513/tcp  open  login
514/tcp  open  shell
554/tcp  open  rtsp
5060/tcp open  sip
8080/tcp open  http-proxy




This device DOES have a GUI and there is an administrator section, but does not ask for a password when I try to enter, so maybe when it's hilighted you enter the password without prompt.

The device DOES have a USB slot, so when the system crashes, logs and all those goodies are put on the flash drive. I've only gotten it to crash once, and that was accidental.

System Version: 20.6.31

I'm looking for ideas on how to get this to either crash and dump files on the flash drive, let me connect with either SSH or telnet, or just let me in the administration GUI. I'm at a loss and half tempted to solder what I believe is a JTAG connector on and attempt telnet that way.

Edited by on 27-08-11 06:24