Roberto Suggi Liverani, founder of the OWASP (Open Web Application Security Project) New Zealand chapter discover a vulnerability in Cisco CallManager AKA Unified Communications Manager. It is a software-based call-processing system developed by Cisco Systems.
He described on his blog "During a security review, I have found a quick way to perform PIN brute force attack against accounts registered with a Cisco Unified Communications Manager (CallManager)."
Researcher target the HTTP GET requests used by CallManager to initiate the login process. :
He Demonstrated the idea with Burp Suite (Penetration testing Framework). He showed the html form parameter used for login as shown below:
The sid token is required to perform the PIN brute force attack. So first get a valid sid token value and then you can brute force userid and pin using dictionary attack or Combination attack.
Others can use HYDRA(most powerful bruteforce tool) , which is capable of brute forcing HTTP web requests.
Want more Interesting News like this? Sign up here to receive the best of 'The Hacker News' delivered daily straight to your inbox.
Subscribe for Updates