Welcome to HBH! If you had an account on hellboundhacker.org you will need to reset your password using the Lost Password system before you will be able to login.

ACN IRIS 3000 SIP Phone

  1. Home
  2. Forum
  3. Hacking in general
  4. ACN IRIS 3000 SIP Phone

ghost's Avatar

ghost

0 0

I'm coming to this forum after a week or so of trying to get into this device. I'm trying to gain access to change the SIP settings to use with my PBoxes account.

What I have tried: 1: telnet and SSH into each open port on both the LAN and WAN physical port over multiple clients. 2: Used LOIC to try to get the system to crash to dump files onto the flash drive. 3: Dictionary/brute attack on the webpanel. 4: Physically trying to short out the RJ45 ports with a screwdriver to induce a system crash. 5: Opened the unit to see if there was a JTAG connector, master reset button, etc. 6: Performed factory reset through GUI - Password 7517517 7: Pushing a bunch of buttons out of frustration to get the system to crash. The device lags with each button press, which will continue to go to that area of the phone after buttons are pressed.

I have a few sources saying that there is a telnet daemon running and that it was as simple as connecting. However, this isn't the case for me.

Here are the ONLY reference links on what others have done / doing that I can find..

http://jackassofalltrades.org/2011/05/exploration-of-a-acn-iris-3000/
http://dijitltoiz.livejournal.com/2473.html```

This device is also known as a CU-776.

Here is how my IRIS3000 is responding to scans and other attempts at accessing telnet/ssh.

Here are the ports Zenmap gave me when using -sV from WAN (192.168.1.120)
```markup21/tcp   open  tcpwrapped
79/tcp   open  tcpwrapped
113/tcp  open  tcpwrapped
513/tcp  open  tcpwrapped
514/tcp  open  tcpwrapped
554/tcp  open  rtsp?
5060/tcp open  sip?
8080/tcp open  http       Mbedthis-Appweb 2.4.0```
I've looked up what tcpwrapped meant, and from what I can gather, hosts.allow is set. Does this mean I have to find which "host IP" I need to be to access this device?

Scan from LAN (10.100.4.1)
```markup21/tcp   open  ftp
79/tcp   open  finger
113/tcp  open  auth
513/tcp  open  login
514/tcp  open  shell
554/tcp  open  rtsp
5060/tcp open  sip
8080/tcp open  http-proxy```

This device DOES have a GUI and there is an administrator section, but does not ask for a password when I try to enter, so maybe when it's hilighted you enter the password without prompt.

The device DOES have a USB slot, so when the system crashes, logs and all those goodies are put on the flash drive. I've only gotten it to crash once, and that was accidental.

System Version: 20.6.31

I'm looking for ideas on how to get this to either crash and dump files on the flash drive, let me connect with either SSH or telnet, or just let me in the administration GUI. I'm at a loss and half tempted to solder what I believe is a JTAG connector on and attempt telnet that way.