Skip to main content

New tool in the works: TFTPTheft

Published on May 28, 2010 in ,

Most sysadmins just love the idea of switching on a box that just works automatically. In the case of IP phones that is typically possible by setting up the right DHCP config and a TFTP server hosting firmware and configuration.

My introduction to TFTP
The TFTP protocol typically runs over port 69, and the above image shows a rather insecure doll. The TFTP protocol is rather simple and lightweight:

  • Runs on top of UDP
  • Does not support authentication
  • Only supports pulling and pushing (GET and PUT) of files (no directory listing)

New tools?

So to retrieve a file from a reachable tftp server, one only needs to know or guess the correct filename. There are a couple of tools which do this already including a Metasploit module. However what I wanted was more specific:

  • A tool that’s fast like SIPVicious
  • Which allows me to brute-force ranges of Cisco phone filenames (say SEP[mac-address].cnf.xml)
  • And one which just downloads the guessed files as the TFTP server is being scanned

Therefore I’m releasing a new set of tools called TFTPTheft which includes 2 new tools:

  •, which does what I just described (guess filenames and download files)
  •, which searches for TFTP servers on the network

To give it a try, the code is currently in a mercurial repo and you can pull it by:

hg clone tftptheft

I am releasing this code so that you can send me feedback. So please go forth and give this a try, run it against your VoIP system (it’s likely that the PBX / Call manager will have a TFTP server running). Then send me an email with your experience: sandro at