Skip to main content
Sandro Gauci

Sandro Gauci, Enable Security

New tool in the works: TFTPTheft

Published on May 28, 2010 in ,

Most sysadmins just love the idea of switching on a box that just works automatically. In the case of IP phones that is typically possible by setting up the right DHCP config and a TFTP server hosting firmware and configuration.

My introduction to TFTP
The TFTP protocol typically runs over port 69, and the above image shows a rather insecure doll. The TFTP protocol is rather simple and lightweight:

  • Runs on top of UDP
  • Does not support authentication
  • Only supports pulling and pushing (GET and PUT) of files (no directory listing)

New tools?

So to retrieve a file from a reachable tftp server, one only needs to know or guess the correct filename. There are a couple of tools which do this already including a Metasploit module. However what I wanted was more specific:

  • A tool that’s fast like SIPVicious
  • Which allows me to brute-force ranges of Cisco phone filenames (say SEP[mac-address].cnf.xml)
  • And one which just downloads the guessed files as the TFTP server is being scanned

Therefore I’m releasing a new set of tools called TFTPTheft which includes 2 new tools:

  •, which does what I just described (guess filenames and download files)
  •, which searches for TFTP servers on the network

To give it a try, the code is currently in a mercurial repo and you can pull it by:

hg clone tftptheft

I am releasing this code so that you can send me feedback. So please go forth and give this a try, run it against your VoIP system (it’s likely that the PBX / Call manager will have a TFTP server running). Then send me an email with your experience: sandro at

Sandro Gauci

Sandro Gauci

CEO, Chief Mischief Officer at Enable Security

Sandro Gauci leads the operations and research at Enable Security. He is the original developer of SIPVicious OSS, the SIP security testing toolset. His role is to focus on the vision of the company, design offensive security tools and engage in security research and testing. Therefore, he is the proud owner of the title of Chief Mischief Officer at Enable Security.

He offers public office hours and is reachable here.