[cisco-voip] Extracting the EndUser PIN From CUCM Database

Wes Sisk wsisk at cisco.com
Wed Feb 8 15:37:57 EST 2012


From Cisco Unified Communications Manager 8.6(1) Database Dictionary:

2.3.54 credential (TI-446)
Description: Authentication information and policies for App and End Users. Records may be modified only by installation and/or DB triggers.
Fields:

2.3.54.1 cantchange (FI-3349)
Type: bool (Not Modifiable)
Default Value: FALSE
Remarks: A flag indicating whether the user can set this credential.

(Cisco Unified Communications Manager Data Dictionary, Release 8.6(1), p. 91, OL-24613-01)

2.3.54.2 credentials (FI-3358)
Type: string [288] (Not Modifiable, Null OK) NULL Binary in CUC; encrypted string App/EndUser.password or PIN The PIN or password, for a user. The credentials are stored in an encrypted format.

...
fkenduser (FI-3346)
...

Storing or allowing export of a user password or PIN is very bad and should be avoided. At bare minimum it should always be stored as a hash. A sufficiently motivated entity could still brute force hashes. A sufficiently motivated hacker could also reverse engineer the hashing algorithm. That said, storing authentication information as a hash is a bare minimum security feature.

/wes



On Feb 8, 2012, at 11:56 AM, <James.Brown at barclayswealth.com> <James.Brown at barclayswealth.com> wrote:

Thanks for the suggestion Stephen. I tried a user export on a test environment and as you mentioned, found a PIN hash. This hash is not importable via BAT.

Looking at the AXL route for import, the "enduser" table doesn't appear to contain a PIN field and a search of the data dictionary didn't reveal anything. There's an AXL updateUser method, but like BAT, it seems to need the real PIN rather than the hash.

I guess changing domain means a PIN change is necessary.

Regards

James.

-----Original Message-----
From: Stephen Welsh [mailto:stephen.welsh at unifiedfx.com] 
Sent: 08 February 2012 16:18
To: Brown, James : Barclays Wealth
Cc: cisco-voip at puck.nether.net
Subject: Re: [cisco-voip] Extracting the EndUser PIN From CUCM Database

Hi James,

I was under the impression that a Bulk Export will pull a hashed version of the password (I suspect the password is never stored and just compared to the hash for validation). I'm guessing you could perform an import update with the hashed PIN (or other form of import, i.e. AXL/SQL).

However, it may be that the hash includes some other information such as the userid; if that was the case it would obviously not work in your scenario.

Thanks

Stephen

On 8 Feb 2012, at 15:50, <James.Brown at barclayswealth.com> <James.Brown at barclayswealth.com> wrote:

> All,
> 
> Does anyone know if there is any way of extracting an end user's PIN from the CUCM Database?
> 
> The rationale is that we are migrating to a new domain with new Samaccount names and wanted to preserve PINs.
> 
> Regards
> 
> James.
> _______________________________________________
> cisco-voip mailing list
> cisco-voip at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
> 


_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip
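
An added sketch, not part of the thread and not CUCM's actual scheme (which the thread does not describe), of two points raised above: keeping only a salted hash verifier instead of the PIN, and why a verifier that folds in the user id stops validating once the account is renamed. The user ids, the PIN, the iteration count and all function names are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 200_000  # assumed work factor for this sketch


def make_verifier(user_id: str, pin: str, salt: Optional[bytes] = None) -> dict:
    """Derive the record to store for a PIN; the PIN itself is never kept."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per credential
    # Folding the user id into the salt ties the verifier to that account,
    # which is the case Stephen's reply raises as a possibility.
    bound_salt = salt + user_id.encode("utf-8")
    digest = hashlib.pbkdf2_hmac(
        "sha256", pin.encode("utf-8"), bound_salt, ITERATIONS
    )
    return {"salt": salt, "digest": digest}


def check_pin(user_id: str, pin: str, record: dict) -> bool:
    """Recompute the digest for the presented PIN and compare in constant time."""
    candidate = make_verifier(user_id, pin, record["salt"])["digest"]
    return hmac.compare_digest(candidate, record["digest"])


def copy_record(record: dict) -> dict:
    """Model a bulk export/import that moves the stored record unchanged."""
    return {"salt": record["salt"], "digest": record["digest"]}


if __name__ == "__main__":
    old_id, new_id, pin = "jbrown_old", "jbrown_new", "48213"  # constructed
    stored = make_verifier(old_id, pin)
    print("old account, right PIN:", check_pin(old_id, pin, stored))
    print("old account, wrong PIN:", check_pin(old_id, "48214", stored))
    # After a rename the same record no longer validates the same PIN,
    # so the user has to set the PIN again on the new account.
    moved = copy_record(stored)
    print("new account, right PIN:", check_pin(new_id, pin, moved))
```
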




