Saturday, September 17, 2011

How to SSH into a Cisco IP Phone

Here are the steps to let you SSH into a Cisco IP Phone.  In this example, the phone model is a 7961.

On the phone's device page in ccmadmin, scroll down to the Secure Shell Information section and type in a username and password for the Secure Shell User and Secure Shell Password. I simply used cisco and cisco.



Then, scroll down to the bottom and set the SSH Access drop-down box to Enabled.  Don't forget to Save and Apply Config.



Scroll back up to the top of the page and get the phone's IP address.


Open an SSH session to the phone's IP address.  You will probably get a typical key message window that you will have to accept.


Enter the username and password that you specified in the Secure Shell User and Secure Shell Password boxes on the phone's device page in ccmadmin.


You will then be prompted for another login and password from within your SSH session window.  Enter default for the login and user for the password and press Enter.  You should then be at a $ (dollar sign) prompt.



Now that you are in, let's see what you can do!

$ ping 10.10.10.1
ping: reply received from 10.10.10.1, time = 1ms
ping: reply received from 10.10.10.1, time = 0ms
ping: reply received from 10.10.10.1, time = 0ms
ping: reply received from 10.10.10.1, time = 0ms
ping: packets - sent = 4, received = 4, lost = 0, ( 0 % lost )
time - total = 10 msec, avg = 2 msec/pkt
$

OK, what about the file and folder structure?
$ cd /
$ ls
bin     dev     flash0  home    root    tmp     usr
cnu     etc     flash1  modules sbin    ubin    var
$

Let's see what's in the flash0 directory.
$ cd flash0
$ ls
Monospace.font  apps            home            sc-font.xml     syslog
RMS             bin             local           sec             ubin
Unicode.font    etc             modules         ssh
$


How about the bin directory?
$ cd /
$ cd bin
$ ls -l
total 5983
-rwxr-xr-x  1 root      sys           260 Jul 11 2005 AUTH.png
-rwxr-xr-x  1 root      sys          1738 Dec 06 2006 BGRND.png
-rwxr-xr-x  1 root      sys           218 Jul 11 2005 BLANK.png
-rwxr-xr-x  1 root      sys           252 Jul 11 2005 DOWNL.png
-rwxr-xr-x  1 root      sys           258 Jul 11 2005 ERROR.png
-rwxr-xr-x  1 root      sys           250 Jul 11 2005 NETWK.png
-rwxr-xr-x  1 root      sys           204 Dec 05 2006 P2P.png
-rwxr-xr-x  1 root      sys           280 Jul 11 2005 WAIT.png
-rwxr-xr-x  1 root      sys           225 Jul 11 2005 WRITE.png
-rwxr-xr-x  1 root      sys         13188 Nov 13 2008 cat
-rwxr-xr-x  1 root      sys         24496 Nov 13 2008 chmod
-rwxr-xr-x  1 root      sys         23704 Nov 13 2008 chown
-rwxr-xr-x  1 root      sys          5002 Jan 11 2007 ciscoerror.png
-rwxr-xr-x  1 root      sys          5014 Jan 11 2007 ciscoreboot.png
-rwxr-xr-x  1 root      sys          5055 Jan 11 2007 ciscostart.png
-rwxr-xr-x  1 root      sys         13052 Nov 13 2008 cmp
-rwxr-xr-x  1 root      sys         88092 May 11 13:10 cnush
-rwxr-xr-x  1 root      sys         26248 Nov 13 2008 cp
-rwxr-xr-x  1 root      sys         39724 Nov 13 2008 cvw
-rwxr-xr-x  1 root      sys         20540 Mar 28 19:55 date
-rwxr-xr-x  1 root      sys        141936 May 11 13:10 debugsh
-rwxr-xr-x  1 root      sys         24936 Nov 13 2008 df
-rwxr-xr-x  1 root      sys         23160 Nov 13 2008 du
-rwxr-xr-x  1 root      sys          5564 Nov 13 2008 echo
-rwxr-xr-x  1 root      sys          8636 Nov 13 2008 ethmibs
-rwxr-xr-x  1 root      sys          8300 Nov 13 2008 ethstats
-rwxr-xr-x  1 root      sys         87860 May 11 13:09 ewCmd
-rwxr-xr-x  1 root      sys            26 May 31 2005 groups
-rwx--x--x  1 root      sys          6836 Nov 13 2008 halt
-rwxr-xr-x  1 root      sys         10636 Nov 13 2008 head
-rwxr-xr-x  1 root      sys         28404 Nov 13 2008 hexdump
-rwxr-xr-x  1 root      sys         15504 Nov 13 2008 id
-rwxr-xr-x  1 root      sys         19572 Mar 28 19:57 imgui
-rwxr-xr-x  1 root      sys         15400 Mar 28 19:56 ipcstat
-rwxr-xr-x  1 root      sys         15136 May 11 13:08 ipv6
-rwxr-xr-x  1 root      sys         10136 Nov 13 2008 kill
-rwxr-xr-x  1 root      sys          9248 Nov 13 2008 kldstat
-rwxr-xr-x  1 root      sys         10644 Nov 13 2008 ln
-rws--s--x  1 root      sys         15604 Mar 28 19:56 login
-rwxr-xr-x  1 root      sys         43356 Nov 13 2008 ls
-rwxr-xr-x  1 root      sys         18604 Nov 13 2008 mfg
-rwxr-xr-x  1 root      sys         10068 Mar 28 19:56 mib2
-rwxr-xr-x  1 root      sys         14656 Nov 13 2008 mkdir
-rwxr-xr-x  1 root      sys         12732 Nov 13 2008 mkfifo
-rwxr-xr-x  1 root      sys         21052 Nov 13 2008 more
-rwxr-xr-x  1 root      sys         23232 Nov 13 2008 mount
-rwxr-xr-x  1 root      sys         20876 Nov 13 2008 mv
-rwxr-xr-x  1 root      sys          9536 Nov 13 2008 nice
-rwxr-xr-x  1 root      sys           124 Mar 03 2010 nologin
-rwxr-xr-x  1 root      sys         41268 Mar 28 19:57 ntp
-rwxr-xr-x  1 root      sys         79712 Mar 28 19:56 ping
-rwxr-xr-x  1 root      sys        133872 Mar 28 19:57 ping6
-rwxr-xr-x  1 root      sys         29532 Mar 28 19:56 ps
-rwx--x--x  1 root      sys          6836 Nov 13 2008 reboot
-rwxr-xr-x  1 root      sys         27332 Nov 13 2008 rm
-rwxr-xr-x  1 root      sys          8084 Nov 13 2008 rmdir
-rwsr-s--x  1 security  sec        847916 May 11 13:03 secd
-rwxr-xr-x  1 root      sys         36072 Nov 13 2008 settmask
-rwxr-xr-x  1 root      sys        172556 Mar 28 19:58 sh
-rwxr-xr-x  1 root      sys          6768 Nov 13 2008 sleep
-rwxr-xr-x  1 root      sys         10136 Nov 13 2008 slog
-rwxr-xr-x  1 root      sys         19424 Mar 28 19:57 sostat
-rwsr-x--x  1 security  sec        184748 Mar 28 19:54 sshd
-rwxr-xr-x  1 root      sys         24472 Nov 13 2008 stty
-rwxr-xr-x  1 root      sys          4676 Nov 13 2008 sync
-rwxr-xr-x  1 root      sys         18440 Nov 13 2008 tail
-rwxr-xr-x  1 root      sys        156076 Nov 13 2008 tar
-rwxr-xr-x  1 root      sys         33304 Mar 28 19:57 tftp
-rwxr-xr-x  1 root      sys         80068 May 11 13:09 tftpClient
-rwsr-sr--  1 syslog    sys        159160 Nov 13 2008 tnpdisp
-rwxr-xr-x  1 root      sys         17904 Nov 13 2008 touch
-rwxr-xr-x  1 root      sys         17704 Nov 13 2008 umount
-rwxr-xr-x  1 root      sys          9680 Nov 13 2008 uname
-rwxr-xr-x  1 root      sys         28108 Mar 28 19:57 vm
-rwxr-xr-x  1 root      sys         10496 Nov 13 2008 which
-rwxr-xr-x  1 root      sys            17 May 31 2005 whoami
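
The mode column in a listing like this shows which binaries carry the setuid or setgid bit and therefore run with their owner's or group's privileges. The following Python sketch is an added example, not part of the original post: it inventories those entries from pasted `ls -l` output. The function names are illustrative, and the embedded sample is a short excerpt built from rows of the listing above.

```python
# Added example: inventory setuid/setgid entries in pasted `ls -l` output.
# LISTING is a constructed excerpt using rows from the /bin listing above.
LISTING = """\
total 5983
-rwxr-xr-x  1 root      sys         13188 Nov 13 2008 cat
-rws--s--x  1 root      sys         15604 Mar 28 19:56 login
-rwsr-s--x  1 security  sec        847916 May 11 13:03 secd
-rwxr-xr-x  1 root      sys        172556 Mar 28 19:58 sh
-rwsr-x--x  1 security  sec        184748 Mar 28 19:54 sshd
-rwsr-sr--  1 syslog    sys        159160 Nov 13 2008 tnpdisp
$
"""

def parse_entry(line):
    """Split one `ls -l` row; return None for 'total', prompt and blank lines."""
    parts = line.split(None, 8)  # mode links owner group size mon day time name
    if len(parts) < 9 or len(parts[0]) != 10 or not parts[4].isdigit():
        return None
    return {"mode": parts[0], "owner": parts[2], "group": parts[3],
            "size": int(parts[4]), "name": parts[8]}

def special_bits(mode):
    """'s' is the bit plus execute, 'S' is the bit without execute."""
    bits = []
    if mode[3] in "sS":   # owner-execute position carries setuid
        bits.append("setuid")
    if mode[6] in "sS":   # group-execute position carries setgid
        bits.append("setgid")
    return bits

def audit(listing):
    """Return one finding per entry that has setuid and/or setgid set."""
    findings = []
    for line in listing.splitlines():
        entry = parse_entry(line)
        bits = special_bits(entry["mode"]) if entry else []
        if bits:
            findings.append({
                "name": entry["name"], "bits": bits,
                "runs_as_user": entry["owner"] if "setuid" in bits else None,
                "runs_as_group": entry["group"] if "setgid" in bits else None,
                "world_exec": entry["mode"][9] in "xt",  # any user may run it
            })
    return findings

if __name__ == "__main__":
    for finding in audit(LISTING):
        print(finding)
```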



We can TFTP some files if we want to.


$ tftp

   TFTP: usage - tftp -s address srcFile dstFile
        tftpAddr = address of tftp server - ex: 10.1.1.1
        srcFile  = file to be retrieved - ex: sepxxx.cnf.xml
        dstFile  = filename in CNU file system - ex: /bin/sepxxx.cnf.xml

$

Let's check the processes taking up the CPU.
$ ps
format --> ps [-acCehjklmrSTuvwx] [-L] [-M core] [-O fmt] [-o fmt] [-p pid] [-U username]
$
$ ps -a

 pid %cpu   state tty command
   9  0.0     run   0 /bin/sh
   2  0.0     run   0 /sbin/syslogd
   0 85.3     run   0 sysIdle
  11  0.0     run   0 /sbin/inetd
  13  0.0     run   0 /sbin/rtsold
  25  0.0     run   0 /ubin/dsp
  19  0.0     run   0 /bin/login
  22  0.0     run   0 /bin/secd
  21  0.0     run   0 /bin/tftpClient
  24  0.0     run   0 /ubin/vieo
   6  0.1     run   0 /sbin/strace
  15  0.0     run   0 /sbin/dhcp6
  14  0.0     run   0 /sbin/cdp
  16  0.0     run   0 /sbin/pae
  17  0.0     run   0 /sbin/imgauthd
  20  0.0     run   0 /sbin/dhcp
  23  0.0     run   0 /bin/ntp
  29  0.0     run   0 /sbin/dns
   1  0.0     run   0 /sbin/init
   3 11.2     run   0 /tmp/sunvm.unzip/sunvm.cnu
  26  0.0     run   0 /sbin/ewcl
   5  0.0     run   0 /sbin/espd
  31 20.0     run   0 /bin/ps
  18  2.5     run   0 /bin/sshd
$

So, that is just an intro to how you can SSH into a phone and some basic ways to navigate around.  Brush up on your Linux commands and try them.  On newer models of phones (8900 and 9900 series), there are some commands that Cisco put in, such as viewing the call histories and watching the key presses on the phone.  More to come on my next post!

5 comments:

MAzevedo said...

On the 8900 series, the login is:
user: default
password: cisco

Sophia Field said...

I learn something new on different blogs every day. It is always refreshing to read posts of other bloggers and learn something from them. Thanks for sharing.

Unknown said...

Maybe you know default password and login for dx 650???

Gergely said...

Hi,
Do you happen to know the elevated login for the 8800 series? The debug/debug one is very limited.
Thanks!

Anonymous said...

please help me to connect to 9971. thanks.

~$ ssh -1 ip
SSH protocol v.1 is no longer supported

~$ ssh -c aes128-cbc debug@ip
Bad packet length 1952605032.
ssh_dispatch_run_fatal: Connection to ip port 22: message authentication code incorrect

$ ssh ip
Unable to negotiate with ip port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

$ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 ip
Unable to negotiate with ip port 22: no matching host key type found. Their offer: ssh-rsa
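
The "Unable to negotiate" errors in the comment above each name the algorithm the phone offers. As an added example (not part of the original post or its comments), this Python helper turns such error lines into an ssh_config stanza scoped to one host, so the legacy algorithms are enabled for that device only and not for every connection. The alias `phone-9971` and the address `192.0.2.10` are placeholders; further mismatches, such as cipher or MAC, are reported by the client in the same form and are handled by the same mapping.

```python
import re

# OpenSSH client negotiation errors and the ssh_config keyword governing each.
KEYWORDS = {
    "no matching key exchange method found": "KexAlgorithms",
    "no matching host key type found": "HostKeyAlgorithms",
    "no matching cipher found": "Ciphers",
    "no matching MAC found": "MACs",
}
PATTERN = re.compile(
    r"Unable to negotiate with \S+ port \d+: (.+?)\. Their offer: (\S+)")

# Error lines as quoted in the comment above ("ip" is the commenter's placeholder).
ERRORS = """\
Unable to negotiate with ip port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
Unable to negotiate with ip port 22: no matching host key type found. Their offer: ssh-rsa
"""

def offers(text):
    """Map ssh_config keyword -> algorithms the server offered (ordered, unique)."""
    found = {}
    for reason, offer in PATTERN.findall(text):
        keyword = KEYWORDS.get(reason)
        if keyword is None:
            continue  # unrecognised reason: leave it for manual review
        algorithms = found.setdefault(keyword, [])
        for name in offer.split(","):
            if name not in algorithms:
                algorithms.append(name)
    return found

def host_stanza(alias, address, text):
    """Build a Host block; the '+' prefix appends to the client's defaults."""
    lines = [f"Host {alias}", f"    HostName {address}"]
    for keyword, algorithms in offers(text).items():
        lines.append(f"    {keyword} +{','.join(algorithms)}")
    return "\n".join(lines)

if __name__ == "__main__":
    # Alias and address are placeholders (assumptions), not values from the page.
    print(host_stanza("phone-9971", "192.0.2.10", ERRORS))
```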