Built a little tool called CUCMber to make my life easier when pulling Cisco phone configs!
TrustedSec’s SeeYouCM-Thief research (blog here - https://trustedsec.com/blog/seeyoucm-thief-exploiting-common-misconfigurations-in-cisco-phone-systems) got me hooked on this attack path - I've had a ton of success with it. But at scale, and in some environments, the existing tool gave me some headaches.
So, CUCMber was born. It takes a list of Cisco phones (from gowitness or whatever you’ve got) and scrapes their config files. With any luck, that means creds or initial access.
Repo’s up here: https://github.com/bc0la/cucmber - check it out, break it, let me know what you think!
Takes an input file of Cisco phone IPs (harvested from gowitness, etc.) and attempts to pull the TFTP address and hostname. At the moment, it dumps all found config files in ./output/ for parsing.
Consider `grep -i password` for creds, or grep for userID for user enum.
I'm not sure which models are supported; it may need some tweaking based on your situation.
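
For triaging the dumped configs in ./output/ during an authorized assessment or an internal audit, here is a structured version of the grep above (an added example, not part of CUCMber or the original post). It parses each file as XML, reports populated elements whose tag contains "password" or "userid", and redacts secret values so the report itself is safe to share; the element names in the sample are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Tag names worth reviewing, mirroring the post's `grep -i password` / userID hint.
CRED_TAG = re.compile(r"password|userid", re.IGNORECASE)

def audit_config(xml_data):
    """Return [(tag, kind, shown_value)] for populated credential-like elements."""
    try:
        root = ET.fromstring(xml_data)
    except ET.ParseError:
        return []  # truncated or non-XML download: nothing to report
    findings = []
    for elem in root.iter():
        value = (elem.text or "").strip()
        if value and CRED_TAG.search(elem.tag):
            kind = "secret" if "password" in elem.tag.lower() else "username"
            # Never echo a secret into a report; show only its length.
            shown = f"<redacted, {len(value)} chars>" if kind == "secret" else value
            findings.append((elem.tag, kind, shown))
    return findings

def audit_dir(directory="output"):
    """Map each config file name to its findings; files with none are omitted."""
    report = {}
    for path in sorted(Path(directory).glob("*")):
        if path.is_file():
            hits = audit_config(path.read_bytes())
            if hits:
                report[path.name] = hits
    return report

# Constructed sample config; element names are illustrative, not from a real phone.
SAMPLE = """<device>
  <exampleUserId>svc-phone</exampleUserId>
  <examplePassword>Winter2024!</examplePassword>
  <emptyPassword></emptyPassword>
  <hostname>SEP-CONSTRUCTED</hostname>
</device>"""

if __name__ == "__main__":
    for tag, kind, shown in audit_config(SAMPLE):
        print(f"{kind:8} {tag}: {shown}")
    for name, hits in audit_dir().items():
        print(name, hits)
```

Any file this flags is a phone config carrying a populated credential field, which is the misconfiguration to clean up on the CUCM side.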