hashcat Forum

Full Version: SIP (MD5)
Hi,

would it be possible to include an option to crack SIP MD5 passwords?
There are already some tools that do that, but they can't use the GPU. So here is the source code: http://www.darknet.org.uk/2008/08/sipcra...d-cracker/.

And here is the info on how to generate a SIP MD5 hash:

http://bramp.net/blog/2011/09/md5-digest...-with-php/

Thank you very much,

mikee
that should be easy to add in hashcat cpu. can we please have some example real-world hashes?
This would be a very nice feature to have. Atom: I suppose you mean hashcat gpu. Anyway.. I will add some examples later tonight
Let's start with CPU first :)
This would be an awesome feature. Here is a sample hash:
Authorization: Digest username="ktxrk56yevb52dg4", realm="192.168.100.21", nonce="f9230a7f-77e0-426e-83c4-cf3ffd9315a7", qop=auth, cnonce="prNDNtHQotLf1Vp", nc=00000103, uri="sip:192.168.100.21:5065", response="3b1c269c6e13644538304b6a8e5626ff", algorithm=MD5, password="y7zwayvt94pu4jc8"

which would be:

str1 = MD5("ktxrk56yevb52dg4:192.168.100.21:y7zwayvt94pu4jc8")
str2 = MD5("REGISTER:sip:192.168.100.21:5065")

final = MD5("$str1:f9230a7f-77e0-426e-83c4-cf3ffd9315a7:$str2")

Actually there are two forms of digest auth for sip. One that includes cnonce and one that doesn't. See the description here:
http://en.wikipedia.org/wiki/Digest_acce...entication

It turns out my example is of the type that does use cnonce.

The perl script to compute the 'qop' version of the sip digest is as follows:


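use strict;
use warnings;
use Digest::MD5 qw(md5_hex);

my $str1 = "ktxrk56yevb52dg4:192.168.100.21:y7zwayvt94pu4jc8";  # username:realm:password
my $str2 = "REGISTER:sip:192.168.100.21:5065";                  # method:uri
my $nonce = ":f9230a7f-77e0-426e-83c4-cf3ffd9315a7:00000103:prNDNtHQotLf1Vp:auth:";  # :nonce:nc:cnonce:qop:

# response = MD5(MD5(str1) . ":nonce:nc:cnonce:qop:" . MD5(str2))
print md5_hex(md5_hex($str1) . $nonce . md5_hex($str2)) . "\n";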
It looks like SIP has at least two places that use MD5 digest:
One of which is in the password storage on disk on the SIP server - that's the MD5(username:domain:password).

The other place is during the in-flight network operations, and that, I think, is what quentusrex was referring to, since he was mentioning the nonce/salt and two md5 operations.

SIP password storage from one vendor, under a1-hash
http://wiki.freeswitch.org/wiki/XML_User...tory_Guide
of which the most relevant part is:
openssl dgst -md5 < filename, or echo -n "username:domain:password" | openssl dgst -md5.

Additional guidance on the in-flight MD5 use may be found at:
http://www.sipsorcery.com/mainsite/Help/...rdSecurity

I don't have FreeSwitch running, but when I have a test install, I'll generate some test samples.
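
The two digest forms discussed in this thread, as an added example that is not part of any post and not hashcat code: it parses an Authorization header, recomputes the response the way a registrar checks it, and handles both the form with cnonce and the form without. The function names are hypothetical, and the REGISTER method is taken from the thread's str2; Python is used here instead of the thread's Perl.

```python
import hashlib
import hmac
import re

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()

def parse_digest(header: str) -> dict:
    """Split 'Authorization: Digest k="v", k=v, ...' into a dict of fields."""
    fields = header.split("Digest", 1)[1]
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', fields)
    return {key.lower(): quoted or bare for key, quoted, bare in pairs}

def digest_response(username, realm, password, method, uri, nonce,
                    nc=None, cnonce=None, qop=None) -> str:
    ha1 = md5_hex(f"{username}:{realm}:{password}")  # str1 in the thread
    ha2 = md5_hex(f"{method}:{uri}")                 # str2 in the thread
    if qop:  # form with cnonce: HA1:nonce:nc:cnonce:qop:HA2
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")  # form without cnonce

def verify(header: str, method: str, password: str) -> bool:
    """Recompute the response as the server would; compare in constant time."""
    p = parse_digest(header)
    expected = digest_response(p["username"], p["realm"], password, method,
                               p["uri"], p["nonce"],
                               p.get("nc"), p.get("cnonce"), p.get("qop"))
    return hmac.compare_digest(expected, p.get("response", "").lower())

# Header fields copied from the sample posted in the thread; the trailing
# password field is left out because it is not part of a real header.
PAGE_HEADER = (
    'Authorization: Digest username="ktxrk56yevb52dg4", realm="192.168.100.21", '
    'nonce="f9230a7f-77e0-426e-83c4-cf3ffd9315a7", qop=auth, '
    'cnonce="prNDNtHQotLf1Vp", nc=00000103, uri="sip:192.168.100.21:5065", '
    'response="3b1c269c6e13644538304b6a8e5626ff", algorithm=MD5'
)

if __name__ == "__main__":
    # Assumption: the request method was REGISTER, as in the thread's str2.
    fields = parse_digest(PAGE_HEADER)
    print("qop form in use:", bool(fields.get("qop")))
    print("posted password reproduces the response:",
          verify(PAGE_HEADER, "REGISTER", "y7zwayvt94pu4jc8"))
```

The HA1 value computed in `digest_response` is the same MD5(username:domain:password) that the thread describes as the on-disk a1-hash, so a stored a1-hash needs the same protection as the password itself.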