hashcat Forum
SIP (MD5) - Printable Version

+- hashcat Forum (https://hashcat.net/forum)
+-- Forum: Deprecated; Ancient Versions (https://hashcat.net/forum/forum-46.html)
+--- Forum: Feature Requests (https://hashcat.net/forum/forum-7.html)
+--- Thread: SIP (MD5) (/thread-1455.html)

SIP (MD5) - m-i-k-e-e - 08-13-2012


would it be possible to include an option to crack SIP MD5 passwords?
There are already some tools to do that but it can't use GPU. So here is the source code: http://www.darknet.org.uk/2008/08/sipcrack-sip-login-dumper-hashpassword-cracker/.

And here is the info how to generate SIP MD5 hash:


Thank you very much,


RE: SIP (MD5) - atom - 08-13-2012

that should be easy to add in hashcat cpu. can we please have some example real-world hashes?

RE: SIP (MD5) - ShArkY_ - 08-18-2012

This would be a very nice feature to have. Atom: I suppose you mean hashcat gpu. Anyway.. I will add some examples later tonight

RE: SIP (MD5) - atom - 08-19-2012

Lets start with CPU first Smile

RE: SIP (MD5) - quentusrex - 08-31-2012

This would be an awesome feature. Here is a sample hash:
Authorization: Digest username="ktxrk56yevb52dg4", realm="", nonce="f9230a7f-77e0-426e-83c4-cf3ffd9315a7", qop=auth, cnonce="prNDNtHQotLf1Vp", nc=00000103, uri="sip:", response="3b1c269c6e13644538304b6a8e5626ff", algorithm=MD5, password="y7zwayvt94pu4jc8"

which would be:

str1 = MD5("ktxrk56yevb52dg4:")
str2 = MD5("REGISTERConfusedip:")

final = MD5("$str1:f9230a7f-77e0-426e-83c4-cf3ffd9315a7:$str2")

Actually there are two forms of digest auth for sip. One that includes cnonce and one that doesn't. See the description here:

It turns out my example is of the type that does use cnonce.

The perl script to compute the 'qop' version of the sip digest is as follows:

use Digest::MD5 qw(md5_hex);

my $str1 = "ktxrk56yevb52dg4:";
my $str2 = "REGISTERConfusedip:";
my $nonce = ":f9230a7f-77e0-426e-83c4-cf3ffd9315a7:00000103:prNDNtHQotLf1Vp:auth:";

print md5_hex(md5_hex($str1) . $nonce . md5_hex($str2)) . "\n";

RE: SIP (MD5) - Incisive - 08-31-2012

It looks like SIP has at least two places that use MD5 digest:
One of which is in the password storage on disk on the SIP server - that's the MD5(username:domain:password).

The other place is during the in-flight network operations, and that, I think, is what quentusrex was referring to, since he was mentioning the nonce/salt and two md5 operations.

SIP password storage from one vendor, under a1-hash
of which the most relevant part is:
openssl dgst -md5 < filename, or echo -n "username:domain:password" | openssl dgst -md5.

Additional guidance on the in-flight MD5 use may be found at:

I don't have FreeSwitch running, but when I have a test install, I'll generate some test samples.