09-01-2024, 11:54 AM
Hello everyone:
I am capturing data from the registration process of my router to my provider's SIP server. The provider does not deliver the data to the end users. I think I have obtained everything I need except for the password, which I am trying to obtain by brute force, knowing from other clients of the same provider that 8-character passwords are used and are made up of capital letters and numeric digits.
The data obtained in two readings with Wireshark has been (I have replaced some characters with XXX in sensitive data or hashes):
CAPTURE 1:
---------------
[truncated]Authorization: Digest username="e34XXXXXX023@ims.masmovil.com",realm="ims.mnc004.mcc214.3gppnetwork.org",nonce="811B2C4A88BXXXXXXXX00000C99A9A34",uri="sip:ims.masmovil.com",response="3edfbe32000eXXXXXXXXf6035ba8cc89",algorithm=MD5,cnonce="52XXXX95",qop=auth,nc=00000002
Authentication Scheme: Digest
Username: "e34XXXXXX023@ims.masmovil.com"
Realm: "ims.mnc004.mcc214.3gppnetwork.org"
Nonce Value: "811B2C4A88BXXXXXXXX00000C99A9A34"
Authentication URI: "sip:ims.masmovil.com"
Digest Authentication Response: "3edfbe32000eXXXXXXXXf6035ba8cc89"
Algorithm: MD5
CNonce Value: "52XXXX95"
QOP: auth
Nonce Count: 00000002
CAPTURE 2:
---------------
[truncated]Authorization: Digest username="e34XXXXXX023@ims.masmovil.com",realm="ims.mnc004.mcc214.3gppnetwork.org",nonce="3184B77FE5XXXXXXXX00000010DA6241",uri="sip:ims.masmovil.com",response="417c098d315XXXXXXXX53260ff7c5f19",algorithm=MD5,cnonce="6bXXXX67",qop=auth,nc=00000002
Authentication Scheme: Digest
Username: "e34XXXXXX023@ims.masmovil.com"
Realm: "ims.mnc004.mcc214.3gppnetwork.org"
Nonce Value: "3184B77FE5XXXXXXXX00000010DA6241"
Authentication URI: "sip:ims.masmovil.com"
Digest Authentication Response: "417c098d315XXXXXXXX53260ff7c5f19"
Algorithm: MD5
CNonce Value: "6bXXXX67"
QOP: auth
Nonce Count: 00000002
And my hash.txt file contains the following:
$sip$***e34XXXXXX023@ims.masmovil.com*ims.mnc004.mcc214.3gppnetwork.org*REGISTER*sip*ims.masmovil.com**811B2C4A88BXXXXXXXX00000C99A9A34*52XXXX95*00000002*auth*MD5*3edfbe32000eXXXXXXXXf6035ba8cc89
$sip$***e34XXXXXX023@ims.masmovil.com*ims.mnc004.mcc214.3gppnetwork.org*REGISTER*sip*ims.masmovil.com**3184B77FE5XXXXXXXX00000010DA6241*6bXXXX67*00000002*auth*MD5*417c098d315XXXXXXXX53260ff7c5f19
The command with which I execute hashcat 6.2.6 is:
hashcat -a 3 -m 11400 -o output.txt hash.txt ?1?1?1?1?1?1?1?1 -1 ?u?d
Well, the process ends and does not obtain the password.
Any ideas?
Thank you very much.
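For reference, the computation behind the `response` field in the captures above (RFC 2617 digest, which SIP reuses), as an added example that is not part of the original post: it parses a Digest header and checks it against a known password, which confirms that username, realm, method, URI, nonce, cnonce and nc were extracted correctly. The function names are this example's own, and the embedded header is the published RFC 2617 test vector, not data from the capture.

```python
import hashlib
import hmac
import re

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def parse_digest_header(value):
    """Split a 'Digest k="v",k=v,...' Authorization value into a dict."""
    scheme, _, params = value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest Authorization header")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^\s,]+))', params)
    return {key.lower(): quoted or token for key, quoted, token in pairs}

def digest_response(f, method, password):
    """RFC 2617 response for algorithm=MD5, with qop=auth or without qop."""
    if f.get("algorithm", "MD5").upper() != "MD5":
        raise ValueError("only algorithm=MD5 is handled here")
    ha1 = md5_hex(f"{f['username']}:{f['realm']}:{password}")
    ha2 = md5_hex(f"{method}:{f['uri']}")  # method of the request carrying the header
    qop = f.get("qop")
    if qop is None:
        return md5_hex(f"{ha1}:{f['nonce']}:{ha2}")
    if qop != "auth":
        raise ValueError("only qop=auth is handled here")
    return md5_hex(f"{ha1}:{f['nonce']}:{f['nc']}:{f['cnonce']}:{qop}:{ha2}")

def header_matches(value, method, password):
    """True if the header's response field is what this password produces."""
    f = parse_digest_header(value)
    expected = digest_response(f, method, password)
    return hmac.compare_digest(expected, f["response"].lower())

# Published test vector from RFC 2617 section 3.5 (HTTP GET, password "Circle Of Life").
RFC2617_HEADER = (
    'Digest username="Mufasa", realm="testrealm@host.com", '
    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", '
    'qop=auth, nc=00000001, cnonce="0a4f113b", '
    'response="6629fae49393a05397450978507c4ef1"'
)

if __name__ == "__main__":
    print(header_matches(RFC2617_HEADER, "GET", "Circle Of Life"))
    print(header_matches(RFC2617_HEADER, "GET", "circle of life"))
```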