Help to create the correct hash format for MD5 SIP digest 11400 attack
#1
Hello everyone:

I am capturing data from the registration process of my router to my provider's SIP server. The provider does not deliver the data to the end users. I think I have obtained everything I need except for the password, which I am trying to obtain by brute force, knowing from other clients of the same provider that 8-character passwords are used and are made up of capital letters and numeric digits.

The data obtained in two readings with Wireshark has been (I have replaced some characters with XXX in sensitive data or hashes):

CAPTURE 1:
---------------
[truncated]Authorization: Digest username="e34XXXXXX023@ims.masmovil.com",realm="ims.mnc004.mcc214.3gppnetwork.org",nonce="811B2C4A88BXXXXXXXX00000C99A9A34",uri="sip:ims.masmovil.com",response="3edfbe32000eXXXXXXXXf6035ba8cc89",algorithm=MD5,cnonce="52XXXX95",qop=auth,nc=00000002
    Authentication Scheme: Digest
    Username: "e34XXXXXX023@ims.masmovil.com"
    Realm: "ims.mnc004.mcc214.3gppnetwork.org"
    Nonce Value: "811B2C4A88BXXXXXXXX00000C99A9A34"
    Authentication URI: "sip:ims.masmovil.com"
    Digest Authentication Response: "3edfbe32000eXXXXXXXXf6035ba8cc89"
    Algorithm: MD5
    CNonce Value: "52XXXX95"
    QOP: auth
    Nonce Count: 00000002

CAPTURE 2:
---------------
[truncated]Authorization: Digest username="e34XXXXXX023@ims.masmovil.com",realm="ims.mnc004.mcc214.3gppnetwork.org",nonce="3184B77FE5XXXXXXXX00000010DA6241",uri="sip:ims.masmovil.com",response="417c098d315XXXXXXXX53260ff7c5f19",algorithm=MD5,cnonce="6bXXXX67",qop=auth,nc=00000002
    Authentication Scheme: Digest
    Username: "e34XXXXXX023@ims.masmovil.com"
    Realm: "ims.mnc004.mcc214.3gppnetwork.org"
    Nonce Value: "3184B77FE5XXXXXXXX00000010DA6241"
    Authentication URI: "sip:ims.masmovil.com"
    Digest Authentication Response: "417c098d315XXXXXXXX53260ff7c5f19"
    Algorithm: MD5
    CNonce Value: "6bXXXX67"
    QOP: auth
    Nonce Count: 00000002



And my hash.txt file contains the following:

$sip$***e34XXXXXX023@ims.masmovil.com*ims.mnc004.mcc214.3gppnetwork.org*REGISTER*sip*ims.masmovil.com**811B2C4A88BXXXXXXXX00000C99A9A34*52XXXX95*00000002*auth*MD5*3edfbe32000eXXXXXXXXf6035ba8cc89
$sip$***e34XXXXXX023@ims.masmovil.com*ims.mnc004.mcc214.3gppnetwork.org*REGISTER*sip*ims.masmovil.com**3184B77FE5XXXXXXXX00000010DA6241*6bXXXX67*00000002*auth*MD5*417c098d315XXXXXXXX53260ff7c5f19


The command with which I execute hashcat 6.2.6 is:
hashcat -a 3 -m 11400 -o output.txt hash.txt ?1?1?1?1?1?1?1?1 -1 ?u?d

Well, the process ends and does not obtain the password.

Any ideas?

Thank you very much.
#2
The provider changed the password format from "upper + digits" to "upper + lower + digits".

I got my SIP account password with:

hashcat -a 3 -m 11400 -o output.txt hash.txt ?1?1?1?1?1?1?1?1 -1 ?u?d?l
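Added example, not part of either post: a format self-check that builds a $sip$ line from an Authorization: Digest header, using the field layout of the hash.txt lines in post #1, and recomputes the RFC 2617 response from the line's own fields for a password you already know. The account values, TEST_PW and all function names are constructed for illustration.

```python
import hashlib
import re

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce, nc="", cnonce="", qop=""):
    """RFC 2617 digest response (algorithm=MD5); empty qop gives the legacy form."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    if qop:
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def parse_authorization(header):
    """Return the key=value parameters of an 'Authorization: Digest ...' header."""
    params = header.split("Digest", 1)[1]
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]*))', params)
    return {key: quoted or bare for key, quoted, bare in pairs}

def to_sip_line(p, method="REGISTER"):
    """Build the 15-field $sip$ line in the layout used in post #1."""
    prefix, resource, suffix = (p["uri"].split(":", 2) + ["", ""])[:3]
    fields = ["$sip$", "", "", p["username"], p["realm"], method, prefix, resource,
              suffix, p["nonce"], p.get("cnonce", ""), p.get("nc", ""),
              p.get("qop", ""), p.get("algorithm", "MD5"), p["response"].lower()]
    return "*".join(fields)

def line_matches(line, password):
    """Recompute the response from the line's own fields and compare."""
    f = line.split("*")
    if len(f) != 15 or f[0] != "$sip$":
        raise ValueError("expected 15 '*'-separated fields starting with $sip$")
    uri = ":".join(x for x in f[6:9] if x)  # prefix:resource[:suffix]
    got = digest_response(f[3], f[4], password, f[5], uri, f[9], f[11], f[10], f[12])
    return got == f[14].lower()

# Constructed test account and header (not values from the thread).
TEST_PW = "K7Q2M9XA"
_p = dict(username="alice@example.test", realm="example.test", uri="sip:example.test",
          nonce="0123456789ABCDEF", cnonce="1a2b3c4d", nc="00000002", qop="auth")
_p["response"] = digest_response(_p["username"], _p["realm"], TEST_PW, "REGISTER",
                                 _p["uri"], _p["nonce"], _p["nc"], _p["cnonce"], _p["qop"])
HEADER = "Authorization: Digest " + ",".join(
    f'{k}={v}' if k in ("qop", "nc") else f'{k}="{v}"' for k, v in _p.items()) + ",algorithm=MD5"
LINE = to_sip_line(parse_authorization(HEADER))
```

If line_matches returns True for a known password, the line's field order and URI split are sound, which leaves the candidate character set as the remaining variable, as it was in this thread.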