HTTP Digest Auth
#1
Hey all,

I have looked but i can't seem to find what I am looking for...if it exists...

Does hashcat have a way to work on http digest auths?

I read things that SIP Digest is basically the same thing..but I can't seem to find out the format to put the information in.  I have the user, realm, nonce, uri, nc, qop, and cnonce and just need to brute force the password.  I have a test python script based on info from (https://hashcat.net/forum/thread-1455.html response #5) and it works for a known password....it's just sooooo slow when looking for a unknown password....

Any help?
Reply
#2
It's hash type -m 11400 = SIP digest authentication (MD5)
The format is:
Quote:$sip$*[URI_SERVER]*[URI_CLIENT]*[USERNAME]*[REALM]*[METHOD]*[URI_PREFIX]*[URI_RESOURCE]*[URI_SUFFIX]*[NONCE_SERVER]*[NONCE_CLIENT]*[NONCE_COUNT]*[QOP]*[DIRECTIVE]*[MD5]
https://github.com/hashcat/hashcat/issue...-277439293

An example can be found here:
https://hashcat.net/wiki/example_hashes
Reply
#3
I am confused what to put for some of the sections.  I only have 1 uri entry to work with for example but there is ALOT of places with uri info in that string.

I have the following:

username
realm
nonce
uri
cnonce
nc
response
qop

That is it.  There are more entries in that example then I have so that was my main question.

Thanks, for the help!
Reply
#4
OK, this is what i have: ($ is my info above in 3rd post)

$sip$***$username*$realm*digest*$uri***$nonce*$cnonce*$nc*$qop*MD5*$response

I have tried many iterations of this but always get the same error:

Hashfile 'camerahash.txt' on line 1 ($sip$*): Salt-length exception

No matter what I put, the error is always ($sip$*WHATEVER IS AFTER THE FIRST STAR)
Reply
#5
Well, i "think" I have the line correct...it runs now anyways  However, it will not crack a known password in my test.

$sip$***$username*$realm*digest**$uri**$nonce*$cnonce*$nc*$qop*MD5*$response

The uri is one star over now and it runs.

Can someone tell me how SIP Digest auth works in hashcat?

Here is my sample python program that works with the data I have:

QUOTE

import hashlib, itertools, sys
 
def gen_passwords(universe,l):
        # use itertools to create a list of all password permutations
        wl = []
        for i in itertools.product(universe,repeat=l):
                wl.append("".join(i))
        return wl
 
def gen_response_unspec(username, password, nonce, realm, uri):
        hash1 = hashlib.md5(username+':'+realm+':'+password).hexdigest()
        hash2 = hashlib.md5('GET:'+uri).hexdigest()
        response = hashlib.md5(hash1+':'+nonce+':'+hash2).hexdigest()
        return response
 
def gen_response_auth(username, password, nonce, realm, uri,nonceCount,clientNonce,qop):
        # this remains the same unless directive is MD5-sess, there is no algorithm directive indicated so MD5 assumed
        hash1 = hashlib.md5(username+':'+realm+':'+password).hexdigest()
        # qop = 'auth' which is default, so this is still good
        hash2 = hashlib.md5('GET:'+uri).hexdigest()
        # qop = 'auth' so this one is different
        response = hashlib.md5(hash1+':'+nonce+':'+nonceCount+':'+clientNonce+':'+qop+':'+hash2).hexdigest()
        return response
 
 
def crack_digest(username):
        if len(sys.argv) < 2:
                wl = gen_passwords("abcdefghijklmnopqrstuvwxyz1234567890",4)
        else:
                wl = [sys.argv[1]]
        # the following is from the pcap
        nonce = ' '
        realm = ' '
        uri = ' '
        nonceCount = ' '
        clientNonce = ' '
        qop = ' '
        for pw in wl:
                response = gen_response_auth(username,pw,nonce,realm,uri,nonceCount,clientNonce,qop)
                print pw," \r",
                if response == ' ':
                        print 'Success!'
                        print 'Username: %s Password: %s'%(username,pw)
                        return
 
crack_digest('username')

END_QUOTE

Is there a way in hashcat to do the above?...or am i looking in the wrong place?

Again, thanks for the help!
Reply
#6
In my opinion it should be very obvious if you know what the HTTP Digest Authentication fields mean and for what they are used for. Anyway here is how you would format it in your *very* specific example (yeah, I agree, the format itself is more flexible to allow a very large set of different applications, including but not limited to SIP/HTTP etc, and therefore someone that has no clue what a nonce, qop, URI etc is, might get confused, but in all other cases it should be very intuitive):
Code:
$sip$***[username]*[realm]*GET*[uri_protocol]*[uri_ip]*[uri_port]*[nonce]*[clientNonce]*[nonceCount]*[qop]*MD5*[response]


the example hash from the example you linked (https://hashcat.net/forum/thread-1455-po...ml#pid8513) for instance should be formated like this:
Code:
$sip$***ktxrk56yevb52dg4*192.168.100.21*REGISTER*sip*192.168.100.21*5065*f9230a7f-77e0-426e-83c4-cf3ffd9315a7*prNDNtHQotLf1Vp*00000103*auth*MD5*3b1c269c6e13644538304b6a8e5626ff

(also note: in this case your python code need to be changed like this: hash2 = hashlib.md5('REGISTER:'+uri).hexdigest() i.e. replace "GET:" -> "REGISTER:")
Reply
#7
Thank you.

I'll be honest, I have a vague understanding of what is going on but the nomenclature I am still learning.  I do appreciate your help and i was able to retrieve the lost password. (employee left and forgot "yea right" the password to all of our security cameras...all 954 of them!!  There was no way we could of manually reset them all.)

I appreciate your patience with this noob :-)
Reply
#8
Hi! Can someone help me plzzzz to make a right hash string for sip? I have next respose from server (redundant strings are deleted):
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Digest realm="Configuration", nonce="some_md5_hash", qop="auth"
Server: lighttpd/1.4.32
and here from request:
GET /monitor.html HTTP/1.1
Authorization: Digest username="root", realm="Configuration", nonce="some_md5_hash", uri="/monitor.html", response="some_md5_hash", qop=auth, nc=00000001, cnonce="some_md5_half_length_hash"

it's my local webserver at 192.168.0.N ip and login:pass is root:12345 I just waana try to understand how make right hash string for hashcat(-m 11400)
Reply