Couldn't make SIP Digest work on hashcat
#1
Hello again,

I tried using hashcat on a SIP Digest Authentication and I haven't managed to make it work on hashcat. I've read the wiki + other posts on the forum doing so. So I tried to pipe a hash whose passphrase I knew, but again, it did not work. To illustrate this, I use here a hash from this tutorial and format it for a hash type input: https://www.aldeid.com/wiki/Crack-VoIP. A friend used this method and it worked for him. I hoped to make it work through hashcat.

Their raw file is :
192.168.1.29"212.27.52.5"0950236158"freephonie.net"BYE"sip:172.17.20.241:5062"04cd38e646e760da129f99fa734ac1e4""""MD5"dc59445f8ef78a615a2ad4d57835a383

hashcat format is :
$sip$*[URI_SERVER]*[URI_CLIENT]*[USERNAME]*[REALM]*[METHOD]*[URI_PREFIX]*[URI_RESOURCE]*[URI_SUFFIX]*[NONCE_SERVER]*[NONCE_CLIENT]*[NONCE_COUNT]*[QOP]*[DIRECTIVE]*[MD5]
--->
$sip$*192.168.1.29*212.27.52.5*0950236158*freephonie.net*BYE*sip*172.17.20.241*5062*04cd38e646e760da129f99fa734ac1e4****MD5*dc59445f8ef78a615a2ad4d57835a383

I tried their way, by dictionary, to get the '507ZEy' password. I also tried very specific masks, but I always got an exhausted status.
This time I don't have any OpenCL warning.

Am I doing something wrong ?
#2
Have you tried cracking the example hash?

Try using the 4.2.0-rc2 version here: https://hashcat.net/beta/
#3
Well, who says that the example and passwords are correct on that page? It could be just a tutorial without a working hash/password.

Indeed, I tried with sipcrack and it doesn't crack with that password.

What is also suspicious is the hashes dc59445f8ef78a615a2ad4... vs dc59495f8eb78a605a2ad5... It really seems that this is a modified hash or something like this. Hashes generally are not that similar; even if you were very lucky, you wouldn't end up with 2 hashes that look almost the same.

I would recommend to just do your own capture or use some examples where at least by following the tutorial you would also get a positive hit (in this case the sipcrack run does not work, at least not on my system).
#4
The actual password noted in the wiki article is "507ZEy@l" but I can't crack the hash with hashcat.
#5
Thank you both for your answers. Actually I think you are right and the displayed passcode is not correct.

I have tried to reproduce the hashcat format of that hash here and it worked :
https://sites.google.com/site/httpbrute/tutorial
--> $sip$*192.168.1.110*192.168.1.110*user151*Apple*REGISTER*sip*192.168.1.110*5060*b57aa7088ae5cac88d298d66f2c809cd****MD5*77795e92300dcc3c2fd974b2b47e5f0c
--> hashcat -m 11400 -a 3 brute_test ?l?l?l?l?d?d?d
[...]
$sip$*192.168.1.110*192.168.1.110*user151*Apple*REGISTER*sip*192.168.1.110*5060*b57aa7088ae5cac88d298d66f2c809cd****MD5*77795e92300dcc3c2fd974b2b47e5f0c:pass151
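
Added example, not part of any post in this thread: a Python sketch that converts a sipdump-style line into the `$sip$` layout quoted in #1 and checks whether one known password reproduces the stored digest, which is a quick way to validate a sample hash/password pair before suspecting the tool. The raw field order is assumed from the sample in #1, the digest computation follows RFC 2617, and the function names are hypothetical.

```python
import hashlib
import hmac

# Values copied from the thread: raw line from #1, working hash from #5.
RAW_POST1 = ('192.168.1.29"212.27.52.5"0950236158"freephonie.net"BYE"'
             'sip:172.17.20.241:5062"04cd38e646e760da129f99fa734ac1e4""""MD5"'
             'dc59445f8ef78a615a2ad4d57835a383')
HASH_POST5 = ("$sip$*192.168.1.110*192.168.1.110*user151*Apple*REGISTER*sip*"
              "192.168.1.110*5060*b57aa7088ae5cac88d298d66f2c809cd****MD5*"
              "77795e92300dcc3c2fd974b2b47e5f0c")

def md5hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()

def to_hashcat(raw_line: str) -> str:
    """Convert one raw line (fields separated by '"') to the $sip$ layout."""
    fields = raw_line.strip().split('"')
    if len(fields) != 12:
        raise ValueError(f"expected 12 fields, got {len(fields)}")
    server, client, user, realm, method, uri, nonce, cnonce, nc, qop, alg, resp = fields
    parts = uri.split(":")
    if len(parts) == 3:            # scheme:host:port
        prefix, resource, suffix = parts
    elif len(parts) == 2:          # scheme:host
        prefix, resource, suffix = parts[0], parts[1], ""
    else:                          # anything else: keep the URI whole
        prefix, resource, suffix = "", uri, ""
    return "$sip$*" + "*".join([server, client, user, realm, method, prefix,
                                resource, suffix, nonce, cnonce, nc, qop, alg, resp])

def check_password(hash_line: str, password: str) -> bool:
    """Recompute the RFC 2617 response for one candidate and compare."""
    f = hash_line.strip().split("*")
    if len(f) != 15 or f[0] != "$sip$":
        raise ValueError("not a 14-field $sip$ line")
    user, realm, method, prefix, resource, suffix = f[3:9]
    nonce, cnonce, nc, qop, directive, expected = f[9:15]
    if directive.upper() != "MD5":
        raise ValueError("only the MD5 directive is handled here")
    uri = ":".join(p for p in (prefix, resource, suffix) if p)
    ha1 = md5hex(f"{user}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    # Without qop the response is MD5(HA1:nonce:HA2); with qop the
    # nonce count, client nonce and qop value are mixed in as well.
    middle = f"{nonce}:{nc}:{cnonce}:{qop}" if qop else nonce
    return hmac.compare_digest(md5hex(f"{ha1}:{middle}:{ha2}"), expected.lower())

if __name__ == "__main__":
    print(to_hashcat(RAW_POST1))
    print(check_password(HASH_POST5, "pass151"))
```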