Sip Digest MD5 syntax problem

[sakas23]

Hello community,

I try to create a SIP Digest Authenticaiton MD5 hash to crack it with hashcat, but there seems to be a problem.

Below is an attachment of register packet from wireshark.

So the hash i created with these details is :

$sip$*sip:192.168.0.38**Renia*asterisk*REGISTER*sip*sip:192.168.0.38**61b3081d****MD5*e50978c1b8c8cc4d0c78988690ed461e

The nonce and response values are different. I was making some other tries.

The command i am running in hashcat is : hashcat64.exe -a 0 - m 11400 hash.txt dictionary.txt

where dictionary is the file which contains the cracked password.

The hashcat's output is : "Approaching final keyspace - workload adjusted."

My question is if iam doing something wrong or what do i have to add to the hash?

Note: some white gaps in the pictures are because it is my public ip.

Thanks in advance.

[undeath]

you need to remove the "sip:" from "sip:192.168.0.38". That may or may not be all that is wrong. Besides that, it's a little suspicious that the second variable is empty.

[sakas23]

you need to remove the "sip:" from "sip:192.168.0.38". That may or may not be all that is wrong. Besides that, it's a little suspicious that the second variable is empty.

Hello undeath,

Thank you for your response.

I tried without sip and it didnt work.

I also tried to make my network not to access the internet, to have only local ips to try again.

In addition, i noticed that in the wireshark packet, in the section uri=sip:... it exists also ";transport=UDP". Dont know if it is important or not.

Also i am trying to find the correct format for the sip hash method for hashcat.

Thanks in advance.

[philsmd]

1. the forum rules make it very clear that you shouldn't post hashes. it's even worse that you didn't mention the password and if you know the pass of this hash (we also do not know if the hash is manipulated/modified)
2. the hash format is explained very well and was already mentioned a couple of times on this forum too: https://hashcat.net/forum/thread-6571-po...l#pid34996 , https://hashcat.net/forum/thread-7054-po...l#pid37748 etc
3. there are example hashes: https://hashcat.net/wiki/example_hashes

[sakas23]

1. the forum rules make it very clear that you shouldn't post hashes. it's even worse that you didn't mention the password and if you know the pass of this hash (we also do not know if the hash is manipulated/modified)
2. the hash format is explained very well and was already mentioned a couple of times on this forum too: https://hashcat.net/forum/thread-6571-po...l#pid34996 , https://hashcat.net/forum/thread-7054-po...l#pid37748 etc
3. there are example hashes: https://hashcat.net/wiki/example_hashes

Hello philsmd,

I am really sorry i didnt know that.

I am just doing some tests in my local network and I am a little bit desparate finding a solution to this problem.

I've tried some combinations, but unfortunately i cant make it work.

Could you please give me an idea how to find a solution?

Thanks in advance.

[philsmd]

1. generate a hash for which you know the password
2. try to compare it with the example hash from https://hashcat.net/wiki/example_hashes (it is very similar: SIP and register method and using asterisk)
3. the example hash is using both IPs (from server and client), your example does not. why not troubleshoot this possibility ? undeath is for sure right that sip:IP makes no sense, they are 2 different fields (see example hash)

[philsmd]

update: the password seems to be "1234"

the hash is using $sip$***Renia*asterisk*REGISTER*sip*192.168.0.38;transport=UDP**2bf3223e****MD5*f7b5xxx

[sakas23]

update: the password seems to be "1234"

the hash is using $sip$***Renia*asterisk*REGISTER*sip*192.168.0.38;transport=UDP**2bf3223e****MD5*f7b5xxx

WOW,

Phil really??

So the hash is like you posted?

Could you please explain where did you put each element and the format in general??

God bless you

[philsmd]

problem solved (as per PM from sakas23).

the hashes are just:
$sip$***Renia*asterisk*REGISTER*sip*192.168.0.38;transport=UDP**2bf3223e****MD5*f7b531XXX

and

$sip$***Renia*asterisk*REGISTER*sip*192.168.0.38;transport=UDP**61b3081d****MD5*e50978XXX

with the XXX replaced with the rest of the MD5 digest. the password is 1234 for both.

The only special thing here is the appended ";transport=UDP" within the URI.

The format itself was already explained dozens of times on github/forum etc and is just:

Code:

$sip$*[URI_SERVER]*[URI_CLIENT]*[USERNAME]*[REALM]*[METHOD]*[URI_PREFIX]*[URI_RESOURCE]*[URI_SUFFIX]*[NONCE_SERVER]*[NONCE_CLIENT]*[NONCE_COUNT]*[QOP]*[DIRECTIVE]*[MD5]

it depends a lot on the application (asterisk, web auth etc) which fields are used by the "server" in calculating the digest. It's NOT always the same. for instance somtimes the client IP/URI Is important and used to calculate the digest, sometimes in other applications it's ignored. It depends.

remember to not post hashes (and mask them with XXX if the admin/moderator explicitly asks for a masked hash): https://hashcat.net/forum/announcement-2.html
do not waste the times of others to "crack" the hashes. just tell them the (example) password immediately (again, after you got a confirmation by an admin/moderator that you should provide an example with known password).

I will close this thread, since solved