Please note, this is a STATIC archive of website hashcat.net from 08 Oct 2020, cach3.com does not collect or store any user information, there is no "phishing" involved.

hashcat Forum

hashcat Forum > Deprecated; Ancient Versions > Feature Requests > SIP (MD5)
Full Version: SIP (MD5)
You're currently viewing a stripped down version of our content. View the full version with proper formatting.

m-i-k-e-e

08-13-2012, 08:51 AM
Hi,

would it be possible to include an option to crack SIP MD5 passwords?
There are already some tools to do that but it can't use GPU. So here is the source code: https://www.darknet.org.uk/2008/08/sipcra...d-cracker/.

And here is the info how to generate SIP MD5 hash:

https://bramp.net/blog/2011/09/md5-digest...-with-php/

Thank you very much,

mikee

atom

08-13-2012, 10:41 AM
that should be easy to add in hashcat cpu. can we please have some example real-world hashes?

ShArkY_

08-18-2012, 07:11 PM
This would be a very nice feature to have. Atom: I suppose you mean hashcat gpu. Anyway.. I will add some examples later tonight

atom

08-19-2012, 10:26 AM
Lets start with CPU first Smile

quentusrex

08-31-2012, 07:59 PM
This would be an awesome feature. Here is a sample hash:
Authorization: Digest username="ktxrk56yevb52dg4", realm="192.168.100.21", nonce="f9230a7f-77e0-426e-83c4-cf3ffd9315a7", qop=auth, cnonce="prNDNtHQotLf1Vp", nc=00000103, uri="sip:192.168.100.21:5065", response="3b1c269c6e13644538304b6a8e5626ff", algorithm=MD5, password="y7zwayvt94pu4jc8"

which would be:

str1 = MD5("ktxrk56yevb52dg4:192.168.100.21:y7zwayvt94pu4jc8")
str2 = MD5("REGISTERConfusedip:192.168.100.21:5065")

final = MD5("$str1:f9230a7f-77e0-426e-83c4-cf3ffd9315a7:$str2")
Actually there are two forms of digest auth for sip. One that includes cnonce and one that doesn't. See the description here:
https://en.wikipedia.org/wiki/Digest_acce...entication

It turns out my example is of the type that does use cnonce.
The perl script to compute the 'qop' version of the sip digest is as follows:


use Digest::MD5 qw(md5_hex);

my $str1 = "ktxrk56yevb52dg4:192.168.100.21:y7zwayvt94pu4jc8";
my $str2 = "REGISTERConfusedip:192.168.100.21:5065";
my $nonce = ":f9230a7f-77e0-426e-83c4-cf3ffd9315a7:00000103:prNDNtHQotLf1Vp:auth:";


print md5_hex(md5_hex($str1) . $nonce . md5_hex($str2)) . "\n";

Incisive

08-31-2012, 09:13 PM
It looks like SIP has at least two places that use MD5 digest:
One of which is in the password storage on disk on the SIP server - that's the MD5(username:domain:password).

The other place is during the in-flight network operations, and that, I think, is what quentusrex was referring to, since he was mentioning the nonce/salt and two md5 operations.

SIP password storage from one vendor, under a1-hash
https://wiki.freeswitch.org/wiki/XML_User...tory_Guide
of which the most relevant part is:
openssl dgst -md5 < filename, or echo -n "username:domain:password" | openssl dgst -md5.

Additional guidance on the in-flight MD5 use may be found at:
https://www.sipsorcery.com/mainsite/Help/...rdSecurity

I don't have FreeSwitch running, but when I have a test install, I'll generate some test samples.
hashcat Forum > Deprecated; Ancient Versions > Feature Requests > SIP (MD5)