sipcrack
Notes
SIPcrack is a suite for sniffing and cracking the digest authentication used in the SIP protocol.
The tools support pcap files, wordlists and more, to extract all the needed information and bruteforce the passwords of the sniffed accounts.
SIPcrack contains two programs: sipdump, to capture the digest authentication, and sipcrack, to bruteforce the hash using a wordlist or standard input. sipdump dumps SIP digest authentications. If a login is found, the sniffed login is written to the dump file. See 'sipdump -h' for options.
sipcrack bruteforces the user's password using the dump file generated by sipdump. If a password is found, the sniffed and cracked login is updated in the dump file. See 'sipcrack -h' for options.
Help Text
SIPcrack 0.2 ( MaJoMu | www.codito.de )
----------------------------------------
Usage: sipcrack [OPTIONS] [ -s | -w <wordlist> ] <dump file>
<dump file> = file containing logins sniffed by SIPdump
Options:
-s = use stdin for passwords
-w wordlist = file containing all passwords to try
-p num = print cracking process every n passwords (for -w)
(ATTENTION: slows down heavily)
* Either -w <wordlist> or -s has to be given
Example Usage
Use sipdump to dump SIP digest authentications to a file. If a login is found, the sniffed login is written to the dump file.
Use sipcrack to bruteforce the user password using the dump file generated by sipdump. If a password is found, the sniffed login in the dump file is updated.
Example from aldeid
Capturing the traffic
Let's capture the traffic using tcpdump:
$ tcpdump -s0 -w sip.pcap tcp or udp
Isolating the login
sipdump is a tool shipped with SIPcrack. It detects the SIP login in a related traffic capture file.
$ cd ~/src/SIPcrack-0.3pre/
$ ./sipdump -p ~/tmp/sip.pcap logins.dump
SIPdump 0.3pre ( MaJoMu | www.codito.de )
---------------------------------------
* Using pcap file '../../tmp/sip.pcap' for sniffing
* Starting to sniff with packet filter 'tcp or udp'
* Dumped login from 212.27.52.5 -> 192.168.1.29 (User: '0950236158')
* Exiting, sniffed 1 logins
$ cat logins.dump
192.168.1.29"212.27.52.5"0950236158"freephonie.net"BYE"sip:172.17.20.241:5062"04cd38e646e760da129f99fa734ac1e4""""MD5"dc59445f8ef78a615a2ad4d57835a383
As you can see from the line above, the login appears in clear, and the password only as an MD5 digest response (computed from the password, realm, nonce, method and URI), which is what makes offline guessing possible.
Notice that we could also have used tshark to obtain the same result:
$ tshark -r sip.pcap -Tfields -e sip.auth | grep username
Proxy-Authorization: Digest username=\"0950236158\",realm=\"freephonie.net\",
nonce=\"04cd38e646e760da129f99fa734ac1e4\",uri=\"sip:0950236158@freephonie.net\",
response=\"dc59445f8ef78a615a2ad4d57835a383\",algorithm=MD5,
opaque=\"04cc3f555880bdf\"\x0d\x0a
Proxy-Authorization: Digest username=\"0950236158\",realm=\"freephonie.net\",
nonce=\"04cd38e646e760da129f99fa734ac1e4\",uri=\"sip:172.17.20.241:5062\",
response=\"dc59995a8eb78f605a2ad5d57835a383\",algorithm=MD5,
opaque=\"04cd38e646e760\"\x0d\x0a
Cracking the password
sipcrack is dictionary-based. For the example, we have built a small wordlist that contains our password.
$ cat ~/exploits/dictionaries/test.txt
azerty
elephant
test
password
admin
password01
Password01
507ZEy@l
oops
oopsoops
cat
dog7
monster
$ ./sipcrack -w ~/exploits/dictionaries/test.txt logins.dump
SIPcrack 0.3pre ( MaJoMu | www.codito.de )
----------------------------------------
* Found Accounts:
Num Server Client User Hash|Password
1 192.168.1.29 212.27.52.5 0950236158 dc59495f8eb78a605a2ad5d57835a383
* Select which entry to crack (1 - 1): 1
* Generating static MD5 hash... 04cd38e646e760da129f99fa734ac1e4
* Starting bruteforce against user '0950236158' (MD5: 'dc59445f8ef78a615a2ad4d57835a383')
* Loaded wordlist: '~/exploits/dictionaries/test.txt'
* Starting bruteforce against user '0950236158' (MD5: 'dc59445f8ef78a615a2ad4d57835a383')
* Tried 10 passwords in 0 seconds
* Found password: '507ZEy@l'
* Updating dump file 'logins.dump'... done
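To make the dump line and the "Hash|Password" column above concrete, here is an added Python example (not part of SIPcrack or the aldeid article) that parses the sipdump line format and recomputes the RFC 2617 digest response for a known password. This is the same computation a SIP registrar performs to verify a request, and it shows why a sniffed response can be checked offline; the field order, the qop=auth branch and the sample values are assumptions.

```python
import hashlib

# Field order of one sipdump line (fields separated by '"'), reconstructed from
# the captured line shown above (assumed; cnonce, nc and qop are empty when the
# client did not send them).
DUMP_FIELDS = ("server", "client", "user", "realm", "method", "uri", "nonce",
               "cnonce", "nc", "qop", "algorithm", "response")


def parse_dump_line(line):
    """Split one sipdump line into a dict keyed by DUMP_FIELDS."""
    parts = line.strip().split('"')
    if len(parts) != len(DUMP_FIELDS):
        raise ValueError("unexpected field count: %d" % len(parts))
    return dict(zip(DUMP_FIELDS, parts))


def _md5(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(entry, password):
    """RFC 2617 digest response for the captured request, given a password.
    HA1 = MD5(user:realm:password), HA2 = MD5(method:uri). Without qop the
    response is MD5(HA1:nonce:HA2); with qop, nc/cnonce/qop are mixed in."""
    ha1 = _md5("%s:%s:%s" % (entry["user"], entry["realm"], password))
    ha2 = _md5("%s:%s" % (entry["method"], entry["uri"]))
    if entry["qop"]:
        return _md5(":".join([ha1, entry["nonce"], entry["nc"],
                              entry["cnonce"], entry["qop"], ha2]))
    return _md5("%s:%s:%s" % (ha1, entry["nonce"], ha2))


def password_matches(entry, password):
    """True if `password` reproduces the sniffed response (one sipcrack trial)."""
    return digest_response(entry, password) == entry["response"].lower()


# Constructed sample line: addresses, user and nonce are made up, and the
# response is computed here for the invented password "Example!Pass".
_fields = {
    "server": "192.0.2.10", "client": "192.0.2.20", "user": "1001",
    "realm": "lab.example", "method": "REGISTER", "uri": "sip:lab.example",
    "nonce": "0123456789abcdef0123456789abcdef", "cnonce": "", "nc": "",
    "qop": "", "algorithm": "MD5",
}
_fields["response"] = digest_response(_fields, "Example!Pass")
SAMPLE_LINE = '"'.join(_fields[f] for f in DUMP_FIELDS)
```

Note that nothing in the dump line protects the response beyond the password's own strength: the nonce and URI are sent in clear, so transport protection (TLS/SIPS) is what keeps the exchange from being captured in the first place.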