Penetration Testing mailing list archives

RE: SIP Digest Authentication


From: Bassem Ammar <basem () live ru>
Date: Sun, 2 Oct 2011 01:35:26 +0200


Hi Jason,

Both sipdump and sipcrack need sniffed captured data. The info below was not sniffed from the network. Or can you help me if sipdump/sipcrack can do this?

Subject: Re: SIP Digest Authentication
From: justiceguy () pobox com
Date: Sat, 1 Oct 2011 14:22:45 -0500
CC: pen-test () securityfocus com
To: basem () live ru

Bassem,

Try sipdump/sipcrack tool.

Jason
On Sep 30, 2011, at 11:02 PM, Bassem Ammar wrote:


Hi,

How can I get the SIP password if I have the following:

1- SIP user which is used in Digest Authorization
2- realm name
3- nonce
4- uri
5- response
6- cnonce
7- REGISTERED captured messages

As I know, this should be

{HA1} ={MD5}{A1}={MD5}{username}{realm}{password} 
{HA2} ={MD5}{A2}={MD5}{method}:{digestURI}
response=MD5{HA1}{nonce}{HA2}

but I can't find any free script or tool to get it and am working on it, so are there any ideas how to break the SIP digest information leakage and the appropriate tool for this except Immunity CANVAS?

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB 
CPT and CEPT certs require a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------
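
For reference, the digest computation this thread asks about, written from the server side as an added example (not part of the original posts and not code from sipdump/sipcrack). SIP reuses HTTP Digest from RFC 2617, so the check is exercised with that RFC's own sample values; all function and variable names are illustrative.

```python
import hashlib
import hmac


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def compute_ha1(username: str, realm: str, password: str) -> str:
    # HA1 = MD5(username ":" realm ":" password). A registrar can store
    # this value instead of the clear-text password.
    return md5_hex(f"{username}:{realm}:{password}")


def expected_response(ha1, method, uri, nonce, qop=None, nc=None, cnonce=None):
    # HA2 = MD5(method ":" digest-uri); for SIP the method is e.g. REGISTER.
    ha2 = md5_hex(f"{method}:{uri}")
    if qop is None:
        # Legacy RFC 2069 form: no cnonce or nonce count in the hash.
        return md5_hex(f"{ha1}:{nonce}:{ha2}")
    if qop != "auth":
        raise ValueError("this example handles only qop=auth")
    if not nc or not cnonce:
        raise ValueError("qop=auth requires nc and cnonce")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def verify(ha1: str, method: str, fields: dict) -> bool:
    # fields: parsed parameters of the Authorization header.
    want = expected_response(ha1, method, fields["uri"], fields["nonce"],
                             fields.get("qop"), fields.get("nc"),
                             fields.get("cnonce"))
    # Constant-time comparison of the two hex strings.
    return hmac.compare_digest(want, fields["response"].lower())


# Sample values published in RFC 2617 section 3.5 (an HTTP GET, not SIP).
RFC2617_FIELDS = {
    "uri": "/dir/index.html",
    "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093",
    "qop": "auth",
    "nc": "00000001",
    "cnonce": "0a4f113b",
    "response": "6629fae49393a05397450978507c4ef1",
}
RFC2617_HA1 = compute_ha1("Mufasa", "testrealm@host.com", "Circle Of Life")

if __name__ == "__main__":
    print(verify(RFC2617_HA1, "GET", RFC2617_FIELDS))
```

In a SIP REGISTER the method is `REGISTER` and the uri is the `sip:` request URI. Every input except the password travels in the message itself, so the response protects the password only as far as the password resists guessing.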



