Jason
On Sep 30, 2011, at 11:02 PM, Bassem Ammar wrote:
>
> HI,
>
> How can i got the SIP password if i have the following
>
> 1- SIP USER which use in Digest Authorization
> 2- realm name
> 3- nonce
> 4- uri
> 5- response
> 6-cnonce
> 7- REGISTERED captured messages
>
> As i know this should be
>
> {HA1} ={MD5}{A1}={MD5}{username}{realm}{password}
> {HA2} ={MD5}{A2}={MD5}{method}:{digestURI}
> response=MD5{HA1}{nonce}{HA2}
>
> but
> i can't find any free script or tool to get it and am working on , so
> is there any ideas how to break the SIP digest information leakage and
> the appropriate tool for this except immunity canvas ?
>
> ------------------------------------------------------------------------
> This list is sponsored by: Information Assurance Certification Review Board
>
> Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.
>
> http://www.iacertification.org
> ------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board
Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.
Try sipdump/sipcrack tool.
Jason
On Sep 30, 2011, at 11:02 PM, Bassem Ammar wrote:
>
> HI,
>
> How can i got the SIP password if i have the following
>
> 1- SIP USER which use in Digest Authorization
> 2- realm name
> 3- nonce
> 4- uri
> 5- response
> 6-cnonce
> 7- REGISTERED captured messages
>
> As i know this should be
>
> {HA1} ={MD5}{A1}={MD5}{username}{realm}{password}
> {HA2} ={MD5}{A2}={MD5}{method}:{digestURI}
> response=MD5{HA1}{nonce}{HA2}
>
> but
> i can't find any free script or tool to get it and am working on , so
> is there any ideas how to break the SIP digest information leakage and
> the appropriate tool for this except immunity canvas ?
>
> ------------------------------------------------------------------------
> This list is sponsored by: Information Assurance Certification Review Board
>
> Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.
>
> http://www.iacertification.org
> ------------------------------------------------------------------------
>
>
------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board
Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.
http://www.iacertification.org
------------------------------------------------------------------------
[ reply ]