SIP password brute forcer
This password bruter is intentionally left as simple as possible so it would be trivial to integrate with external utilities. By default single username and hash are probed using list of passwords from supplied file. For cracking multiple hashes from .pcap file in parallel integration with external tools like GNU Parallel and Tshark is required: see examples below.
- all the optimizations first and foremost should go into underlying libraries.
- output format and user interface are not stable yet.
sippass password response method uri username realm nonce [nonce_count] [cnonce] [qop]
Simple usage examples
The following example will reveal for you very secret password of '123456':
sippass password.list 2b567dd47b587955f1a83f60f94138ad REGISTER sip:126.96.36.199 5301 asterisk 39ef13c5
This one will fail to find the password:
sippass password.list 2b567dd47b587955f1a83f60f94138ad REGISTER sip:188.8.131.52 5301 asterisk 39ef13c5 2 aaa qop
The output is in .csv format without header containing following information: username,password,hash,tries,time
- username - user login
- password - the bruteforced password (in double-quotes) or NA if no password was found
- hash - the original response we tried to break
- tries - number of candidate passwords tried during bruteforce
- time - number of seconds (double-precision floating point number with millisecond accuracy) which bruteforce took
Export data from multiple capture files for further analysis (for example with R) or cracking:
env SIPFILTER="my.own.sip.server.mil" DEST="/var/tmp" sipdump.sh log.pcap.*
The latter will suppress all the entries containing the value of SIPFILTER variable as a substring. The resulting .csv files will be placed either at the same location as original .pcap files or in the directory specified by
$DEST variable - make sure permissions allow that. Note the use of sed in the wrapper script to workaround broken tshark escaping. I'd be happy to hear about using better tools for dissecting pcap files. See https://www.wireshark.org/docs/dfref/s/sip.html for more details.
sipflow.sh (which is actually symlink) will similarly dump all the SIP protocol messages related to call flow which might be handy for deeper analysis. Note: for GeoIP to work corresponding databases should be installed and available to tshark (check that ~/.wireshark/geoip_db_paths contains "/usr/share/GeoIP" - the quotes should be included!).
Advanced massive cracking
The following example assumes that your pcap files has been processed and all the relevant information has been extracted into .csv files in the current directory while the list of passwords is located in
/tmp/plist. The results for all the cracking jobs will be saved into the file (GNU Parallel will take care of the boring details of arranging them properly). Note that the very same file (it could be completely different file as well) would be checked for already successfully cracked passwords to avoid repetition of work in case you have to resume previously interrupted cracking session.
env PASSWORDLIST="/tmp/plist" REALMFILTER="my.sip.realm" CRACKRESULT="sipcrack.report" sipcrack.gawk *.csv | parallel --no-notice --gnu >> sipcrack.report
The REALMFILTER can be safely omitted if you don't have to skip requests with a given realm, the CRACKRESULT environment varible can be omitted as well if you do not intend to consider results of previous cracking attempts.
The .pcap file (and corresponding .csv dump) might contain multiple login attempts with different passwords for a given username. By default if any password is already known via CRACKRESULT file than all the entries for that username will be silently skipped. In order to override this policy set environment variable
POLICY=exhaustive - this will force bruteforce for every unknown hash regardless of login.
As an example the following script will generate Asterisk-compatible configuration from the crack result while skipping some logins and using the password from first occurrence of particular login.
env SKIP="user1 user2 user3" SKEL="type=friend host=dynamic dtmfmode=rfc2833 allow=all port=5060 qualify=yes nat=yes disallow=all allow=alaw" sip2ast.gawk sipcrack.report > cracked.conf
Note that it's assumed that user mailbox equals his username. If that's not the case than script should be adjusted accordingly.
- Belle-SIP library
- GNU Parallel
- GNU awk