
Integrate SIPcrack 0.4 into JtR. SIPdump.c is still to be integrated.

Signed-off-by: dsk <dhiru.kholia@gmail.com>
1 parent 2895b70 commit 59b94daa7f1ccad1ae2105bd9192672db400c807 @kholia kholia committed Mar 11, 2012
Showing with 395 additions and 0 deletions.
  1. +3 −0 .gitignore
  2. +26 −0 doc/SIPcrack-LICENSE
  3. +227 −0 src/sip_fmt_plug.c
  4. +93 −0 src/sip_fmt_plug.h
  5. +20 −0 src/sipdump2john.py
  6. +20 −0 src/unused/crc32.py
  7. +3 −0 src/unused/sipdump.txt
  8. +3 −0 src/unused/sipdumpjohn.txt
@@ -1 +1,4 @@
*.o
+*.log
+*.pot
+*.rec
@@ -0,0 +1,26 @@
+
+Copyright (c) 2007 Martin J. Muench. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+- Redistribution of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+- Redistribution in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+- Neither the name of the author nor the names of its contributors may
+ be used to endorse or promote products derived from this software without
+ specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS `AS IS''
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
+LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGE.
@@ -0,0 +1,227 @@
+/* SIP cracker patch for JtR. Hacked together during March of 2012 by
+ * Dhiru Kholia <dhiru.kholia at gmail.com> .
+ *
+ * Copyright (C) 2007 Martin J. Muench <mjm@codito.de>
+ * SIP digest authentication password (hash) cracker
+ * See doc/SIPcrack-LICENSE */
+
+#include <openssl/md5.h>
+#include <string.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <assert.h>
+#include <errno.h>
+#include "arch.h"
+#include "crc32.h"
+#include "misc.h"
+#include "common.h"
+#include "formats.h"
+#include "params.h"
+#include "options.h"
+#include "sip_fmt_plug.h"
+
+#define FORMAT_LABEL "sip"
+#define FORMAT_NAME "SIP"
+#define ALGORITHM_NAME "32/" ARCH_BITS_STR
+#define BENCHMARK_COMMENT ""
+#define BENCHMARK_LENGTH -1
+#define PLAINTEXT_LENGTH 32
+#define BINARY_SIZE 16
+#define SALT_SIZE 256
+#define MIN_KEYS_PER_CRYPT 1
+#define MAX_KEYS_PER_CRYPT 1
+
+static struct fmt_tests sip_tests[] = {
+ {"$sip$*192.168.1.111*192.168.1.104*200*asterisk*REGISTER*sip*192.168.1.104*46cce857****MD5*4dfc7515936a667565228dbaa0293dfc", "123456"},
+ {NULL}
+};
+
+static char saved_key[PLAINTEXT_LENGTH + 1];
+unsigned char cracked;
+
+/* Hash */
+MD5_CTX md5_ctx;
+static unsigned char md5_bin_hash[MD5_LEN];
+static char static_hash[MD5_LEN_HEX+1], dynamic_hash[MD5_LEN_HEX+1], final_hash[MD5_LEN_HEX+1];
+static char dynamic_hash_data[DYNAMIC_HASH_SIZE]; /* USER:REALM: */
+static char static_hash_data[STATIC_HASH_SIZE]; /* :nonce:nonce_count:cnonce:qop:static_hash */
+static size_t static_hash_data_len, dynamic_hash_data_len;
+static char bin2hex_table[256][2]; /* table for bin<->hex mapping */
+static login_t *login;
+
+static void init(struct fmt_main *pFmt)
+{
+ /* Init bin 2 hex table for faster conversions later */
+ init_bin2hex(bin2hex_table);
+}
+
+static int valid(char *ciphertext, struct fmt_main *pFmt)
+{
+ return !strncmp(ciphertext, "$sip$", 5);
+}
+
+static void *get_salt(char *ciphertext)
+{
+ return ciphertext;
+}
+
+
+static void set_salt(void *salt)
+{
+ char **lines;
+ int num_lines;
+ char *saltcopy = strdup(salt);
+ char *keeptr = saltcopy;
+ saltcopy += 6; /* skip over "$sip$*" */
+ login = (login_t *)malloc(sizeof(login_t));
+ memset(login, 0, sizeof(login_t));
+ lines = stringtoarray(saltcopy, '*', &num_lines);
+ assert(num_lines == 13);
+ strncpy(login->server, lines[0], sizeof(login->server) - 1 );
+ strncpy(login->client, lines[1], sizeof(login->client) - 1 );
+ strncpy(login->user, lines[2], sizeof(login->user) - 1 );
+ strncpy(login->realm, lines[3], sizeof(login->realm) - 1 );
+ strncpy(login->method, lines[4], sizeof(login->method) - 1 );
+ /* special handling for uri */
+ sprintf(login->uri, "%s:%s", lines[5], lines[6]);
+ strncpy(login->nonce, lines[7], sizeof(login->nonce) - 1 );
+ strncpy(login->cnonce, lines[8], sizeof(login->cnonce) - 1 );
+ strncpy(login->nonce_count, lines[9], sizeof(login->nonce_count) - 1 );
+ strncpy(login->qop, lines[10], sizeof(login->qop) - 1 );
+ strncpy(login->algorithm, lines[11], sizeof(login->algorithm) - 1 );
+ strncpy(login->hash, lines[12], sizeof(login->hash) - 1 );
+ if(strncmp(login->algorithm, "MD5", strlen(login->algorithm))) {
+ printf("\n* Cannot crack '%s' hash, only MD5 supported so far...\n", login->algorithm);
+ exit(-1);
+ }
+
+ /* Generating MD5 static hash: 'METHOD:URI' */
+ MD5_Init(&md5_ctx);
+ MD5_Update(&md5_ctx, (unsigned char*)login->method, strlen( login->method ));
+ MD5_Update(&md5_ctx, (unsigned char*)":", 1);
+ MD5_Update(&md5_ctx, (unsigned char*)login->uri, strlen( login->uri ));
+ MD5_Final(md5_bin_hash, &md5_ctx);
+ bin_to_hex(bin2hex_table, md5_bin_hash, MD5_LEN, static_hash, MD5_LEN_HEX);
+
+ /* Constructing first part of dynamic hash: 'USER:REALM:' */
+ snprintf(dynamic_hash_data, sizeof(dynamic_hash_data), "%s:%s:", login->user, login->realm);
+
+ /* Construct last part of final hash data: ':NONCE(:CNONCE:NONCE_COUNT:QOP):<static_hash>' */
+ /* no qop */
+ if(!strlen(login->qop))
+ snprintf(static_hash_data, sizeof(static_hash_data), ":%s:%s", login->nonce, static_hash);
+ /* qop/conce/cnonce_count */
+ else
+ snprintf(static_hash_data, sizeof(static_hash_data), ":%s:%s:%s:%s:%s",
+ login->nonce, login->nonce_count, login->cnonce,
+ login->qop, static_hash);
+ /* Get lens of static buffers */
+ dynamic_hash_data_len = strlen(dynamic_hash_data);
+ static_hash_data_len = strlen(static_hash_data);
+
+ /* Begin brute force attack */
+#ifdef SIP_DEBUG
+ printf("Starting bruteforce against user '%s' (%s: '%s')\n",
+ login->user, login->algorithm, login->hash);
+#endif
+ cracked = 0;
+ free(keeptr);
+}
+
+static void crypt_all(int count)
+{
+ /* password */
+ char pw[64];
+ size_t pw_len=0;
+ strcpy(pw, saved_key);
+
+ /* Generate dynamic hash including pw (see above) */
+ MD5_Init(&md5_ctx);
+ MD5_Update(&md5_ctx, (unsigned char*)dynamic_hash_data, dynamic_hash_data_len);
+ pw_len = strlen(pw);
+ MD5_Update(&md5_ctx,
+ (unsigned char*)pw,
+ (pw[pw_len-2] == 0x0d ? pw_len-2 : pw[pw_len-1] == 0x0a ? pw_len -1 : pw_len));
+ MD5_Final(md5_bin_hash, &md5_ctx);
+ bin_to_hex(bin2hex_table, md5_bin_hash, MD5_LEN, dynamic_hash, MD5_LEN_HEX);
+
+ /* Generate digest response hash */
+ MD5_Init(&md5_ctx);
+ MD5_Update(&md5_ctx, (unsigned char*)dynamic_hash, MD5_LEN_HEX);
+ MD5_Update(&md5_ctx, (unsigned char*)static_hash_data, static_hash_data_len);
+ MD5_Final(md5_bin_hash, &md5_ctx);
+ bin_to_hex(bin2hex_table, md5_bin_hash, MD5_LEN, final_hash, MD5_LEN_HEX);
+
+ /* Check for match */
+ if(!strncmp(final_hash, login->hash, MD5_LEN_HEX)) {
+ cracked= 1;
+ }
+}
+
+static int cmp_all(void *binary, int count)
+{
+ if(cracked)
+ return 1;
+ return 0;
+}
+
+static int cmp_one(void *binary, int index)
+{
+ return cracked;
+}
+
+static int cmp_exact(char *source, int index)
+{
+ return 1;
+}
+
+static void sip_set_key(char *key, int index)
+{
+ int saved_key_length = strlen(key);
+ memcpy(saved_key, key, saved_key_length);
+ saved_key[saved_key_length] = 0;
+}
+
+static char *get_key(int index)
+{
+ return saved_key;
+}
+
+struct fmt_main sip_fmt = {
+ {
+ FORMAT_LABEL,
+ FORMAT_NAME,
+ ALGORITHM_NAME,
+ BENCHMARK_COMMENT,
+ BENCHMARK_LENGTH,
+ PLAINTEXT_LENGTH,
+ BINARY_SIZE,
+ SALT_SIZE,
+ MIN_KEYS_PER_CRYPT,
+ MAX_KEYS_PER_CRYPT,
+ FMT_CASE | FMT_8_BIT | FMT_OMP,
+ sip_tests
+ }, {
+ init,
+ fmt_default_prepare,
+ valid,
+ fmt_default_split,
+ fmt_default_binary,
+ get_salt,
+ {
+ fmt_default_binary_hash
+ },
+ fmt_default_salt_hash,
+ set_salt,
+ sip_set_key,
+ get_key,
+ fmt_default_clear_keys,
+ crypt_all,
+ {
+ fmt_default_get_hash
+ },
+ cmp_all,
+ cmp_one,
+ cmp_exact
+ }
+};
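Review bot: In set_salt, `sprintf(login->uri, "%s:%s", lines[5], lines[6])` copies two fields of unbounded length from the hash line into `login->uri`, which sip_fmt_plug.h declares as URI_MAXLEN (256) bytes, so an over-long URI field writes past the heap-allocated `login_t`; every other field there is bounded with strncpy. Use `snprintf(login->uri, sizeof(login->uri), "%s:%s", lines[5], lines[6]);` instead. The only guard on the field count is `assert(num_lines == 13)`, which disappears under NDEBUG, while valid() accepts anything that starts with `$sip$`; counting the `*` separators in valid() and rejecting lines that do not have 13 fields would keep malformed input out of set_salt altogether. Separately, crypt_all evaluates `pw[pw_len-2]` with a `size_t` length, so a candidate shorter than two characters indexes far outside `pw`; guard it with `pw_len >= 2 &&` (and `pw_len >= 1 &&` for the 0x0a test). set_salt also allocates `login`, `lines` and each `lines[i]` on every call and frees none of them.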
@@ -0,0 +1,93 @@
+/*
+ * Copyright (C) 2007 Martin J. Muench <mjm@codito.de>
+ *
+ * See doc/SIPcrack-LICENSE */
+
+#ifndef SIP_FMT_PLUG_H
+#define SIP_FMT_PLUG_H
+
+/* sip field sizes */
+#define HOST_MAXLEN 256 /* Max len of hostnames */
+#define USER_MAXLEN 128 /* Max len of user names */
+#define URI_MAXLEN 256 /* Max len of uri */
+#define NONCE_MAXLEN 128 /* Max len of nonce value */
+#define CNONCE_MAXLEN 128 /* Max len for cnonce value */
+#define NONCECOUNT_MAXLEN 8 /* Max len for nonce count */
+#define QOP_MAXLEN 12 /* Max len for qop value */
+#define LOGIN_MAXLEN 1024 /* Max len of login entry */
+#define ALG_MAXLEN 8 /* Max len of algorithm name */
+#define METHOD_MAXLEN 16 /* Max len of method string */
+
+/* Hash stuff */
+#define MD5_LEN 16 /* Len of MD5 binary hash */
+#define MD5_LEN_HEX 32 /* Len of MD5 hex hash */
+#define PW_MAXLEN 32 /* Max len of password */
+
+#define DYNAMIC_HASH_SIZE USER_MAXLEN + HOST_MAXLEN + 3
+#define STATIC_HASH_SIZE NONCE_MAXLEN + CNONCE_MAXLEN + NONCECOUNT_MAXLEN \
+ + QOP_MAXLEN + MD5_LEN_HEX + 6
+
+/* Structure to hold login information */
+typedef struct {
+ char server[HOST_MAXLEN];
+ char client[HOST_MAXLEN];
+ char user[USER_MAXLEN];
+ char realm[HOST_MAXLEN];
+ char method[METHOD_MAXLEN];
+ char uri[URI_MAXLEN];
+ char nonce[NONCE_MAXLEN];
+ char cnonce[NONCE_MAXLEN];
+ char nonce_count[CNONCE_MAXLEN];
+ char qop[QOP_MAXLEN];
+ char algorithm[ALG_MAXLEN];
+ char hash[MD5_LEN_HEX+1];
+} login_t;
+
+char **stringtoarray(char *string, char delimiter, int *size)
+{
+ char **array = NULL;
+ char *ptr, *oldptr;
+ int flag = 1;
+ int count;
+ *size = 0;
+ ptr = string;
+ for(count=0 ; flag ; count++) {
+ for (oldptr=ptr;*ptr&&*ptr!=delimiter;(void)*ptr++)
+ ;
+ if (!*ptr) flag = 0;
+ *ptr++ = 0x00;
+ (*size)++;
+ array = realloc(array, (count+1)*sizeof(char *));
+ array[count] = strdup(oldptr);
+ }
+ return array;
+}
+
+/* init bin 2 hex table */
+void init_bin2hex(char bin2hex_table[256][2])
+{
+ unsigned i=0;
+ for(i=0;i<256;i++) {
+ bin2hex_table[i][0] = ( ((i >> 4) & 0x0F) <= 0x09) ? (((i >> 4) & 0x0F) + '0') : (((i >> 4) & 0x0F) + 'a' - 10);
+ bin2hex_table[i][1] = ( ((i) & 0x0F) <= 0x09) ? (((i) & 0x0F) + '0') : (((i) & 0x0F) + 'a' - 10);
+ }
+ return;
+}
+
+/* convert bin to hex */
+void bin_to_hex(char bin2hex_table[256][2],
+ const unsigned char *bin_buffer,
+ size_t bin_buffer_size,
+ char * hex_buffer,
+ size_t hex_buffer_size)
+{
+ unsigned i;
+ for(i=0;i<bin_buffer_size; ++i) {
+ hex_buffer[i*2 ] = bin2hex_table[bin_buffer[i]][0];
+ hex_buffer[i*2+1] = bin2hex_table[bin_buffer[i]][1];
+ }
+ hex_buffer[bin_buffer_size*2] = 0x00;
+ return;
+}
+
+#endif
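Review bot: stringtoarray uses the results of `realloc` and `strdup` without checking them, so an allocation failure is dereferenced on the next line (`array[count] = ...`) or handed to the caller as a NULL field, and `array = realloc(array, ...)` loses the old block on failure. A version that checks both calls and releases what was already built is sketched below; the caller then has to test for a NULL return before indexing. Two smaller points in the same header: the three functions are defined (not just declared) without `static`, which will produce duplicate symbols as soon as a second file includes it, and in `login_t` `nonce_count` is sized with CNONCE_MAXLEN and `cnonce` with NONCE_MAXLEN while STATIC_HASH_SIZE is computed from NONCECOUNT_MAXLEN, so the struct and the buffer-size macro do not agree.

```c
char **stringtoarray(char *string, char delimiter, int *size)
{
	char **tmp;
	/* … unchanged: other locals, *size = 0, scan to the next delimiter and terminate the field … */
		tmp = realloc(array, (count + 1) * sizeof(char *));
		if (!tmp)
			goto fail;
		array = tmp;
		array[count] = strdup(oldptr);
		if (!array[count])
			goto fail;
		(*size)++;
	}
	return array;
fail:
	/* entries 0..count-1 were stored successfully; release them and the table */
	while (count-- > 0)
		free(array[count]);
	free(array);
	*size = 0;
	return NULL;
}
```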
@@ -0,0 +1,20 @@
+#!/usr/bin/env python
+
+import sys
+
+def process_file(filename):
+ with open(filename, "r") as f:
+ for line in f.readlines():
+ line = line.rstrip().replace('"', '*').replace(':', '*')
+ data = line.split('*');
+ print "%s-%s:$sip$*%s" % (data[0], data[1], line)
+
+if __name__ == "__main__":
+ if len(sys.argv) < 2:
+ print >>sys.stderr, "Usage: %s <sipdump dump files>" % sys.argv[0]
+ sys.exit(-1)
+
+ for i in range(1, len(sys.argv)):
+ process_file(sys.argv[i])
+
+
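Review bot: `line.rstrip().replace('"', '*').replace(':', '*')` turns every `:` in the record into a field separator, not just the one inside `sip:host`, so a URI that carries a port, or any other field containing `:` or `*`, yields more than the 13 fields that set_salt in sip_fmt_plug.c asserts on. Splitting on `"` first and then splitting only the URI field at its first `:` would keep the field count fixed. A blank or short line also raises IndexError at `data[1]`; `if len(data) < 2: continue` before the print would skip it.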
@@ -0,0 +1,20 @@
+#!/usr/bin/env python
+
+"""Program to calculate CRC32 checksum of files."""
+
+import sys
+from zlib import crc32
+
+def process_file(filename):
+ """Calculate CRC32 checksum of filename."""
+ data = open(filename, "r").read()
+ crc = "%X" % (crc32(data) & 0xFFFFFFFF)
+ return crc
+
+if __name__ == "__main__":
+ if len(sys.argv) < 2:
+ print >> sys.stderr, "Usage: %s <files>" % sys.argv[0]
+ sys.exit(-1)
+
+ for i in range(1, len(sys.argv)):
+ print sys.argv[i], ":", process_file(sys.argv[i])
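Review bot: `open(filename, "r").read()` in process_file reads the file in text mode and never closes it; a checksum should be taken over the raw bytes, since text mode can translate line endings on some platforms and change the CRC. `with open(filename, "rb") as f: data = f.read()` covers both.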
@@ -0,0 +1,3 @@
+192.168.1.111"192.168.1.104"200"asterisk"REGISTER"sip:192.168.1.104"44b80d16""""MD5"8edc2d549294f6535070439fb069c968
+192.168.1.111"192.168.1.104"200"asterisk"REGISTER"sip:192.168.1.104"46cce857""""MD5"4dfc7515936a667565228dbaa0293dfc
+192.168.1.111"192.168.1.104"200"asterisk"REGISTER"sip:192.168.1.104"2252e8fe""""MD5"5b895c6ae07ed8391212119aab36f108