Tutorial

So what is HTTP Digest Authentication? It is a way for a server to authenticate a client. When the client tries to perform an action on the server, the action may be challenged. In HTTP Digest the server provides a riddle in the form of several parameters; the client has to combine those parameters with the password and perform a few MD5 digest operations. The end result is a response value that the server can then validate. This works because the password is a shared secret that both the server and the client know, so the password itself is never sent in clear text and a man-in-the-middle never sees the password phrase. (A man-in-the-middle does see the challenge and the response, which is exactly what the offline password guessing described later in this tutorial works from.) How exactly the response is calculated can be further explored on Wikipedia; the article is very clear and concise about what has to be done.

     ITSP                              CLIENT
       |                                 |
 M1    |<----------- REGISTER -----------|
 M2    |------------- 407 -------------->|
 M3    |<------ REGISTER with auth ------|   // with authentication
 M4    |------------ 200 OK ------------>|

The example below is for the case when a VoIP client registers with a server.

The M2 message can look something like this:

SIP/2.0 407 Proxy Authentication Required
Via: SIP/2.0/UDP 127.0.0.1:5066;branch=z9hG4bK-d8754z-61330651570b5659-1---d8754z-;rport
From: "My Voip"<sip:151@192.168.1.110:5060>;tag=733aec3d
To: "My Voip"<sip:151@192.168.1.110:5060>;tag=ZmFlYWMzZjE2NTQyYTFmZjM0NTM5ZGM0YmIxM2MxNjc.
Call-ID: ZmFlYWMzZjE2NTQyYTFmZjM0NTM5ZGM0YmIxM2MxNjc.
CSeq: 1 REGISTER
Proxy-Authenticate: Digest realm="Apple", domain="sip:192.168.1.110", nonce="b57aa7088ae5cac88d298d66f2c809cd", opaque="185a87188c63a2c7f69105023454e0b2", stale=TRUE, algorithm=MD5
Content-Length: 0

The M3 message may look like the following:

REGISTER sip:192.168.1.110:5060 SIP/2.0
Via: SIP/2.0/UDP 127.0.0.1:5066;branch=z9hG4bK-d8754z-48167f4f0919b433-1---d8754z-;rport
Max-Forwards: 70
Contact: <sip:151@127.0.0.1:5066;rinstance=9ce26bdb3e692e6a>
To: "My Voip"<sip:151@192.168.1.110:5060>
From: "My Voip"<sip:151@192.168.1.110:5060>;tag=733aec3d
Call-ID: ZmFlYWMzZjE2NTQyYTFmZjM0NTM5ZGM0YmIxM2MxNjc.
CSeq: 2 REGISTER
Expires: 3600
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO
Proxy-Authorization: Digest username="user151",realm="Apple",nonce="b57aa7088ae5cac88d298d66f2c809cd",uri="sip:192.168.1.110:5060",response="77795e92300dcc3c2fd974b2b47e5f0c",algorithm=MD5,opaque="185a87188c63a2c7f69105023454e0b2"
Content-Length: 0

To calculate the response for the REGISTER example given above, the fields have to be filled in as shown in the attached image. The parameters that matter for the calculation are highlighted. To complete the calculation one has to enter the password as well; in this case the password is "pass151".

NOTE: The fields "NonceCount", "CNonce" and "EntityBody" are unlocked only if the Qop parameter is set to "auth" or "auth-int", because only those variants feed them into the calculation.
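To make the calculation concrete, here is an added Python example. It is not the tutorial's tool and not code from the page: it implements the Digest response computation from RFC 2617 / RFC 3261 for both the qop-less form used in the REGISTER exchange above and the qop="auth" / "auth-int" form that needs NonceCount, CNonce and the entity body, parses the Proxy-Authorization header from the M3 message, and shows the server-side check that recomputes the response from the stored password instead of ever comparing passwords. Function names and the `password_lookup` callback are assumptions made for this example.

```python
# Added example (not the tutorial's tool): compute and verify a SIP/HTTP
# Digest "response" value per RFC 2617 / RFC 3261.
import hashlib
import hmac
import re


def md5_hex(data) -> str:
    """Hex MD5 of a str (UTF-8 encoded) or bytes value."""
    if isinstance(data, str):
        data = data.encode("utf-8")
    return hashlib.md5(data).hexdigest()


def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None, body=b"") -> str:
    """Compute the Digest response.

    HA1      = MD5(username:realm:password)
    HA2      = MD5(method:uri)                       qop absent or "auth"
    HA2      = MD5(method:uri:MD5(entity-body))      qop "auth-int"
    response = MD5(HA1:nonce:HA2)                    qop absent
    response = MD5(HA1:nonce:nc:cnonce:qop:HA2)      qop "auth" / "auth-int"
    """
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    if qop == "auth-int":
        ha2 = md5_hex(f"{method}:{uri}:{md5_hex(body)}")
    else:
        ha2 = md5_hex(f"{method}:{uri}")
    if qop in ("auth", "auth-int"):
        if nc is None or cnonce is None:
            raise ValueError("qop=auth/auth-int requires nc and cnonce")
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


# name=value pairs; values are either "quoted" or bare (e.g. algorithm=MD5)
_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_digest_params(header_value: str) -> dict:
    """Parse the value of a (Proxy-)Authenticate or (Proxy-)Authorization header."""
    scheme, _, params = header_value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError(f"not a Digest header: {scheme!r}")
    return {key: (quoted or bare)
            for key, quoted, bare in _PARAM_RE.findall(params)}


def verify_proxy_authorization(header_value, method, password_lookup) -> bool:
    """Server-side check: recompute the response from the stored password.

    password_lookup(username, realm) returns the password or None.
    """
    p = parse_digest_params(header_value)
    password = password_lookup(p.get("username"), p.get("realm"))
    if password is None:
        return False
    expected = digest_response(p["username"], p["realm"], password, method,
                               p["uri"], p["nonce"], p.get("qop"),
                               p.get("nc"), p.get("cnonce"))
    # constant-time comparison: do not leak how many hex digits matched
    return hmac.compare_digest(expected, p.get("response", "").lower())


# The Proxy-Authorization header value from the tutorial's M3 message.
TUTORIAL_PROXY_AUTHORIZATION = (
    'Digest username="user151",realm="Apple",'
    'nonce="b57aa7088ae5cac88d298d66f2c809cd",uri="sip:192.168.1.110:5060",'
    'response="77795e92300dcc3c2fd974b2b47e5f0c",algorithm=MD5,'
    'opaque="185a87188c63a2c7f69105023454e0b2"'
)


def check_tutorial_example(password: str = "pass151") -> bool:
    """True if `password` reproduces the response carried in the M3 header."""
    return verify_proxy_authorization(TUTORIAL_PROXY_AUTHORIZATION, "REGISTER",
                                      lambda user, realm: password)


if __name__ == "__main__":
    p = parse_digest_params(TUTORIAL_PROXY_AUTHORIZATION)
    print("header response:", p["response"])
    print("pass151 reproduces it:", check_tutorial_example())
```

Running the script parses the M3 header and reports whether "pass151" reproduces the response it carries; the qop-less formula is the one that applies there because the M2 challenge sent no qop. The verifier side deliberately takes a callback rather than a password, so the same routine works against a store of precomputed HA1 values (MD5(username:realm:password)) by returning them instead, which is how SIP registrars avoid keeping clear-text passwords.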

Now, besides calculating a response, the tool can be used to retrieve the password too. To do so you configure all the known bits of information except the password, which is left blank for the tool to find. Let's say we would like to guess the password for the example above. The process can be divided into 2 steps:

1) Configure all the known fields (you extract the information from the signaling).

2) Choose the password generation settings. This is where your guessing comes into play and has a major impact on the time required to get the password. Wise settings can save you trillions of unnecessary calculations. No kidding!

The fields circled in green are what has to be provided. The fields circled in blue are the result and additional information (time spent and number of tried password combinations).

The settings for this run were as per the image below:

NOTE: The number of possible password characters can make a huge, huge difference in the performance and speed with which a password is recovered. The order of the password characters makes a big difference too. For example, if I had selected the characters to go like "apqrst012345", the password would be recovered in only 32 seconds and after 3,058,687 tries.

There are several options that can be tweaked to get the wanted password faster. The Settings screen provides the following:

    • Password characters - only the characters provided can be used when constructing the password
    • Both upper and lower case - this flag indicates whether upper case letters should be used too
    • Consecutive char repetition limit - a limit on how many times a character can be consecutively repeated
    • Same character limit - how many times a character can be repeated in a password
    • Special character limit - if special characters are used, how many special characters can be in a password
    • Max uppercase limit - limits the number of upper case letters
    • Minimum and Maximum password lengths - self explanatory

Conclusion:

Lengthy passwords with a combination of lower case letters, upper case letters, numbers and special characters will be extremely difficult to retrieve, if not impossible! But sometimes guesses can pay off. Try only numeric combinations first, then start increasing the pool of possible password characters. Try guessing the number of special characters, upper case letters, the same character limit and consecutive character repetitions. Proper settings can speed up the whole procedure.

In any case, arm yourself with infinite patience and be aware that while retrieving the password the tool will consume most of the CPU cycles. Good luck!