[VOIPSEC] FWD - Hotel and Wfi Insecurity, including SIP

Philip Walenta pwalenta at wi.rr.com
Mon Nov 21 07:32:22 GMT 2005


Well, the original basic authentication (now deprecated by rfc 3261?) is
easy to sniff.  

Obviously digest based authentication is much more difficult since the
actual password/key is never passed over the network, only its hash.

I'm making the assumption that it *could* be cracked given there are many
tools now that can crack MD2/4/5/SHA/SQL hashes using a variety of brute
force methods.

The utility I mentioned - Cain - has 20+ hash methods it can crack, SIP
being one of them.  The few times I've used it, it's taken about 20 or so
hours to crack the easier hashed authentications.  Cain can be helped by
seeding what it will try, and given the propensity for users to use the same
password across multiple systems, all you need is a few sniffs of other
traffic from a given machine, and you can send Cain on its way to guessing.
Heck, Cain can even crack the RSA SecurID token pattern given a little
information.

Capturing the packets is easy, undoing the hash is possible but difficult
and time consuming.  This is one of the ways good security managers deal
with threats - by making sure if the passwords can be broken - they aren't
valid by the time an attacker can use them.  Given that there are now
numerous hackers devoted to this sort of thing, the password/digest cracking
systems are becoming more refined.

-----Original Message-----
From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
Behalf Of Henrik Ingo
Sent: Monday, November 21, 2005 12:58 AM
To: voipsec at voipsa.org
Subject: Re: [VOIPSEC] FWD - Hotel and Wfi Insecurity, including SIP

Philip Walenta wrote:
> No location ever seems to turn off CDP, or employ any sort of security
> measures (DHCP snooping etc).  They also don't turn off BPDU's on access
> ports.  Your colleague also mentioned sniffing most protocols, but didn't
> bring up one that is ripe for abuse - softphones.  I've seen numerous people
> using various methods of softphones (SIP, Cisco's Skinny, Yahoo voice etc),
> all of which have passwords that are easy to acquire via sniffing
> (especially now that Cain can sniff and record voice conversations).

Since you are the second one to write about it, I have to ask: How is a 
SIP password (v 2, digest authentication) easy to sniff??

henrik

-- 
Henrik.Ingo at sesca.com
+358-40-5697354


_______________________________________________
Voipsec mailing list
Voipsec at voipsa.org
http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
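Henrik's question and Philip's answer both turn on how SIP digest authentication (RFC 3261 section 22, which reuses the RFC 2617 scheme) derives the response from the password plus header fields that travel in the clear. The server-side verifier below is an added example written for this thread, not code from the list or from any SIP stack; the function names, the "<unix-time>.<random>" nonce layout and the sample credentials are assumptions. It shows why the password itself is never on the wire, and how a short nonce lifetime limits how long a captured exchange remains usable, the kind of time-bounding Philip describes.

```python
"""Server-side check of a SIP Digest Authorization header (RFC 3261 sec. 22,
which reuses RFC 2617). Example code written for this thread, not from any
SIP stack; names, nonce format and sample values are assumptions."""
import hashlib
import re
import time


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """RFC 2617 response. Every input except the password is sent in clear
    text, so only the password is secret in this computation."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    if qop is None:                       # RFC 2069-style, no qop
        return _md5(f"{ha1}:{nonce}:{ha2}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def parse_digest(header):
    """Turn 'Digest k="v", k2=v2' into a dict (quoted or bare values)."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params)}


def verify(header, method, password_lookup, now=None, nonce_ttl=60):
    """Assumed nonce layout '<unix-time>.<random>': stale nonces are refused
    before the hash is even compared, bounding the window for replay."""
    p = parse_digest(header)
    now = time.time() if now is None else now
    try:
        issued = float(p["nonce"].split(".", 1)[0])
    except (KeyError, ValueError):
        return "malformed-nonce"
    if now - issued > nonce_ttl:
        return "stale-nonce"
    password = password_lookup(p.get("username"))   # stored per-user secret
    if password is None:
        return "unknown-user"
    expected = digest_response(p["username"], p["realm"], password, method,
                               p["uri"], p["nonce"], p.get("qop"),
                               p.get("nc"), p.get("cnonce"))
    return "ok" if expected == p.get("response") else "bad-response"
```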
