I just finished a patch against Romain Raboin’s HTTP Digest authentication patch for John the Ripper. Romain’s patch is also included in the jumbo patch available from the John the Ripper main page. The patch I made is very small and simply checks whether the Quality of Protection (qop) parameter was supplied in the input. If it was not, the patch makes the appropriate changes so that the response is computed per the simpler RFC 2069 standard instead.
In order to be able to use it together with SIP, another small fix against the uri parameter was done. As the uri parameter in SIP contains a colon, which is used as a delimiter in John the Ripper, the patch searches the supplied input for the string “sip_” and converts the underscore to a colon. This means that the input fed to John the Ripper needs to have its SIP URIs formatted accordingly. I found another patch that attempts to solve the character delimiter issue but haven’t tried going down that path yet.
You can find my patch here.
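The two behaviours described above, as an added Python example (not the C patch itself and not John the Ripper code): the response falls back to the RFC 2069 form when no qop is present, and a "sip_" URI prefix is turned back into "sip:" before hashing. The function names are hypothetical, only qop=auth is handled, and converting only a leading "sip_" is an assumption about the patch's matching.

```python
import hashlib


def md5_hex(text):
    """Hex MD5 of a string, as used for every Digest component."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def restore_sip_uri(uri):
    # ':' is the field delimiter in the cracker input, so the SIP scheme
    # arrives as "sip_..." and is restored to "sip:..." before hashing.
    # Assumption: only the leading scheme prefix is converted.
    return "sip:" + uri[4:] if uri.startswith("sip_") else uri


def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """Expected Digest 'response' value for one candidate password."""
    uri = restore_sip_uri(uri)
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    if not qop:
        # No qop in the Authorization header: RFC 2069 form.
        return md5_hex(f"{ha1}:{nonce}:{ha2}")
    if qop != "auth":
        raise ValueError("only qop=auth is handled in this example")
    if nc is None or cnonce is None:
        raise ValueError("qop=auth requires nc and cnonce")
    # qop=auth: RFC 2617 form, which adds nc, cnonce and qop.
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


if __name__ == "__main__":
    # Test vector from RFC 2617 section 3.5 (qop=auth).
    print(digest_response("Mufasa", "testrealm@host.com", "Circle Of Life",
                          "GET", "/dir/index.html",
                          "dcd98b7102dd2f0e8b11d0f600bfb0c093",
                          qop="auth", nc="00000001", cnonce="0a4f113b"))
    # Constructed SIP REGISTER values (not from a real capture), no qop.
    print(digest_response("alice", "pbx.example.invalid", "s3cret",
                          "REGISTER", "sip_pbx.example.invalid",
                          "constructednonce0001"))
```

Because the qop branch mixes nc and cnonce into the hash, a header without qop can only be checked with the RFC 2069 form, which is the case the patch adds.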
I also wrote a small shell script that can extract and build the correct input for John the Ripper from the output of tcpdump or tshark. This script can be found here.
In short the script allows you to do this:
tcpdump -nvr sipcapture.pcap | ./extractsipauth.sh > sipauthorizationresponses.txt
john --wordlist=dictionary/common.txt sipauthorizationresponses.txt