I just finished a patch against Romain Raboin’s HTTP Digest authentication patch for John the Ripper. Romain’s patch is also included in the jumbo patch available from the John the Ripper main page. The patch I made is very small and simply checks if the Quality of Protection (qop) parameter was supplied in the input or not. If it’s not it makes the appropriate changes so that the response is computed per the simpler RFC 2069 standard instead.
I received some great feedback from Ron Bowes over at SkullSecurity, pointing out some redundant code and a better approach of achieving what I was doing. I have changed the code according to his suggestions and made it available for download here.
For more details on how to use the script check the first article over here.
While testing another IP PBX product I found some bugs in my applications that I have now fixed. While fixing these bugs I also finished some additional changes that I have been working on. I also added an additional method of determining if an account is valid or not that I found while testing the other PBX product.
More details are available under the VoIPTK page.
I found a security hole in the Asterisk SIP implementation last week. I was happy to hear that it has already been patched and released. The vulnerability allows an attacker to determine whether a given username is valid or not. With knowledge of existing usernames a more efficient password guessing attack can be mounted against the system.
The full advisory can be read here:
I have been working on some very basic VoIP tools lately which amongst other things have this attack implemented. I’ll hopefully get to releasing it in the near future.