[asterisk-users] how to show used "wrong password"

Randall randall at songshu.org
Tue Mar 13 11:30:09 CDT 2012


On 03/13/2012 03:53 PM, Kevin P. Fleming wrote:
> On 03/13/2012 08:11 AM, A J Stiles wrote:
>> On Tuesday 13 March 2012, Randall wrote:
>>> hi all,
>>>
>>> have asterisk set up in combination with fail2ban.
>>> all works as expected only there is 1 extension that is trying to
>>> register with a wrong password causing fail2ban to block the IP address,
>>> normally that is ok behaviour but i have several extensions on that IP
>>> address.
>>> ..... snip .....
>>> any way to see which "wrong password" is being used?
>>
>> tcpflow.
>>
>> (And don't underestimate the power of simply disconnecting things until it
>> works .....  last thing you disconnected was the faulty one.)
>
> This will not help. Assuming we are talking about a SIP REGISTER here, 
> the password is *not* sent in the request. Asterisk issues a challenge 
> including a randomly generated value (called a 'nonce'), then the UA 
> attempting to register responds to that challenge with an MD5 digest 
> of a string composed of various elements, including both the nonce and 
> the shared secret ('password'). Asterisk computes the same digest 
> internally, and if they match, then the assumption is that both ends 
> know the shared secret.
>
> By their very nature, digest functions are not reversible; given the 
> MD5 digest present in an SIP request containing an Authorization 
> header, there is no way to figure out what shared secret was used in 
> the computation of that digest. Since you know the nonce and the other 
> portions of the calculation, you could attempt to try various 'likely' 
> passwords to see if any of them result in the same digest value... 
> this is called the brute-force method, and it could take a *very* long 
> time to arrive at a shared secret that would allow the endpoint to 
> register.
>
confirmed,

doesn't work
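
The digest exchange described in the quoted reply, as an added example that is not part of the original thread: it recomputes the RFC 2617 MD5 response from the fields of a captured Authorization header and checks it only against secrets the administrator already has configured, which shows when a phone was provisioned with another extension's secret. The extension numbers, secrets, nonce, realm and URI are constructed sample values, and the helper names are hypothetical.

```python
import hashlib
import hmac
import re

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def parse_digest_header(value):
    """Split a 'Digest k="v", k2=v2' Authorization value into a dict."""
    scheme, _, params = value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest Authorization header")
    pairs = re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params)
    return {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
            for m in pairs}

def digest_response(username, realm, secret, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """RFC 2617 response value; the secret only ever enters through HA1."""
    ha1 = md5_hex(f"{username}:{realm}:{secret}")
    ha2 = md5_hex(f"{method}:{uri}")
    if qop == "auth":
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def which_configured_secret(auth_value, method, configured):
    """Return the label of the configured secret that reproduces the digest, else None."""
    f = parse_digest_header(auth_value)
    for label, secret in configured.items():
        expected = digest_response(f["username"], f["realm"], secret, method,
                                   f["uri"], f["nonce"], f.get("qop"),
                                   f.get("nc"), f.get("cnonce"))
        if hmac.compare_digest(expected, f["response"].lower()):
            return label
    return None

# Constructed sample: secrets the administrator already holds for the extensions on that IP.
CONFIGURED = {"101": "s3cret-for-101", "102": "s3cret-for-102", "103": "s3cret-for-103"}
NONCE, REALM, URI = "4f2a9c1e", "asterisk", "sip:pbx.example.test"

def sample_header(secret):
    """Build the Authorization value a phone registering as 101 would send (constructed)."""
    resp = digest_response("101", REALM, secret, "REGISTER", URI, NONCE)
    return (f'Digest username="101", realm="{REALM}", nonce="{NONCE}", '
            f'uri="{URI}", response="{resp}", algorithm=MD5')

if __name__ == "__main__":
    print(which_configured_secret(sample_header("s3cret-for-102"), "REGISTER", CONFIGURED))
    print(which_configured_secret(sample_header("typo-password"), "REGISTER", CONFIGURED))
```

A `None` result means the device is sending something other than any configured secret, and the digest alone does not say what.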


