[asterisk-users] how to show used "wrong password"

A J Stiles asterisk_list at earthshod.co.uk
Tue Mar 13 12:17:29 CDT 2012


On Tuesday 13 March 2012, Kevin P. Fleming wrote:
> [tcpflow] will not help. Assuming we are talking about a SIP REGISTER here,
> the password is *not* sent in the request. Asterisk issues a challenge
> including a randomly generated value (called a 'nonce'), then the UA
> attempting to register responds to that challenge with an MD5 digest of
> a string composed of various elements, including both the nonce and the
> shared secret ('password'). Asterisk computes the same digest
> internally, and if they match, then the assumption is that both ends
> know the shared secret.

Ouch.  That isn't going to be so easy to spot, then!  You would have to guess 
a bunch of likely passwords, fake up a challenge with some known nonce, and  
compare the response against those you would expect with each of the various 
possible passwords.  (You've already got the Source Code to do all this, of 
course.)

You'll have to try the selective unplugging method instead .....

-- 
AJS

Answers come *after* questions.
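The digest check described in this thread, as an added example that is not part of the original posts and is not Asterisk's code: it recomputes the RFC 2617 MD5 response from the parameters of a captured `Authorization` header and reports which of the administrator's own secrets for that extension (current or previously issued) the device used. The function names, the secrets and the sample header are constructed for illustration.

```python
import hashlib
import hmac
import re


def _md5(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def parse_digest(header_value: str) -> dict:
    """Split 'Digest k="v", k2=v2' into a dict of lower-cased parameter names."""
    scheme, _, params = header_value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest Authorization header")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params)
    return {k.lower(): (quoted or bare) for k, quoted, bare in pairs}


def expected_response(p: dict, method: str, secret: str) -> str:
    """RFC 2617 MD5 digest: the secret only ever appears inside HA1."""
    ha1 = _md5(f'{p["username"]}:{p["realm"]}:{secret}')
    ha2 = _md5(f'{method}:{p["uri"]}')
    if p.get("qop") == "auth":
        return _md5(f'{ha1}:{p["nonce"]}:{p["nc"]}:{p["cnonce"]}:auth:{ha2}')
    return _md5(f'{ha1}:{p["nonce"]}:{ha2}')  # challenge sent without qop


def which_secret(header_value: str, method: str, known_secrets: dict):
    """Return the label of the known secret that produced the response, else None."""
    p = parse_digest(header_value)
    for label, secret in known_secrets.items():
        if hmac.compare_digest(expected_response(p, method, secret),
                               p["response"].lower()):
            return label
    return None


# Constructed sample: extension 1001 still configured with last year's secret.
_P = {"username": "1001", "realm": "asterisk", "nonce": "4f5e2a1b",
      "uri": "sip:pbx.example.test"}
SAMPLE_AUTH = ('Digest username="1001", realm="asterisk", nonce="4f5e2a1b", '
               'uri="sip:pbx.example.test", response="%s", algorithm=MD5'
               % expected_response(_P, "REGISTER", "old-secret-2011"))
KNOWN = {"current sip.conf secret": "new-secret-2012",
         "previous secret": "old-secret-2011"}

if __name__ == "__main__":
    print(which_secret(SAMPLE_AUTH, "REGISTER", KNOWN))
```

A result of `None` means the device is using a secret that is not on the administrator's list, which is the case where the header alone cannot identify what was typed.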


