[asterisk-users] how to show used "wrong password"

Kevin P. Fleming kpfleming at digium.com
Tue Mar 13 09:53:15 CDT 2012


On 03/13/2012 08:11 AM, A J Stiles wrote:
> On Tuesday 13 March 2012, Randall wrote:
>> hi all,
>>
>> have asterisk set up in combination with fail2ban.
>> all works as expected only there is 1 extension that is trying to
>> register with a wrong password causing fail2ban to block the IP address,
>> normally that is ok behaviour but i have several extensions on that IP
>> address.
>> ..... snip .....
>> any way to see which "wrong password" is being used?
>
> tcpflow.
>
> (And don't underestimate the power of simply disconnecting things until it
> works .....  last thing you disconnected was the faulty one.)

This will not help. Assuming we are talking about a SIP REGISTER here, 
the password is *not* sent in the request. Asterisk issues a challenge 
including a randomly generated value (called a 'nonce'), then the UA 
attempting to register responds to that challenge with an MD5 digest of 
a string composed of various elements, including both the nonce and the 
shared secret ('password'). Asterisk computes the same digest 
internally, and if they match, then the assumption is that both ends 
know the shared secret.

By their very nature, digest functions are not reversible; given the MD5 
digest present in an SIP request containing an Authorization header, 
there is no way to figure out what shared secret was used in the 
computation of that digest. Since you know the nonce and the other 
portions of the calculation, you could attempt to try various 'likely' 
passwords to see if any of them result in the same digest value... this 
is called the brute-force method, and it could take a *very* long time 
to arrive at a shared secret that would allow the endpoint to register.

-- 
Kevin P. Fleming
Digium, Inc. | Director of Software Technologies
Jabber: kfleming at digium.com | SIP: kpfleming at digium.com | Skype: kpfleming
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
Check us out at www.digium.com & www.asterisk.org
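
The digest computation described in the message above, as an added example that is not part of the original post or of Asterisk's code: the username travels in the clear in the Authorization header, so an administrator can recompute the RFC 2617 MD5 response with the secret configured for that user and see which extension fails the comparison. The realm, nonce, host name, extension numbers and secrets below are constructed sample values.

```python
import hashlib
import hmac
import re

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def parse_digest(header_value):
    """Parse the value of a SIP Authorization header into a dict."""
    scheme, _, params = header_value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest Authorization header")
    pairs = re.findall(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s,]+))', params)
    return {key.lower(): quoted or bare for key, quoted, bare in pairs}

def expected_response(fields, method, secret):
    """RFC 2617 MD5 digest; the secret only ever enters through HA1."""
    ha1 = md5_hex(f"{fields['username']}:{fields['realm']}:{secret}")
    ha2 = md5_hex(f"{method}:{fields['uri']}")
    if fields.get("qop") == "auth":
        return md5_hex(f"{ha1}:{fields['nonce']}:{fields['nc']}:"
                       f"{fields['cnonce']}:auth:{ha2}")
    return md5_hex(f"{ha1}:{fields['nonce']}:{ha2}")

def check_register(header_value, configured, method="REGISTER"):
    """Return (username, verdict) for one captured Authorization value."""
    fields = parse_digest(header_value)
    user = fields.get("username", "")
    if user not in configured:
        return user, "unknown-user"
    want = expected_response(fields, method, configured[user])
    got = fields.get("response", "").lower()
    ok = hmac.compare_digest(want, got)
    return user, "secret-matches" if ok else "secret-mismatch"

def sample_header(user, secret_on_phone):
    """Constructed test data: what a phone holding this secret would send."""
    fields = {"username": user, "realm": "asterisk",
              "nonce": "4f2a9c1e", "uri": "sip:pbx.example.test"}
    digest = expected_response(fields, "REGISTER", secret_on_phone)
    quoted = ", ".join(f'{k}="{v}"' for k, v in fields.items())
    return f'Digest {quoted}, response="{digest}", algorithm=MD5'

if __name__ == "__main__":
    configured = {"101": "constructed-secret-101", "102": "constructed-secret-102"}
    for user, on_phone in [("101", "constructed-secret-101"), ("102", "stale-secret")]:
        print(check_register(sample_header(user, on_phone), configured))
```

A mismatch verdict names the extension whose device holds a different secret; it does not reveal what that secret is.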


