Hacking VoIP Protocols, Attacks, and Countermeasures by Himanshu Dwivedi

Author:Himanshu Dwivedi [Himanshu Dwivedi]
Language: eng
Format: epub, pdf
Tags: COMPUTERS / Data Transmission Systems / General
ISBN: 9781593273408
Published: 2010-08-24T16:00:00+00:00

IAX.Brute performs the passive dictionary attack and, using these examples, identifies the password as 123voiptest.

Active Dictionary Attack

In addition to passive attacks, IAX is also vulnerable to pre-computed dictionary attacks. Pre-computed attacks require the attacker to take a single challenge and concatenate it with a list of passwords to create a long list of MD5 hashes. Once a list of pre-computed hashes has been created, the attacker takes the same challenge that was used to create all the hashes and issues it to an IAX client endpoint. In order for the attack to work, the victim must already have sent an authentication request packet to the Asterisk server. The attacker then spoofs the response by using the IP address of the Asterisk server, then sends a packet using her own challenge before the real challenge packet from the Asterisk server reaches the client. Additionally, to ensure that the attacker's spoofed packet (using the source IP of the Asterisk server) reaches the victim first, the attacker can create a packet in which the sequence information is low enough for the victim to assume it should be processed before any other challenge packet with a higher sequence number. This will guarantee that the attacker's challenge will be used by the endpoint to create the MD5 authentication hash. When the endpoint receives the challenge from the attacker, it will respond with an MD5 hash derived from the attacker's challenge and its own password. To complete the attack, the attacker simply matches the hash sent by the endpoint to a pre-computed hash created by the attacker. Once the attacker finds a match, the password has been compromised.

A way to carry out this attack is to concatenate 101320040 with every word in the English dictionary, which would create a list of pre-computed hashes. Once the list has been created, the only step the attacker needs to complete is to send a packet to the endpoint with the challenge of 101320040. When the endpoint receives the challenge, it will send the MD5 hash over the network. The attacker can simply sniff the response and compare it with the pre-computed list. Once one of the pre-computed MD5 hashes has been matched to the hash captured from the target, the attacker knows the password. Figure 5-7 shows an example of the pre-computed attack using active packet injection.

Download

Copyright Disclaimer:
This site does not store any files on its server. We only index and link to content provided by other sites. Please contact the content providers to delete copyright contents if any and email us, we'll remove relevant links or contents immediately.