int main(void)
{
char buf[255];
int count;
char **chbuffer;
if((chbuffer=charArrAlloc(25,255))==NULL)
{
return 1;
}
while(fgets(buf,255,stdin)!=NULL)
{
count=stringtoarray(buf,255,chbuffer,25,255,'\n');
printfstrarr(chbuffer,count);
}
freeArr(chbuffer,25);
return 0;
}
// NOTE, this still needs work. I am sure this will not eliminate (compact out)
// duplicate salts.
static void *get_salt(char *ciphertext)
{
sip_salt *salt;
static char saltBuf[2048];
char *lines[16];
login_t login;
int num_lines;
MD5_CTX md5_ctx;
unsigned char md5_bin_hash[MD5_LEN];
char static_hash[MD5_LEN_HEX+1];
char *saltcopy = saltBuf;
salt = mem_calloc_tiny(sizeof(sip_salt), MEM_ALIGN_NONE);
strcpy(saltBuf, ciphertext);
saltcopy += 6; /* skip over "$sip$*" */
memset(&login, 0, sizeof(login_t));
num_lines = stringtoarray(lines, saltcopy, '*');
assert(num_lines == 14);
strncpy(login.server, lines[0], sizeof(login.server) - 1 );
strncpy(login.client, lines[1], sizeof(login.client) - 1 );
strncpy(login.user, lines[2], sizeof(login.user) - 1 );
strncpy(login.realm, lines[3], sizeof(login.realm) - 1 );
strncpy(login.method, lines[4], sizeof(login.method) - 1 );
/* special handling for uri */
if (!strcmp(lines[7], ""))
sprintf(login.uri, "%s:%s", lines[5], lines[6]);
else
sprintf(login.uri, "%s:%s:%s", lines[5], lines[6], lines[7]);
strncpy(login.nonce, lines[8], sizeof(login.nonce) - 1 );
strncpy(login.cnonce, lines[9], sizeof(login.cnonce) - 1 );
strncpy(login.nonce_count, lines[10], sizeof(login.nonce_count) - 1 );
strncpy(login.qop, lines[11], sizeof(login.qop) - 1 );
strncpy(login.algorithm, lines[12], sizeof(login.algorithm) - 1 );
strncpy(login.hash, lines[13], sizeof(login.hash) - 1 );
if(strncmp(login.algorithm, "MD5", strlen(login.algorithm))) {
printf("\n* Cannot crack '%s' hash, only MD5 supported so far...\n", login.algorithm);
exit(-1);
}
/* Generating MD5 static hash: 'METHOD:URI' */
MD5_Init(&md5_ctx);
MD5_Update(&md5_ctx, (unsigned char*)login.method, strlen( login.method ));
MD5_Update(&md5_ctx, (unsigned char*)":", 1);
MD5_Update(&md5_ctx, (unsigned char*)login.uri, strlen( login.uri ));
MD5_Final(md5_bin_hash, &md5_ctx);
bin_to_hex(bin2hex_table, md5_bin_hash, MD5_LEN, static_hash, MD5_LEN_HEX);
/* Constructing first part of dynamic hash: 'USER:REALM:' */
salt->dynamic_hash_data = salt->Buf;
snprintf(salt->dynamic_hash_data, DYNAMIC_HASH_SIZE, "%s:%s:", login.user, login.realm);
salt->dynamic_hash_data_len = strlen(salt->dynamic_hash_data);
/* Construct last part of final hash data: ':NONCE(:CNONCE:NONCE_COUNT:QOP):<static_hash>' */
/* no qop */
salt->static_hash_data = &(salt->Buf[salt->dynamic_hash_data_len+1]);
if(!strlen(login.qop))
snprintf(salt->static_hash_data, STATIC_HASH_SIZE, ":%s:%s", login.nonce, static_hash);
/* qop/conce/cnonce_count */
else
snprintf(salt->static_hash_data, STATIC_HASH_SIZE, ":%s:%s:%s:%s:%s",
login.nonce, login.nonce_count, login.cnonce,
login.qop, static_hash);
/* Get lens of static buffers */
salt->static_hash_data_len = strlen(salt->static_hash_data);
/* Begin brute force attack */
#ifdef SIP_DEBUG
printf("Starting bruteforce against user '%s' (%s: '%s')\n",
login.user, login.algorithm, login.hash);
#endif
strcpy(salt->login_hash, login.hash);
return salt;
}
