Extract SIP PW from PAP2

Have a PAP2 with a Large National Provider. They frown on BYOD, but I would like to try some other ATA with their equipment and use a Softphone. Here's the rub: they sent me a replacement unit because of a problem, and forgot to put on an Admin PW. So, I can access the Admin Area, and see my SIP PW (******). I've tried several "password exposing" programs that supposedly can turn the * PW to text. However, when I try them on the Admin page in my browser, they don't work or say "no passwords on this page".
Any ideas on how I can "extract" the SIP P/W from the Admin Page?

Dan_voip join:2007-01-03 Saint-Hubert, QC
First of all, the admin password of the PAP2 and the SIP password for one of the lines have nothing in common, so even if you get the SIP password you don't have to test it on the admin page of your PAP2; you can test it on a Softphone.

reply to jdhunt
You can't get the SIP password from the PAP2's web pages, as it's not exposed there at all. There are only three ways in which you can get to it, and of those, only one is potentially feasible for you.
1) Brute force it. This is generally an exercise in futility. If they use a strong password, it could potentially take you many, many orders of magnitude longer than the age of the universe. Furthermore, your provider would likely lock you out long before you get very far.
2) Extract the PAP2's configuration journal from its flash chip, descramble and decode it. You'll need to remove the flash chip and read it out with an EPROM programmer, unless you have the means to get to it through software (there's no API/protocol for that, nor any publicly available tools or info on how to do this). Once you have the dump, you need to descramble the configuration journal. However, no one outside of the developers of the PAP2, or myself, is known to know the algorithm, so you're not likely to get anywhere there.
3) Since you have admin access to the adapter, you do have access to the profile rule used to provision it (if it is being provisioned), and may also have access to the encryption key used to encrypt the provisioning file, if it is encrypted and the key is stored in the profile rule or one of the visible GPP_x variables. With that info in hand, with some possible exceptions, you may be able to download the provisioning file and decrypt it, and hence get to the SIP password. This is really your only viable option.

1. The provisioning rule points to a web page. That page has a lot of values, most of which are in the form of "pxxx=xxx".
2. There are no GPP_x variables.
3. Where to look for the actual provisioning file?

toro join:2006-01-27 Scarborough, ON
reply to DogFace05
Is there any way to make an ATA send a plain username and password during registration rather than using a challenge/response scheme? If that was possible, then one could theoretically spoof the registration servers with his/her own and see what the ATA is sending (or sniff the traffic from the ATA).
-- Providers: voip.ms, freephoneline, smartcall.ro through asterisk. Hardware: Vonage VDV21, Moto VT2x42, Linksys SPA series, Grandstream HT series, Panasonic KX-TGP5x0 »www.voipfan.net

reply to jdhunt
said by jdhunt: 1. The provisioning rule points to a web page. That page has a lot of values, most of which are in the form of "pxxx=xxx"
Does the Profile Rule contain any variables, such as $MA? If so, you will need to substitute the actual MAC address, etc.
It appears (possibly because of a different User-Agent sent by your browser) that you stumbled on a Grandstream provisioning file. Do you see your phone number or user ID in p35 or p735? If so, the password is in p34 or p734, respectively. Otherwise, it may be a generic file (for an unprovisioned account), because of the variable problem above.
said by jdhunt: 2. There are no GPP_x variables.
In Admin Advanced mode, on the Provisioning page, do you see any General Purpose Parameters? If not, what is the exact model of your ATA (printed on the unit)?
said by jdhunt: 3. Where to look for the actual provisioning file?
If you can capture traffic from the unit, you could look at what it is pulling from the provider's server.

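Worked example of the two steps in the reply above (substituting the MAC-address macro in the Profile Rule, then reading a Grandstream-style "pNNN=value" file for the account credentials). This is added example code, not from the thread or from any vendor tool. The provisioning text, URL and MAC address are constructed for the example; the expansion of $MA to lowercase hex and $MAU to uppercase hex follows the Linksys/Sipura provisioning macros as I understand them and should be treated as an assumption; the only parameter numbers taken from the thread are p35/p34 (account 1) and p735/p734 (account 2), and p47 in the sample is illustrative filler.

```python
import re

# Grandstream text-format provisioning: 'pNNN=value' pairs, '&'-joined or one per line.
PVALUE_RE = re.compile(r"(p\d+)=([^&\r\n]*)")

# Parameter numbers named in the thread: (user ID, password) for accounts 1 and 2.
ACCOUNT_KEYS = {1: ("p35", "p34"), 2: ("p735", "p734")}

# Constructed sample files. Only p35/p34 and p735/p734 come from the thread;
# p47 is illustrative filler, not a verified Grandstream parameter.
SAMPLE_PROVISIONED = "p47=sip.example.net&p35=5145551234&p34=s3cretpass&p735=&p734="
SAMPLE_GENERIC = "p47=sip.example.net\r\np35=\r\np34=\r\np735=\r\np734=\r\n"


def expand_profile_rule(rule, mac):
    """Substitute the MAC-address macro in a Profile Rule URL.
    Assumption (Linksys/Sipura provisioning macros): $MA expands to the MAC as
    12 lowercase hex digits, $MAU to the same in uppercase. Other $-macros are left alone."""
    mac_hex = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(mac_hex) != 12:
        raise ValueError("MAC address must contain exactly 12 hex digits")
    rule = rule.replace("$MAU", mac_hex.upper())
    return rule.replace("$MA", mac_hex.lower())


def parse_pvalues(text):
    """Parse 'pNNN=value' pairs into a dict (values may be empty)."""
    return dict(PVALUE_RE.findall(text))


def extract_sip_credentials(text):
    """Return {account: {'user_id': ..., 'password': ...}} for each account that has a user ID."""
    params = parse_pvalues(text)
    creds = {}
    for account, (user_key, pass_key) in ACCOUNT_KEYS.items():
        user_id = params.get(user_key, "")
        if user_id:  # empty user ID: this account is not provisioned in the file
            creds[account] = {"user_id": user_id, "password": params.get(pass_key, "")}
    return creds


def is_generic_file(text):
    """No account carries a user ID: most likely the generic file served to an
    unprovisioned or unrecognised requester (a browser instead of the ATA)."""
    return not extract_sip_credentials(text)


if __name__ == "__main__":
    url = expand_profile_rule("http://prov.example.net/cfg/$MA.txt", "00:0E:08:AA:BB:CC")
    print("URL the ATA would fetch:", url)
    for name, body in (("provisioned", SAMPLE_PROVISIONED), ("generic", SAMPLE_GENERIC)):
        print(name, "generic?", is_generic_file(body), extract_sip_credentials(body))
```

The download itself is left out so the example runs offline. As the reply says, the dependable way to learn which URL the unit really pulls is to capture its traffic; a browser request to the same server may be answered with the generic file, which is what `is_generic_file` flags.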
reply to toro
said by toro: Is there any way to make an ATA send a plain username and password during registration rather than using a challenge/response scheme? If that was possible, then one could theoretically spoof the registration servers with his/her own and see what the ATA is sending (or sniff the traffic from the ATA).
You could with an ATA that supports "Basic" HTTP authentication. The PAP2 does not, and the SIP RFC explicitly requires "Digest" (MD5) authentication. Of course, that doesn't guarantee that some incompetent designer hasn't built "Basic" authentication into some ATA out there, but I'm not aware of any that does.

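To make concrete why a spoofed registrar (toro's question) does not yield the password, and why brute force (option 1 in the three-way list earlier in the thread) is the only thing a captured registration permits, here is an added example of the SIP Digest exchange on both sides. It is not code from the thread. It computes the RFC 2617 MD5 response without qop, which is the form RFC 3261 specifies; the realm, nonce, user ID, registrar name and both passwords are constructed.

```python
import hashlib
import re

# Constructed values for this example (not from the thread).
REGISTRAR_URI = "sip:sip.example.net"
REALM = "sip.example.net"
NONCE = "3f9b2e0c1a7d"  # a real registrar generates a fresh nonce per challenge
USERNAME = "5145551234"


def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def challenge_401(realm, nonce):
    """Registrar side: reject the first REGISTER and issue a Digest challenge."""
    return ("SIP/2.0 401 Unauthorized\r\n"
            f'WWW-Authenticate: Digest realm="{realm}", nonce="{nonce}", algorithm=MD5\r\n'
            "Content-Length: 0\r\n\r\n")


def parse_digest_params(header_value):
    """Turn 'k="v", k2=v2' from a Digest header into a dict (quoted or bare values)."""
    params = {}
    for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', header_value):
        params[key] = quoted if quoted else bare
    return params


def digest_response(username, realm, password, method, uri, nonce):
    """RFC 2617 Digest without qop, as used by SIP (RFC 3261):
    HA1 = MD5(user:realm:password), HA2 = MD5(method:uri), response = MD5(HA1:nonce:HA2)."""
    ha1 = md5hex(f"{username}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")


def ata_register_with_auth(challenge, username, password):
    """ATA side: answer the challenge. Only the 32-hex-digit response goes on the wire."""
    www = re.search(r"WWW-Authenticate:\s*Digest\s*(.*)\r\n", challenge).group(1)
    ch = parse_digest_params(www)
    resp = digest_response(username, ch["realm"], password, "REGISTER", REGISTRAR_URI, ch["nonce"])
    return (f"REGISTER {REGISTRAR_URI} SIP/2.0\r\n"
            f'Authorization: Digest username="{username}", realm="{ch["realm"]}", '
            f'nonce="{ch["nonce"]}", uri="{REGISTRAR_URI}", response="{resp}", algorithm=MD5\r\n'
            "Content-Length: 0\r\n\r\n")


def rogue_registrar_sees(register_msg):
    """What a spoofed (or sniffing) registrar obtains: the Digest fields, never the password."""
    auth = re.search(r"Authorization:\s*Digest\s*(.*)\r\n", register_msg).group(1)
    return parse_digest_params(auth)


def offline_guess(seen, candidates):
    """The one thing a captured response permits: guessing passwords offline against it.
    A weak password falls to a short list; a strong one is the 'age of the universe' case."""
    for pw in candidates:
        if digest_response(seen["username"], seen["realm"], pw,
                           "REGISTER", seen["uri"], seen["nonce"]) == seen["response"]:
            return pw
    return None


if __name__ == "__main__":
    msg = ata_register_with_auth(challenge_401(REALM, NONCE), USERNAME, "hunter2")
    seen = rogue_registrar_sees(msg)
    print("fields seen by rogue registrar:", sorted(seen))
    print("password on the wire?", "hunter2" in msg)
    print("offline guess:", offline_guess(seen, ["password", "1234", "hunter2"]))
```

Note what this shows for the thread's question: redirecting the ATA to your own registrar gets you a response bound to your nonce, so the only use of it is offline guessing, exactly the brute-force route already dismissed for a strong provider-issued password.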
Looks like it's not worth it! But, my box is acting a little strange. I disabled provisioning (so they couldn't put a PW back on), and made a few other changes. But later, the old settings came back. Thought I forgot to save them, so tried again. Same thing! What's going on?

said by jdhunt: Looks like it's not worth it! But, my box is acting a little strange. I disabled provisioning (so they couldn't put a PW back on), and made a few other changes. But later, the old settings came back. Thought I forgot to save them, so tried again. Same thing! What's going on?
Possibly, some settings have been locked, but they should then be grayed out, so this seems very strange.
With your Internet modem disconnected, set Provision Enable to no, clear Profile Rule (and B, C, D if applicable), and clear Upgrade Rule. Save settings, and examine them to be sure they "took". Reboot the ATA, and examine again. Then, reconnect the Internet and reboot the ATA again. Reexamine the settings to see if they somehow reverted.

Dan_voip join:2007-01-03 Saint-Hubert, QC
said by Stewart: With your Internet modem disconnected, set Provision Enable to no, clear Profile Rule (and B, C, D if applicable), and clear Upgrade Rule.
A good thing is to save all those settings before clearing them.