Posted on Thursday, 10th June 2010 by Michael

MJSIP: Automating the Magic Jack SIP retrieval

What is it:

MJSIP is a simple Perl script written by a co-worker and myself. This script uses regular expression matching to automate the finding of your SIP password in the dump file.

MJSIP has been tested on over 50 Jacks that were purchased and registered this month (6/07/10). Each Magic Jack we tested worked flawlessly.

Though this tool has been tested and we have worked out many of the bugs, there are two conditions we are aware of that will cause MJSIP not to return a password to you. The first is if you dumped the memory incorrectly using the SIPDump tool. The second is if your Magic Jack password contains the same letter or number more than 4 times in a row.
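
An added Perl example (not MJSIP's own code, whose patterns this page does not show) of the kind of matching described above: it pulls candidate tokens out of dump text, drops junk, and ranks what is left by how often it appears, which is the rule Michael gives in the comments for picking the real password. It assumes a candidate is a stand-alone 20-character alphanumeric token and that junk is removed by rejecting any token with one character repeated more than 4 times in a row; under that assumption a genuine password containing such a run is discarded too, which matches the second failure condition. The dump text is constructed.

```perl
#!/usr/bin/perl
# Added illustration; not the MJSIP source. All dump text below is constructed.
use strict;
use warnings;

# Assumption: a candidate is a stand-alone run of exactly 20 letters/digits.
my $CANDIDATE = qr/(?<![A-Za-z0-9])[A-Za-z0-9]{20}(?![A-Za-z0-9])/;
# Assumption: the junk filter rejects any token in which one character
# appears more than 4 times in a row (5 or more).
my $LONG_RUN = qr/(.)\1{4}/;

# Returns (ranked candidates, occurrence counts, tokens the filter rejected).
sub rank_candidates {
    my ($text) = @_;
    my (%count, %rejected);
    while ($text =~ /($CANDIDATE)/g) {
        my $token = uc $1;    # case is not significant, so fold it
        if ($token =~ $LONG_RUN) { $rejected{$token}++; next; }
        $count{$token}++;
    }
    # Most frequent first; ties broken alphabetically for stable output.
    my @ranked = sort { $count{$b} <=> $count{$a} or $a cmp $b } keys %count;
    return (\@ranked, \%count, \%rejected);
}

# Constructed sample: one value repeated three times, one stray token,
# two padding tokens, and a repeated value that contains "77777".
my $dump = join "\n",
    'hdr FFFFFFFFFFFFFFFFFFFF 0000000000ABCDEF1234',
    'cfg=A1B2C3D4E5F6G7H8J9K0;',
    'tmp Q9W8E7R6T5Y4U3I2O1P0 end',
    'cfg=a1b2c3d4e5f6g7h8j9k0;',
    'auth A1B2C3D4E5F6G7H8J9K0 ok',
    'cfg=AB77777CDEFGH1234567;',
    'auth AB77777CDEFGH1234567 ok';

my ($ranked, $count, $rejected) = rank_candidates($dump);
printf "%-22s seen %d time(s)\n", $_, $count->{$_} for @$ranked;
printf "%-22s rejected by run filter (seen %d)\n", $_, $rejected->{$_}
    for sort keys %$rejected;
```

The repeated value containing `77777` lands in the rejected list alongside the padding, so a frequency ranking never gets to consider it.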

What is required:

MJSIP: Our Perl script. This can be downloaded here: http://www.digitaloffensive.com/mj/mjsip.zip

SIPDump: Magic Jack stores all your SIP information in the program's memory during the startup process. SIPDump is a modified version of MemDump, which was originally developed by Stroth. You can download this tool here: http://www.digitaloffensive.com/mj/mj.rar

Active Perl: This is a free Windows port of the Perl interpreter. It can be downloaded here for 32-bit or 64-bit processors: http://www.activestate.com/activeperl/downloads. Download the MSI file and install it, choosing all the defaults.

How to use it:

Step 1: Download and extract all your tools to a folder on your system. Working out of one folder will make life so much easier.

Step 2: Use SIPDump.exe to dump the memory of your Magic Jack. If you need more details on how to do this, see my article here: http://www.digitaloffensive.com/2010/03/hacking-the-magic-jack-in-2010-for-use-on-trixbox-or-any-other-sip-device/

Step 3: Out of all the Magic Jacks we have tested, the 3rd dump file was the most reliable at containing the password. I would strongly suggest you do not change that line in the MJSIP.pl file.

Step 4: Open a command prompt and navigate to the folder that you created that has all your tools in it. This folder should also contain your SIPDump files, unless you did not listen to my suggestions above. Once in that folder, type the following command: “perl mjsip.pl”. This should dump your password to the screen.

If you have questions, concerns or ideas to automate more or add to it feel free to contact us.

26 Responses to “MJSIP: Automating the Magic Jack SIP retrieval”

  1. Michael Says:

    Updated code to open “SIPDump3.txt” by default.

  2. Steve Says:

    Great work, thanks for the help for the community.

  3. warezjoe Says:

    Great write up Mike. Question for you, It seems that this is a client side vulnerability (risk), is there a way to perform this type of attack on MJs that are present on a USB networked hub or similar configuration?

    WJ

  4. Michael Says:

    You could do it on the network as well. Though it is not as easy. You would need to be able to do a process listing of the network machine and grab the magic jack PID. You would then need to restart the process and grab the PID again. Once the process is restarted you would need to use a tool that can be configured to dump the memory of the remote machine via PID or have a copy of SipDump running locally on the compromised machine. Even if you did all that it is still a race condition on when the ad loads to start the dump.

    What I do is do a search on your network for SIPDump* and see if anyone has created any dumps. Then grab them and dump them to a folder with my script. That will get you the password.

    This tool was written more for those that want to get their SIP credentials to plug into an ATA or PBX of their own and not use the Magic Jack dongle.

  5. Tim Says:

    Hello Mike,
    Is there a way you can contact me through my email
    (thien63@msn.com) or call me at 832-373-6908. I have an invention that is ready to produce, but I see a better option by using softphone with sip credential. I can pay you or join us as sub-contract to finalize this product. Thanks

  6. Michael Says:

    Tim, I sent you an email.

  7. Michael Says:

    If anyone finds any other information / filters that need to be added to this script please let me know.

  8. Rami mizrahi Says:

    Hi Michael.
    Thank you for your amazing post.
    I have one small question.
    If I’ll find my MJ info, can I use it on my N95 nokia (symbian OS) ?
    Thank you for your time.

    Rami.

  9. Michael Says:

    Yes but: There is always a but. The SIP info alone will not work, you will need to still use a proxy installed somewhere. Either mjproxy on linux and Tomato-based routers or mjmd5.exe on windows boxes.

    The second but is you will need a softphone installed on your phone. The issue there is the only one I know of is fring and they do not support 20 char passwords.

  10. Vijay Says:

    Thanks for your post and I got my password. But when I tried to connect from my iphone via Siphon it says credentials failed. Any suggestions? I configured siphon as per a post where some people got it success.

    Thanks!

  11. Michael Says:

    Thanks. I use adore softphone on my ipad and iphone. The issue that you mention sounds like you are running Siphon without having a proxy running somewhere else. Many people forget even with the SIP credentials you have to still use a proxy. I suggest running mjmd5.exe on your desktop and testing again.

    I hope that helps.

  12. coozze Says:

    Is this still working for everyone? I get multiple passwords and none of them work.

  13. Michael Says:

    This is still working as of this morning. I do several Magic Jacks a day. If you have the output please send it to me and I will look. The newer Jacks have added some more trash that I need to filter out, I just have not had time to update my code on the site. I update locally as I find new strings to remove. If you send me your output I will add the strings and send it out. Also are you using the proxy with the credentials? Remember having the credentials is not the only thing you need. 99% of people don’t do that and blame my code. Remember this code is offered currently free of charge. I get close to 3k unique visitors a month and over 6k in repeat. But only a few ever support my efforts.

  14. Luke Says:

    Thanks for the script and write up. It worked great for me on two magic jacks. I just wish I could get the credentials to work on my Android with sipdroid!

  15. Michael Says:

    Luke,

    I just got a droid and what I do is have it use sipdroid and register to my asterisk PBX. That is prob a bit more than you want to do. But you can always host mjmd5.exe on your home computer and open the port you have it listen on to your home computer on your router and use your public IP in the sipdroid settings.

  16. Nick Says:

    Hi Michael

    First thanks for the info.

    Now after following your step by step, I get about 50 passwords in upper case form. When entering the password in fring on my iPhone 4 do I enter them in upper case or lower case? Finally, I’m using my MJ from Montreal Canada, after getting my proxy name from nslookup. It gave me vms03.dallas1.talk4free.com, is that good or not?

    Thanks

  17. Nick Says:

    SORRY I forgot, also do I have to enter all the passwords to see which one is right or is the last password the good one?

  18. Michael Says:

    The one that repeats the most is usually the password. Case is not important. The issue you may have is fringe can’t take a 20 char password unless a recent update fixed that. As far as the proxy, that one is fine. Recent updates have made some major changes. Don’t be surprised if your password changes either as that was an issue a few weeks ago for many users.

  19. Michael Says:

    Only one is right, it usually stands out like a sore thumb.

  20. Nick Says:

    Thanks Michael

    So if the password doesn’t work it’s because they have rolled over a new one. And I’ll have to go and do the mjsip.pl over again. Also the passwords, are they all supposed to be your MJ phone number? Isn’t that very easy for others to hack too? Sorry if this sounds like a stupid question.

  21. Nick Says:

    Hi Michael

    It looks like Fringe doesn’t like the user name or the password, like you have told me about the 20 char password problem. What other iPhone app is out there that I can try to make this work?

  22. Pradeep Says:

    I’ve taken most of the bits covered in all the replies, but no luck yet. I tried Blink on my mac, fring and adore softphone on my iphone – all seem to fail due to “authentication failure”. I tried EXXXXX..01 and EXXXX..02, but no luck. Password was taken from the perl script’s output that stood out of 3 others.

  23. Michael Says:

    Make sure you are using mjmd5.exe or mjproxy as those pieces of software alone will not encrypt the connection the way mj requires hence the failure.

  24. Frank Says:

    Mike, I don’t know if it’s outdated now, but I’ve tried the process.

    On the outset with SIPDUMP — I get no matching file were found in all sipdump txt files.

    Any suggestions?

  25. Keith Says:

    Does this still work as of the latest version? I’ve created many dumps using different methods but I never find any reference to “ProxyPassword” or any of the other mentioned parameters. Did the folks at MJ kill this? If so, are there other ways of obtaining the password?

  26. Randy Says:

    I tried it with the latest Magic Jack and many passwords are found but none work (using X-Lite to test them, it has MD5).

    Any new leads? Fiddler, SIPDump, pmdump, all tried. For now no luck.
