Posted on Thursday, 10th June 2010 by Michael
MJSIP: Automating the Magic Jack SIP retrieval
What is it:
MJSIP is a simple Perl script written by a co-worker and me. It uses regular expression matching to automate finding your SIP password in the dump file.
MJSIP has been tested on over 50 Jacks that were purchased and registered this month (6/07/10). Each Magic Jack we tested worked flawlessly.
Although this tool has been tested and we have worked out many of the bugs, we are aware of two conditions that will cause MJSIP not to return a password. The first is if you dumped the memory incorrectly with the SIPDump tool. The second is if your Magic Jack password contains the same letter or number more than 4 times in a row.
What is required:
MJSIP: Our Perl script. This can be downloaded here: http://www.digitaloffensive.com/mj/mjsip.zip
SIPDump: Magic Jack stores all your SIP information in the program's memory during the startup process. SIPDump is a modified version of MemDump, which was originally developed by Stroth. You can download this tool here: http://www.digitaloffensive.com/mj/mj.rar
Active Perl: This is a free Windows port of the Perl interpreter. It can be downloaded here for 32-bit or 64-bit processors: http://www.activestate.com/activeperl/downloads. Download the MSI file and install it, choosing all the defaults.
How to use it:
Step 1: Download and extract all your tools to a folder on your system. Working out of one folder will make life so much easier.
Step 2: Use SIPDump.exe to dump the memory of your Magic Jack. If you need more details on how to do this, check out my article here: http://www.digitaloffensive.com/2010/03/hacking-the-magic-jack-in-2010-for-use-on-trixbox-or-any-other-sip-device/
Step 3: Out of all the Magic Jacks we have tested, the 3rd dump file was the most reliable at containing the password. I would strongly suggest you do not change that line in the MJSIP.pl file.
Step 4: Open a command prompt and navigate to the folder you created that has all your tools in it. This folder should also contain your SIPDump files, unless you did not listen to my suggestions above. Once in that folder, type the following command: “perl mjsip.pl”. This should dump your password to the screen.
If you found this tool helpful please feel free to either visit one of our sponsors or donate by clicking here.
If you have questions, concerns or ideas to automate more or add to it feel free to contact us.
Posted in Papers | Comments (27)
June 10th, 2010 at 3:59 pm
Updated code to open “SIPDump3.txt” by default.
June 12th, 2010 at 11:26 pm
Great work, thanks for the help for the community.
June 14th, 2010 at 9:54 am
Great write up Mike. Question for you: it seems that this is a client side vulnerability (risk). Is there a way to perform this type of attack on MJs that are present on a USB networked hub or similar configuration?
WJ
June 14th, 2010 at 10:12 am
You could do it on the network as well. Though it is not as easy. You would need to be able to do a process listing of the network machine and grab the Magic Jack PID. You would then need to restart the process and grab the PID again. Once the process is restarted you would need to use a tool that can be configured to dump the memory of the remote machine via PID or have a copy of SipDump running locally on the compromised machine. Even if you did all that, it is still a race condition on when the ad loads to start the dump.
What I do is do a search on your network for SIPDump* and see if anyone has created any dumps. Then grab them and dump them to a folder with my script. That will get you the password.
This tool was written more for those that want to get their SIP credentials to plug into an ATA or PBX of their own and not use the Magic Jack dongle.
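The dumps SIPDump writes stay on disk after the password has been recovered, and as the reply above notes, anyone who can search for SIPDump* can collect them. The sweep below for leftover dumps is an added example, not part of mjsip.pl or the original post; it assumes the SIPDump*.txt naming used on this page and uses the "ProxyPassword" parameter name a commenter mentions as a content marker.

```python
import fnmatch
import os

# Assumptions (not taken from mjsip.pl): dumps are named like "SIPDump3.txt",
# and MARKER is the "ProxyPassword" parameter name a commenter on this page
# says they looked for inside the dumps.
DUMP_PATTERN = "sipdump*.txt"
MARKER = b"proxypassword"
CHUNK = 1 << 20  # read 1 MiB at a time; memory dumps can be large


def contains_marker(path, marker=MARKER, chunk=CHUNK):
    """Case-insensitive, binary-safe search that also catches a marker
    split across two consecutive chunk reads."""
    keep = len(marker) - 1
    tail = b""
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk)
            if not block:
                return False
            window = (tail + block).lower()
            if marker in window:
                return True
            # carry the last len(marker)-1 bytes over to the next read
            tail = window[-keep:] if keep else b""


def find_leftover_dumps(root):
    """Return sorted (path, size_bytes, has_marker) for each dump under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if fnmatch.fnmatch(name.lower(), DUMP_PATTERN):
                path = os.path.join(dirpath, name)
                try:
                    hits.append((path, os.path.getsize(path), contains_marker(path)))
                except OSError:
                    # unreadable file: still report it, marker status unknown
                    hits.append((path, -1, None))
    return sorted(hits)


if __name__ == "__main__":
    import sys
    labels = {True: "contains SIP parameters", False: "no marker", None: "unreadable"}
    for path, size, flagged in find_leftover_dumps(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}\t{size} bytes\t{labels[flagged]}")
```

Run it against the tools folder from Step 1 once the credentials are configured on your ATA or PBX, and delete whatever it lists.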
July 10th, 2010 at 3:29 pm
Hello Mike,
Is there a way you can contact me through my email (thien63@msn.com) or call me at 832-373-6908? I have an invention that is ready to produce, but I see a better option by using a softphone with SIP credentials. I can pay you or you can join us as a sub-contractor to finalize this product. Thanks
July 12th, 2010 at 8:22 am
Tim, I sent you an email.
July 15th, 2010 at 9:11 am
If anyone finds any other information / filters that need to be added to this script please let me know.
July 24th, 2010 at 2:51 am
Hi Michael.
Thank you for your amazing post.
I have one small question.
If I find my MJ info, can I use it on my N95 Nokia (Symbian OS)?
Thank you for your time.
Rami.
July 24th, 2010 at 11:00 am
Yes but: There is always a but. The SIP info alone will not work; you will still need to use a proxy installed somewhere. Either mjproxy on Linux and Tomato-based routers or mjmd5.exe on Windows boxes.
The second but is you will need a softphone installed on your phone. The issue there is the only one I know of is Fring and they do not support 20 char passwords.
August 11th, 2010 at 2:10 am
Thanks for your post and I got my password. But when I tried to connect from my iPhone via Siphon it says credentials failed. Any suggestions? I configured Siphon as per a post where some people got it to succeed.
Thanks!
August 11th, 2010 at 8:29 am
Thanks. I use adore softphone on my iPad and iPhone. The issue that you mention sounds like you are running Siphon without having a proxy running somewhere else. Many people forget that even with the SIP credentials you still have to use a proxy. I suggest running mjmd5.exe on your desktop and testing again.
I hope that helps.
August 26th, 2010 at 12:45 am
Is this still working for everyone? I get multiple passwords and none of them work.
August 26th, 2010 at 12:46 pm
This is still working as of this morning. I do several Magic Jacks a day. If you have at the output please send it to me and I will look. The newer Jacks have added some more trash that I need to filter out; I just have not had time to update my code on the site. I update locally as I find new strings to remove. If you send me your output I will add the strings and send it out. Also, are you using the proxy with the credentials? Remember, having the credentials is not the only thing you need. 99% of people don’t do that and blame my code. Remember this code is offered currently free of charge. I get close to 3k unique visitors a month and over 6k in repeat. But only a few ever support my efforts.
September 9th, 2010 at 12:09 pm
Thanks for the script and write up. It worked great for me on two magic jacks. I just wish I could get the credentials to work on my Android with sipdroid!
September 9th, 2010 at 12:37 pm
Luke,
I just got a Droid and what I do is have it use sipdroid and register to my Asterisk PBX. That is prob a bit more than you want to do. But you can always host mjmd5.exe on your home computer and open the port you have it listen on to your home computer on your router and use your public IP in the sipdroid settings.
September 14th, 2010 at 3:26 pm
Hi Michael
First thanks for the info.
Now, after following your step by step, I get about 50 passwords in upper case form. When entering the password in Fring on my iPhone 4, do I enter them in upper case or lower case? Finally, I’m using my MJ from Montreal, Canada. After getting my proxy name from nslookup, it gave me vms03.dallas1.talk4free.com. Is that good or not?
Thanks
September 14th, 2010 at 3:27 pm
Sorry, I forgot: also, do I have to enter all the passwords to see which one is right, or is the last password the good one?
September 14th, 2010 at 4:50 pm
The one that repeats the most is usually the password. Case is not important. The issue you may have is Fring can’t take a 20 char password unless a recent update fixed that. As far as the proxy, that one is fine. Recent updates have made some major changes. Don’t be surprised if your password changes either, as that was an issue a few weeks ago for many users.
September 14th, 2010 at 4:51 pm
Only one is right; it usually stands out like a sore thumb.
September 15th, 2010 at 8:19 am
Thanks Michael
So if the password doesn’t work it’s because they have rolled over to a new one. And I’ll have to go and do the mjsip.pl over again. Also, are the passwords all supposed to be your MJ phone number? Isn’t that very easy for others to hack too? Sorry if this sounds like a stupid question.
September 15th, 2010 at 11:43 am
Hi Michael
It looks like Fring doesn’t like the user name or the password, like you have told me about the 20 char password problem. What other iPhone app is out there that I can try to make this work?
September 24th, 2010 at 8:46 am
I’ve taken most of the bits covered in all the replies, but no luck yet. I tried Blink on my mac, fring and adore softphone on my iphone – all seem to fail due to “authentication failure”. I tried EXXXXX..01 and EXXXX..02, but no luck. Password was taken from the perl script’s output that stood out of 3 others.
September 24th, 2010 at 8:50 am
Make sure you are using mjmd5.exe or mjproxy as those pieces of software alone will not encrypt the connection the way mj requires hence the failure.
June 2nd, 2011 at 10:09 am
Mike, I don’t know if it’s outdated now, but I’ve tried the process.
On the outset with SIPDUMP — I get no matching file were found in all sipdump txt files.
Any suggestions?
July 8th, 2011 at 8:08 pm
Does this still work as of the latest version? I’ve created many dumps using different methods but I never find any reference to “ProxyPassword” or any of the other mentioned parameters. Did the folks at MJ kill this? If so, are there other ways of obtaining the password?
July 27th, 2014 at 1:58 am
I tried it with the latest MagicJack and many passwords are found but none work (using X-Lite to test them; it has MD5).
Any new leads. Fiddler, SIPDump, pmdump. all tried. For now no luck.
December 30th, 2015 at 5:02 pm
Trying to get credentials from my new Magicjack Go. So far, no luck. The audio quality of the GO is terrible, so I’d rather use my Asterisk box instead.
Anyone having luck as of 2015 ???