LEAP weaknesses
MS-CHAPv2 weaknesses:
No salt in stored NT (double MD4) hashes - permits pre-computed dictionary attacks
Weak DES key selection for challenge/response
Username is sent in clear-text
LEAP client-AP Challenge/response weaknesses:
The AP sends a random 8-byte challenge to the client
The client uses a 16 byte NT hash (MD4) of the user password to generate 3 DES keys (NT1-NT7) (NT8-NT14) (NT15-NT16+"\0\0\0\0\0")
Each DES key is used to encrypt the challenge (each generating 8 bytes of output) and the 24-byte response is sent back to the AP.
The AP responds with a success or failure message