802.11 Wireless Attacks & Detection/Defense  Home ToC Prev Up Next 
802.11 overview
Attacks
O/S/M Vulnerabilities
WEP Encryption
Passive Attacks
Active Attacks
IV Replay Attack
Bit-flipping Attack
MITM Attack
Cisco LEAP
LEAP weaknesses
+LEAP attack
WPA PSK attacks
Detection
Defense
Conclusion
  

LEAP attack

The 3rd DES key is weak (due to the 5 NULLs in every challenge/response) there are only 2^16 hash possibilites 

'grep "BN-1BN$" nthash-dict > possible-passwords'

  1. Take a large password list, calculate MD4 hashes and password+NT hash list

  2. Capture LEAP challenge/response, extract username, challenge, response, calculate the last 2 bytes of the NT hash from the response

  3. Search through password+hash list for hashes with matching bytes

  4. Use matching entries to encrypt the challenge - matching captured and calculated response will indicate the user's password
Copyright © 2005 Pavol Lupták, ICZ a.s.  Prev Next