802.11 Wireless Attacks  Home ToC Prev Up Next 
802.11
Attacks
O/S/M Vulnerabilities
WEP Encryption
Passive Attacks
Active Attacks
IV Reply Attack
Bit-flipping Attack
ManInTheMiddle
MITM Attack
Cisco LEAP
+LEAP weaknesses
LEAP attack
ICV issue
Passive WPA PSK
WPA PSK attacks
PSK attack tools
Conclusion
  

LEAP weaknesses

MS-CHAPv2 weaknesses:

  • No salt in stored NT (double MD4) hashes - permits pre-computed dictionary attacks

  • Weak DES key selection for challenge/response

  • Username is sent in the clear-text

LEAP client-AP Challenge/response weaknesses:

  1. The AP sends a random 8-byte challenge to the client

  2. The client uses 16 byte NT hash (MD4) of the user password to generate 3 DES keys (NT1-NT7) (NT8-NT14) (NT15-NT16+"\0\0\0\0\0")

  3. Each DES key is used to encrypt the challenge (each generating 8 bytes of output) and the 24-byte response is sent back to the AP.

  4. The AP responses with success or failure message
Copyright © 2005 Pavol Lupták, OpenWeekend 2005  Prev Next