Using Wireshark and John to Crack LEAP
By Jason • Sep 1st, 2009 • Category: SBN, Tools

The Lightweight Extensible Authentication Protocol, or LEAP, is a proprietary wireless LAN authentication method developed by Cisco. LEAP uses a modified version of MS-CHAP. In this case, the Challenge-Handshake Authentication Protocol (CHAP) is a three-step process whereby an endpoint authenticates itself to a wireless access point (AP).
- After the completion of the link establishment phase, the authenticator sends a “challenge” message to the peer. (The AP issues a random 8-byte challenge)
- The peer responds with a value calculated using a one-way hash function. (The endpoint encrypts the 8-byte challenge three times with DES, using keys derived from the NT hash of the user's password, and joins the three DES outputs into a single 24-byte response.)
- The authenticator checks the response against its own calculation of the expected hash value. If the values match, the authenticator acknowledges the authentication; otherwise it should terminate the connection. (The AP issues a success or failure message.)
Sniffing the air, we can observe this challenge and response process. Using Wireshark to analyze our wireless packet capture, we are able to collect these strings. We can then perform an offline dictionary and brute-force password guessing attack against them using John the Ripper.
I am going to assume you have already identified that LEAP is the authentication method being used, and that you have sniffed the wireless network obtaining the resulting packet capture files.
Load your packet capture file in Wireshark. We are going to use a filter so that we are only looking at the LEAP exchanges in Wireshark (EAP type 17 is LEAP, so only LEAP frames are shown). In the filter field, enter the following and click Apply.
- eap.type eq 17

LEAP sends the user identity information over the air in clear text. We are going to grab the username, the challenge, and the response from Wireshark.

Then, we are going to copy these values into a text file. In our text file, we are going to use this format.
- username::::response:challenge
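The response computation from the three CHAP steps above, and the input line format just shown, written out as an added Go example (this is not code from the original post or from John the Ripper). It takes the 16-byte NT hash as input rather than the password, since MD4 over the UTF-16LE password is not in Go's standard library; the sample hash and challenge are the PasswordHash and Challenge values from the RFC 2759 test vectors, used here only as sample input.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"math/bits"
)

// desKey expands 7 bytes (56 bits) of the padded NT hash into the 8-byte key
// crypto/des wants: seven key bits per byte, odd parity in bit 0.
func desKey(k7 []byte) []byte {
	k8 := make([]byte, 8)
	for i := 0; i < 8; i++ {
		var b byte // the 7 key bits starting at bit offset 7*i of k7
		for j := 0; j < 7; j++ {
			pos := 7*i + j
			b = b<<1 | (k7[pos/8]>>(7-pos%8))&1
		}
		k8[i] = b<<1 | byte((bits.OnesCount8(b)+1)%2)
	}
	return k8
}

// LEAPResponse is the MS-CHAP NT response LEAP relies on: the 16-byte NT hash is
// zero-padded to 21 bytes and split into three 7-byte DES keys, each encrypting
// the 8-byte challenge once to give the 24-byte response. The third key has only
// 16 unknown bits (its last 5 bytes are zeros), which is what makes John's job cheap.
func LEAPResponse(ntHash, challenge []byte) []byte {
	if len(ntHash) != 16 || len(challenge) != 8 {
		return nil // LEAP always carries a 16-byte hash and an 8-byte challenge
	}
	padded := append(make([]byte, 0, 21), ntHash...)[:21] // zero-pad to 21 bytes
	resp, out := make([]byte, 0, 24), make([]byte, 8)
	for i := 0; i < 21; i += 7 {
		c, _ := des.NewCipher(desKey(padded[i : i+7])) // key is always 8 bytes
		c.Encrypt(out, challenge)
		resp = append(resp, out...)
	}
	return resp
}

func main() {
	// Sample input: the PasswordHash of "clientPass" and the 8-octet Challenge from
	// RFC 2759's test vectors (section 9.2), which also list the expected NT-Response.
	ntHash, _ := hex.DecodeString("44ebba8d5312b8d611474411f56989ae")
	chal, _ := hex.DecodeString("d02e4386bce91226")
	fmt.Printf("User::::%x:%x\n", LEAPResponse(ntHash, chal), chal) // username::::response:challenge
}
```

John tests each password guess the same way: hash it, recompute this response for the sniffed challenge, and compare with the sniffed response.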

Before running John the Ripper, you will increase your chances of quick success if you do two things. The first is to build a dictionary that includes likely words your target could use. Include key words from your target’s website. Think about local sports teams. The second is to configure John to reflect the target’s password policy if you are privy to that information. If the target can only have 7 to 8 character passwords, spending time brute-forcing anything else is a complete waste.
Save the file above in the John directory, run John requesting the NETNTLM format, and give it your text file.
- ./john --format=NETNTLM file.txt
John will make three passes against your input. It will run your dictionary, then your dictionary with appended characters, and finally a brute-force attack. Press the space bar while John is running to see its progress. The (1), (2) or (3) in the status line tells you which stage John is performing. Stage three will take a long time.

References:
Chapter 6 of Ethereal “Wireless Sniffing with Wireshark”
http://www.willhackforsushi.com/books/377_eth_2e_06.pdf
Wireless Security
http://en.wikipedia.org/wiki/Wireless_security
Cisco Security Notice: Dictionary Attack on Cisco LEAP Vulnerability
http://www.cisco.com/warp/public/707/cisco-sn-20030802-leap.shtml
Weaknesses in LEAP Challenge/Response
http://www.securityfocus.com/archive/1/340365/2009-08-06/2
John the Ripper Tutorial
http://juggernaut.wikidot.com/jtr
John the Ripper Patches
http://openwall.info/wiki/john/how-to-extract-tarballs-and-apply-patches
http://www.openwall.com/john/
ftp://ftp.openwall.com/pub/projects/john/contrib/
