
Does not work in current Kali distribution

Open Rogdham opened this issue 2 years ago • 2 comments

Hello, I'm not sure if it's the right place to report, but asleap cannot find the last 2 bytes of the hash when installed from the latest Kali. At least this could help future users.

This issue was initially reported in https://github.com/OpenSecurityResearch/hostapd-wpe/issues/32 by @AdonisPro.

To reproduce:

  • Download Kali (they have pre-built VMs)
  • Run sudo apt-get update && sudo apt-get install asleap
  • Try recovering the last 2 bytes of NT from a challenge/response

More details (for password abcd1234):

┌──(kali㉿kali)-[~]
└─$ asleap -C 53:7a:33:3a:a2:08:38:07 -R 95:e1:4a:5b:6c:0a:18:26:8e:18:7b:da:0b:30:c4:d8:af:d3:38:ad:c5:f3:86:ae
asleap 2.3 - actively recover LEAP/PPTP passwords. <[email protected]>
        Could not recover last 2 bytes of hash from the
        challenge/response.  Sorry it didn't work out.

┌──(kali㉿kali)-[~]
└─$ ldd /usr/bin/asleap
        linux-vdso.so.1 (0x00007ffcb6fce000)
        libpcap.so.0.8 => /lib/x86_64-linux-gnu/libpcap.so.0.8 (0x00007f9b1301d000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f9b12e54000)
        libdbus-1.so.3 => /lib/x86_64-linux-gnu/libdbus-1.so.3 (0x00007f9b12e00000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f9b1309a000)
        libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f9b12ddf000)
        libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f9b12d0f000)
        librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007f9b12d04000)
        liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f9b12cda000)
        libzstd.so.1 => /lib/x86_64-linux-gnu/libzstd.so.1 (0x00007f9b12bff000)
        liblz4.so.1 => /lib/x86_64-linux-gnu/liblz4.so.1 (0x00007f9b12bdc000)
        libcap.so.2 => /lib/x86_64-linux-gnu/libcap.so.2 (0x00007f9b12bd1000)
        libgcrypt.so.20 => /lib/x86_64-linux-gnu/libgcrypt.so.20 (0x00007f9b12a96000)
        libgpg-error.so.0 => /lib/x86_64-linux-gnu/libgpg-error.so.0 (0x00007f9b12a6c000)

┌──(kali㉿kali)-[~]
└─$ dpkg --status asleap
Package: asleap
Status: install ok installed
Priority: optional
Section: net
Installed-Size: 230
Maintainer: Kali Developers <[email protected]>
Architecture: amd64
Version: 2.3~git20201128.254acab-0kali1
Depends: libc6 (>= 2.14), libpcap0.8 (>= 0.9.8)
Description: A tool for exploiting Cisco LEAP networks
 Demonstrates a serious deficiency in proprietary Cisco LEAP networks.
Homepage: https://www.willhackforsushi.com/

I see it's version 2.3 (254acab) but I'm surprised libxcrypt is not reported by ldd nor dpkg :thinking:

@joswr1ght can I let you report this to Kali if you think it's not an issue with asleap itself?

Rogdham avatar Feb 28 '22 19:02 Rogdham

I have seen this error before, I don't think it's something distro-specific. I think the MS-CHAPv2 challenge/response is calculated differently in some situations, though I've never been able to put my finger on exactly how or why.

Can you speak a little more about how you got the challenge and response values in this example? Can you test the sample pcap files to ensure they work as expected?

Thanks!

joswr1ght avatar Feb 28 '22 20:02 joswr1ght

Hello @joswr1ght, there was a famous issue with hostapd-wpe about taking the domain into account when displaying the challenge/response (that I patched a while ago), but I don't think that's it.

On my local machine, asleap is able to find the 2 bytes of the NT hash just fine (exact same command):

$  /asleap -C 53:7a:33:3a:a2:08:38:07 -R 95:e1:4a:5b:6c:0a:18:26:8e:18:7b:da:0b:30:c4:d8:af:d3:38:ad:c5:f3:86:ae
asleap 2.3 - actively recover LEAP/PPTP passwords. <[email protected]>
	hash bytes:        4fef
[getmschappw] fopen: No such file or directory
Experienced an error in getmschappw, returned -1.

Although there is an error, the hash bytes part is right.

In the example, the password is abcd1234 which has b3ec3e03e2a202cbd54fd104b8504fef as NT value, so the last 2 bytes are 4fef as found by my local asleap.


> Can you speak a little more about how you got the challenge and response values in this example?

A user of hostapd-wpe captured them in https://github.com/OpenSecurityResearch/hostapd-wpe/issues/32 ; I have been able to check that the challenge/response is valid with my local asleap as well as other tools.


> Can you test the sample pcap files to ensure they work as expected?

Output with the sample pcap files on the Kali VM:

┌──(kali㉿kali)-[~/asleap/samples]
└─$ asleap -r joshlea.dump
asleap 2.3 - actively recover LEAP/PPTP passwords. <[email protected]>

Captured LEAP exchange information:
        username:          jwright
        challenge:         ceb69885c656590c
        response:          7279f65aa49870f45822c89dcbdd73c1b89d377844caead4
        Could not recover last 2 bytes of hash from the
        challenge/response.  Sorry it didn't work out.

┌──(kali㉿kali)-[~/asleap/samples]
└─$ asleap -r leap.dump -s
asleap 2.3 - actively recover LEAP/PPTP passwords. <[email protected]>

Captured LEAP exchange information:
        username:          qa_leap
        challenge:         0786aea0215bc30a
        response:          7f6a14f11eeb980fda11bf83a142a8744f00683ad5bc5cb6
        Could not recover last 2 bytes of hash from the
        challenge/response.  Sorry it didn't work out.

┌──(kali㉿kali)-[~/asleap/samples]
└─$ asleap -r leap2.dump -s
asleap 2.3 - actively recover LEAP/PPTP passwords. <[email protected]>

Captured LEAP exchange information:
        username:          RSAINI
        challenge:         afe811f2ae948bdb
        response:          5b79dab8bf72ed434ebca8a784466bffb28f6e94280c918d
        Could not recover last 2 bytes of hash from the
        challenge/response.  Sorry it didn't work out.

┌──(kali㉿kali)-[~/asleap/samples]
└─$ asleap -r pptp.dump
asleap 2.3 - actively recover LEAP/PPTP passwords. <[email protected]>

Captured PPTP exchange information:
        username:          scott
        auth challenge:    e3a5d0775370bda51e16219a06b0278f
        peer challenge:    84c4b33e00d9231645598acf91c38480
        peer response:     565fe2492fd5fb88edaec934c00d282c046227406c31609b
        challenge:         62f73d590f8b9199
        Could not recover last 2 bytes of hash from the
        challenge/response.  Sorry it didn't work out.

Rogdham avatar Feb 28 '22 21:02 Rogdham
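A way to reproduce the reporter's check of this challenge/response pair without depending on the packaged binary, as an added example that is not part of asleap or hostapd-wpe: the Go program below computes the NT hash of abcd1234 (MD4 over UTF-16LE, implemented inline because Go's standard library lacks MD4) and rebuilds the 24-byte NT response the way LEAP and MS-CHAPv2 both do, three DES encryptions of the 8-byte challenge under keys cut from the hash padded with five zero bytes. The third key is the last two hash bytes followed by zeros, which is the structural reason a tool can recover "the last 2 bytes of hash" on their own. The function names (NTHash, ChallengeResponse, VerifyResponse) are mine; the challenge and response strings are the ones quoted in the report, and the 8-byte challenge hostapd-wpe prints is taken to be the value that feeds DES directly, as asleap -C expects.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"math/bits"
	"strings"
	"unicode/utf16"
)

// md4 is a minimal MD4 (RFC 1320), written here because the standard library does not ship it.
func md4(msg []byte) [16]byte {
	a, b, c, d := uint32(0x67452301), uint32(0xefcdab89), uint32(0x98badcfe), uint32(0x10325476)
	padded := append(append([]byte{}, msg...), 0x80) // pad: 0x80, zeros to 56 mod 64, bit length LE
	for len(padded)%64 != 56 {
		padded = append(padded, 0)
	}
	padded = binary.LittleEndian.AppendUint64(padded, uint64(len(msg))*8)
	r2 := [16]int{0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15}
	r3 := [16]int{0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15}
	s1, s2, s3 := [4]int{3, 7, 11, 19}, [4]int{3, 5, 9, 13}, [4]int{3, 9, 11, 15}
	for off := 0; off < len(padded); off += 64 {
		var x [16]uint32
		for i := range x {
			x[i] = binary.LittleEndian.Uint32(padded[off+4*i:])
		}
		aa, bb, cc, dd := a, b, c, d
		for i := 0; i < 16; i++ { // round 1, F
			a, b, c, d = d, bits.RotateLeft32(a+((b&c)|(^b&d))+x[i], s1[i%4]), b, c
		}
		for i := 0; i < 16; i++ { // round 2, G
			a, b, c, d = d, bits.RotateLeft32(a+((b&c)|(b&d)|(c&d))+x[r2[i]]+0x5a827999, s2[i%4]), b, c
		}
		for i := 0; i < 16; i++ { // round 3, H
			a, b, c, d = d, bits.RotateLeft32(a+(b^c^d)+x[r3[i]]+0x6ed9eba1, s3[i%4]), b, c
		}
		a, b, c, d = a+aa, b+bb, c+cc, d+dd
	}
	var out [16]byte
	for i, v := range []uint32{a, b, c, d} {
		binary.LittleEndian.PutUint32(out[4*i:], v)
	}
	return out
}

// NTHash is MD4 over the password as UTF-16LE: no salt, and the domain plays no part.
func NTHash(password string) [16]byte {
	u := utf16.Encode([]rune(password))
	buf := make([]byte, 2*len(u))
	for i, v := range u {
		binary.LittleEndian.PutUint16(buf[2*i:], v)
	}
	return md4(buf)
}

// desKey spreads 7 key bytes over 8: 7 key bits per byte plus an odd-parity bit DES ignores.
func desKey(k7 []byte) []byte {
	v := binary.BigEndian.Uint64(append([]byte{0}, k7...)) // 56 key bits, right-aligned
	key := make([]byte, 8)
	for i := range key {
		seven := byte((v >> uint(49-7*i)) & 0x7f)
		key[i] = seven<<1 | byte(1-bits.OnesCount8(seven)%2)
	}
	return key
}

// ChallengeResponse builds the 24-byte NT response: NT hash || five zero bytes is
// split into three 7-byte DES keys, each encrypting the 8-byte challenge. Key 3 is
// hash[14:16] || 00*5, so it has only 2^16 values: the "last 2 bytes" asleap recovers.
func ChallengeResponse(ntHash [16]byte, challenge []byte) []byte {
	padded := make([]byte, 21)
	copy(padded, ntHash[:])
	resp := make([]byte, 24)
	for i := 0; i < 3; i++ {
		block, _ := des.NewCipher(desKey(padded[7*i : 7*i+7])) // 8-byte key: cannot fail
		block.Encrypt(resp[8*i:], challenge)
	}
	return resp
}

// VerifyResponse reports whether password explains a captured challenge/response
// pair written as colon-separated hex, the way hostapd-wpe prints it.
func VerifyResponse(password, challengeHex, responseHex string) (bool, error) {
	chal, err1 := hex.DecodeString(strings.ReplaceAll(challengeHex, ":", ""))
	want, err2 := hex.DecodeString(strings.ReplaceAll(responseHex, ":", ""))
	if err1 != nil || err2 != nil || len(chal) != 8 || len(want) != 24 {
		return false, fmt.Errorf("need an 8-byte challenge and a 24-byte response in hex")
	}
	return bytes.Equal(ChallengeResponse(NTHash(password), chal), want), nil
}

func main() {
	// Challenge and response quoted from the issue report (password abcd1234).
	ok, err := VerifyResponse("abcd1234", "53:7a:33:3a:a2:08:38:07",
		"95:e1:4a:5b:6c:0a:18:26:8e:18:7b:da:0b:30:c4:d8:af:d3:38:ad:c5:f3:86:ae")
	fmt.Printf("NT hash %x; response matches: %v (err %v)\n", NTHash("abcd1234"), ok, err)
}
```

If the pair verifies here but the Kali build still reports that it cannot recover the last two bytes, the input is sound and the fault lies in the binary or the libraries it was linked against; if the pair fails to verify, the capture or the assumed password is the problem. The same check applies to a PPTP/MS-CHAPv2 exchange once the 8-byte challenge has been derived, since the NT response construction is identical.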