RE: LEAP

From: Jerry Shenk (jshenk@decommunications.com)
Date: Wed Feb 25 2004 - 22:13:39 EST

• Next message: Chris.McNab@trustmatta.com: "Re: loose source routed IP packets"
• Previous message: Joseph.Wulf: "RE: Scanning tool that will track and report diffs"
• In reply to: Chris.McNab@trustmatta.com: "LEAP"
• Next in thread: Moonen, Ralph: "RE: LEAP"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Joshua stated that this would not be available before April due to
wanting to give Cisco a chance to fix things first.

In your testing, you should at least be able to collect a number of
usernames, domains and MACs. Give the <sarcasm> high quality of
user-selected passwords </sarcasm> you may be able to just guess your
way into the network without even cracking it.

-----Original Message-----
From: Chris.McNab@trustmatta.com [mailto:Chris.McNab@trustmatta.com]
Sent: Tuesday, February 24, 2004 11:05 AM
To: pen-test@securityfocus.com
Subject: LEAP

Hey,

At Defcon last year, Joshua Wright released a paper documenting a number
of
flaws in LEAP, in particular relating to sniffing the challenge-response
traffic, compromising the username, and cracking the user password
offline.
His paper is available from
http://home.jwu.edu/jwright/presentations/asleap-defcon.pdf

I am currently undertaking a wireless test for a client who I've found
is
using LEAP. I've sniffed a number of LEAP challenge-response frames, and
it
would be great if I could perform some active attacks to spoof
LEAP-logoff
and STA deauthenticate frames, sniff more LEAP challenge-response
traffic,
and perform the offline cracking operation as described by Joshua
Wright.

Joshua wrote a tool called asleap / asleap-imp, which he demonstrated at
Defcon, but did not release. I have yet to find asleap available online,
although various media sources state that the tool will be available in
February. I even mailed Joshua, but he hasn't yet responsed.

My question is if anyone knows of any tools or hacks of software like
kismet that can perform any element of this LEAP attack?

Thanks,

Chris

Chris McNab
Technical Director

Matta Consulting Limited
18 Noel Street
London W1F 8GN

 08700 77 11 00

------------------------------------------------------------------------

---
------------------------------------------------------------------------
----
---------------------------------------------------------------------------
----------------------------------------------------------------------------

• Next message: Chris.McNab@trustmatta.com: "Re: loose source routed IP packets"
• Previous message: Joseph.Wulf: "RE: Scanning tool that will track and report diffs"
• In reply to: Chris.McNab@trustmatta.com: "LEAP"
• Next in thread: Moonen, Ralph: "RE: LEAP"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:49 EDT