Kali is absolutely loaded with tools that each have their own function and role to fulfill. Asleap, however, is essentially specific cracking software that was designed with one sole purpose in mind: to take advantage of vulnerabilities found in LEAP. Furthermore, it can be used to break PPTP (Point-to-Point Tunneling Protocol).
Today, we’re going to be taking a closer look at this command, the vulnerability it was designed to break, its command syntax, and more. But before we begin, note that you are going to need a few things of your own in order to test this command out. First off, you’re going to need to download and run Kali, which is easy to come by since it’s completely free to use and run.
In addition, you’re going to need a wireless access point capable of running LEAP or a PPTP tunnel. Just remember that whatever device you’re trying to target has to be owned and operated by you. I have to warn you not to try using this tool out on a real-world target, because doing so would be immoral and illegal, and I don’t advocate breaking the law.
With that understanding, let’s take a closer look at the flaw that Asleap targets.
Vulnerabilities, MSCHAPv2, LEAP, and PPTP
LEAP stands for Lightweight Extensible Authentication Protocol, which is used to secure connections on wireless networks. Those of you who have passed the Security+ exam might even already know that LEAP uses a version of the MSCHAPv2 algorithm to authenticate the host at the other end of the connection.
Furthermore, you might have already heard that PPTP only offers weak encryption, and is one of the weakest VPN tunnel options available. You may have also heard that PPTP can be cracked using cheap software. Believe it or not, you can actually use Asleap to target PPTP, since it uses MSCHAPv2. You see, PPTP was originally developed by a consortium formed by Microsoft. Though they didn’t make the protocol proprietary, they did include it on most of their operating systems for free with the release of Windows NT, and custom-tailored their own version of CHAP to be used with PPTP.
That’s why the first two letters in the acronym stand for Microsoft, and the full name is the Microsoft Challenge-Handshake Authentication Protocol. In fact, Asleap can be used to crack any protocol that uses MSCHAPv2 for authentication, and the protocol has been known to suffer from a fatal vulnerability for quite some time now. The world has known about MSCHAPv2 flaws for about 17 years, since the vulnerability was first documented by Bruce Schneier in 1999.
Though the whole flaw, vulnerability details, and inner workings of the protocol are rather complicated, just know that MSCHAPv2 is vulnerable to password attacks such as dictionary-based attacks on the packets containing the challenge-response. Using Asleap (as well as other similar tools) makes it possible to form a handshake challenge that manipulates authentication in an unintended manner.
Options, Flags, and Command Syntax
First off, we need to take a look at the command syntax and options that are available for Asleap, then we will look at another tool that needs to be used in conjunction with Asleap. The following lists its syntax and possible flags/options:
Usage: asleap [options]
-r Read from a libpcap file
-i Interface to capture on
-f Dictionary file with NT hashes
-n Index file for NT hashes
-s Skip the check to make sure authentication was successful
-h Output this help information and exit
-v Print verbose information (more -v for more verbosity)
-V Print program version and exit
-C Challenge value in colon-delimited bytes
-R Response value in colon-delimited bytes
-W ASCII dictionary file (special purpose)
The command syntax is relatively simple and straightforward. However, note that we will also need to use genkeys in our demonstration, though genkeys is included in the Asleap package. It’s a pretty simple tool, and only has four options as follows:
genkeys: Must supply -r -f and -n
Usage: genkeys [options]
-r Input dictionary file, one word per line
-f Output pass+hash filename
-n Output index filename
-h Last 2 hash bytes to filter with (optional)
Usage Examples
Furthermore, you’re going to need to be able to run libpcap. You need a libpcap dump file to use as a parameter in the command syntax, which makes sense because you need to have captured data for the software to crack anyway. However, the first thing we need to do is use the genkeys tool as follows:
genkeys -r /usr/share/my-wordlist-file/nmap.lst -f output-file-name.dat -n output-index-name.idx
This command will simply generate hashes for passwords, making the process of the password attack exponentially faster. After using genkeys, the next thing to do (if you haven’t done it already) is to capture data from a protocol that uses MSCHAPv2, such as PPTP or LEAP.
Then, it’s finally time to plug the dump file and dictionary list into the command syntax for Asleap as follows:
asleap -r dump-file.dump -f output-file-name.dat -n output-index-name.idx -s
Note that the .dat and .idx files were created and custom-named by you in the genkeys step. If you were successful in your cracking attempt, the command prompt will show the recovered LEAP and PPTP password information, such as the username, challenge key, response data, hash bytes, NT hash, and password.
And believe it or not, with the exception of running the packet capture, there are only two steps to the cracking procedure. However, how long it takes depends a great deal on your dictionary, the complexity of the password, and your hardware. If you’re trying to run Kali on an ancient system that only meets the bare minimum system requirements, things might take longer.
Final Thoughts
Because MSCHAPv2 and LEAP are so insecure, you should avoid them at all costs. In addition, you should avoid using PPTP to secure your VPN connections unless your data is inconsequential, because it’s possible for hackers to break the key in as little as a day.
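To find where these protocols are still configured on your own machines, here is a small audit script. It is an added example, not part of Asleap or of the original article, and it assumes you feed it the text of wpa_supplicant and pppd/pptp peer files; the sample file contents and host names are constructed.

```python
import re

# (protocol, pattern, why). Option names are real wpa_supplicant / pppd /
# pptp-linux settings; which files are fed in is up to the caller.
RULES = [
    ("LEAP", re.compile(r"^eap\s*=.*\bLEAP\b", re.I), "network authenticates with LEAP"),
    ("MSCHAPv2", re.compile(r"^phase2\s*=.*auth=MSCHAPV2", re.I), "inner auth is MSCHAPv2"),
    ("MSCHAPv2", re.compile(r"^require-mschap-v2\b", re.I), "pppd insists on MSCHAPv2"),
    ("PPTP", re.compile(r'^pty\s+"?pptp\b', re.I), "pppd peer runs over the pptp client"),
]

def audit(name, text):
    """Return (name, line_no, protocol, why) for each active risky setting."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line:
            continue
        for protocol, pattern, why in RULES:
            if pattern.search(line):
                findings.append((name, line_no, protocol, why))
    return findings

# Constructed sample files (not taken from any real system).
SAMPLES = {
    "wpa_supplicant.conf": """\
network={
    ssid="lab-legacy"
    eap=LEAP
}
network={
    ssid="lab-peap"
    eap=PEAP
    phase2="auth=MSCHAPV2"
}
""",
    "peers/lab-vpn": """\
pty "pptp vpn.example.test --nolaunchpppd"
name labuser
require-mschap-v2
# require-mppe-128
""",
}

def audit_all(samples=SAMPLES):
    return [f for name, text in samples.items() for f in audit(name, text)]

if __name__ == "__main__":
    print("\n".join("%s:%d: %s: %s" % f for f in audit_all()))
```

Commented-out options and `refuse-mschap-v2` lines are not reported, since they do not enable the protocol.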
I would also mention that though Asleap can crack LEAP, there are many other wireless cracking tools on Kali such as Reaver (among several others). Feel free to leave a comment below and let me know if you have any questions.