Does not work in current Kali distribution #8

Open
Rogdham opened this issue Feb 28, 2022 · 3 comments
Comments

@Rogdham

Rogdham commented Feb 28, 2022

Hello, I'm not sure if it's the right place to report, but asleap cannot find the last 2 bytes of the hash when installed from the latest Kali. At least this could help future users.

This issue was initially reported in OpenSecurityResearch/hostapd-wpe#32 by @AdonisPro.

To reproduce:

  • Download Kali (they have pre-built VMs)
  • Run sudo apt-get update && sudo apt-get install asleap
  • Try recovering the last 2 bytes of NT from a challenge/response

More details (for password abcd1234):

┌──(kali㉿kali)-[~]
└─$ asleap -C 53:7a:33:3a:a2:08:38:07 -R 95:e1:4a:5b:6c:0a:18:26:8e:18:7b:da:0b:30:c4:d8:af:d3:38:ad:c5:f3:86:ae
asleap 2.3 - actively recover LEAP/PPTP passwords. <[email protected]>
        Could not recover last 2 bytes of hash from the
        challenge/response.  Sorry it didn't work out.
┌──(kali㉿kali)-[~]
└─$ ldd /usr/bin/asleap
        linux-vdso.so.1 (0x00007ffcb6fce000)
        libpcap.so.0.8 => /lib/x86_64-linux-gnu/libpcap.so.0.8 (0x00007f9b1301d000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f9b12e54000)
        libdbus-1.so.3 => /lib/x86_64-linux-gnu/libdbus-1.so.3 (0x00007f9b12e00000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f9b1309a000)
        libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f9b12ddf000)
        libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f9b12d0f000)
        librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007f9b12d04000)
        liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f9b12cda000)
        libzstd.so.1 => /lib/x86_64-linux-gnu/libzstd.so.1 (0x00007f9b12bff000)
        liblz4.so.1 => /lib/x86_64-linux-gnu/liblz4.so.1 (0x00007f9b12bdc000)
        libcap.so.2 => /lib/x86_64-linux-gnu/libcap.so.2 (0x00007f9b12bd1000)
        libgcrypt.so.20 => /lib/x86_64-linux-gnu/libgcrypt.so.20 (0x00007f9b12a96000)
        libgpg-error.so.0 => /lib/x86_64-linux-gnu/libgpg-error.so.0 (0x00007f9b12a6c000)

┌──(kali㉿kali)-[~]
└─$ dpkg --status asleap
Package: asleap
Status: install ok installed
Priority: optional
Section: net
Installed-Size: 230
Maintainer: Kali Developers <[email protected]>
Architecture: amd64
Version: 2.3~git20201128.254acab-0kali1
Depends: libc6 (>= 2.14), libpcap0.8 (>= 0.9.8)
Description: A tool for exploiting Cisco LEAP networks
 Demonstrates a serious deficiency in proprietary Cisco LEAP networks.
Homepage: https://www.willhackforsushi.com/

I see it's version 2.3 (254acab) but I'm surprised libxcrypt is not reported by ldd nor dpkg 🤔

@joswr1ght can I let you report this to Kali if you think it's not an issue with asleap itself?

@joswr1ght
Owner

I have seen this error before, I don't think it's something distro-specific. I think the MS-CHAPv2 challenge/response is calculated differently in some situations, though I've never been able to put my finger on exactly how or why.

Can you speak a little more about how you got the challenge and response values in this example? Can you test the sample pcap files to ensure they work as expected?

Thanks!

@Rogdham
Author

Rogdham commented Feb 28, 2022

Hello @joswr1ght, there was a famous issue with hostapd-wpe about taking the domain into account when displaying the challenge/response (that I patched a while ago), but I don't think that's it.

On my local machine, asleap is able to find the 2 bytes of the NT hash just fine (exact same command):

$  /asleap -C 53:7a:33:3a:a2:08:38:07 -R 95:e1:4a:5b:6c:0a:18:26:8e:18:7b:da:0b:30:c4:d8:af:d3:38:ad:c5:f3:86:ae
asleap 2.3 - actively recover LEAP/PPTP passwords. <[email protected]>
	hash bytes:        4fef
[getmschappw] fopen: No such file or directory
Experienced an error in getmschappw, returned -1.

Although there is an error, the hash bytes part is right.

In the example, the password is abcd1234 which has b3ec3e03e2a202cbd54fd104b8504fef as NT value, so the last 2 bytes are 4fef as found by my local asleap.


Can you speak a little more about how you got the challenge and response values in this example?

A user of hostapd-wpe captured them in OpenSecurityResearch/hostapd-wpe#32; I have been able to check that the challenge/response pair is valid with my local asleap as well as other tools.


Can you test the sample pcap files to ensure they work as expected?

Output with the sample pcap files on the Kali VM:

┌──(kali㉿kali)-[~/asleap/samples]
└─$ asleap -r joshlea.dump 
asleap 2.3 - actively recover LEAP/PPTP passwords. <[email protected]>

Captured LEAP exchange information:
        username:          jwright
        challenge:         ceb69885c656590c
        response:          7279f65aa49870f45822c89dcbdd73c1b89d377844caead4
        Could not recover last 2 bytes of hash from the
        challenge/response.  Sorry it didn't work out.

┌──(kali㉿kali)-[~/asleap/samples]
└─$ asleap -r leap.dump -s
asleap 2.3 - actively recover LEAP/PPTP passwords. <[email protected]>

Captured LEAP exchange information:
        username:          qa_leap
        challenge:         0786aea0215bc30a
        response:          7f6a14f11eeb980fda11bf83a142a8744f00683ad5bc5cb6
        Could not recover last 2 bytes of hash from the
        challenge/response.  Sorry it didn't work out.
┌──(kali㉿kali)-[~/asleap/samples]
└─$ asleap -r leap2.dump -s
asleap 2.3 - actively recover LEAP/PPTP passwords. <[email protected]>

Captured LEAP exchange information:
        username:          RSAINI
        challenge:         afe811f2ae948bdb
        response:          5b79dab8bf72ed434ebca8a784466bffb28f6e94280c918d
        Could not recover last 2 bytes of hash from the
        challenge/response.  Sorry it didn't work out.
┌──(kali㉿kali)-[~/asleap/samples]
└─$ asleap -r pptp.dump    
asleap 2.3 - actively recover LEAP/PPTP passwords. <[email protected]>

Captured PPTP exchange information:
        username:          scott
        auth challenge:    e3a5d0775370bda51e16219a06b0278f
        peer challenge:    84c4b33e00d9231645598acf91c38480
        peer response:     565fe2492fd5fb88edaec934c00d282c046227406c31609b
        challenge:         62f73d590f8b9199
        Could not recover last 2 bytes of hash from the
        challenge/response.  Sorry it didn't work out.
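
As an independent check of the values in this thread (added example, not asleap's code), the following Go program recomputes what asleap's "hash bytes" step does: the third DES block of an MS-CHAP/LEAP response is keyed by only the last 2 bytes of the NT hash padded with five zero bytes, so those 2 bytes can be confirmed by trying all 65536 candidates against the challenge. It uses the challenge, response and NT hash quoted above and only the Go standard library; the helper names are my own.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/hex"
	"fmt"
)

// expandKey spreads 7 key bytes over 8 DES key bytes (7 bits each), as
// MS-CHAP does. DES discards the parity bits, so they are left as zero.
func expandKey(k7 []byte) []byte {
	k := make([]byte, 8)
	k[0] = k7[0] & 0xFE
	for i := 1; i < 7; i++ {
		k[i] = (k7[i-1]<<(8-uint(i)) | k7[i]>>uint(i)) & 0xFE
	}
	k[7] = k7[6] << 1
	return k
}

// desBlock encrypts the 8-byte challenge under a 7-byte key.
func desBlock(key7, challenge []byte) []byte {
	c, err := des.NewCipher(expandKey(key7))
	if err != nil {
		panic(err)
	}
	out := make([]byte, 8)
	c.Encrypt(out, challenge)
	return out
}

// recoverLastTwo finds NT hash bytes 14..15 from the third response block:
// the key is those 2 bytes plus five zeros, so only 65536 keys are possible.
func recoverLastTwo(challenge, response []byte) (uint16, bool) {
	for cand := 0; cand < 0x10000; cand++ {
		key7 := []byte{byte(cand >> 8), byte(cand), 0, 0, 0, 0, 0}
		if bytes.Equal(desBlock(key7, challenge), response[16:24]) {
			return uint16(cand), true
		}
	}
	return 0, false
}

// responseMatches checks all three blocks of a 24-byte response against a
// 16-byte NT hash (zero-padded to 21 bytes and split into three DES keys).
func responseMatches(ntHash, challenge, response []byte) bool {
	key := append(append([]byte{}, ntHash...), 0, 0, 0, 0, 0)
	for i := 0; i < 3; i++ {
		if !bytes.Equal(desBlock(key[i*7:i*7+7], challenge), response[i*8:i*8+8]) {
			return false
		}
	}
	return true
}

func main() {
	// Values from the issue above, without the colon separators.
	ch, _ := hex.DecodeString("537a333aa2083807")
	resp, _ := hex.DecodeString("95e14a5b6c0a18268e187bda0b30c4d8afd338adc5f386ae")
	nt, _ := hex.DecodeString("b3ec3e03e2a202cbd54fd104b8504fef")
	tail, ok := recoverLastTwo(ch, resp)
	fmt.Printf("hash bytes: %04x (found=%v)\n", tail, ok)
	fmt.Println("full NT hash matches response:", responseMatches(nt, ch, resp))
}
```

A working asleap build should print the same 4fef for this input; a build that reports "Could not recover last 2 bytes" on it is the regression described in this issue.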

@OscarAkaElvis

This is still happening in 2024. Current asleap packages in Kali and Parrot security repositories are broken.

asleap 2.3 is failing and old asleap 2.2 is working
