Friday, August 10, 2007

Attacking LEAP with ASLEAP

The ASLEAP tool was written by Joshua Wright and is designed to crack passwords used by wireless networks secured with Cisco's proprietary LEAP (Lightweight Extensible Authentication Protocol). I had a chance to see a BOF session at SANS San Diego 2007 that was presented by Joshua and it was amazing. He went non-stop for at least an hour on many problems with Bluetooth and even 'toyed' with sending HTML to his phone via Bluetooth to show that it could be vulnerable to an XSS attack.

Anyway, back to ASLEAP... Here are some of the features that ASLEAP has to offer (Check out for a complete list, plus PPTP support).
  • Recovers weak LEAP passwords (duh).
  • Can read live from any wireless interface in RFMON mode.
  • Can monitor a single channel, or perform channel hopping to look for targets.
  • Will actively deauthenticate users on LEAP networks, forcing them to reauthenticate. This makes the capture of LEAP passwords very fast.
  • Will only deauth users who have not already been seen, so it doesn't waste time on users who are not running LEAP.
  • Can read from stored libpcap files, or AiroPeek NX files (1.X or 2.X files).
Here is some background on what LEAP is: LEAP allows clients to reauthenticate frequently; upon each successful authentication, the client acquires a new WEP key (the hope being that a WEP key does not live long enough to be cracked).
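To show what the active deauthentication listed above looks like from the monitoring side, here is an added example (not code from the original post, from ASLEAP, or from Joshua Wright): a small Python detector that parses 802.11 deauthentication frames and flags a transmitter that kicks many stations in a short burst. The frames, MAC addresses, threshold and window are constructed or assumed values.

```python
import struct
from collections import defaultdict, deque

# 802.11 management header: FC(2) Duration(2) Addr1(6) Addr2(6) Addr3(6) SeqCtl(2).
# Deauthentication is type 0 / subtype 12 (first FC byte 0xC0); body starts with a 2-byte reason code.
MGMT_HDR = struct.Struct("<HH6s6s6sH")
DEAUTH_FC0 = 0xC0

def parse_deauth(frame):
    """Return (receiver, transmitter, bssid, reason) for a deauth frame, else None."""
    if len(frame) < MGMT_HDR.size + 2:
        return None
    fc, _dur, addr1, addr2, addr3, _seq = MGMT_HDR.unpack_from(frame, 0)
    if (fc & 0xFF) != DEAUTH_FC0:  # low byte is type/subtype; flags byte ignored
        return None
    mac = lambda raw: ":".join(f"{b:02x}" for b in raw)
    reason = struct.unpack_from("<H", frame, MGMT_HDR.size)[0]
    return mac(addr1), mac(addr2), mac(addr3), reason

class DeauthFloodDetector:
    """Record an alert when one transmitter sends `threshold` deauths within `window` seconds."""
    def __init__(self, threshold=5, window=10.0):
        self.threshold, self.window = threshold, window
        self.seen = defaultdict(deque)  # transmitter MAC -> recent timestamps
        self.alerts = []

    def feed(self, ts, frame):
        parsed = parse_deauth(frame)
        if parsed is None:
            return  # not a deauth; ignore
        src = parsed[1]
        q = self.seen[src]
        q.append(ts)
        while ts - q[0] > self.window:  # drop timestamps outside the sliding window
            q.popleft()
        if len(q) == self.threshold:  # record once, when the burst crosses the line
            self.alerts.append((ts, src, len(q)))

def build_deauth(dst, src, bssid, reason=7):
    """Constructed sample frame for the demo (assumed addresses, not captured traffic)."""
    hdr = MGMT_HDR.pack(DEAUTH_FC0, 0, bytes.fromhex(dst), bytes.fromhex(src), bytes.fromhex(bssid), 0)
    return hdr + struct.pack("<H", reason)

def demo():
    det = DeauthFloodDetector(threshold=5, window=10.0)
    ap = "020000000001"  # assumed AP address; eight stations kicked within two seconds
    for i in range(8):
        det.feed(1000.0 + i * 0.25, build_deauth(f"0200000000{0x10 + i:02x}", ap, ap))
    det.feed(1100.0, build_deauth("020000000020", "020000000002", "020000000002"))  # lone deauth, benign
    return det.alerts
```

A real AP rarely deauthenticates many stations within seconds, so a burst from one transmitter is worth an alert; a full monitor would feed this from an RFMON interface or a pcap file rather than constructed frames.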

AFX RootKit (2003 & 2005)

Continuing my studies for the GCIH, I will move on to the next rootkit: AFX RootKit (2003 & 2005). My review of this little gem will not be as detailed as the one for the adore-ng rootkit, as I do not have a separate Windows system to trash for a full test. What I will note are the details of the rootkit that are already posted in many places.

The rootkit hides the following:
  1. Processes
  2. Handles
  3. Modules
  4. Files & Folders
  5. Registry Values
  6. Services
  7. TCP/UDP Sockets
  8. Systray Icons
The installer copies itself to the system directory and extracts 2 DLL files from its resources. It saves the files as "iexplore.dll" and "explorer.dll". The first DLL is loaded into "explorer.exe", which then installs the hooks contained in "explorer.dll". The included ReadMe.txt has detailed instructions on how to install the rootkit.

Detection of the rootkit can be accomplished by checking for the presence of iexplore.dll and/or explorer.dll.