"The THC LEAP Cracker Tool suite
contains tools to break the NTChallengeResponse encryption technique e.g. used by Cisco Wireless LEAP Authentication. Also tools for spoofing challenge-packets from Access Points are included, so you are able to perform dictionary attacks against all users."
-The Hackers Choice
Download latest stable code from
tar zxvf thc-leapcracker-[version].tar.gz
(tested with thc-leapcracker-0.1.tar.gz)
When prompted "Do you want to compile the AirJack based tools (getleap
Answer no, unless you do actually have the AirJack driver installed.
All of the leapcracker switches are explained in detail within the tool's usage (./leapcracker).
Basically the tool offers both a wordlist and brute force attack mode against NTChallengeResponse encryption.
In the example below the -t (NT challenge response) and -c (challenge) would have been sniffed from
For your own dictionary attacks you will need to provide a comprehensive wordlist.txt file (the file included with leapcracker is limited).
NOTE: The NT challenge and challenge response used in this example were taken from
As you can see above, the LEAP password qaleap was found.
For more detailed information about the tool and the LEAP protocol itself, see LEAP-attack.pdf, which can be found in the THC-LEAPcracker tar.gz archive (thc-leapcracker/docs/LEAP-attack.pdf).