asleap: initial commit, v2.2
parent
b65ea1ca41
commit
883ae422f0
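--- a/asleap/.footprint
+++ b/asleap/.footprint
@@ -0,0 +1,4 @@
+drwxr-xr-x root/root usr/
+drwxr-xr-x root/root usr/bin/
+-rwxr-xr-x root/root usr/bin/asleap
+-rwxr-xr-x root/root usr/bin/genkeys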
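--- a/asleap/.signature
+++ b/asleap/.signature
@@ -0,0 +1,10 @@
+untrusted comment: verify with /etc/ports/contrib.pub
+RWSagIOpLGJF38h2kkZiIapG5jZjf/5DOuTAKdFIOfCA0Kx1lIhhZxCqTu5Bk9NAIUkUYpTWVy7O3s5t5oFPE9BLtksdALKT+Qg=
+SHA256 (Pkgfile) = 11e1a5d2ce33fff87bfb49e04d61bc4e8060377a5cbf4f0e6cec26b1bde96b0e
+SHA256 (.footprint) = b31157fba0cda15600581075a0517c0b713a65e09a1aa1adbd0dbfea51c0414f
+SHA256 (asleap-2.2.tgz) = 92beb6495a856884ca343787ab2f7c9d4b9d3aba21526c2e1f6ba38736c67a23
+SHA256 (0001-fix-build-for-CRUX.patch) = 8f3aa419a503a72c2efa941ac0c90d466e045f3c48672a282e60bd1cbc5ee9cc
+SHA256 (001_add_simple_password_bruteforcing_option.patch) = 9842820e414927993ddce29964ac351d5662cb627d3690fb6e2acd937166eb1e
+SHA256 (002_added_the_possibility_to_verify_MSCHAP-V2_authentication.patch) = 3470f6cdabe99642368e1d221c8cfd33ca0bfdf902ce9f16149aa39248d1835e
+SHA256 (003_fix_and_improve_bruteforce_option.patch) = 5923f8a90be632d257243aa9c31de7ba9b8865b7fd772748dfd42397b1b8c024
+SHA256 (004_add_user_opt_and_pptp_chal_resp_cmdline_parsing.patch) = 0f9a96e57a95925716206c6bf06b15ac9c7e82bcaae49e8f3b8b77604e670059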
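--- a/asleap/0001-fix-build-for-CRUX.patch
+++ b/asleap/0001-fix-build-for-CRUX.patch
@@ -0,0 +1,50 @@
+From ff9f30db21733aa019c6205536b21c246178d40a Mon Sep 17 00:00:00 2001
+From: Stamatin Cristina <dear.volgk@gmail.com>
+Date: Sun, 20 Sep 2020 19:46:58 +0300
+Subject: [PATCH] fix build for CRUX
+
+---
+Makefile | 12 ++++++------
+utils.c | 2 +-
+2 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index 5d34ed6..3492abc 100644
+--- a/Makefile
++++ b/Makefile
+@@ -7,13 +7,13 @@
+# <dragorn> i think thats all anyone does
+# <dragorn> make is a twisted beast
+##################################
+-LDLIBS = -lpcap -lcrypt
+-CFLAGS = -pipe -Wall -D_LINUX -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -I../../..
+-CFLAGS += -D_OPENSSL_MD4
++LDLIBS = -lpcap -lxcrypt -lssl
++CFLAGS += -D_LINUX -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE
++CFLAGS += -D_OPENSSL_MD4 -I/usr/lib/libxcrypt2.4/include -L/usr/lib/libxcrypt2.4
++CFLAGS += -Wl,-rpath=/usr/lib/libxcrypt2.4
+LDLIBS += -lcrypto
+-CFLAGS += -g3 -ggdb -g
+-PROGOBJ = asleap.o genkeys.o utils.o common.o sha1.o
+-PROG = asleap genkeys
++PROGOBJ = asleap.o genkeys.o utils.o common.o sha1.o
++PROG = asleap genkeys
+
+all: $(PROG) $(PROGOBJ)
+
+diff --git a/utils.c b/utils.c
+index 4941514..799a2a7 100644
+--- a/utils.c
++++ b/utils.c
+@@ -27,7 +27,7 @@
+#include <stdarg.h>
+#include <string.h>
+#include <stdint.h>
+-#include <crypt.h>
++#include <xcrypt.h>
+#include <unistd.h>
+#include <ctype.h>
+#include <netinet/in.h> /* for ntohs() */
+--
+2.28.0
+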
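Review bot: The rewritten CFLAGS lines in the Makefile hunk drop `-Wall` and carry linker options (`-L/usr/lib/libxcrypt2.4`, `-Wl,-rpath=/usr/lib/libxcrypt2.4`) that belong with the link step. Warnings are worth keeping for this series, since the later patches add C code such as an assignment used as a loop condition that `-Wall` would report; I would keep `CFLAGS += -Wall -D_LINUX -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE`. If the link rules, which lie outside this hunk, honour LDFLAGS, the search path and rpath read better as `LDFLAGS += -L/usr/lib/libxcrypt2.4 -Wl,-rpath=/usr/lib/libxcrypt2.4`; if they only pass CFLAGS, a one-line comment saying so would explain the current placement.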
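--- a/asleap/001_add_simple_password_bruteforcing_option.patch
+++ b/asleap/001_add_simple_password_bruteforcing_option.patch
@@ -0,0 +1,131 @@
+From 286cdcb625493b0bf2ab700715785207d51afad4 Mon Sep 17 00:00:00 2001
+From: lager <machv@cesnet.cz>
+Date: Wed, 17 Apr 2019 09:30:07 +0200
+Subject: [PATCH] add simple password bruteforcing option
+
+---
+asleap.c | 62 +++++++++++++++++++++++++++++++++++++++++++++++++++++++-
+asleap.h | 2 ++
+2 files changed, 63 insertions(+), 1 deletion(-)
+
+diff --git a/asleap.c b/asleap.c
+index f0c8b07..4804346 100644
+--- a/asleap.c
++++ b/asleap.c
+@@ -69,6 +69,9 @@ struct pcap_pkthdr h;
+char errbuf[PCAP_ERRBUF_SIZE];
+int success = 0; /* For return status of attack */
+unsigned long pcount=0;
++/* for password generation */
++const char * charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
++
+
+/* prototypes */
+void usage(char *message);
+@@ -92,6 +95,8 @@ int testpptpchal(struct asleap_data *asleap_ptr, int plen, int offset);
+int testpptpresp(struct asleap_data *asleap_ptr, int plen, int offset);
+int testpptpsuccess(struct asleap_data *asleap_ptr, int plen, int offset);
+void genchalhash(struct asleap_data *asleap);
++int trypasswords(struct asleap_data *asleap_ptr);
++int permute(struct asleap_data *asleap_ptr, int level, char * password);
+
+
+int stripname(char *name, char *stripname, int snamelen, char delim)
+@@ -360,6 +365,54 @@ int getmschapbrute(struct asleap_data *asleap_ptr)
+return 0;
+}
+
++/* try generating passwords and hashes based on command line params */
++int trypasswords(struct asleap_data *asleap_ptr)
++{
++ char password[MAX_NT_PASSWORD + 1] = {0}; /* should be dynamically allocated based on input param */
++ int ret;
++
++ for(int i = 0; i < asleap_ptr->pass_len; i++) { /* iterate password length from 1 to desired length */
++ ret = permute(asleap_ptr, i, password);
++
++ if(ret == 0)
++ printf("no matching password found for length %d\n", i + 1);
++ else
++ return ret;
++ }
++
++ return ret;
++}
++
++/* generate all possible charset combinations */
++int permute(struct asleap_data *asleap_ptr, int level, char * password)
++{
++ const char* charset_ptr = charset;
++ unsigned char pwhash[MD4_SIGNATURE_SIZE];
++
++ if(level == -1) { /* got generated password */
++ /* debug */
++ /* printf("%s\n", password); */
++ NtPasswordHash(password, strlen(password), pwhash);
++
++ if (pwhash[14] != asleap_ptr->endofhash[0] ||
++ pwhash[15] != asleap_ptr->endofhash[1])
++ return 0;
++
++ if (testchal(asleap_ptr, pwhash) == 0) {
++ /* Found a matching password! w00t! */
++ memcpy(asleap_ptr->nthash, pwhash, 16);
++ strncpy(asleap_ptr->password, password,
++ strlen(password));
++ return (1);
++ }
++ } else
++ while(password[level] = *(charset_ptr++)) /* keep going */
++ if(permute(asleap_ptr, level - 1, password) == 1)
++ return 1; /* found */
++
++ return 0; /* nothing found */
++}
++
+/* Brute-force all the matching NT hashes to discover the clear-text password */
+int getmschappw(struct asleap_data *asleap_ptr)
+{
+@@ -942,6 +995,9 @@ int attack_leap(struct asleap_data *asleap)
+if (!IsBlank(asleap->wordfile)) {
+/* Attack MS-CHAP exchange with a straight dictionary list */
+getmschappwret = getmschapbrute(asleap);
++ } else if(asleap->gen_password) {
++ /* Attack MS-CHAP exchange with brute-force password generation */
++ getmschappwret = trypasswords(asleap);
+} else {
+getmschappwret = getmschappw(asleap);
+}
+@@ -1413,7 +1469,7 @@ int main(int argc, char *argv[])
+printf("asleap %s - actively recover LEAP/PPTP passwords. "
+"<jwright@hasborg.com>\n", VER);
+
+- while ((c = getopt(argc, argv, "DsoavhVi:f:n:r:w:c:t:W:C:R:")) != EOF) {
++ while ((c = getopt(argc, argv, "DsoavhVi:f:n:r:w:c:t:W:C:R:G:")) != EOF) {
+switch (c) {
+case 's':
+asleap.skipeapsuccess = 1;
+@@ -1492,6 +1548,10 @@ int main(int argc, char *argv[])
+strncpy(asleap.wordfile, optarg,
+sizeof(asleap.wordfile) - 1);
+break;
++ case 'G':
++ asleap.gen_password = 1;
++ sscanf(optarg, "%d", &asleap.pass_len); /* save desired password lentgh */
++ break;
+default:
+usage("");
+exit(1);
+diff --git a/asleap.h b/asleap.h
+index 1225fec..0c3666e 100644
+--- a/asleap.h
++++ b/asleap.h
+@@ -61,6 +61,8 @@ struct asleap_data {
+int eapsuccess;
+int skipeapsuccess; /* Don't bother checking for success after auth */
+int verbose;
++ int gen_password;
++ int pass_len;
+char dictfile[255];
+char dictidx[255];
+char wordfile[255];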
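Review bot: The length given to `-G` is used without validation: `sscanf(optarg, "%d", &asleap.pass_len)` in main() ignores both the return value and the range, and trypasswords() then writes `password[level]` for levels up to pass_len - 1 into a buffer of `MAX_NT_PASSWORD + 1` bytes. An oversized value therefore runs past the stack buffer, and a zero, negative or non-numeric value skips the loop and returns `ret` uninitialised. On a match, `strncpy(asleap_ptr->password, password, strlen(password))` is bounded only by the source length and writes no terminator, while the asleap.h context in the 004 patch shows the destination as `char password[32]`. I would validate the length once in the option parser, initialise `ret`, and make the copy size-bounded, as below. The 003 patch rewrites the same `sscanf` line only to fix the comment typo, so the check is still missing after the full series.

```c
		case 'G': {
			char *end = NULL;
			long len = strtol(optarg, &end, 10);

			/* both the buffer in trypasswords() and asleap.password bound the length */
			if (end == optarg || *end != '\0' || len < 1 ||
			    len > MAX_NT_PASSWORD ||
			    len > (long)sizeof(asleap.password) - 1) {
				usage("Invalid password length specified.\n");
				exit(1);
			}
			asleap.gen_password = 1;
			asleap.pass_len = (int)len;
			break;
		}

	/* … unchanged: rest of the option switch … */

	/* trypasswords(): give ret a defined value for an empty loop */
	int ret = 0;

	/* permute(), on a match: bounded, always terminated */
	snprintf(asleap_ptr->password, sizeof(asleap_ptr->password), "%s", password);
```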
@ -0,0 +1,314 @@
|
||||
diff -ur a/asleap.c b/asleap.c
|
||||
--- a/asleap.c 2019-09-22 16:40:10.211884000 +0300
|
||||
+++ b/asleap.c 2019-09-22 16:42:39.063433095 +0300
|
||||
@@ -45,6 +45,7 @@
|
||||
#include <netpacket/packet.h>
|
||||
#include <linux/if.h>
|
||||
#include <linux/wireless.h>
|
||||
+#include <openssl/sha.h>
|
||||
|
||||
#include "asleap.h"
|
||||
#include "utils.h"
|
||||
@@ -303,12 +304,33 @@
|
||||
{
|
||||
|
||||
unsigned char cipher[8];
|
||||
+ int j;
|
||||
|
||||
DesEncrypt(asleap_ptr->challenge, zpwhash, cipher);
|
||||
+
|
||||
+ printf("\tgiven hash 1: ");
|
||||
+ for (j = 0; j < 8; j++)
|
||||
+ printf("%02x", cipher[j]);
|
||||
+ printf("\n");
|
||||
+ printf("\tresponse hash 1: ");
|
||||
+ for (j = 0; j < 8; j++)
|
||||
+ printf("%02x", asleap_ptr->response[j]);
|
||||
+ printf("\n");
|
||||
+
|
||||
if (memcmp(cipher, asleap_ptr->response, 8) != 0)
|
||||
return (1);
|
||||
|
||||
DesEncrypt(asleap_ptr->challenge, zpwhash + 7, cipher);
|
||||
+
|
||||
+ printf("\tgiven hash 2: ");
|
||||
+ for (j = 0; j < 8; j++)
|
||||
+ printf("%02x", cipher[j]);
|
||||
+ printf("\n");
|
||||
+ printf("\tresponse hash 2: ");
|
||||
+ for (j = 0; j < 8; j++)
|
||||
+ printf("%02x", asleap_ptr->response[j+8]);
|
||||
+ printf("\n");
|
||||
+
|
||||
if (memcmp(cipher, asleap_ptr->response + 8, 8) != 0)
|
||||
return (1);
|
||||
|
||||
@@ -948,23 +970,40 @@
|
||||
void genchalhash(struct asleap_data *asleap)
|
||||
{
|
||||
|
||||
- SHA1_CTX context;
|
||||
unsigned char digest[SHA1_MAC_LEN];
|
||||
char strippedname[256];
|
||||
int j;
|
||||
|
||||
+ memset(digest, 0, SHA1_MAC_LEN);
|
||||
+ memset(strippedname, 0, 256);
|
||||
+
|
||||
/* RFC2759 indicates a username "BIGCO\johndoe" must be stripped to
|
||||
contain only the username for the purposes of generating the 8-byte
|
||||
challenge. Section 4, */
|
||||
stripname(asleap->username, strippedname, sizeof(strippedname), '\\');
|
||||
|
||||
+/* SHA1_CTX context;
|
||||
SHA1Init(&context);
|
||||
SHA1Update(&context, asleap->pptppeerchal, 16);
|
||||
SHA1Update(&context, asleap->pptpauthchal, 16);
|
||||
SHA1Update(&context, (uint8_t *)strippedname, strlen(strippedname));
|
||||
SHA1Final(digest, &context);
|
||||
|
||||
- memcpy(&asleap->challenge, digest, 8);
|
||||
+ printf("\tchallenge: ");
|
||||
+ for (j = 0; j < 8; j++)
|
||||
+ printf("%02x", digest[j]);
|
||||
+ printf("\n");
|
||||
+
|
||||
+ memcpy(asleap->challenge, digest, 8);*/
|
||||
+
|
||||
+ uint8_t str[300];
|
||||
+ memcpy(str, asleap->pptppeerchal, 16);
|
||||
+ memcpy(str+16, asleap->pptpauthchal, 16);
|
||||
+ memcpy(str+32, strippedname, strlen(strippedname));
|
||||
+
|
||||
+ SHA1(str, 32 + strlen(strippedname), digest);
|
||||
+
|
||||
+ memcpy(asleap->challenge, digest, 8);
|
||||
|
||||
printf("\tchallenge: ");
|
||||
for (j = 0; j < 8; j++)
|
||||
@@ -1455,6 +1494,7 @@
|
||||
unsigned int findlpexchret = 0;
|
||||
int ret=0;
|
||||
extern int success;
|
||||
+ uint8_t verifypassword = 0;
|
||||
|
||||
memset(dictfile, 0, sizeof(dictfile));
|
||||
memset(dictidx, 0, sizeof(dictidx));
|
||||
@@ -1469,41 +1509,108 @@
|
||||
printf("asleap %s - actively recover LEAP/PPTP passwords. "
|
||||
"<jwright@hasborg.com>\n", VER);
|
||||
|
||||
- while ((c = getopt(argc, argv, "DsoavhVi:f:n:r:w:c:t:W:C:R:G:")) != EOF) {
|
||||
+ while ((c = getopt(argc, argv, "DsoavhVi:f:n:r:w:c:t:W:C:R:G:A:B:U:P:")) != EOF) {
|
||||
switch (c) {
|
||||
case 's':
|
||||
asleap.skipeapsuccess = 1;
|
||||
break;
|
||||
case 'C':
|
||||
- if (strlen(optarg) != 23) {
|
||||
- usage("Incorrect challenge input length "
|
||||
- "specified.\n");
|
||||
- exit(1);
|
||||
- }
|
||||
- if (str2hex(optarg, asleap.challenge,
|
||||
+ if (strlen(optarg) == 23) {
|
||||
+ if (str2hex(optarg, asleap.challenge,
|
||||
sizeof(asleap.challenge)) < 0) {
|
||||
- usage("Malformed value specified as "
|
||||
+ usage("Malformed value specified as "
|
||||
"challenge.\n");
|
||||
+ exit(1);
|
||||
+ }
|
||||
+ } else if (strlen(optarg) == 16) {
|
||||
+ if (decodeHexString(optarg, asleap.challenge,
|
||||
+ sizeof(asleap.challenge)) < 0) {
|
||||
+ usage("Malformed value specified as "
|
||||
+ "challenge.\n");
|
||||
+ exit(1);
|
||||
+ }
|
||||
+ } else {
|
||||
+ usage("Incorrect challenge input length "
|
||||
+ "specified.\n");
|
||||
exit(1);
|
||||
}
|
||||
+
|
||||
asleap.leapchalfound=1;
|
||||
asleap.manualchalresp=1;
|
||||
break;
|
||||
case 'R':
|
||||
- if (strlen(optarg) != 71) {
|
||||
- usage("Incorrect response input length "
|
||||
- "specified.\n");
|
||||
- exit(1);
|
||||
- }
|
||||
- if (str2hex(optarg, asleap.response,
|
||||
+ if (strlen(optarg) == 71) {
|
||||
+ if (str2hex(optarg, asleap.response,
|
||||
+ sizeof(asleap.response)) < 0) {
|
||||
+ usage("Malformed value specified as "
|
||||
+ "response.\n");
|
||||
+ exit(1);
|
||||
+ }
|
||||
+ } else if (strlen(optarg) == 48) {
|
||||
+ if (decodeHexString(optarg, asleap.response,
|
||||
sizeof(asleap.response)) < 0) {
|
||||
- usage("Malformed value specified as "
|
||||
+ usage("Malformed value specified as "
|
||||
"response.\n");
|
||||
+ exit(1);
|
||||
+ }
|
||||
+ } else {
|
||||
+ usage("Incorrect response input length "
|
||||
+ "specified.\n");
|
||||
exit(1);
|
||||
}
|
||||
+
|
||||
asleap.leaprespfound=1;
|
||||
asleap.manualchalresp=1;
|
||||
break;
|
||||
+ case 'A':
|
||||
+ if (strlen(optarg) == 47) {
|
||||
+ if (str2hex(optarg, asleap.pptppeerchal,
|
||||
+ sizeof(asleap.pptppeerchal)) < 0) {
|
||||
+ usage("Malformed value specified as "
|
||||
+ "challenge.\n");
|
||||
+ exit(1);
|
||||
+ }
|
||||
+ } else if (strlen(optarg) == 32) {
|
||||
+ if (decodeHexString(optarg, asleap.pptppeerchal,
|
||||
+ sizeof(asleap.pptppeerchal)) < 0) {
|
||||
+ usage("Malformed value specified as "
|
||||
+ "challenge.\n");
|
||||
+ exit(1);
|
||||
+ }
|
||||
+ } else {
|
||||
+ usage("Incorrect challenge input length "
|
||||
+ "specified.\n");
|
||||
+ exit(1);
|
||||
+ }
|
||||
+ break;
|
||||
+ case 'B':
|
||||
+ if (strlen(optarg) == 47) {
|
||||
+ if (str2hex(optarg, asleap.pptpauthchal,
|
||||
+ sizeof(asleap.pptpauthchal)) < 0) {
|
||||
+ usage("Malformed value specified as "
|
||||
+ "challenge.\n");
|
||||
+ exit(1);
|
||||
+ }
|
||||
+ } else if (strlen(optarg) == 32) {
|
||||
+ if (decodeHexString(optarg, asleap.pptpauthchal,
|
||||
+ sizeof(asleap.pptpauthchal)) < 0) {
|
||||
+ usage("Malformed value specified as "
|
||||
+ "challenge.\n");
|
||||
+ exit(1);
|
||||
+ }
|
||||
+ } else {
|
||||
+ usage("Incorrect challenge input length "
|
||||
+ "specified.\n");
|
||||
+ exit(1);
|
||||
+ }
|
||||
+ break;
|
||||
+ case 'U':
|
||||
+ memcpy(asleap.username, optarg, strlen(optarg));
|
||||
+ break;
|
||||
+ case 'P':
|
||||
+ verifypassword = 1;
|
||||
+ memcpy(asleap.password, optarg, strlen(optarg));
|
||||
+ break;
|
||||
case 'i':
|
||||
if (atoi(optarg) == 0) {
|
||||
device = optarg;
|
||||
@@ -1563,7 +1670,7 @@
|
||||
strncpy(asleap.dictfile, dictfile, sizeof(asleap.dictfile) - 1);
|
||||
strncpy(asleap.dictidx, dictidx, sizeof(asleap.dictidx) - 1);
|
||||
|
||||
- if (IsBlank(device) && IsBlank(pcapfile) && !asleap.manualchalresp) {
|
||||
+ if (IsBlank(device) && IsBlank(pcapfile) && !asleap.manualchalresp && !verifypassword) {
|
||||
usage ("Must supply an interface with -i, or a stored file "
|
||||
"with -r");
|
||||
exit(1);
|
||||
@@ -1594,6 +1701,37 @@
|
||||
return(attack_leap(&asleap));
|
||||
}
|
||||
|
||||
+ if (verifypassword) {
|
||||
+
|
||||
+ int j;
|
||||
+
|
||||
+ genchalhash(&asleap);
|
||||
+
|
||||
+ /*uint8_t challenge[8] = {0xD0, 0x2E, 0x43, 0x86, 0xBC, 0xE9, 0x12, 0x26};
|
||||
+ memcpy(asleap.challenge, challenge, 8);
|
||||
+
|
||||
+ printf("\tchallenge: ");
|
||||
+ for (j = 0; j < 8; j++)
|
||||
+ printf("%02x", challenge[j]);
|
||||
+ printf("\n");*/
|
||||
+
|
||||
+ unsigned char pwhash[MD4_SIGNATURE_SIZE];
|
||||
+ NtPasswordHash(asleap.password, strlen(asleap.password), pwhash);
|
||||
+
|
||||
+ int result = testchal(&asleap, pwhash);
|
||||
+
|
||||
+ print_pptpexch(&asleap);
|
||||
+
|
||||
+ printf("\tpassword hash: ");
|
||||
+ for (j = 0; j < MD4_SIGNATURE_SIZE; j++)
|
||||
+ printf("%02x", pwhash[j]);
|
||||
+ printf("\n");
|
||||
+
|
||||
+ printf("Result is %i\n", result);
|
||||
+
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
/* If the user passed the -r flag, open the filename as a captured pcap
|
||||
file. Otherwise open live from the supplied device name */
|
||||
if (!IsBlank(pcapfile)) {
|
||||
diff -ur a/utils.c b/utils.c
|
||||
--- a/utils.c 2016-08-30 16:01:23.000000000 +0300
|
||||
+++ b/utils.c 2019-09-22 16:41:08.725279000 +0300
|
||||
@@ -243,3 +243,35 @@
|
||||
|
||||
return(1);
|
||||
}
|
||||
+
|
||||
+int decodeHexString (char *hexstr, uint8_t *result, int len)
|
||||
+{
|
||||
+ char *ptr, *next;
|
||||
+ unsigned long val;
|
||||
+ int i;
|
||||
+
|
||||
+ char tmp[3];
|
||||
+ tmp[2] = '\0';
|
||||
+
|
||||
+ if (strlen(hexstr) != 2*len) {
|
||||
+ errno = EINVAL;
|
||||
+ return(-1);
|
||||
+ }
|
||||
+
|
||||
+ ptr = next = hexstr;
|
||||
+ for(i=0;i < len;i++) {
|
||||
+ memcpy(tmp, ptr, 2);
|
||||
+ if((val = strtoul(tmp, NULL, 16)) > 255) {
|
||||
+ errno = EINVAL;
|
||||
+ return(-1);
|
||||
+ }
|
||||
+ result[i] = (unsigned int)val;
|
||||
+ ptr += 2;
|
||||
+ if((ptr[0] == '\0' || ptr[1] == '\0') && (i != len - 1)) {
|
||||
+ errno = EINVAL;
|
||||
+ return(-1);
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ return(1);
|
||||
+}
|
||||
diff -ur a/utils.h b/utils.h
|
||||
--- a/utils.h 2016-08-30 16:01:23.000000000 +0300
|
||||
+++ b/utils.h 2019-09-22 16:41:08.725279000 +0300
|
||||
@@ -33,3 +33,4 @@
|
||||
int IsBlank(char *s);
|
||||
char *printmac(unsigned char *mac);
|
||||
int str2hex (char *string, uint8_t *hexstr, int len);
|
||||
+int decodeHexString (char *hexstr, uint8_t *result, int len);
|
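Review bot: The new `case 'U'` and `case 'P'` branches copy the argument with `memcpy(asleap.username, optarg, strlen(optarg))` and `memcpy(asleap.password, optarg, strlen(optarg))`, which have no bound on the destination. The asleap.h context shown in the 004 patch declares these as `char username[256 + 1]` and `char password[32]`, so a longer argument overruns the field and the members that follow it in the struct. I would reject over-long input before copying, for example `if (strlen(optarg) >= sizeof(asleap.username)) { usage("Username too long.\n"); exit(1); }`, with the same check against `sizeof(asleap.password)` for `-P`. The 004 patch touches the `-U` branch again and keeps the unbounded copy, so this applies there as well.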
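--- a/asleap/003_fix_and_improve_bruteforce_option.patch
+++ b/asleap/003_fix_and_improve_bruteforce_option.patch
@@ -0,0 +1,155 @@
+Binary files ../asleap-2.2.orig/asleap and ./asleap differ
+diff '--color=always' '--color=never' -pruN ../asleap-2.2.orig/asleap.c ./asleap.c
+--- ../asleap-2.2.orig/asleap.c 2020-09-30 15:29:57.712000000 +0300
++++ ./asleap.c 2020-09-30 15:13:52.758000000 +0300
+@@ -70,9 +70,7 @@ struct pcap_pkthdr h;
+char errbuf[PCAP_ERRBUF_SIZE];
+int success = 0; /* For return status of attack */
+unsigned long pcount=0;
+-/* for password generation */
+-const char * charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
+-
++const char *alphanum = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
+
+/* prototypes */
+void usage(char *message);
+@@ -138,7 +136,10 @@ void usage(char *message)
+"\t-V \tPrint program version and exit\n"
+"\t-C \tChallenge value in colon-delimited bytes\n"
+"\t-R \tResponse value in colon-delimited bytes\n"
+- "\t-W \tASCII dictionary file (special purpose)\n" "\n");
++ "\t-W \tASCII dictionary file (special purpose)\n"
++ "\t-G \tBruteforce attack\n"
++ "\t-g \tBruteforce charset (default: a-zA-Z0-9)\n"
++ "\n");
+}
+
+void print_pptpexch(struct asleap_data *asleap_ptr)
+@@ -307,7 +308,7 @@ int testchal(struct asleap_data *asleap_
+int j;
+
+DesEncrypt(asleap_ptr->challenge, zpwhash, cipher);
+-
++/*
+printf("\tgiven hash 1: ");
+for (j = 0; j < 8; j++)
+printf("%02x", cipher[j]);
+@@ -316,12 +317,12 @@ int testchal(struct asleap_data *asleap_
+for (j = 0; j < 8; j++)
+printf("%02x", asleap_ptr->response[j]);
+printf("\n");
+-
++*/
+if (memcmp(cipher, asleap_ptr->response, 8) != 0)
+return (1);
+
+DesEncrypt(asleap_ptr->challenge, zpwhash + 7, cipher);
+-
++/*
+printf("\tgiven hash 2: ");
+for (j = 0; j < 8; j++)
+printf("%02x", cipher[j]);
+@@ -330,7 +331,7 @@ int testchal(struct asleap_data *asleap_
+for (j = 0; j < 8; j++)
+printf("%02x", asleap_ptr->response[j+8]);
+printf("\n");
+-
++*/
+if (memcmp(cipher, asleap_ptr->response + 8, 8) != 0)
+return (1);
+
+@@ -408,12 +409,13 @@ int trypasswords(struct asleap_data *asl
+/* generate all possible charset combinations */
+int permute(struct asleap_data *asleap_ptr, int level, char * password)
+{
+- const char* charset_ptr = charset;
++ const char* charset_ptr =
++ asleap_ptr->custom_charset ? asleap_ptr->charset : alphanum;
+unsigned char pwhash[MD4_SIGNATURE_SIZE];
+
+if(level == -1) { /* got generated password */
+/* debug */
+- /* printf("%s\n", password); */
++ /*printf("%s\n", password);*/
+NtPasswordHash(password, strlen(password), pwhash);
+
+if (pwhash[14] != asleap_ptr->endofhash[0] ||
+@@ -1029,14 +1031,16 @@ int attack_leap(struct asleap_data *asle
+}
+
+if (asleap->verbose)
+- printf("\tStarting dictionary lookups.\n");
++ printf(asleap->gen_password
++ ? "\tStarting bruteforce.\n"
++ :"\tStarting dictionary lookups.\n");
+
+- if (!IsBlank(asleap->wordfile)) {
++ if (asleap->gen_password) {
++ /* Attack MS-CHAP exchange with brute-force password generation */
++ getmschappwret = trypasswords(asleap);
++ } else if (!IsBlank(asleap->wordfile)) {
+/* Attack MS-CHAP exchange with a straight dictionary list */
+getmschappwret = getmschapbrute(asleap);
+- } else if(asleap->gen_password) {
+- /* Attack MS-CHAP exchange with brute-force password generation */
+- getmschappwret = trypasswords(asleap);
+} else {
+getmschappwret = getmschappw(asleap);
+}
+@@ -1085,7 +1089,10 @@ int attack_pptp(struct asleap_data *asle
+if (asleap->verbose)
+printf("\tStarting dictionary lookups.\n");
+
+- if (!IsBlank(asleap->wordfile)) {
++ if (asleap->gen_password) {
++ /* Attack MS-CHAP exchange with brute-force password generation */
++ getmschappwret = trypasswords(asleap);
++ } else if (!IsBlank(asleap->wordfile)) {
+/* Attack MS-CHAP exchange with a straight dictionary list */
+getmschappwret = getmschapbrute(asleap);
+} else {
+@@ -1509,7 +1516,7 @@ int main(int argc, char *argv[])
+printf("asleap %s - actively recover LEAP/PPTP passwords. "
+"<jwright@hasborg.com>\n", VER);
+
+- while ((c = getopt(argc, argv, "DsoavhVi:f:n:r:w:c:t:W:C:R:G:A:B:U:P:")) != EOF) {
++ while ((c = getopt(argc, argv, "DsoavhVi:f:n:r:w:c:t:g:W:C:R:G:A:B:U:P:")) != EOF) {
+switch (c) {
+case 's':
+asleap.skipeapsuccess = 1;
+@@ -1657,7 +1664,11 @@ int main(int argc, char *argv[])
+break;
+case 'G':
+asleap.gen_password = 1;
+- sscanf(optarg, "%d", &asleap.pass_len); /* save desired password lentgh */
++ sscanf(optarg, "%d", &asleap.pass_len); /* save desired password length */
++ break;
++ case 'g':
++ asleap.custom_charset = 1;
++ strncpy(asleap.charset, optarg, sizeof(asleap.charset) - 1);
+break;
+default:
+usage("");
+Binary files ../asleap-2.2.orig/.asleap.c.un~ and ./.asleap.c.un~ differ
+diff '--color=always' '--color=never' -pruN ../asleap-2.2.orig/asleap.h ./asleap.h
+--- ../asleap-2.2.orig/asleap.h 2020-09-30 15:29:57.706000000 +0300
++++ ./asleap.h 2020-09-30 15:09:52.307000000 +0300
+@@ -63,9 +63,11 @@ struct asleap_data {
+int verbose;
+int gen_password;
+int pass_len;
++ int custom_charset;
+char dictfile[255];
+char dictidx[255];
+char wordfile[255];
++ char charset[255];
+
+/* Tracking values */
+uint8_t leapchalfound;
+Binary files ../asleap-2.2.orig/.asleap.h.un~ and ./.asleap.h.un~ differ
+Binary files ../asleap-2.2.orig/asleap.o and ./asleap.o differ
+Binary files ../asleap-2.2.orig/common.o and ./common.o differ
+Binary files ../asleap-2.2.orig/genkeys and ./genkeys differ
+Binary files ../asleap-2.2.orig/genkeys.o and ./genkeys.o differ
+Binary files ../asleap-2.2.orig/sha1.o and ./sha1.o differ
+Binary files ../asleap-2.2.orig/utils.o and ./utils.o differ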
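Review bot: The user-facing text is out of step with the behaviour in two places: the `-G` help line added in usage() does not say that the option takes a length argument, and the attack_pptp() hunk leaves `printf("\tStarting dictionary lookups.\n")` unchanged although it now calls trypasswords() when gen_password is set. The attack_leap() hunk already selects the message by mode, so the same ternary would fit in attack_pptp(), and the help line could read `"\t-G \tBruteforce attack, argument is the maximum password length\n"`. Separately, the `Binary files ... differ` lines for the built binaries, object files and `.un~` editor undo files show the diff was taken against a built working tree; regenerating it from a clean tree would make the patch easier to audit, and 004 has the same lines.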
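--- a/asleap/004_add_user_opt_and_pptp_chal_resp_cmdline_parsing.patch
+++ b/asleap/004_add_user_opt_and_pptp_chal_resp_cmdline_parsing.patch
@@ -0,0 +1,209 @@
+Binary files ../asleap-2.2.orig/asleap and ./asleap differ
+diff '--color=always' '--color=never' -pruN ../asleap-2.2.orig/asleap.c ./asleap.c
+--- ../asleap-2.2.orig/asleap.c 2020-10-02 14:57:07.512000000 +0300
++++ ./asleap.c 2020-10-02 15:01:55.719000000 +0300
+@@ -136,6 +136,7 @@ void usage(char *message)
+"\t-V \tPrint program version and exit\n"
+"\t-C \tChallenge value in colon-delimited bytes\n"
+"\t-R \tResponse value in colon-delimited bytes\n"
++ "\t-U \tUsername (required if PPTP Challenge/Response specified)\n"
+"\t-W \tASCII dictionary file (special purpose)\n"
+"\t-G \tBruteforce attack\n"
+"\t-g \tBruteforce charset (default: a-zA-Z0-9)\n"
+@@ -1502,11 +1503,14 @@ int main(int argc, char *argv[])
+int ret=0;
+extern int success;
+uint8_t verifypassword = 0;
++ int username_specified = 0;
+
+memset(dictfile, 0, sizeof(dictfile));
+memset(dictidx, 0, sizeof(dictidx));
+memset(pcapfile, 0, sizeof(pcapfile));
+memset(&asleap, 0, sizeof(asleap));
++ asleap.challenge = asleap.leapchallenge;
++ asleap.response = asleap.leapresponse;
+device = NULL;
+
+signal(SIGINT, cleanup);
+@@ -1516,57 +1520,94 @@ int main(int argc, char *argv[])
+printf("asleap %s - actively recover LEAP/PPTP passwords. "
+"<jwright@hasborg.com>\n", VER);
+
+- while ((c = getopt(argc, argv, "DsoavhVi:f:n:r:w:c:t:g:W:C:R:G:A:B:U:P:")) != EOF) {
++ while ((c = getopt(argc, argv,
++ "DsoavhVi:f:n:r:w:c:t:g:W:C:R:G:A:B:U:P:")) != EOF) {
+switch (c) {
+case 's':
+asleap.skipeapsuccess = 1;
+break;
+case 'C':
+- if (strlen(optarg) == 23) {
+- if (str2hex(optarg, asleap.challenge,
+- sizeof(asleap.challenge)) < 0) {
++ if (strlen(optarg) == 47) {
++ if (str2hex(optarg, asleap.pptpchallenge,
++ sizeof(asleap.pptpchallenge)) < 0) {
+usage("Malformed value specified as "
+- "challenge.\n");
++ "pptp challenge.\n");
++ exit(1);
++ }
++ asleap.challenge = asleap.pptpchallenge;
++ asleap.pptpchalfound=1;
++ } else if (strlen(optarg) == 32) {
++ if (decodeHexString(optarg, asleap.pptpchallenge,
++ sizeof(asleap.pptpchallenge)) < 0) {
++ usage("Malformed value specified as "
++ "pptp challenge.\n");
+exit(1);
+}
++ asleap.challenge = asleap.pptpchallenge;
++ asleap.pptpchalfound=1;
++ } else if (strlen(optarg) == 23) {
++ if (str2hex(optarg, asleap.leapchallenge,
++ sizeof(asleap.leapchallenge)) < 0) {
++ usage("Malformed value specified as "
++ "leap challenge.\n");
++ exit(1);
++ }
++ asleap.leapchalfound=1;
+} else if (strlen(optarg) == 16) {
+- if (decodeHexString(optarg, asleap.challenge,
+- sizeof(asleap.challenge)) < 0) {
++ if (decodeHexString(optarg, asleap.leapchallenge,
++ sizeof(asleap.leapchallenge)) < 0) {
+usage("Malformed value specified as "
+- "challenge.\n");
++ "leap challenge.\n");
+exit(1);
+}
++ asleap.leapchalfound=1;
+} else {
+usage("Incorrect challenge input length "
+"specified.\n");
+exit(1);
+}
+-
+- asleap.leapchalfound=1;
+asleap.manualchalresp=1;
+break;
+case 'R':
+- if (strlen(optarg) == 71) {
+- if (str2hex(optarg, asleap.response,
+- sizeof(asleap.response)) < 0) {
++ if (strlen(optarg) == 146) {
++ if (str2hex(optarg, asleap.pptpresponse,
++ sizeof(asleap.pptpresponse)) < 0) {
++ usage("Malformed value specified as "
++ "pptp response1.\n");
++ exit(1);
++ }
++ asleap.response = asleap.pptpresponse;
++ asleap.pptprespfound=1;
++ } else if (strlen(optarg) == 98) {
++ if (decodeHexString(optarg, asleap.pptpresponse,
++ sizeof(asleap.pptpresponse)) < 0) {
++ usage("Malformed value specified as "
++ "pptp response2.\n");
++ exit(1);
++ }
++ asleap.response = asleap.pptpresponse;
++ asleap.pptprespfound=1;
++ } else if (strlen(optarg) == 71) {
++ if (str2hex(optarg, asleap.leapresponse,
++ sizeof(asleap.leapresponse)) < 0) {
+usage("Malformed value specified as "
+- "response.\n");
++ "leap response.\n");
+exit(1);
+}
++ asleap.leaprespfound=1;
+} else if (strlen(optarg) == 48) {
+- if (decodeHexString(optarg, asleap.response,
+- sizeof(asleap.response)) < 0) {
++ if (decodeHexString(optarg, asleap.leapresponse,
++ sizeof(asleap.leapresponse)) < 0) {
+usage("Malformed value specified as "
+- "response.\n");
++ "leap response.\n");
+exit(1);
+}
++ asleap.leaprespfound=1;
+} else {
+usage("Incorrect response input length "
+"specified.\n");
+exit(1);
+}
+-
+- asleap.leaprespfound=1;
+asleap.manualchalresp=1;
+break;
+case 'A':
+@@ -1613,6 +1654,7 @@ int main(int argc, char *argv[])
+break;
+case 'U':
+memcpy(asleap.username, optarg, strlen(optarg));
++ username_specified=1;
+break;
+case 'P':
+verifypassword = 1;
+@@ -1704,7 +1746,7 @@ int main(int argc, char *argv[])
+}
+}
+
+- if (asleap.leapchalfound && asleap.leaprespfound &&
++ if (asleap.leapchalfound && asleap.leaprespfound &&
+asleap.manualchalresp) {
+/* User specified manual challenge/response on the command
+* line (aka, the "Jay Beale" feature).
+@@ -1712,6 +1754,23 @@ int main(int argc, char *argv[])
+return(attack_leap(&asleap));
+}
+
++ if (asleap.pptpchalfound && asleap.pptprespfound &&
++ asleap.manualchalresp) {
++ if (!username_specified) {
++ usage("PPTP Challenge/Reponse requires "
++ "Username (-U option) to be specified.\n");
++ exit(1);
++ }
++
++ uint8_t peerresp[24];
++ memcpy(peerresp, asleap.pptpresponse + 24, 24);
++ memcpy(asleap.pptpauthchal, asleap.pptpchallenge, 16);
++ memcpy(asleap.pptppeerchal, asleap.pptpresponse, 16);
++ //memset(asleap.pptpresponse, 0, sizeof(asleap.pptpresponse));
++ memcpy(asleap.pptpresponse, peerresp, 24);
++ return(attack_pptp(&asleap));
++ }
++
+if (verifypassword) {
+
+int j;
+Binary files ../asleap-2.2.orig/.asleap.c.un~ and ./.asleap.c.un~ differ
+diff '--color=always' '--color=never' -pruN ../asleap-2.2.orig/asleap.h ./asleap.h
+--- ../asleap-2.2.orig/asleap.h 2020-10-02 14:57:07.514000000 +0300
++++ ./asleap.h 2020-10-02 14:05:28.630000000 +0300
+@@ -47,8 +47,12 @@
+struct asleap_data {
+char username[256 + 1];
+uint8_t eapid;
+- uint8_t challenge[8];
+- uint8_t response[24];
++ uint8_t pptpchallenge[16];
++ uint8_t pptpresponse[49];
++ uint8_t leapchallenge[8];
++ uint8_t leapresponse[24];
++ uint8_t *challenge;
++ uint8_t *response;
+uint8_t endofhash[2];
+char password[32];
+uint8_t nthash[16];
+Binary files ../asleap-2.2.orig/.asleap.h.un~ and ./.asleap.h.un~ differ
+Binary files ../asleap-2.2.orig/asleap.o and ./asleap.o differ
+Binary files ../asleap-2.2.orig/common.o and ./common.o differ
+Binary files ../asleap-2.2.orig/genkeys and ./genkeys differ
+Binary files ../asleap-2.2.orig/genkeys.o and ./genkeys.o differ
+Binary files ../asleap-2.2.orig/sha1.o and ./sha1.o differ
+Binary files ../asleap-2.2.orig/.utils.c.un~ and ./.utils.c.un~ differ
+Binary files ../asleap-2.2.orig/utils.o and ./utils.o differ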
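Review bot: Changing `challenge` and `response` in struct asleap_data from arrays to `uint8_t *` turns every remaining `sizeof(asleap->challenge)` or `sizeof(asleap->response)` into the size of a pointer. Any code that zeroes the struct after main() has set them would also leave both pointers NULL. The hunks shown update only the option parsing in main(), so the packet-handling paths outside this patch need the same audit; this is inferred and cannot be confirmed from the lines visible here. I would document the members where they are declared, e.g. `uint8_t *challenge; /* aliases leapchallenge or pptpchallenge, set in main(); do not sizeof */`. The LEAP-length branches of `-C` and `-R` also rely on the defaults assigned before getopt, so a PPTP-length value followed by a LEAP-length one leaves the pointer on the PPTP buffer; adding `asleap.challenge = asleap.leapchallenge;` and `asleap.response = asleap.leapresponse;` in those branches would make them self-contained.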
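--- a/asleap/Pkgfile
+++ b/asleap/Pkgfile
@@ -0,0 +1,32 @@
+# Description: Actively recover LEAP/PPTP passwords
+# URL: https://www.willhackforsushi.com/?page_id=41
+# Maintainer: Alexandr Savca, alexandrsavca89 at gmail dot com
+# Depends on: openssl libpcap libxcrypt2.4
+
+name=asleap
+version=2.2
+release=1
+source=(http://www.willhackforsushi.com/code/$name/$version/$name-$version.tgz
+0001-fix-build-for-CRUX.patch
+001_add_simple_password_bruteforcing_option.patch
+002_added_the_possibility_to_verify_MSCHAP-V2_authentication.patch
+003_fix_and_improve_bruteforce_option.patch
+004_add_user_opt_and_pptp_chal_resp_cmdline_parsing.patch)
+
+build() {
+cd $name-$version
+
+patch -p1 -i $SRC/0001-fix-build-for-CRUX.patch
+patch -p1 -i $SRC/001_add_simple_password_bruteforcing_option.patch
+patch -p1 -i $SRC/002_added_the_possibility_to_verify_MSCHAP-V2_authentication.patch
+patch -p1 -i $SRC/003_fix_and_improve_bruteforce_option.patch
+patch -p1 -i $SRC/004_add_user_opt_and_pptp_chal_resp_cmdline_parsing.patch
+
+sed -i -e "s/#define VER \"\(.*\)\"/#define VER \"${version}.${release}\"/" \
+version.h
+
+make
+
+install -D asleap $PKG/usr/bin/asleap
+install -D genkeys $PKG/usr/bin/genkeys
+}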
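Review bot: The upstream tarball in `source=(...)` is fetched over plain `http://`, although the `# URL:` header of the same file uses https for that host. The SHA256 entry for asleap-2.2.tgz in .signature detects a modified download only on systems where signature checking is enabled, so the transport should not be the weak point: `source=(https://www.willhackforsushi.com/code/$name/$version/$name-$version.tgz`. Whether the host serves that path over TLS is not visible here and should be confirmed before the change.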