asleap

asleap is a tool for actively recovering LEAP and PPTP passwords by exploiting deficiencies in Cisco LEAP networks. It uses dictionary files with NT hashes and libpcap captures to crack authentication credentials.

Description

asleap demonstrates a serious deficiency in proprietary Cisco LEAP networks, allowing recovery of passwords from captured authentication exchanges. The tool works with LEAP and PPTP protocols by processing challenge-response pairs against precomputed hash dictionaries generated by the companion genkeys utility.

Primary use cases include wireless security testing against legacy Cisco LEAP deployments and recovering credentials from captured network traffic. It requires a libpcap capture file containing LEAP authentication exchanges or direct challenge/response values. The tool supports both file-based dictionary attacks and real-time capture processing.

The workflow typically involves generating a hash lookup database with genkeys from a wordlist, then using asleap to match captured authentication data against this database. This offline cracking approach efficiently recovers NT hashes and plaintext passwords from LEAP exchanges.

How It Works

asleap recovers LEAP passwords by matching captured challenge-response pairs against a precomputed lookup table of NT hashes that genkeys generates from a wordlist. LEAP authentication uses a challenge-response mechanism in which the client computes its response to the server's challenge from the NT hash of the password. asleap parses libpcap captures to extract the username, challenge, and 24-byte response values, then performs binary searches on the indexed hashfile using the last two hash bytes as a filter. A successful match reveals the corresponding NT hash and the original plaintext password. The -s flag skips the check that the captured authentication was successful.

Installation

sudo apt install asleap

Flags

-r  Read from a libpcap file
-i  Interface to capture on
-f  Dictionary file with NT hashes
-n  Index file for NT hashes
-s  Skip the check to make sure authentication was successful
-h  Output this help information and exit
-v  Print verbose information (more -v for more verbosity)
-V  Print program version and exit
-C  Specify challenge value directly
-R  Specify response value directly
-W  Use wordlist mode with specified file

Examples

Generate hash lookup files from nmap wordlist for use with asleap:
genkeys -r /usr/share/wordlists/nmap.lst -f asleap.dat -n asleap.idx

Process libpcap capture file leap.dump using hashfile asleap.dat and index, skipping authentication check. Recovered password: qaleap
asleap -r leap.dump -f asleap.dat -n asleap.idx -s

Crack specific challenge-response pair from freeradius using password.lst wordlist. Recovered password: password
asleap -C 58:16:d5:ac:4b:dc:e4:0f -R 50:ae:a3:0a:10:9e:28:f9:33:1b:44:b1:3d:9e:20:91:85:e8:2e:c3:c5:4c:00:23 -W password.lst

Display help information and usage for asleap:
asleap -h

Display help information for genkeys utility:
genkeys -h

Generate hash lookup filtered by specific last 2 hash bytes (optional filter):
genkeys -r /usr/share/wordlists/nmap.lst -f asleap.dat -n asleap.idx -h 4a39

Updated 2026-04-16 (kali.org)