From: Ballowe, Charles (CBalloweusg.com)
Date: Tue Sep 18 2001 - 19:08:57 CDT


    Well -- I figured out how to enable LEAP without using
    Cisco's software (since they haven't managed to compile
    theirs for ARM and I need LEAP to make my iPAQ useful.)

    Cisco was kind enough to compile their tools with -g
    leaving lots of goodies waiting to be found in an objdump
    of their binaries.
    With the help of objdump, gdb, driver source, and a venti
    iced mocha + 3 extra shots, I managed to hack up something
    that works for me -- my code isn't cleaned up and has
    chunks of the environment here hard coded in so I'm not
    going to post it here, maybe if I get some sleep and there are
    no pressing emergencies at work the next couple of days
    I'll clean it up and generalize it. The key details follow.

    Details:

    This struct is necessary:

    typedef struct {
            u16 len; /* sizeof(UserPass) */
            u16 act; /* strlen(data) */
            unsigned char data[32];
    } UserPass;

    (It is tdsRidLeapUsername and tdsRidLeapPassword if you
    are looking at an objdump from one of Cisco's binary tools;
    they're the same struct with different names. This definition
    was found by searching with Google for tdsRidLeapUsername.)
    (let there be:
    ConfigRid cfg; UserPass up;)

    The first thing that needs to be done is set the card config
    for your environment using AIROGCFG and AIROPCFG commands
    to AIROIOCTL. The key portion of this is setting
            cfg.authType = 0x1101; /* found with airorid eth0 1 on my x86 */

    Then use the UserPass "up" with username in up.data as data for
    an AIROPLEAPUSR command to AIROIOCTL.

    Now -- take the password, assuming the passwd is c1...cn,
    fill an array with {c1, 0x0, c2, 0x0,...,cn,0x0} and compute
    its md4 checksum, md4p1. Now compute the md4 checksum of md4p1
    and let that be md4p2. Concatenate md4p1 and md4p2 into
    the data element of a UserPass struct (each is 16 bytes),
    set UserPass.act = 32 and pass it as data to an AIROPLEAPPASS
    AIROIOCTL.

    Feel free to e-mail me with any questions.
    If I get some free time, I might try to write some clones of
    the command-line tools from Cisco.

    -Charlie
    _______________________________________________
    Aironet mailing list - Aironetcsl.cse.ucsc.edu
    http://csl.cse.ucsc.edu/mailman/listinfo/aironet
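
The password step described in the post, as an added example (not the poster's code and not Cisco's): it builds the 32-byte UserPass payload from an ASCII password, where md4p1 is the same value as the Windows NT password hash. The self-contained MD4, the function names, `uint16_t` in place of `u16` and the 64-character cap are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Layout from the post; uint16_t stands in for the driver's u16. */
typedef struct { uint16_t len, act; unsigned char data[32]; } UserPass;
/* MD4 compression of one 64-byte block (RFC 1320). */
static void md4_block(uint32_t h[4], const unsigned char *p) {
    static const int S[3][4] = {{3,7,11,19}, {3,5,9,13}, {3,9,11,15}};
    static const int K3[16] = {0,8,4,12,2,10,6,14,1,9,5,13,3,11,7,15};
    uint32_t x[16], a = h[0], b = h[1], c = h[2], d = h[3];
    for (int i = 0; i < 16; i++)
        x[i] = p[4*i] | p[4*i+1] << 8 | p[4*i+2] << 16 | (uint32_t)p[4*i+3] << 24;
    for (int i = 0; i < 48; i++) {          /* three rounds of 16 steps */
        int r = i / 16, j = i % 16, s = S[r][j % 4];
        uint32_t t = a + (r == 0 ? ((b & c) | (~b & d)) + x[j]
            : r == 1 ? ((b & c) | (b & d) | (c & d)) + 0x5a827999u + x[j % 4 * 4 + j / 4]
            : (b ^ c ^ d) + 0x6ed9eba1u + x[K3[j]]);
        a = d; d = c; c = b; b = (t << s) | (t >> (32 - s));
    }
    h[0] += a; h[1] += b; h[2] += c; h[3] += d;
}

/* MD4 digest of an n-byte message. */
static void md4(const unsigned char *m, size_t n, unsigned char out[16]) {
    uint32_t h[4] = {0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476};
    unsigned char tail[128] = {0};
    size_t rem = n % 64, tlen = rem < 56 ? 64 : 128;
    for (size_t i = 0; i + 64 <= n; i += 64) md4_block(h, m + i);
    memcpy(tail, m + (n - rem), rem);
    tail[rem] = 0x80;                       /* pad, then bit length, little-endian */
    for (int i = 0; i < 8; i++) tail[tlen - 8 + i] = (unsigned char)(((uint64_t)n * 8) >> (8 * i));
    for (size_t i = 0; i < tlen; i += 64) md4_block(h, tail + i);
    for (int i = 0; i < 16; i++) out[i] = (unsigned char)(h[i / 4] >> (8 * (i % 4)));
}

/* Build the password payload as the post describes; -1 if pw exceeds the assumed cap. */
static int leap_password_rid(const char *pw, UserPass *up) {
    unsigned char wide[128];                /* assumed cap: 64 characters */
    size_t n = strlen(pw);
    if (n > sizeof wide / 2) return -1;
    for (size_t i = 0; i < n; i++) { wide[2*i] = (unsigned char)pw[i]; wide[2*i + 1] = 0; }
    md4(wide, 2 * n, up->data);             /* md4p1 over {c1, 0x0, ..., cn, 0x0} */
    md4(up->data, 16, up->data + 16);       /* md4p2 = MD4(md4p1) */
    up->len = sizeof *up; up->act = 32;
    return 0;
}

int main(void) {                            /* constructed sample password */
    UserPass up;
    if (leap_password_rid("password", &up)) return 1;
    for (int i = 0; i < up.act; i++) printf("%02x%s", up.data[i], i == 31 ? "\n" : "");
    return 0;
}
```

The ioctl call itself is not shown because the post does not give the AIROIOCTL request layout.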