Hacking & Solutions: Cracking Cisco LEAP Authentication

Written by Devin Akin
Tuesday, 12 February 2008

This article is presented as part of the hacking + solution track for Wireless Security Expo 2008. The hacking video is available here. By watching the "Cracking Cisco LEAP" video, you will see just how insecure LEAP is: it takes only seconds to break with any reasonable dictionary file and commonly available, user-friendly software tools.
Cisco's Lightweight EAP (LEAP) protocol is a scalable, fast, and simple authentication protocol designed to work over 802.11 WLANs. LEAP is by far the easiest version of 802.1X/EAP to implement: it takes only minutes to configure, and it is supported by a wide variety of RADIUS servers and wireless client utilities. There is one problem: it lacks the kind of rock-solid security found in tunneled EAP types such as PEAP and EAP-TTLS. LEAP was the first widely deployed EAP type, and there are still thousands of LEAP deployments in existence. Cisco has repeatedly reinforced its stance that if LEAP is deployed, a strong password policy must be enforced. Enforcing a strong password policy is easier said than done in many cases, especially when Cisco suggests that passwords meet these requirements:
Cisco offers these examples of strong passwords:
If your system can force users to use strong passwords, it is highly suggested that you enable that for the LEAP network. Cisco has released EAP-FAST as a suggested replacement for LEAP, but because of EAP-FAST's deployment complexity and limited support in client utilities and RADIUS servers, PEAP and EAP-TTLS are currently the most popular enterprise-class wireless authentication protocols. All three are typically deemed secure, but the most popular usually end up being the easiest and cheapest to deploy. Since PEAP, EAP-TTLS, and (to some degree) EAP-FAST are available, well documented, and secure, all LEAP users should consider upgrading at their earliest possible convenience.

Comments (32)
...
written by Harry Pearson, February 12, 2008
I thought it would be easy, but not quite this easy. Good information.
...
written by TOM RUUHELA, February 12, 2008
GREAT INFO
THANKS ...
written by Noel Foster, February 12, 2008
Do you have advice for the use of other EAP options, like EAP-TLS for example (vs. EAP-TTLS)? Use of EAP-TLS is a requirement in DoD WLAN policy, probably in an attempt to maintain interoperability.
...
written by Homyar, February 12, 2008
Wow, did not think it would be this easy. Great job!!
...
written by Tom Thumser, February 12, 2008
Devin,
Great presentation, I very much enjoyed it! Tom ...
written by Santiago, February 12, 2008
Piece of cake; in the new generation Aironet it doesn't happen, the Aironet 1100 series has these troubles...
...
written by Curtis Lehman, February 12, 2008
I'm not clear on the role the dictionary part played in the demonstration. With the approach shown in the video, if the password file doesn't contain the actual password used, will this approach fail to crack the password?
Will the above examples of a strong password still be cracked by the steps in the video? How much difference do the above passwords make in cracking LEAP? (A few seconds longer to crack, several hours longer to crack, not possible to crack at all) ...
written by Anna, February 12, 2008
Thought it was interesting.
...
written by Jeannine B., February 12, 2008
This was a very informative telecast. Thank you
...
written by Curtis Lehman, February 12, 2008
I attended the web seminar that this article references and I am not clear on the role the dictionary plays in the video demonstration on how to crack LEAP. I have two simple questions.
1. If the password used in LEAP was not listed in the dictionary file used in the attack, would the attack still eventually crack the password?
2. (Assume yes above) If a strong password was used, does anyone have any idea how the strong password would help? (i.e. would the attack still only take a few seconds, now take hours, or would the attack fail?) ...
written by Michael Wilson, February 12, 2008
Is there any reasoning behind choosing the Trendnet 501pc card, or was that just personal preference? Does anyone know if this card supports packet injection?
Thanks, newbie and eager! ...
written by Barre KABORE, February 12, 2008
I'm on my way to deploying a wireless network, and that's valuable information for me. Thanks a lot!!
...
written by Joe, February 12, 2008
A great presentation
...
written by Deb H., February 12, 2008
It would be nice to have this presentation broken down into more precise steps, such as what all the pre-reqs are (software packages to be installed ahead of time, resources on the PC, etc.), and then to see ASLEAP run against the actual requirements of LEAP (using a 10-character alphanumeric passphrase). The presentation used only numbers as its example...
...
written by mr.markowen, February 12, 2008
Curtis:
The asleap application uses a dictionary hash file to match the hash in the captured packets. If the password is not in the initial dictionary file, asleap will not be able to determine the password. By using non-dictionary words and adding complexity, the amount of time required to generate the hashes to match will grow considerably; it took two minutes for 1 - 9,999,999, imagine how long it would take to generate for a-z, A-Z, 0-9, ~!@#$%^&*, etc. On the downside, it may already be possible to download pre-generated hash files (rainbow tables). The stronger the password, the more time it will take to generate the hashes, and hence to crack. A stronger CPU can help accelerate the discovery, but a strong enough password could still take years to break. Additionally, if it were possible to salt the hashes that Cisco uses, all dictionary files and rainbow tables would be moot, unless the cracker knew the phrase used to salt the password phrases.
Michael,
It is probably for promiscuous support and available accessories. Quite a few wireless chip sets do not support promiscuous mode, which is necessary for sniffing all packets. Additionally, the 501pc card appears to support the connection of an external antenna, useful for dB gain for attacks at a distance greater than what would usually be possible. This isn't limited to the Trendnet, as any card with the same chip set (Atheros Communications, Inc. AR5413) would essentially do the same. Additionally, other chip sets would work as well (Orinoco, Prism, etc.)
Mark ...
written by J. McPhail, February 12, 2008
Interesting
...
written by Muhammad Q Shahzad, February 12, 2008
That was an informative session
...
written by Heath Novak, February 12, 2008
Mark Owen answered the password question posed by a couple people here before I had a chance. Spot on, Mark!
It was a good presentation. It is important to note that although it seems easy to crack LEAP it took an experienced and talented individual time and effort to write some code to make it this easy. I believe Joshua Wright is the man's name. Joshua Wright also teaches some SANS courses on wireless security. Thanks for the presentation, Devin, well done... Heath ...
written by LaQuetta Glaze, February 12, 2008
Very informative and detailed! Thanks!
...
written by Mehdi Fahandezh, February 12, 2008
That was a good presentation
...
written by pankaj belsare, February 12, 2008
Very informative. It was much more complex than I expected it to be..
...
written by Makhat, February 13, 2008
Excellent Webinar
Thanks ...
written by Rajesh, February 13, 2008
The presentation was great. However, if it were broken into simpler steps explaining where to download the tools (the dictionary tool, just as a suggestion), if any were mentioned, it would have been good to try, along with the making of that particular numbers7.txt file..... I am a beginner, so I felt this was a little difficult to understand; however, I will try the steps and make myself comfortable. Please provide the steps in more detail as a doc if possible. Great video!!!
Thanks for sharing the great stuff:) ...
written by Idoko E.mmanuel, February 13, 2008
nice presentation, very helpful.
thanks ...
written by sayed, February 13, 2008
Thanks a lot for this important information ... really excellent effort
...
written by Varun kumar C, February 13, 2008
Great information and it was explained with good narration.
...
written by Slipshod, February 13, 2008
Keep in mind that while PEAP and TTLS can be secure, it is very common to configure them to be completely INsecure. Never use a self-signed certificate on your RADIUS server for a real deployment - it allows people to perform a trivial man-in-the-middle attack. If you do this with PEAP-MSCHAPv2 the attacker gets access. If you do this with TTLS-PAP the attacker gets the username and password. Not good!
You're also not generally safe using Internet CA signed certificates, because Windows will prompt the user to accept new certificates signed by the same CA by default. All the attacker has to do is purchase a new certificate for a domain he owns, signed by the same CA you use, and he can start attacking again. Best practice would be to use your own certificate authority. Microsoft has a pretty good solution integrated into Active Directory, which works fine with non-MS clients as well. It makes life very easy for clients that are part of the domain, with automatic certificate distribution, and it's included with Windows Server. OpenSSL is another option, but is very cryptic. ...
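The supplicant-side counterpart of the advice in the comment above, as an added example that is not from the original post or from Cisco: two wpa_supplicant network blocks for PEAP-MSCHAPv2, the first with the weak setting (no CA pinning, so any server certificate is accepted) and the second pinning the issuing CA and the RADIUS server name so that a different certificate from the same CA does not validate. The SSID, file paths, domain and identity are placeholders.

```ini
# Added example, not from the original post. SSID, paths, domain and
# identity are placeholders. Both blocks use PEAP with MSCHAPv2 inside.

# WEAK (kept disabled here): no ca_cert, so the supplicant trusts whatever
# server certificate it is offered. A rogue access point presenting a
# self-signed certificate, or any certificate from the same public CA,
# receives the inner MSCHAPv2 exchange; with TTLS-PAP it would receive the
# cleartext password instead.
network={
    ssid="example-corp-wlan"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@example.com"
    password="placeholder-password"
    phase2="auth=MSCHAPV2"
    disabled=1
}

# HARDENED: pin the CA that issued the RADIUS server certificate (ideally
# your own CA, as the comment recommends) and require the server
# certificate's name to match your RADIUS host. A certificate bought from
# the same CA for a domain the attacker controls fails domain_suffix_match.
network={
    ssid="example-corp-wlan"
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous@example.com"
    identity="alice@example.com"
    password="placeholder-password"
    ca_cert="/etc/ssl/certs/example-corp-radius-ca.pem"
    domain_suffix_match="radius.example.com"
    phase2="auth=MSCHAPV2"
}
```

The equivalent on Windows is the PEAP profile's "Validate server certificate" setting together with "Connect to these servers" and a single checked root CA, which removes the prompt-to-accept behaviour the comment describes.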
written by Safiyyullah Bello, February 13, 2008
Interesting, although some details are still withheld; nonetheless really appreciated.
...
written by Aditya, February 14, 2008
It was really a great presentation and was very informative!
Thanks ADITYA ...
written by abubakar newcommer, February 17, 2008
The event is wonderful and the solutions for solving problems are accurate
...
written by John Chomyn, February 18, 2008
Hi:
This session was informative, and it made me aware of what tools are out there. Also, this has made me aware that if you think like a hacker, your network will be much more secure. Thanks again ...
written by Everett Scott, February 20, 2008
Hi-
I had only heard of asleap a couple of years ago but never saw it in action. Thanks for the presentation.