Hacking & Solutions: Cracking Cisco LEAP Authentication

By CWNP On 02/12/2008 - 38 Comments

This article is presented as part of the Hacking + Solution track for Wireless Security Expo 2008.

By watching the "Cracking Cisco LEAP" video, you will discover just how insecure LEAP is.  It takes only seconds to break using any reasonable dictionary file and commonly available and user-friendly software tools. 

Cisco's Lightweight EAP (LEAP) protocol is a scalable, fast, and simple authentication protocol designed to work over 802.11 WLANs.  LEAP is, by far, the easiest version of 802.1X/EAP to implement.  It literally takes only minutes to configure, and is supported by a variety of RADIUS servers and wireless client utilities.  There is one problem: it lacks the kind of rock-solid security found in tunneled EAP types like PEAP and EAP-TTLS.  LEAP was the first widely-deployed EAP type, and there are still thousands of LEAP deployments in existence.

The reason for this insecurity is that LEAP relies on users to choose a "strong" password.  Users don't like strong passwords because they are too difficult to remember.  Instead, users like common words, phrases, and names.  If even one user on a wireless network violates the strong password requirement, an intruder will have the ability to penetrate the network.

Cisco has repeatedly reinforced its stance that if LEAP is deployed, a strong password policy must be enforced.  Enforcing a strong password policy is easier said than done in many cases, especially when passwords are suggested (by Cisco) to meet these requirements:

  • A minimum of ten characters
  • A mixture of uppercase and lowercase letters
  • At least one numeric character or one non-alphanumeric character (Example: !#@$%)
  • No form of the user's name or user ID
  • A word that is not found in the dictionary (domestic or foreign)


Cisco offers these examples of strong passwords:

  • cnw84FriDAY, from "cannot wait for Friday"
  • 4yosc10cP!, from "for your own safety choose 10 character password!"

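As an added example (not code from the article or from Cisco), the following Python encodes the five requirements above as a check a RADIUS administrator could run over a proposed password before it is issued, using a constructed word list and constructed user IDs; it also sizes the guessing space to show why the ten-character, mixed-class rule matters against the dictionary attack the article describes.

```python
"""Password policy check for the LEAP requirements listed above.

Added example (not from the CWNP article or from Cisco). The word list,
user IDs and guess rate are constructed for the demonstration.
"""
import re

# Constructed stand-in for a real dictionary; a deployment would load a full
# word list (the same kind of file a dictionary attack would use).
SAMPLE_DICTIONARY = {
    "password", "friday", "monday", "welcome", "cisco", "wireless",
    "letmein", "summer", "winter", "secret", "network", "admin",
}

SECONDS_PER_YEAR = 365 * 24 * 3600


def check_leap_password(password, username, dictionary=SAMPLE_DICTIONARY):
    """Return the list of requirements the password violates ([] = compliant)."""
    problems = []
    lowered = password.lower()

    if len(password) < 10:
        problems.append("fewer than ten characters")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("needs both uppercase and lowercase letters")
    if not re.search(r"[^A-Za-z]", password):
        problems.append("needs a digit or a non-alphanumeric character")

    # "No form of the user's name or user ID": reject each alphabetic part of
    # the ID (split on dots, underscores, digits, etc.) and its reverse.
    parts = [p for p in re.split(r"[^a-z]+", username.lower()) if len(p) >= 3]
    if any(p in lowered or p[::-1] in lowered for p in parts):
        problems.append("contains a form of the user name or user ID")

    # "A word that is not found in the dictionary": applied to the letters that
    # remain once digits and symbols are stripped, so "Password123!" is caught.
    # A stricter substring check would also reject Cisco's own "cnw84FriDAY".
    letters_only = re.sub(r"[^a-z]", "", lowered)
    if letters_only in dictionary:
        problems.append("is a dictionary word once digits and symbols are removed")

    return problems


def brute_force_years(length, alphabet_size, guesses_per_second):
    """Years needed to try every string of this length over this alphabet.

    Used to compare a seven-digit numeric space with the mixed-class space
    the policy requires; the guess rate is whatever the attacker's hardware does.
    """
    return alphabet_size ** length / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Cisco's two published examples plus constructed weak ones; user IDs are made up.
    for pw, user in [("cnw84FriDAY", "dcoleman"), ("4yosc10cP!", "dcoleman"),
                     ("Password123!", "alice"), ("jsmith2008!A", "jsmith"),
                     ("friday", "bob")]:
        verdict = check_leap_password(pw, user) or ["OK"]
        print(f"{pw:14} {user:10} {'; '.join(verdict)}")

    rate = 1e5  # constructed guess rate, guesses per second
    print(f"digits, length 7:   {brute_force_years(7, 10, rate):.2e} years")
    print(f"a-zA-Z0-9, len 10:  {brute_force_years(10, 62, rate):.2e} years")
```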

If the ability to force users to use strong passwords is available in your system, it is highly suggested that you implement it for the LEAP network.  Cisco has released EAP-FAST as a suggested replacement for LEAP, but due to EAP-FAST's deployment complexity and limited support in client utilities and RADIUS servers, PEAP and EAP-TTLS are currently the most popular enterprise-class wireless authentication protocols.  All three are typically deemed secure, but the most popular usually end up being the easiest and cheapest to deploy.

Since PEAP, EAP-TTLS, and even EAP-FAST (to some degree) are available, well-documented, and secure, all LEAP users should consider upgrades at their earliest possible convenience.


38 Responses to Hacking & Solutions: Cracking Cisco LEAP Authentication

vahid nazari Says:
09/04/2018 at 04:19am
Thanks for this post.

payan

Says:
02/20/2008 at 08:18am
Hi-
I had only heard of asleap a couple of years ago but never saw it in action. Thanks for the presentation.

Says:
02/18/2008 at 12:21pm
Hi:
This session was informative, and it made me aware of what tools are out there. It also made me aware that if you think like a hacker, your network will be much more secure.
Thanks, again

Says:
02/17/2008 at 10:56am
The event was wonderful and the solutions for solving problems are accurate.

Says:
02/14/2008 at 02:44am
It was really a great presentation and was very informative!

Thanks

ADITYA

Says:
02/13/2008 at 14:59pm
Interesting, although some details are still withheld; nonetheless, really appreciated.

Says:
02/13/2008 at 14:36pm
Keep in mind that while PEAP and TTLS can be secure, it is very common to configure them to be completely INsecure. Never use a self-signed certificate on your RADIUS server for a real deployment - it allows people to perform a trivial man-in-the-middle attack. If you do this with PEAP-MSCHAPv2 the attacker gets access. If you do this with TTLS-PAP the attacker gets the username and password. Not good!

You're also not generally safe using Internet CA signed certificates because Windows will prompt the user to accept new certificates signed by the same CA by default. All the attacker has to do is purchase a new certificate for a domain he owns, signed by the same CA you use, and he can start attacking again.

Best practice would be to use your own certificate authority. Microsoft has a pretty good solution integrated into Active Directory, which works fine with non-MS clients as well. Makes life very easy for clients that are part of the domain with automatic certificate distribution, and it's included with Windows Server. OpenSSL is another option, but is very cryptic.
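The two misconfigurations this comment describes (no CA pinned at all, or a CA pinned but any certificate it issued accepted) can be caught on the client side. Added example, not from the article or the commenter: a small audit of constructed wpa_supplicant.conf text that flags PEAP/TTLS networks lacking ca_cert or a server identity match (domain_suffix_match, domain_match, altsubject_match or subject_match); the file paths, SSIDs and domains are made up.

```python
"""Audit wpa_supplicant network blocks for the PEAP/TTLS certificate mistake
described in the comment above (added example, not the project's own code).
"""
import re

TUNNELED_EAP = {"PEAP", "TTLS"}
IDENTITY_KEYS = ("domain_suffix_match", "domain_match", "altsubject_match", "subject_match")

# Constructed config: the first block is the weak setting (no CA, so any
# RADIUS server is trusted), the second is the corrected one.
SAMPLE_CONF = """
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="alice"
    password="hunter2"
    ca_cert="/etc/ssl/corp-internal-ca.pem"
    domain_suffix_match="radius.corp.example"
    phase2="auth=PAP"
}
"""


def parse_networks(conf_text):
    """Return a list of dicts, one per network={...} block (quotes stripped)."""
    networks = []
    for body in re.findall(r"network=\{(.*?)\}", conf_text, re.S):
        entry = {}
        for line in body.splitlines():
            line = line.strip()
            if "=" in line and not line.startswith("#"):
                key, _, value = line.partition("=")
                entry[key.strip()] = value.strip().strip('"')
        networks.append(entry)
    return networks


def audit_network(net):
    """Return findings for one network block ([] when nothing is wrong)."""
    findings = []
    if net.get("eap", "").upper() not in TUNNELED_EAP:
        return findings  # only tunneled EAP types carry a server certificate check
    if "ca_cert" not in net and "ca_path" not in net:
        findings.append("no ca_cert: server certificate is not validated")
    elif not any(k in net for k in IDENTITY_KEYS):
        findings.append("no server identity match: any certificate from the CA is accepted")
    return findings


def audit_conf(conf_text):
    """Map each network (index:ssid) to its findings."""
    return {f"{i}:{net.get('ssid', '?')}": audit_network(net)
            for i, net in enumerate(parse_networks(conf_text))}


if __name__ == "__main__":
    for name, findings in audit_conf(SAMPLE_CONF).items():
        print(name, "->", "; ".join(findings) or "OK")
```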

Says:
02/13/2008 at 04:46am
Great information and it was explained with good narration.

Says:
02/13/2008 at 04:18am
Thanks a lot for this important information ... really excellent effort

Says:
02/13/2008 at 02:52am
nice presentation, very helpful.

thanks

Says:
02/13/2008 at 02:49am
The presentation was great. However, if it had been broken into simpler steps explaining where to download the tools (dictionary tool, just a suggestion), if any are mentioned, it would have been good to try, along with the making of that particular numbers7.txt file..... I am a beginner, so I felt this was a little difficult to understand; however, I will try the steps and make myself comfortable. Please provide the steps in more detail as a doc if possible. Great Video!!!

Thanks for sharing the great stuff:)

Says:
02/13/2008 at 00:02am
Excellent Webinar
Thanks

Says:
02/12/2008 at 23:21pm
Very informative; it was much more complex than I expected it to be..

Says:
02/12/2008 at 19:37pm
That was a good presentation

Says:
02/12/2008 at 18:58pm
Very informative and detailed! Thanks!

Says:
02/12/2008 at 17:45pm
Mark Owen answered the password question posed by a couple people here before I had a chance. Spot on, Mark!

It was a good presentation. It is important to note that although it seems easy to crack LEAP it took an experienced and talented individual time and effort to write some code to make it this easy. I believe Joshua Wright is the man's name. Joshua Wright also teaches some SANS courses on wireless security.

Thanks for the presentation, Devin, well done...

Heath

Says:
02/12/2008 at 16:46pm
That was an informative session

Says:
02/12/2008 at 16:27pm
Interesting

Says:
02/12/2008 at 16:20pm
Curtis:

The asleap application uses a dictionary hash file to match the hash in the captured packets. If the password is not in the initial dictionary file, asleap will not be able to determine the password. By using non-dictionary words and adding complexity, the amount of time required to generate the hashes to match will grow considerably; took two minutes for 1 - 9,999,999, imagine how long it would take to generate for a-z,A-Z,0-9,~!@#$%^&*,etc. On the downside, it may be already possible to download pre-generated hash files (rainbow tables.)

The stronger the password, the more time it will take to generate the hashes, and hence to crack. A stronger CPU can help accelerate the discovery, but a strong enough password could still take years to break. Additionally, if it were possible to salt the hashes that Cisco uses, all dictionary files and rainbow tables would be moot, unless the cracker knew the phrase used to salt the password phrases.

Michael,
It is probably for promiscuous support and available accessories. Quite a few wireless chip sets do not support promiscuous mode, which is necessary for sniffing all packets. Additionally, the 501pc card appears to support the connectivity of an external antenna, useful for dB gain for attacks at a distance greater than what would usually be possible. This isn't limited to the Trendnet as any card with the same chip set (Atheros Communications, Inc. AR5413) would essentially do the same. Additionally, other chip sets would work as well (orinoco, prism, etc.)


Mark

Says:
02/12/2008 at 15:55pm
It would be nice to have this presentation broken down into more precise steps, such as what all the pre-reqs are (software pkgs to be installed ahead of time, resources on the PC, etc.), and then to see ASLEAP run against the actual requirements of LEAP (using a 10 alpha-num passphrase). The presentation used only numbers as its example...

Says:
02/12/2008 at 15:34pm
A great presentation

Says:
02/12/2008 at 15:02pm
I'm on my way to deploying a wireless network, and that's valuable information for me. Thanks a lot !!

Says:
02/12/2008 at 14:58pm
Is there any reasoning behind choosing the Trendnet 501pc card, or was that just personal preference? Does anyone know if this card supports packet injection?

Thanks, newbie and eager!

Says:
02/12/2008 at 14:51pm
I attended the web seminar that this article references and I am not clear on the role the dictionary plays in the video demonstration on how to crack LEAP. I have two simple questions.

1. If the password used in the leap was not listed in the dictionary file used in the attack, would the attack still eventually crack the password?

2. (Assume yes above) If the strong password was used, does anyone have any idea how the strong password would help? (i.e. the attack would still only take a few seconds, now take hours, or the attack would fail?)

Says:
02/12/2008 at 14:49pm
This was a very informative telecast. Thank you

Says:
02/12/2008 at 14:48pm
Thought it was interesting.

Says:
02/12/2008 at 14:39pm
I'm not clear on the role the dictionary part played in the demonstration. With the approach shown in the video, if the password file doesn't contain the actual password used, will this approach fail to crack the password?

Will the above examples of a strong password still be cracked by the steps in the video?

How much difference do the above passwords make in cracking LEAP? (A few seconds longer to crack, several hours longer to crack, not possible to crack at all)

Says:
02/12/2008 at 14:30pm
Piece of cake; in the new generation Aironet it doesn't happen, the Aironet 1100 series has these troubles...

Says:
02/12/2008 at 14:22pm
Devin,

Great presentation, I very much enjoyed it!

Tom

Says:
02/12/2008 at 14:20pm
Wow, did not think it would be this easy. Great job!!

Says:
02/12/2008 at 14:19pm
Do you have advice for use of other EAP options, like EAP-TLS for example (vs. EAP-TTLS)? Use of EAP-TLS is a requirement in DoD WLAN policy, probably in an attempt to maintain interoperability.

Says:
02/12/2008 at 14:12pm
GREAT INFO
THANKS

Says:
02/12/2008 at 13:19pm
I thought it would be easy, but not quite this easy. Good information.
