Hacking & Solutions: Cracking Cisco LEAP Authentication

Hacking & Solutions: Cracking Cisco LEAP Authentication

By CWNP On 02/12/2008 - 33 Comments

This article is presented as part of hacking + solution track for Wireless Security Expo 2008.

By watching the "Cracking Cisco LEAP" video, you will discover just how insecure LEAP is.  It takes only seconds to break using any reasonable dictionary file and commonly available and user-friendly software tools. 

 

Cisco's Lightweight EAP (LEAP) protocol is a scalable, fast, and simple authentication protocol designed to work over 802.11 WLANs.  LEAP is, by far, the easiest version of 802.1X/EAP to implement.  It literally takes only minutes to configure, and is supported by a variety of RADIUS servers and wireless client utilities.  There is one problem: it lacks the kind of rock-solid security found in tunneled EAP types like PEAP and EAP-TTLS.  LEAP was the first widely-deployed EAP type, and there are still thousands of LEAP deployments in existance.

The reason for this insecurity is that LEAP relies on users to choose a "strong" password.  Users don't like strong passwords because they are too difficult to remember.  Instead, users like common words, phrases, and names.  If even one user on a wireless network violates the strong password requirement, an intruder will have the ability to penetrate the network.

Cisco has repeatedly reinforced its stance that if LEAP is deployed, a strong password policy must be enforced.  Enforcing a strong password policy is easier said than done in many cases, especially when passwords are suggested (by Cisco) to meet these requirements:

  • A minimum of ten characters
  • A mixture of uppercase and lowercase letters
  • At least one numeric character or one non-alphanumeric character (Example: !#@$%)
  • No form of the user's name or user ID
  • A word that is not found in the dictionary (domestic or foreign)


Cisco offers these examples of strong passwords:

  • cnw84FriDAY, from "cannot wait for Friday"
  • 4yosc10cP!, from "for your own safety choose 10 character password!"


If the ability to force users to use strong passwords is available in your system, it is highly suggested that you implement it for the LEAP network.  Cisco has released EAP-FAST as a suggested replacement for LEAP, but due to EAP-FAST's deployment complexity and limited support in client utiltiies and RADIUS servers, PEAP and EAP-TTLS are currently the most popular enterprise-class wireless authentication protocols.  All three are typically deemed secure, but the most popular usually end up being the easiest and cheapest to deploy.

Since PEAP, EAP-TTLS, and even EAP-FAST (to some degree) are available, well-documented, and secure, all LEAP users should consider upgrades at their earliest possible convenience.


33 Responses to Hacking & Solutions: Cracking Cisco LEAP Authentication

Subscribe by Email
Kevinogi jhome Says:
04/19/2018 at 21:12pm
I blame Cheap NFL Football Jerseys the cold weather. And testosterone. soccer jerseys And the time-honored baseball tradition that goes back to the days of Old Hoss Radbourn and King Kelly: an eye for an eye, blood will have blood. We had three flare-ups from nfl jerseys Wednesday's action, two in the Yankees-Red Sox tilt at Fenway and one at Coors Field, when Nolan Arenado charged the mound against the Padres with anger boiling in his veins. Worth noting: Both were intra-division episodes, which perhaps fueled the fires and custom nfl jerseys also means it might not be the last time we see these teams going at each other. Keep the Yankees in the Yard Can you nfl jerseys strike out the Yankees? It's your turn to pitch to Judge, Stanton and Sanchez. Play the game ? Let's start at Fenway, where the benches first emptied when Tyler Austin slid into second base and caught the back leg of Brock Holt with his spikes. Austin slid into the bag but sort of flipped his leg out as Holt stretched for the throw from third baseman Rafael Devers. The slide was in the gray area of being a slightly nba jerseys dirty play, especially considering Holt wasn't denver broncos jerseys trying to turn a double play. On the other hand, Cheap Jerseys Outlet if you see the replay from the left-field camera, Holt didn't stretch for carolina panthers jerseys the ball until Austin had started his slide. Holt also nhl jerseys should have done a better job of getting out of the way. But again, the spikes were up. That mlb jerseys led to an exchange of words and a more or less conventional emptying of the benches and bullpens, with phone numbers exchanged and dinner dates planned. Aaron Judge had a big grin on his face, although Austin seemed a bit too riled up for his own good and had to be restrained. Move ahead to the seventh inning. Joe Kelly throws high and tight and plunks Austin, who slams his bat down ncaa jerseys in disgust, and it's nike nfl jerseys on. I mean, it wasn't a 1970s or '80s brawl, but there was some pushing and shoving going on and Austin threw at least one punch that landed on Red Sox coach Carlos Febles. Kelly and Austin were ejected, and, really, it could have been much worse.

Says:
02/20/2008 at 08:18am
Hi-
I had only heard of asleap a couple of years ago but never saw it in action. Thanks for the presentation.

Says:
02/18/2008 at 12:21pm
Hi:
This session informative, and its made awhere of what tools are out there. Also this has made awhere that if you think like a hacker, that your network will much more secured
Thanks, again

Says:
02/17/2008 at 10:56am
the event is wonderful and solution for solving problems are accurate

Says:
02/14/2008 at 02:44am
It was really a great presentation and was very informative!

Thanks

ADITYA

Says:
02/13/2008 at 14:59pm
Interesting, although some details are still with held, nonetheless really appreciated.

Says:
02/13/2008 at 14:36pm
Keep in mind that while PEAP and TTLS can be secure, it is very common to configure them to be completely INsecure. [i]Never[/i] use a self-signed certificate on your radius server for a real deployment - it allows people to perform a trivial man-in-the-middle attack. If you do this with PEAP-MSCHAPv2 the attacker gets access. If you do this with TTLS-PAP the attacker gets the username and password. Not good!

You're also not generally safe using Internet CA signed certificates because windows will prompt the user to accept new certificates signed by the same CA by default. All the attacker has to do is purchase a new certificate for a domain he owns, signed by the same CA you use, and he can start attacking again.

Best practice would be to use your own certificate authority. Microsoft has a pretty good solution integrated into active directory, which works fine with non-MS clients as well. Makes life very easy for clients that are part of the domain with automatic certificate distribution, and it's included with Windows server. OpenSSL is another option, but is very cryptic.

Says:
02/13/2008 at 04:46am
Great information and it was explained with good narration.

Says:
02/13/2008 at 04:18am
thanx alot for these important information ... really excellent effort

Says:
02/13/2008 at 02:52am
nice presentation, very helpful.

thanks

Says:
02/13/2008 at 02:49am
The presentation was Great. However if it was broken into more simple steps to explain us about where to download the tools(dictionary tool - just for suggestion)if mentioned any would have been good to try and the making of that particular numbers7.txt file..... I am a beginner, so i felt this was little difficult to understand, however will try the steps and make myself comfortable. Please provide the steps in more detail as a doc if possible. Great Video!!!

Thanks for sharing the great stuff:)

Says:
02/13/2008 at 00:02am
Excellent Webinar
Thanks

Says:
02/12/2008 at 23:21pm
very informative it was much more complex than i expectec it to be..

Says:
02/12/2008 at 19:37pm
That was a good presentation

Says:
02/12/2008 at 18:58pm
Very informative and detailed! Thanks!

Says:
02/12/2008 at 17:45pm
Mark Owen answered the password question posed by a couple people here before I had a chance. Spot on, Mark!

It was a good presentation. It is important to note that although it seems easy to crack LEAP it took an experienced and talented individual time and effort to write some code to make it this easy. I believe Joshua Wright is the man's name. Joshua Wright also teaches some SANS courses on wireless security.

Thanks for the presentation, Devin, well done...

Heath

Says:
02/12/2008 at 16:46pm
That was an informative session

Says:
02/12/2008 at 16:27pm
Interesting

Says:
02/12/2008 at 16:20pm
Curtis:

The asleap application uses a dictionary hash file to match the hash in the captured packets. If the password is not in the initial dictionary file, asleap will not be able to determine the password. By using non-dictionary words and adding complexity, the amount of time required to generate the hashes to match will grow considerably; took two minutes for 1 - 9,999,999, imagine how long it would take to generate for a-z,A-Z,0-9,~!@#$%^&*,etc. On the downside, it may be already possible to download pre-generated hash files (rainbow tables.)

The stronger the password, the more time it will take to generate the hashes, and in hence crack. A stronger CPU can help accelerate the discovery, but a strong enough password could still take years to break. Additionally, if it was possible to salt the hashes that Cisco uses, all dictionary files and rainbow tables would be moot, unless the cracker knew the phrase to salt the password phrases.

Michael,
It is probably for promiscuous support and available accessories. Quite a few wireless chip sets do not support promiscuous mode, which is necessary for sniffing all packets. Additionally, the 501pc card appears to support the connectivity of an external antenna, useful for dB gain for attacks at a distance greater than what would usually be possible. This isn't limited to the Trendnet as any card with the same chip set (Atheros Communications, Inc. AR5413) would essentially do the same. Additionally, other chip sets would work as well (orinoco, prism, etc.)


Mark

Says:
02/12/2008 at 15:55pm
It would be nice is to have this presentation broken down into more precise steps. Such as what are all the pre-reqs (software pkgs to be installed ahead of time, resources on pc etc). And then to see ASLEAP be run against the actual requires of LEAP, (using a 10 alpha-num passphrase). The presentation used only numbers as its example...

Says:
02/12/2008 at 15:34pm
A great presentation

Says:
02/12/2008 at 15:02pm
I'm on my way to deploying a wireless network, and that's valuable information for me. Thanks a lot !!

Says:
02/12/2008 at 14:58pm
Is their any reasoning behind choosing the Trendnet 501pc card, or was that just personal preference? Does anyone know if this card supports packet injection?

Thanks, newbie and eager!

Says:
02/12/2008 at 14:51pm
I attended the web seminar that this article references and I am not clear on the role the dictionary plays in the video demonstration on how to crack leap. I have twosimple questions.

1. If the password used in the leap was not listed in the dictionary file used in the attack, would the attack still eventually crack the password?

2. (Assume yes above) If the strong password was used does anyone have any idea how the strong password would help? (i.e. the attach would still only take a few seconds, now take hours, or the attack would fail?)

Says:
02/12/2008 at 14:49pm
This was a very informative telecast. Thank you

Says:
02/12/2008 at 14:48pm
Thought it was interesting.

Says:
02/12/2008 at 14:39pm
I'm not clear on the role the dictionary part played in the demonstration. With the approach shown in the video, if the password file doesn't contain the actual password used, will this approach fail to crack the password?

Will the above examples of a strong password still be cracked by the steps in the video?

How much difference does the above passwords make in cracking leap? (A few seconds longer to crack, several hours longer to crack, not possible to crack at)

Says:
02/12/2008 at 14:30pm
Piece of cake, in new generation aironet it doesn´t happen, aironet 1100 series have this troubles...

Says:
02/12/2008 at 14:22pm
Devin,

Great presentation, I very much enjoyed it!

Tom

Says:
02/12/2008 at 14:20pm
Wow, did not think it would be this easy. Great job!!

Says:
02/12/2008 at 14:19pm
Do you have advice for use of other EAP options, like EAP-TLS for example (vs. EAP-TTLS). Use of EAP-TLS is a requirement in DoD WLAN policy, probably in an attempt to maintain interoperability.

Says:
02/12/2008 at 14:12pm
GREAT INFO
THANKS

Says:
02/12/2008 at 13:19pm
I thought it would be easy, but not quite this easy. Good information.

<< prev - comments page 1 of 1 - next >>

Leave a Reply

Please login or sign-up to add your comment.
Success Stories

I literally just came out of the testing centre having taken the CWDP exam. The certification process opened my mind to different techniques and solutions. This knowledge can only broaden your perspective. Great job, CWNP, you have a great thing going on here.

-Darren
Read More

Working through the CWNP coursework and certifications helped not only to deepen my technical knowledge and understanding, but also it boosted my confidence. The hard work it took to earn my CWNE has been rewarding in so many ways.

-Ben
Read More

I want to commend you and all at CWNP for having a great organization. You really 'raise the bar' on knowing Wi-Fi well. I have learned a ton of information that is helping my job experience and personal career goals, because of my CWAP/CWDP/CWSP studies. Kudos to all at CWNP.

-Glenn
Read More