Hacking & Solutions: Cracking Cisco LEAP AuthenticationBy CWNP On 02/12/2008 - 32 Comments
This article is presented as part of hacking + solution track for Wireless Security Expo 2008.
By watching the "Cracking Cisco LEAP" video, you will discover just how insecure LEAP is. It takes only seconds to break using any reasonable dictionary file and commonly available and user-friendly software tools.
Cisco's Lightweight EAP (LEAP) protocol is a scalable, fast, and simple authentication protocol designed to work over 802.11 WLANs. LEAP is, by far, the easiest version of 802.1X/EAP to implement. It literally takes only minutes to configure, and is supported by a variety of RADIUS servers and wireless client utilities. There is one problem: it lacks the kind of rock-solid security found in tunneled EAP types like PEAP and EAP-TTLS. LEAP was the first widely-deployed EAP type, and there are still thousands of LEAP deployments in existance.
The reason for this insecurity is that LEAP relies on users to choose a "strong" password. Users don't like strong passwords because they are too difficult to remember. Instead, users like common words, phrases, and names. If even one user on a wireless network violates the strong password requirement, an intruder will have the ability to penetrate the network.
Cisco has repeatedly reinforced its stance that if LEAP is deployed, a strong password policy must be enforced. Enforcing a strong password policy is easier said than done in many cases, especially when passwords are suggested (by Cisco) to meet these requirements:
- A minimum of ten characters
- A mixture of uppercase and lowercase letters
- At least one numeric character or one non-alphanumeric character (Example: !#@$%)
- No form of the user's name or user ID
- A word that is not found in the dictionary (domestic or foreign)
Cisco offers these examples of strong passwords:
- cnw84FriDAY, from "cannot wait for Friday"
- 4yosc10cP!, from "for your own safety choose 10 character password!"
If the ability to force users to use strong passwords is available in your system, it is highly suggested that you implement it for the LEAP network. Cisco has released EAP-FAST as a suggested replacement for LEAP, but due to EAP-FAST's deployment complexity and limited support in client utiltiies and RADIUS servers, PEAP and EAP-TTLS are currently the most popular enterprise-class wireless authentication protocols. All three are typically deemed secure, but the most popular usually end up being the easiest and cheapest to deploy.
Since PEAP, EAP-TTLS, and even EAP-FAST (to some degree) are available, well-documented, and secure, all LEAP users should consider upgrades at their earliest possible convenience.