Hacking & Solutions: Cracking Cisco LEAP Authentication

By CWNP On 02/12/2008 - 32 Comments

This article is presented as part of the Hacking + Solutions track for Wireless Security Expo 2008.

By watching the "Cracking Cisco LEAP" video, you will discover just how insecure LEAP is.  It takes only seconds to break using any reasonable dictionary file and commonly available and user-friendly software tools. 


Cisco's Lightweight EAP (LEAP) protocol is a scalable, fast, and simple authentication protocol designed to work over 802.11 WLANs.  LEAP is, by far, the easiest version of 802.1X/EAP to implement.  It literally takes only minutes to configure, and is supported by a variety of RADIUS servers and wireless client utilities.  There is one problem: it lacks the kind of rock-solid security found in tunneled EAP types like PEAP and EAP-TTLS.  LEAP was the first widely-deployed EAP type, and there are still thousands of LEAP deployments in existence.

The reason for this insecurity is that LEAP relies on users to choose a "strong" password.  Users don't like strong passwords because they are too difficult to remember.  Instead, users like common words, phrases, and names.  If even one user on a wireless network violates the strong password requirement, an intruder will have the ability to penetrate the network.

Cisco has repeatedly reinforced its stance that if LEAP is deployed, a strong password policy must be enforced.  Enforcing a strong password policy is easier said than done in many cases, especially when passwords are suggested (by Cisco) to meet these requirements:

  • A minimum of ten characters
  • A mixture of uppercase and lowercase letters
  • At least one numeric character or one non-alphanumeric character (Example: !#@$%)
  • No form of the user's name or user ID
  • A word that is not found in the dictionary (domestic or foreign)

Cisco offers these examples of strong passwords:

  • cnw84FriDAY, from "cannot wait for Friday"
  • 4yosc10cP!, from "for your own safety choose 10 character password!"
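As an added example (not code from the article or from Cisco), the following Python checker encodes the five requirements listed above and accepts both of Cisco's sample passwords. The tiny embedded word list is a constructed stand-in for a real dictionary, and the reading of "no form of the user's name or user ID" as "no name token of three or more letters appears in the password, ignoring case" is an assumption made here.

```python
import re

# Constructed stand-in for a real word list; a deployment would load a full
# domestic and foreign dictionary from disk instead of this handful of words.
DICTIONARY_WORDS = {"password", "friday", "welcome", "summer", "cisco", "wireless"}


def check_leap_password(password, username="", full_name="", dictionary=DICTIONARY_WORDS):
    """Return the list of violated rules; an empty list means the password passes."""
    violations = []

    # Rule 1: a minimum of ten characters.
    if len(password) < 10:
        violations.append("fewer than ten characters")

    # Rule 2: a mixture of uppercase and lowercase letters.
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    if not (has_upper and has_lower):
        violations.append("no mixture of uppercase and lowercase letters")

    # Rule 3: at least one digit or one non-alphanumeric character.
    if not any(c.isdigit() or not c.isalnum() for c in password):
        violations.append("no numeric or non-alphanumeric character")

    # Rule 4 (assumed interpretation): no token of the user's name or user ID,
    # three letters or longer, may appear anywhere in the password, ignoring case.
    lowered = password.lower()
    name_tokens = [t for t in re.split(r"\W+", (username + " " + full_name).lower()) if len(t) >= 3]
    if any(token in lowered for token in name_tokens):
        violations.append("contains a form of the user's name or user ID")

    # Rule 5: not a dictionary word. Digits and symbols are stripped first so that
    # "Friday2008" is still recognised as the dictionary word "friday".
    letters_only = "".join(c for c in lowered if c.isalpha())
    if lowered in dictionary or letters_only in dictionary:
        violations.append("is a dictionary word")

    return violations


def is_strong(password, username="", full_name=""):
    """True when the password satisfies every rule in the policy above."""
    return not check_leap_password(password, username, full_name)


if __name__ == "__main__":
    samples = [("cnw84FriDAY", ""), ("4yosc10cP!", ""), ("Friday2008", ""), ("JSmith2008!!", "jsmith")]
    for pw, user in samples:
        print(pw, "->", check_leap_password(pw, username=user) or "OK")
```

Hooking a check like this into the account-provisioning path is what "enforcing a strong password policy" means in practice; with LEAP, one account that slips past it is enough to expose the network.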

If the ability to force users to use strong passwords is available in your system, it is highly suggested that you implement it for the LEAP network.  Cisco has released EAP-FAST as a suggested replacement for LEAP, but due to EAP-FAST's deployment complexity and limited support in client utilities and RADIUS servers, PEAP and EAP-TTLS are currently the most popular enterprise-class wireless authentication protocols.  All three are typically deemed secure, but the most popular usually end up being the easiest and cheapest to deploy.

Since PEAP, EAP-TTLS, and even EAP-FAST (to some degree) are available, well-documented, and secure, all LEAP users should consider upgrades at their earliest possible convenience.

32 Responses to Hacking & Solutions: Cracking Cisco LEAP Authentication

02/20/2008 at 08:18am
I had only heard of asleap a couple of years ago but never saw it in action. Thanks for the presentation.

02/18/2008 at 12:21pm
This session was informative, and it made me aware of what tools are out there. Also, this has made me aware that if you think like a hacker, your network will be much more secure.
Thanks again

02/17/2008 at 10:56am
The event is wonderful and the solutions for solving problems are accurate.

02/14/2008 at 02:44am
It was really a great presentation and was very informative!



02/13/2008 at 14:59pm
Interesting, although some details are still withheld; nonetheless, really appreciated.

02/13/2008 at 14:36pm
Keep in mind that while PEAP and TTLS can be secure, it is very common to configure them to be completely INsecure. Never use a self-signed certificate on your RADIUS server for a real deployment - it allows people to perform a trivial man-in-the-middle attack. If you do this with PEAP-MSCHAPv2 the attacker gets access. If you do this with TTLS-PAP the attacker gets the username and password. Not good!

You're also not generally safe using Internet CA signed certificates because Windows will prompt the user to accept new certificates signed by the same CA by default. All the attacker has to do is purchase a new certificate for a domain he owns, signed by the same CA you use, and he can start attacking again.

Best practice would be to use your own certificate authority. Microsoft has a pretty good solution integrated into active directory, which works fine with non-MS clients as well. Makes life very easy for clients that are part of the domain with automatic certificate distribution, and it's included with Windows server. OpenSSL is another option, but is very cryptic.

02/13/2008 at 04:46am
Great information and it was explained with good narration.

02/13/2008 at 04:18am
Thanks a lot for this important information ... really excellent effort

02/13/2008 at 02:52am
nice presentation, very helpful.


02/13/2008 at 02:49am
The presentation was great. However, it would have been good if it were broken into more simple steps to explain where to download the tools (dictionary tool, just a suggestion), if any were mentioned, so we could try them, and the making of that particular numbers7.txt file..... I am a beginner, so I felt this was a little difficult to understand; however, I will try the steps and make myself comfortable. Please provide the steps in more detail as a doc if possible. Great Video!!!

Thanks for sharing the great stuff:)

02/13/2008 at 00:02am
Excellent Webinar

02/12/2008 at 23:21pm
Very informative; it was much more complex than I expected it to be..

02/12/2008 at 19:37pm
That was a good presentation

02/12/2008 at 18:58pm
Very informative and detailed! Thanks!

02/12/2008 at 17:45pm
Mark Owen answered the password question posed by a couple people here before I had a chance. Spot on, Mark!

It was a good presentation. It is important to note that although it seems easy to crack LEAP it took an experienced and talented individual time and effort to write some code to make it this easy. I believe Joshua Wright is the man's name. Joshua Wright also teaches some SANS courses on wireless security.

Thanks for the presentation, Devin, well done...


02/12/2008 at 16:46pm
That was an informative session

02/12/2008 at 16:20pm

The asleap application uses a dictionary hash file to match the hash in the captured packets. If the password is not in the initial dictionary file, asleap will not be able to determine the password. By using non-dictionary words and adding complexity, the amount of time required to generate the hashes to match will grow considerably; took two minutes for 1 - 9,999,999, imagine how long it would take to generate for a-z,A-Z,0-9,~!@#$%^&*,etc. On the downside, it may be already possible to download pre-generated hash files (rainbow tables.)

The stronger the password, the more time it will take to generate the hashes, and hence to crack. A stronger CPU can help accelerate the discovery, but a strong enough password could still take years to break. Additionally, if it was possible to salt the hashes that Cisco uses, all dictionary files and rainbow tables would be moot, unless the cracker knew the phrase to salt the password phrases.

It is probably for promiscuous support and available accessories. Quite a few wireless chip sets do not support promiscuous mode, which is necessary for sniffing all packets. Additionally, the 501pc card appears to support the connectivity of an external antenna, useful for dB gain for attacks at a distance greater than what would usually be possible. This isn't limited to the Trendnet as any card with the same chip set (Atheros Communications, Inc. AR5413) would essentially do the same. Additionally, other chip sets would work as well (orinoco, prism, etc.)
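The comment above answers the recurring "seconds, hours, or years?" question only qualitatively. As an added illustration (not from the comment's author, the article, or the asleap tool), the Python model below turns the one figure the comment gives, roughly ten million numeric candidates (1 through 9,999,999) in two minutes, into worst-case exhaustive-search times for other alphabets. The rate, the alphabet sizes and the fixed ten-character length are assumptions for the estimate; the model deliberately ignores precomputed tables, which the comment notes would make any listed password fall immediately.

```python
# Worst-case exhaustive-search model. The only measured value is the rate
# reported in the comment above (about 10 million numeric candidates in two
# minutes on the presenter's machine); everything else is an assumption.
CANDIDATES_PER_SECOND = 9_999_999 / 120.0

# Candidate alphabets and their sizes. "~!@#$%^&*" is the nine symbols the
# comment lists, so the last alphabet is 62 + 9 = 71 characters.
ALPHABETS = {
    "digits only": 10,
    "lowercase letters": 26,
    "mixed-case letters": 52,
    "mixed-case letters and digits": 62,
    "mixed-case letters, digits and ~!@#$%^&*": 71,
}


def keyspace(alphabet_size, length):
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def worst_case_seconds(alphabet_size, length, rate=CANDIDATES_PER_SECOND):
    """Seconds needed to try every password in the keyspace at `rate` per second."""
    return keyspace(alphabet_size, length) / rate


def human_duration(seconds):
    """Render a second count in the largest convenient unit, one decimal place."""
    units = [("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


def estimate_table(length, rate=CANDIDATES_PER_SECOND):
    """(alphabet name, keyspace, worst-case time) for each alphabet at a fixed length."""
    return [
        (name, keyspace(size, length), human_duration(worst_case_seconds(size, length, rate)))
        for name, size in ALPHABETS.items()
    ]


if __name__ == "__main__":
    # Ten characters is the minimum in Cisco's password guidance quoted in the article.
    for name, space, duration in estimate_table(10):
        print(f"{name:45s} {space:>22,d}  {duration}")
```

The numbers this prints are only a ceiling: a faster CPU, several machines, or a word list that happens to contain the password all cut the real time, which is why the article's advice is to enforce the policy rather than rely on the arithmetic.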


02/12/2008 at 15:55pm
It would be nice to have this presentation broken down into more precise steps, such as what all the pre-reqs are (software packages to be installed ahead of time, resources on the PC, etc.), and then to see asleap be run against the actual requirements of LEAP (using a 10-character alphanumeric passphrase). The presentation used only numbers as its example...

02/12/2008 at 15:34pm
A great presentation

02/12/2008 at 15:02pm
I'm on my way to deploying a wireless network, and that's valuable information for me. Thanks a lot !!

02/12/2008 at 14:58pm
Is there any reasoning behind choosing the Trendnet 501pc card, or was that just personal preference? Does anyone know if this card supports packet injection?

Thanks, newbie and eager!

02/12/2008 at 14:51pm
I attended the web seminar that this article references and I am not clear on the role the dictionary plays in the video demonstration on how to crack LEAP. I have two simple questions.

1. If the password used in the leap was not listed in the dictionary file used in the attack, would the attack still eventually crack the password?

2. (Assume yes above) If a strong password was used, does anyone have any idea how the strong password would help? (i.e. would the attack still only take a few seconds, now take hours, or would the attack fail?)

02/12/2008 at 14:49pm
This was a very informative telecast. Thank you

02/12/2008 at 14:48pm
Thought it was interesting.

02/12/2008 at 14:39pm
I'm not clear on the role the dictionary part played in the demonstration. With the approach shown in the video, if the password file doesn't contain the actual password used, will this approach fail to crack the password?

Will the above examples of a strong password still be cracked by the steps in the video?

How much difference do the above passwords make in cracking LEAP? (A few seconds longer to crack, several hours longer to crack, not possible to crack at all)

02/12/2008 at 14:30pm
Piece of cake; in new-generation Aironet it doesn't happen, the Aironet 1100 series has these troubles...

02/12/2008 at 14:22pm

Great presentation, I very much enjoyed it!


02/12/2008 at 14:20pm
Wow, did not think it would be this easy. Great job!!

02/12/2008 at 14:19pm
Do you have advice for use of other EAP options, like EAP-TLS for example (vs. EAP-TTLS). Use of EAP-TLS is a requirement in DoD WLAN policy, probably in an attempt to maintain interoperability.

02/12/2008 at 13:19pm
I thought it would be easy, but not quite this easy. Good information.
