Slashdot Mirror


Cisco's LEAP Authentication Cracked

mtrisk writes "Just a day after Cisco released a security warning about its WLSE access point management tool, a tool to crack wi-fi networks using LEAP authentication has been released, reports Wi-Fi Networking News. The tool, called Asleap and developed by Beyond-Security, actively de-authenticates users, sniffs the network when the user re-authenticates, and performs an offline dictionary attack upon the password."

6 of 162 comments

  1. Not Cisco's week by Novanix · · Score: 5, Informative

    Man, to say this isn't Cisco's week would be an understatement. It can also read saved libpcap and airopeek captures. It also can save the required data only to a file for later processing so you can use it on a Palm or WinCE device. Also, for those who just want to get started: Windows Binary | Source.

    1. Re:Not Cisco's week by nova2 · · Score: 5, Informative

      Better links: Windows | Source

  2. Re:Insight appreciated? by Anonymous Coward · · Score: 5, Informative

    Your WEP 64 is already trivial to defeat with sufficient captured data (numbers fail me at the moment.. though something tells me that it may be in the many hundreds of megs captured).

    More so if your router is older and produces the 'weak' packets that programs like Kismet detect (in which case, hundreds of megs becomes hundreds of kilobytes :-P )

  3. Re:Insight appreciated? by AKnightCowboy · · Score: 5, Informative

    > Cisco now owns Linksys. Can anyone alleviate my "phears" and tell me that this vulnerability is more for the hardware found in big companies like Bell Canada, and not my WEP 64 wireless?

    This is for Cisco wireless products (their Aironet series for example), not Linksys products. I'm sure they're still pretty separate companies even though Linksys may be a wholly owned subsidiary. i.e. Linksys access points don't run IOS (hell, some run Linux). Plus, your Linksys box wouldn't support LEAP anyway. Now, the problem with you is that 64-bit WEP is already easy to crack with enough data so it's a thin veil of security, nothing more. Don't rely on it to encrypt your traffic! If you're doing anything that needs encryption then use higher layers like SSL or even IPSEC.

  4. Re:Insight appreciated? by FauxPasIII · · Score: 5, Informative

    > hardware found in big companies like Bell Canada, and not my WEP 64 wireless

    Correct; asleap won't crack your network. However, airsnort will.

    http://airsnort.shmoo.com/

    So far as I'm aware, there hasn't been a link-layer security protocol for wireless made yet that hasn't been cracked. That's why I run ipsec.

    --
    25% Funny, 25% Insightful, 25% Informative, 25% Troll

  5. WPA-PSK at risk in similar circumstances by eggboard · · Score: 5, Informative

    The LEAP problem is pretty egregious because PEAP and EAP-TTLS are in wide use -- both of which encrypt the authentication process protecting against just sucking down a transaction for offline analysis. PEAP was supposedly supported by Microsoft and Cisco, but I don't see how Cisco is supporting it by releasing EAP-FAST, which is an alternate approach that's not as strong as PEAP. (PEAP is also supported by Mac OS X 10.3, just by the way, as well as third parties who made 802.1X authentication software clients.)

    But remember that this problem isn't limited to LEAP. As Robert Moskowitz of ICSA Labs wrote last November, poor WPA preshared key passphrase choice can allow WPA keys to be cracked. WPA (Wi-Fi Protected Access) is a fix to WEP that involves dramatically more complexity and sophistication in deriving per-packet keys.

    However, if you choose a dictionary-crackable passphrase of under 20 characters in WPA, you hit the same problem as LEAP: a cracker can trigger a deauthentication, capture the reauthentication in less than a minute, and then crack at their leisure.

    WPA-PSK will probably only be used in home and small office networks, where passphrases may be poorly chosen. I have spoken to manufacturers about changing the presentation layer: don't let users pick bad passwords. So far, to no avail. Not even a recommendation from the Wi-Fi Alliance.

    --
    Freelance tech journalist for the Economist, MIT Technology Review, Macworld, and others
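
Added example, not part of the original thread or any poster's code: one way a router setup page could apply the "don't let users pick bad passwords" idea from comment 5, rejecting WPA-PSK passphrases that are under 20 characters and built from dictionary words. The wordlist, the substitution table and all function names are constructed for illustration; `derive_pmk` uses the standard WPA-PSK derivation (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations) to show that the key depends on nothing but the passphrase and the SSID.

```python
import hashlib
import re

# Constructed sample wordlist; a real check would load a large dictionary.
WORDLIST = {"pass", "word", "password", "home", "net", "network",
            "wifi", "linksys", "secret", "admin"}
# Common digit/symbol substitutions mapped back to letters (illustrative table).
LEET = str.maketrans("013457@$!", "oleastasi")

def candidates(passphrase):
    """Letter-only forms of the passphrase after undoing common disguises."""
    low = passphrase.lower()
    stripped = re.sub(r"[\d\W_]+$", "", low)  # drop trailing digits/punctuation
    forms = {low, stripped, low.translate(LEET), stripped.translate(LEET)}
    return {re.sub(r"[^a-z]", "", f) for f in forms} - {""}

def is_dictionary_built(s, words):
    """True if s is a concatenation of one or more wordlist entries."""
    ok = [True] + [False] * len(s)
    for i in range(1, len(s) + 1):
        ok[i] = any(ok[j] and s[j:i] in words for j in range(i))
    return ok[len(s)]

def check_passphrase(passphrase, words=WORDLIST, min_len=20):
    """Return a list of reasons to reject; an empty list means accepted."""
    problems = []
    valid_chars = all(32 <= ord(c) <= 126 for c in passphrase)
    if not (8 <= len(passphrase) <= 63 and valid_chars):
        problems.append("not a valid WPA passphrase (8-63 printable ASCII)")
    # Threshold from the comment above: dictionary-derived and under 20 chars.
    if len(passphrase) < min_len and any(
            is_dictionary_built(c, words) for c in candidates(passphrase)):
        problems.append("under %d characters and built from dictionary words"
                        % min_len)
    return problems

def derive_pmk(passphrase, ssid):
    """WPA-PSK pairwise master key: only the passphrase and SSID go in."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(),
                               4096, 32)

if __name__ == "__main__":
    for p in ("HomeNetwork1", "p4ssw0rd!", "kT9#vQ2m-Lx8rZ4pW7cB"):
        print(repr(p), check_passphrase(p) or "accepted")
```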