Cisco's LEAP Authentication Cracked
mtrisk writes "Just a day after Cisco released a security warning about its WLSE access point management tool, a tool to crack wi-fi networks using LEAP authentication has been released, reports Wi-Fi Networking News. The tool, called Asleap and developed by Beyond-Security, actively de-authenticates users, sniffs the network when the user re-authenticates, and performs an offline dictionary attack upon the password."
Not Cisco's week (Score:5, Informative)
Re:Not Cisco's week (Score:5, Informative)
Re:Insight appreciated? (Score:5, Informative)
The easiest way to see if you are affected by this issue is to get the model number of your access point, and go to the Linksys website. See what capabilities your AP has, and if the AP supports the LEAP authentication protocol.
If it does not, you are probably immune to this particular disorder. Beyond that I would say do not manage your AP over the wifi connection without another encryption, and if possible disable login to the AP from the Internet. Beyond that I would recommend getting a good book on WiFi security; some have been reviewed here, though how good they are, I can't really judge.
-Rusty
Re:Insight appreciated? (Score:5, Informative)
Moreso if your router is older and produces the 'weak' packets that programs like Kismet detect (in which case, hundreds of megs becomes hundreds of kilobytes
Re:Insight appreciated? (Score:5, Informative)
This is for Cisco wireless products (their Aironet series for example), not Linksys products. I'm sure they're still pretty separate companies even though Linksys may be a wholly owned subsidiary, i.e. Linksys access points don't run IOS (hell, some run Linux). Plus, your Linksys box wouldn't support LEAP anyway. Now, the problem with you is that 64-bit WEP is already easy to crack with enough data, so it's a thin veil of security, nothing more. Don't rely on it to encrypt your traffic! If you're doing anything that needs encryption then use higher layers like SSL or even IPSEC.
Re:Insight appreciated? (Score:4, Informative)
I haven't seen any Linksys hardware that uses LEAP but I haven't bought or used any since Cisco bought them out -- not out of distrust or dislike of Cisco -- just haven't had the chance or reason to.
I have used LEAP before in the Aironet 350 series AP from Cisco. My hunch says that LEAP is still limited to the Aironet line (Linksys is more targeted at home users while Aironet is for Enterprises) but I could be wrong. In any case I wouldn't call your Linksys AP secure just because it doesn't support LEAP. There are other ways to break WEP/mac address protection that have been discussed here before.
I purposely leave an AP on my home network. I figure it's an easy out if I get busted for downloading mp3s or Windows source code ;)
Re:Insight appreciated? (Score:5, Informative)
Correct; asleap won't crack your network. However, airsnort will.
http://airsnort.shmoo.com/
So far as I'm aware, there hasn't been a link-layer security protocol for wireless made yet that hasn't been cracked. That's why I run ipsec.
This has been in the wild for months (Score:5, Informative)
Re:Yeah but, don't worry. (Score:3, Informative)
Cisco also has IDS software that will detect intrusions and update access lists on the appropriate routers on the fly. I think that qualifies for self securing and defending.
Cisco WLAN AP != LEAP in all cases (Score:4, Informative)
Re:Yeah but, don't worry. (Score:3, Informative)
Re:Does the US government want insecure WiFi? (Score:3, Informative)
On the Chinese front, you're way off base. The problem is that the Chinese government requires that foreign companies provide their intellectual property (chip designs, etc.) to one of a dozen Chinese firms that are licensed to create WAPI. So it's not a matter of just adding code to firmware, in which case it might be Yet Another Redundant Standard. Instead, the Chinese government is requiring that non-Chinese firms essentially give away their technological advances.
Offline Dictionary Attacks (Score:1, Informative)
WPA-PSK at risk in similar circumstances (Score:5, Informative)
But remember that this problem isn't limited to LEAP. As Robert Moskowitz of ICSA Labs wrote last November, poor WPA preshared key passphrase choice can allow WPA keys to be cracked [wifinetnews.com]. WPA (Wi-Fi Protected Access) is a fix to WEP that involves dramatically more complexity and sophistication in deriving per-packet keys.
However, if you choose a dictionary-crackable passphrase of under 20 characters in WPA, you hit the same problem as LEAP: a cracker can trigger a deauthentication, capture the reauthentication in less than a minute, and then crack at their leisure.
WPA-PSK will probably only be used in home and small office networks, where passphrases may be poorly chosen. I have spoken to manufacturers about changing the presentation layer: don't let users pick bad passwords. So far, to no avail. Not even a recommendation from the Wi-Fi Alliance.
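As an added example (not from the post above or from any vendor's code), the Python below shows the two points the post makes: the standard WPA-PSK key derivation, in which the passphrase and SSID are the only inputs, so a captured handshake can be checked against guesses offline, and a passphrase policy a product's setup screen could enforce instead of letting users pick bad passwords. The 20-character floor follows the post; COMMON_WORDS is a constructed stand-in for a real wordlist.

```python
import hashlib
import re

# Constructed mini wordlist standing in for a cracker's dictionary (assumption).
COMMON_WORDS = {"password", "letmein", "wireless", "linksys", "cisco", "internet"}


def wpa_psk_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK as 802.11i defines it for WPA-PSK: PBKDF2-HMAC-SHA1, 4096 rounds, 32 bytes.

    Only the passphrase and the (broadcast) SSID go in, so the passphrase is the
    sole secret; a weak one is recoverable offline from one captured handshake.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def passphrase_problems(passphrase: str, min_len: int = 20) -> list:
    """Return reasons to reject a candidate WPA-PSK passphrase; empty list means OK.

    min_len=20 follows the post; the 8..63 printable-ASCII range is the standard's.
    """
    problems = []
    if not 8 <= len(passphrase) <= 63 or not all(32 <= ord(c) <= 126 for c in passphrase):
        problems.append("must be 8-63 printable ASCII characters")
    if len(passphrase) < min_len:
        problems.append("shorter than %d characters" % min_len)
    # Normalise the way a wordlist attack would: lowercase, drop a trailing
    # run of digits/punctuation, then compare against the dictionary.
    core = re.sub(r"[\d\W_]+$", "", passphrase.lower())
    if core in COMMON_WORDS:
        problems.append("dictionary word with trivial suffix")
    if len(set(passphrase.lower())) <= 3:
        problems.append("too few distinct characters")
    return problems


if __name__ == "__main__":
    for candidate in ("password1", "correct horse battery staple 2004"):
        print(repr(candidate), passphrase_problems(candidate) or "acceptable")
```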
Re:Insight appreciated? (Score:2, Informative)
The vulnerability is if you use 802.1X authentication with the LEAP protocol.
The Access Point doesn't have a security flaw in it, the LEAP protocol does. If you have a Radius server that is configured to do LEAP and you have a wireless supplicant that supports LEAP and a wireless card that works with that supplicant, then you can do LEAP.
It used to only be the Cisco cards that could do LEAP, but I've noticed that changing lately.
But, you have a 64 bit WEP network, probably not doing 802.1x. I'd worry about that. And the thing is, that's worse than having a network secured with the security-flawed LEAP protocol. You have no authentication and probably no key rotation going on. WEP is known to be horribly flawed. With LEAP you at least have authentication (although proven to be crackable by an offline dictionary attack) and WEP key rotation.
At least try and upgrade to WPA-PSK, with TKIP or AES. WPA w/Radius and TKIP or AES is preferred though. Some people say to use VPN's instead. I don't like that idea much... but that's just me, it seems to work great for some people.
Always on the ball (Score:5, Informative)
The limiting factor is how fast your attack machine can read your pre-computed dictionaries off the disk.
- RustyTaco
Re:Not Cisco's week (Score:4, Informative)
Re:Not quite a crack (Score:3, Informative)
Re:Need to move to PEAP ASAP (Score:2, Informative)
I have seen a lot of half-truths in responses here.
PEAP is not an open standard. But there are Linux clients available for PEAP. Meetinghouse sells one, for example.
Cisco and Microsoft competed for different PEAP standards, while Funk Software competed with PEAP using a EAP-TTLS standard.
PEAP (protected EAP) is supposed to be the successor for LEAP (light EAP), which may explain why Cisco has not released any type of update for LEAP yet.
Also, Cisco is releasing an EAP-FAST to help with secure hand-offs with their 7290 wifi phones.
All variants of EAP (Extensible Authentication Protocol) were designed to create an encrypted authentication using the IEEE 802.1x standard.