[ISN] Expert releases Cisco wireless hacking tool

InfoSec News isn at c4i.org
Fri Apr 9 04:08:43 EDT 2004


http://www.computerworld.com/securitytopics/security/story/0,10801,92049,00.html

News Story by Paul Roberts
APRIL 08, 2004
IDG NEWS SERVICE

One day after it disclosed a security vulnerability in a wireless
networking product, Cisco Systems Inc. must contend with a new threat
-- the long-promised release of a hacking tool that targets wireless
networks running its LEAP wireless authentication protocol.

The tool, called Asleap, allows users to scan the wireless network
broadcast spectrum for networks using LEAP (Lightweight Extensible
Authentication Protocol), capture wireless network traffic and crack
user passwords, according to a message posted to the Bugtraq online
security discussion group yesterday.

Cisco didn't immediately respond to requests for comment.

The tool was designed to compromise WLANs using LEAP with so-called
dictionary attacks that exploit weakly protected passwords, according
to the message, which purports to be from Joshua Wright, a network
engineer at Johnson & Wales University in Providence, R.I. Wright made
headlines last year after he publicized the password vulnerability in
LEAP (see story).

A demonstration of the Asleap tool in August at the DEFCON security
conference prompted Cisco to issue a bulletin to customers warning of
LEAP's vulnerability to dictionary attacks.

The tool uses off-line dictionary attacks to break LEAP passwords. In
such attacks, malicious users must capture WLAN traffic in which
legitimate users try to access the network. Next, the attacker
analyzes that traffic off-line and tries to guess the password by
testing long lists of possible values from a "dictionary" of terms,
eventually "guessing" the correct value.

Wright's tool makes it easy to capture the required log-in traffic by
allowing attackers to spot WLANs using LEAP and then deauthenticate
users on the WLAN, forcing them to reconnect and re-enter their user
name and password. That makes capturing the wireless traffic with
hidden password information easy, Wright said.

The tool also allows attackers to scour large dictionaries of terms,
comparing approximately 45 million possible values per second to the
captured authentication traffic to guess the password and break LEAP's
security, he said.

After sending a copy of the tool to Cisco in August, Wright agreed to
wait for the company to find a more secure replacement for the
protocol before releasing his tool to the public. In February, Cisco
unveiled a new WLAN security protocol designed to stop dictionary
attacks called Extensible Authentication Protocol-Flexible
Authentication via Secure Tunneling (EAP-FAST) (see story).

In his latest message, Wright said he was releasing the tool to the
public to help LEAP users "evaluate the risks of using LEAP as a
mechanism to protect the security of wireless networks." Wright also
posted a link to a Web page where interested parties can download both
Linux and Windows versions of Asleap.

Wright said he publicized the vulnerabilities in LEAP because he
believed that Cisco encouraged customers to use its proprietary LEAP
protocol over more secure mechanisms such as the Protected Extensible
Authentication Protocol because "it made more money for them."

In February, Cisco submitted a draft version of EAP-FAST to the
Internet Engineering Task Force for inclusion in the upcoming 802.1x
WLAN security standard. The company has also built native support for
EAP-FAST into many of its Aironet wireless access points and promised
versions of its network client devices, such as wireless networking
cards, that support the protocol in the first quarter of 2004.

Cisco couldn't immediately confirm availability of Aironet clients
supporting EAP-FAST.





More information about the ISN mailing list