LEAP Cracking Tool Released
April 09, 2004
Cisco sends warning: asleap, a tool for cracking 802.1X systems using their proprietary LEAP protocol, is now available.
knew it was coming and this week it has finally arrived: a hacking tool for performing
dictionary attacks on 802.1X systems using Cisco's LEAP protocol is now available.
LEAP, short for Lightweight EAP, is one of many Extensible Authentication Protocol (EAP) used to relay port access requests between clients, switches, access points and RADIUS servers on wired and wireless systems using 802.1X for authentication. LEAP is owned by Cisco, so vendors who want to use it must pay a licensing fee -- and many vendors have done so. But last year it was reported to Cisco that LEAP was vulnerable to hackers "dictionary attack" <DEFINE: dictionary attack>, wherein weak passwords -- words that can be easily found in the dictionary -- can be easily pilfered.
The released hacking tool, called asleap, runs on Linux and makes it simple for hackers to go scan the network. According to a post a Bugtraq at Insecure.org, the tool was written in August of 2003 by network engineer Joshua Wright, who demonstrated it that month at the DEFCON conference. He said using the tool he "was able to search through large dictionary files very quickly for user passwords (~45 million passwords per second on meager hardware.)"Wright didn't immediately release asleap, but instead informed Cisco. The company asked him to wait a few months before making it publicly available, giving Cisco time to create EAP-FAST.
EAP-Fast (Flexible Authentication via Secure Tunneling) is not a fix for LEAP, but a whole new protocol. It doesn't use certificates and Cisco is making the specification available without licensing fees. FAST will also be part of future versions of Cisco Compatible Extensions (CCX), the set of specifications Cisco wants vendors from chip makers to laptop manufacturers to build into their Wi-Fi products. CCX is meant to ensure Wi-Fi products will work seamlessly with the Cisco infrastructure products.
As of this week, Wright has released the source code for asleap version 1.0, and included a port to the Win32 platform. In his post at Bugtraq, Wright says "I encourage LEAP users to install and use asleap to evaluate the risks of using LEAP as a mechanism to protect the security of wireless networks."
He adds at the SourceForge.net site: "I'm releasing asleap now to motivate the non-believers into moving away from LEAP."
The release of Asleap comes on the heels of another vulnerability in Cisco wireless products, which the company notified customers about this week. Default user names and passwords that are "hardwired" into the Cisco Wireless LAN Solution Engine make some products vulnerable to anyone who wants to log on. Cisco says it found the flaw itself and doesn't know of anyone using it in real-world networks. A software release is available to fix the problem.