A LEAP vulnerability assessment tool has been released: "The THC LEAP Cracker Tool suite contains tools to break the NTChallengeResponse encryption technique e.g. used by Cisco Wireless LEAP Authentication. Also tools for spoofing challenge-packets from Access Points are included, so you are able to perform dictionary attacks against all users."
Some good information in LEAP-attack.pdf is included with the source code.
http://www.thc.org/releases.php

On Tue, 14 Oct 2003, Frank Keeney wrote:

> fyi
>
> Detail Page
>
> TRACKING ID            2003-10-027
> SUBMITTAL TYPE         Vulnerability
> SEVERITY               Normal
> RISK                   3 (Normal: 0-7 Urgent: 8-9 Critical: 10)
> INDUSTRY TYPE
> DATE/TIME REPORTED     10/09/2003 21:24:04 GMT
> EVENT SUBJECT          CISCO LEAP Dictionary Attack
>
> EVENT SUMMARY
> CISCO's Light Extensible Authentication Protocol (LEAP) is vulnerable to
> remote dictionary attacks. The LEAP authentication protocol is used for a
> Remote Authentication Dial-in User Service (RADIUS) server. It is designed
> to provide better security than WEP.
>
> EVENT DESCRIPTION
> The exploit takes advantage of new methods of reducing the complexity of a
> dictionary attack. LEAP is based on the flawed MS-CHAPv2 protocol, which is
> easier to crack than other authentication protocols. This attack was
> presented at DEFCON 11 last August. The exploit itself was published
> October 3.
>
> Vulnerability previously reported in the SAFE Architecture White Paper on
> Wireless LAN Security, section "Standard EAP with TKIP WLAN" (December 2001):
>
> http://www.cisco.com/application/pdf/en/us/guest/netsol/ns314/c654/ccmigration_09186a008009c8b3.pdf
>
> References:
> http://www.cisco.com/warp/public/707/cisco-sn-20030802-leap.shtml
> http://securitytracker.com/alerts/2003/Aug/1007370.html
>
> Risk Explanation: An exploit has been published that brute forces
> Microsoft's Active Directory authentication used in conjunction with the
> Cisco LEAP authentication on Cisco wireless access points. Cisco has
> provided mitigation procedures, and strong password policies will make this
> attack more difficult.
>
> HOW DETECTED           ISAC Advisory
> CATEGORIES
> RECOMMENDATIONS
> Vendor recommends implementing procedures documented in the 802.11 Wireless
> LAN Security White Paper, Section 5.2, Cisco LEAP Deployment:
>
> http://www.cisco.com/en/US/netsol/ns110/ns175/ns176/ns178/networking_solutions_white_paper09186a00800b469f.shtml
>
> 1. Review organization's security policies, specifically password and
>    account management policies.
> 2. Implement strong passwords and password expiration requirements.
>
> CORRECTIVE ACTION
> http://www.cisco.com/warp/public/707/cisco-sn-20030802-leap.shtml
>
> LESSONS LEARNED
>
> HARDWARE
> OPERATING SYSTEMS      IOS
> PLATFORMS              Miscellaneous
> APPLICATIONS
> IMPACT ON IT           Remote user gains system access
