Look Before You LEAP

One of the highlights of the first-ever Unstrung Live conference in New York today was the demonstration -- by a real, live hacker (albeit one on the side of the angels) -- of just how easy it is to break into Cisco Systems Inc.'s (Nasdaq: CSCO) proprietary Lightweight Extensible Authentication Protocol (LEAP) wireless LAN security mechanism and gain unauthorized access to supposedly secure 802.11 networks.

Joshua Wright, an information security architect (who humorously referred to himself as a hacker several times during the presentation) from Johnson & Wales University in Providence, demonstrated -- to an audience of around 200 people -- a tool he has developed to exploit flaws in the LEAP technology.

"I call it ‘Asleep’ -- as in asleep at the wheel," Wright quipped.

This kind of hack involves the use of two applications. The first is Kismet, a passive wireless LAN sniffer for Linux that fills roughly the role Netstumbler plays on Windows (Kismet only listens, where Netstumbler sends probe requests). Wright uses it to find Cisco access points broadcasting in the area.

After locating his prey, it's time to bring out the big gun: asleap (pronounced "asleep"). The tool exploits the challenge/response exchange a Cisco access point uses to authenticate a client joining the wireless network. The challenge and the client's response cross the air unencrypted, so a passive listener who captures a single login has everything needed to test password guesses offline, without sending another packet to the access point. "Challenge/response leaks information about the network," Wright bluntly notes.

That captured exchange lets a tooled-up hacker run a so-called "dictionary attack" against LEAP: each candidate word is turned into the response it would have produced and compared with the one sniffed from the air, so no lockout policy ever fires. Wright showed two data feeds in which he ran massive lists of words -- and even numbers -- against the Maginot Line of the Cisco defenses. In minutes, even seconds, asleap had found the passwords it needed to gain access to the network.

After compromising the wireless LAN, Wright says, a hacker can often leap onto other parts of a network, because a user may well have the same password to access various directories and applications.

Wright says he informed Cisco about the flaw in LEAP several months ago. In response, the firm issued a brief warning on its website and asked for more time before he released the tool to the public. Wright now says the tool will be generally available in a couple of months.

"They've known about this for years -- and that's what really bothers me -- [that] I had to go and point it out to them," Wright says.

— Dan Jones, Senior Editor, Unstrung

jdelaney44 12/5/2012 | 2:26:35 AM
re: Look Before You LEAP I agree 120% that stronger passwords need to be enforced. But this needs to be tempered with reality. We already subject end users to a ridiculous level of complexity. It's the ultimate piss off to make it hard for someone to get to their information. Remember, these systems are not ours. They belong to the end users. Us IT types are too arrogant about the fact that we have the keys to the car when someone else has the pink slip.
rwever 12/4/2012 | 11:22:16 PM
re: Look Before You LEAP I am sure we'd all like to keep an eye on this tool. Could there already exist a little more description of the vulnerability? So far, this sounds like nothing more than a weakness in the passwords themselves, whose risk admins can reduce by using (and forcing their users to use) strong passwords not typically found by dictionary attacks.
I also suppose Cisco development could use the approach of revoking access to specific possible attackers (by MAC address perhaps) who tried more than a (customizable) number of wrong passwords?
Chalke 12/4/2012 | 11:22:07 PM
re: Look Before You LEAP Since this was a dictionary attack, couldn't it have just been prevented with better passwords?
mteeple 12/4/2012 | 11:21:56 PM
re: Look Before You LEAP Naturally an informed security expert knows hacking techniques, but that does not make them a hacker per se.
An ethical security expert informs the vendor involved, and the security alert centers, but does not release the hacking code to the public.
Mr Wright showed me the general nature of the AsLEAP attack a few months ago, and noted that it had been hard to get Cisco's attention regarding the problem.
Cisco's response, if you can even find it on their web site is merely an admonishment to use strong passwords!
And, in case anybody should try to diminish the severity of the risk (and in answer to a post yesterday that subsequently vanished) it is not necessary to make multiple logon attempts to the victim system: Capturing one logon transaction, due to the weak algorithms involved, allows two bytes of the password to be cracked by brute force in a few seconds, and the rest of the hashed password compared to a large dictionary in about 20 more seconds. The slightest weakness in a password used on a busy system yields an entree :(
jjared 12/4/2012 | 11:21:37 PM
re: Look Before You LEAP I have been told that this was done offline. Is this true? If so does that mean you can capture traffic during an authentication attempt and then use the dictionary attack offline to get the username/password and therefore bypass any password policy that would disable an account after a number of failed login attempts?
mpmartin 12/4/2012 | 11:21:15 PM
re: Look Before You LEAP The problem here isn't really that passwords are poor (which can be a problem anywhere passwords are used) but that it is easy to tell when and where passwords are sent. Discovering stored password hashes on an OS is one thing, but a secure network protocol should completely obscure the authentication process, making it impossible to even tell where the hash occurs in the data stream. If this tool can pull encrypted passwords out of the ether and attack them at leisure, this is a serious problem.
spc_burn00501 12/4/2012 | 11:20:24 PM
re: Look Before You LEAP This is exactly what happens. It pulls the authentication out of the datastream, then uses an offline attack to crack the password.

Stronger passwords would certainly help, but being able to see the authentication in the data stream is certainly a security issue.
WizzKid 12/4/2012 | 11:20:17 PM
re: Look Before You LEAP There are no security measures against dumb selection of passwords. Exhaustive search attacks can be made enormously difficult with the use of a 1024-bit (or more non-repeating/random) nonce, and using SHA-1 instead of MD5-based keyed MACs, but if even a small percentage of admins are DUMB enough to use dictionary words as passwords, it takes a small effort to build the list of SHA-1 hashes of all dictionary words offline, capture the LEAP (or any other auth) packets, encrypt the nonce and compare them, to beat any "well-designed" security system.

The Solution -
It should be "Mandatory" to select Mixed Case Alpha-Numeric passwords, and use of punctuation characters should always be "Recommended", otherwise strong cryptography cannot take you any further in protecting your network assets from Hackers.

--- WizzKid.
