Expert releases Cisco wireless hacking tool

IDG News Service - One day after it disclosed a security vulnerability in a wireless networking product (see story), Cisco Systems Inc. must contend with a new threat -- the long-promised release of a hacking tool that targets wireless networks running its LEAP wireless authentication protocol.
The tool, called Asleap, allows users to scan the wireless network broadcast spectrum for networks using LEAP (Lightweight Extensible Authentication Protocol), capture wireless network traffic and crack user passwords, according to a message posted to the Bugtraq online security discussion group yesterday.
Cisco didn't immediately respond to requests for comment.
The tool was designed to compromise WLANs using LEAP with so-called dictionary attacks that exploit weakly protected passwords, according to the message, which purports to be from Joshua Wright, a network engineer at Johnson & Wales University in Providence, R.I. Wright made headlines last year after he publicized the password vulnerability in LEAP (see story).
A demonstration of the Asleap tool in August at the DEFCON security conference prompted Cisco to issue a bulletin to customers warning of LEAP's vulnerability to dictionary attacks.
The tool uses off-line dictionary attacks to break LEAP passwords. In such attacks, malicious users must capture WLAN traffic in which legitimate users try to access the network. Next, the attacker analyzes that traffic off-line and tries to guess the password by testing long lists of possible values from a "dictionary" of terms, eventually "guessing" the correct value.
Wright's tool makes it easy to capture the required log-in traffic by allowing attackers to spot WLANs using LEAP and then deauthenticate users on the WLAN, forcing them to reconnect and re-enter their user name and password. That makes capturing the wireless traffic with hidden password information easy, Wright said.
The tool also allows attackers to scour large dictionaries of terms, comparing approximately 45 million possible values per second to the captured authentication traffic to guess the password and break LEAP's security, he said.
After sending a copy of the tool to Cisco in August, Wright agreed to wait for the company to find a more secure replacement for the protocol before releasing his tool to the public. In February, Cisco unveiled a new WLAN security protocol designed to stop dictionary attacks called Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST) (see story).
In his latest message, Wright said he was releasing the tool to the public to help LEAP users "evaluate the risks of using LEAP as a mechanism to protect the security of wireless networks." Wright also posted a link to a Web page where

Reprinted with permission from

IDG.net
Story copyright 2009 International Data Group. All rights reserved.