Expert releases Cisco wireless hacking tool

IDG News Service - One day after it disclosed a security vulnerability in a wireless networking product (see story), Cisco Systems Inc. must contend with a new threat -- the long-promised release of a hacking tool that targets wireless networks running its LEAP wireless authentication protocol.
The tool, called Asleap, allows users to scan the wireless network broadcast spectrum for networks using LEAP (Lightweight Extensible Authentication Protocol), capture wireless network traffic and crack user passwords, according to a message posted to the Bugtraq online security discussion group yesterday.
Cisco didn't immediately respond to requests for comment.
The tool was designed to compromise WLANs using LEAP with so-called dictionary attacks that exploit weakly protected passwords, according to the message, which purports to be from Joshua Wright, a network engineer at Johnson & Wales University in Providence, R.I. Wright made headlines last year after he publicized the password vulnerability in LEAP (see story).
A demonstration of the Asleap tool in August at the DEFCON security conference prompted Cisco to issue a bulletin to customers warning of LEAP's vulnerability to dictionary attacks.
The tool uses off-line dictionary attacks to break LEAP passwords. In such attacks, malicious users must capture WLAN traffic in which legitimate users try to access the network. Next, the attacker analyzes that traffic off-line and tries to guess the password by testing long lists of possible values from a "dictionary" of terms, eventually "guessing" the correct value.
Wright's tool makes it easy to capture the required log-in traffic by allowing attackers to spot WLANs using LEAP and then deauthenticate users on the WLAN, forcing them to reconnect and re-enter their user name and password. That makes capturing the wireless traffic with hidden password information easy, Wright said.
The tool also allows attackers to scour large dictionaries of terms, comparing approximately 45 million possible values per second to the captured authentication traffic to guess the password and break LEAP's security, he said.
After sending a copy of the tool to Cisco in August, Wright agreed to wait for the company to find a more secure replacement for the protocol before releasing his tool to the public. In February, Cisco unveiled a new WLAN security protocol designed to stop dictionary attacks called Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST) (see story).
In his latest message, Wright said he was releasing the tool to the public to help LEAP users "evaluate the risks of using LEAP as a mechanism to protect the security of wireless networks." Wright also posted a link to a Web page where interestedparties can download both Linux and Windows versions of Asleap.
Wright said he publicized the vulnerabilities in LEAP because he believed that Cisco encouraged customers to use its proprietary LEAP protocol over more secure mechanisms such as the Protected Extensible Authentication Protocol because "it made more money for them."
In February, Cisco submitted a draft version of EAP-FAST to the Internet Engineering Task Force for inclusion in the upcoming 802.1x WLAN security standard. The company has also built native support for EAP-FAST into many of its Aironet wireless access points and promised versions of its network client devices, such as wireless networking cards, that support the protocol in the first quarter of 2004.
Cisco couldn't immediately confirm availability of Aironet clients supporting EAP-FAST.

Reprinted with permission from

IDG.net
Story copyright 2009 International Data Group. All rights reserved.