Date: 8 Apr 2004 08:00:08 +0200
From: SecuriTeam <support@securiteam.com.>
To: [email protected]Subject: [TOOL] Asleap - Cisco Attack Tool
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Asleap - Cisco Attack Tool
------------------------------------------------------------------------
SUMMARY
DETAILS
In August 2003, Joshua wrote a tool called asleap for Linux systems to
exploit a weakness in the Cisco LEAP authentication protocol. Using this
tool, an attacker can actively compromise Cisco LEAP networks by mounting
an offline dictionary attack against weak user passwords. In his testing,
Joshua was able to search through large dictionary files very quickly for
user passwords (~45 million passwords per second on meager hardware).
A quick summary of asleap features are as follows:
+ Can read live from any wireless interface in RFMON mode with libpcap.
+ Can monitor a single channel, or perform channel hopping to look for
target networks running LEAP.
+ Will actively de-authenticate users on LEAP networks, forcing them to
re-authenticate. This makes the capture of LEAP passwords very fast.
+ Will only de-authenticate users who have not already been seen, doesn't
waste time on users who are not running LEAP.
+ Can read from stored libpcap files, or AiroPeek NX files (1.X or 2.X
files).
+ Uses a dynamic database table and index to make lookups on large files
very fast. Reduces the worst-case search time to .0015% as opposed to
lookups in a flat file.
+ Can write *just* the LEAP exchange information to a libpcap file. This
could be used to capture LEAP credentials with a device short on disk
space (like an iPaq), and then process the LEAP credentials stored in the
libpcap file on a system with more storage resources to mount the
dictionary attack.
Upon advising the Cisco PSIRT team, Joshua was asked to wait for six
months until February 2004 before making the tool publicly available. In
the end of January 2004, Cisco PSIRT asked me to wait another few months
while they finished testing the EAP-FAST protocol, the designated
replacement for the flawed LEAP protocol.
After working out a release date with Cisco, Joshua is making the source
for asleap v1.0 available including a partial-functionality Win32 port.
Joshua encourages LEAP users to install and use asleap to evaluate the
risks of using LEAP as a mechanism to protect the security of wireless
networks.
Windows users can use third-party wireless sniffer tools including
AiroPeek NX to capture the LEAP authentication exchange to test the
security of LEAP user passwords.
ADDITIONAL INFORMATION
The information has been provided by <mailto:jwright@hasborg.com.> Joshua
Wright.
The source and Win32 binary distribution are available at:
<http://asleap.sourceforge.net>; http://asleap.sourceforge.net
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: [email protected]
In order to subscribe to the mailing list, simply forward this email to: [email protected]
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
