[ISN] Expert releases Cisco wireless hacking tool

From: InfoSec News (isn@private)
Date: Fri Apr 09 2004 - 01:08:43 PDT

  • Next message: InfoSec News: "[ISN] Tracking the Blackout bug"

    http://www.computerworld.com/securitytopics/security/story/0,10801,92049,00.html
    
    News Story by Paul Roberts
    APRIL 08, 2004
    IDG NEWS SERVICE
    
    One day after it disclosed a security vulnerability in a wireless
    networking product, Cisco Systems Inc. must contend with a new threat
    -- the long-promised release of a hacking tool that targets wireless
    networks running its LEAP wireless authentication protocol.
    
    The tool, called Asleap, allows users to scan the wireless network
    broadcast spectrum for networks using LEAP (Lightweight Extensible
    Authentication Protocol), capture wireless network traffic and crack
    user passwords, according to a message posted to the Bugtraq online
    security discussion group yesterday.
    
    Cisco didn't immediately respond to requests for comment.
    
    The tool was designed to compromise WLANs using LEAP with so-called
    dictionary attacks that exploit weakly protected passwords, according
    to the message, which purports to be from Joshua Wright, a network
    engineer at Johnson & Wales University in Providence, R.I. Wright made
    headlines last year after he publicized the password vulnerability in
    LEAP (see story).
    
    A demonstration of the Asleap tool in August at the DEFCON security
    conference prompted Cisco to issue a bulletin to customers warning of
    LEAP's vulnerability to dictionary attacks.
    
    The tool uses off-line dictionary attacks to break LEAP passwords. In
    such attacks, malicious users must capture WLAN traffic in which
    legitimate users try to access the network. Next, the attacker
    analyzes that traffic off-line and tries to guess the password by
    testing long lists of possible values from a "dictionary" of terms,
    eventually "guessing" the correct value.
    
    Wright's tool makes it easy to capture the required log-in traffic by
    allowing attackers to spot WLANs using LEAP and then deauthenticate
    users on the WLAN, forcing them to reconnect and re-enter their user
    name and password. That makes capturing the wireless traffic with
    hidden password information easy, Wright said.
    
    The tool also allows attackers to scour large dictionaries of terms,
    comparing approximately 45 million possible values per second to the
    captured authentication traffic to guess the password and break LEAP's
    security, he said.
    
    After sending a copy of the tool to Cisco in August, Wright agreed to
    wait for the company to find a more secure replacement for the
    protocol before releasing his tool to the public. In February, Cisco
    unveiled a new WLAN security protocol designed to stop dictionary
    attacks called Extensible Authentication Protocol-Flexible
    Authentication via Secure Tunneling (EAP-FAST) (see story).
    
    In his latest message, Wright said he was releasing the tool to the
    public to help LEAP users "evaluate the risks of using LEAP as a
    mechanism to protect the security of wireless networks." Wright also
    posted a link to a Web page where interested parties can download both
    Linux and Windows versions of Asleap.
    
    Wright said he publicized the vulnerabilities in LEAP because he
    believed that Cisco encouraged customers to use its proprietary LEAP
    protocol over more secure mechanisms such as the Protected Extensible
    Authentication Protocol because "it made more money for them."
    
    In February, Cisco submitted a draft version of EAP-FAST to the
    Internet Engineering Task Force for inclusion in the upcoming 802.1x
    WLAN security standard. The company has also built native support for
    EAP-FAST into many of its Aironet wireless access points and promised
    versions of its network client devices, such as wireless networking
    cards, that support the protocol in the first quarter of 2004.
    
    Cisco couldn't immediately confirm availability of Aironet clients
    supporting EAP-FAST.
    
    
    
    _________________________________________
    ISN mailing list
    Sponsored by: OSVDB.org
    



    This archive was generated by hypermail 2b30 : Fri Apr 09 2004 - 03:18:32 PDT