
Cisco LEAP Vulnerabilities + Cisco's Response


  • Cisco LEAP Vulnerabilities + Cisco's Response

    This is old news, as far as the brute force attack on LEAP is concerned.

    Joshua Wright demonstrated this at Defcon; however until recently code was not made publicly available.

    Code was posted to bugtraq, that allows you to bruteforce LEAP.

    The unique thing is that you need only match the last 2 bytes of the hash. This makes bruteforcing very easy.

    Anyways, I spoke with some Cisco reps about this, because we own a couple of 1200s and want to throw them out to the mass public. Originally we planned on using LEAP; however, now it looks like we need to use EAP + PKI + RADIUS or something else.

    Cisco plans on releasing a firmware update to address these issues (with the weak password hash) in March. In the meantime, anybody using LEAP has their digital fly unzipped.

    If you depend on LEAP for security, be VERY VERY cautious.

    In a recent security audit that I did against our 1200 using LEAP, it took all of 6 minutes to capture a challenge/response and crack it against a 10MB dictionary file.

    (after tons of research, and getting it to work right =p)

    I'm interested in anybody else's take, experiences, opinions on this matter. I think that it's pretty shitty that tons of companies depend on LEAP, and that a fix won't be available for months.


  • #2
    The funny thing is, Cisco (at least in the city where I was working) was distancing themselves from LEAP last year. You couldn't find anything official online, or in writing, but their reps basically said LEAP is old news, and they were pushing PEAP.

    At this point, I'd say if you want a reasonably secure WLAN and don't want to deal with an IPSec VPN over WLAN, use PEAP. You don't need much of a PKI (just enough for server certs), the client side is built into Windows as of the latest service packs (for 2000+, at least), and it's supported by Cisco's ACS and Microsoft's IAS.

    Of course, that does you no good if you're a linux/BSD/Mac shop (but then, do the linux aironet drivers support LEAP?).

    Personally, I was more of a fan of TTLS, but I think Funk buggered themselves by charging for the client. It's hard enough to fight Cisco+MS without handicapping yourself.


    • #3
      From what I am hearing, LEAP is actually easier to crack than WEP, somewhat funny for something that is touted as being an "advanced" security option. I am going to try and secure a Cisco AP to test this....damn they're expensive, but Christmas is right around the corner.
      I would like to meet a 1 to keep my 0 company.