Close Panel


802.1x is an IEEE standard for port-based (well, we would rather say interface-based) enduser authentication on LANs. While it supports (and was initially designed for) Ethernet, the main current use of 802.1x is wireless users’ authentication as a part of the wireless security scheme provided by the 802.11i security standard. The 802.1x authentication chain consists of three elements:

  • Supplicant An end-user station, often a laptop, that runs 802.1x client software.
  • Authenticator A switch, a wireless gateway, or an access point to which the authenticating users connect. It must be configured to support 802.1x on the involved interfaces with commands like aaa authentication dot1x default group radius (global configuration) and dot1x port control auto (switch interface).
  • Authentication server A RADIUS server to which authenticators forward end users’ authentication requests for verification and authentication decision.

Cisco Switch


The Extensible Authentication Protocol (EAP) is used by all three 802.1x component devices to communicate with each other. It is extensible since many different EAP types exist for all kinds of authentication plans—for example, employing SIM cards, tokens, certificates, and more traditional passwords. Here we are interested only in Cisco-related protocols and products, thus the security weaknesses of EAP-LEAP are the target of the discussion. EAP-LEAP is a Cisco proprietary protocol, with its implementation code open for supplicant software and RADIUS servers, but not for authenticators. Thus, when using EAP-LEAP, deployment of Catalyst switches or Cisco Aironet access points is necessary. EAP-LEAP is also a very common security protocol, since it appeared in the early days of 802.1x, when its only competitor was EAP-MD5, a first and highly vulnerable EAP version. You can still encounter a lot of wireless LANs using EAP-LEAP when wardriving, and you’ll see companies planning to install new wireless networks with EAP-LEAP–based authentication, despite the development of a more secure Cisco Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST) as well as other, more modern, nonproprietary EAP types. It is remarkable that EAP-LEAP was the first EAP type that started to support generation and distribution of dynamic Wired Equivalent Privacy (WEP) keys, which together with a popularity of Cisco Aironet wireless equipment, promoted the spread of this protocol in wireless networking. Nowadays, dynamic Temporal Key Integrity Protocol (TKIP) keys can be used with EAP-LEAP instead of insecure WEP.EAP-LEAP provides mutual authentication via a shared secret, which is a password known to both connecting user and RADIUS server. Of course, bad passwords can fall to dictionary attacks. In fact, the first tool written for attacking EAP-LEAP was a simple Perl dictionary attack utility called LeapCrack, which is a wrapper for the ancontrol BSD command. However, an easy-to-guess password is a user or administrator’s fault, not the authentication protocol’s fault. If, however, we could deduce at least a part of a password by cryptanalysis, so that a shorter word becomes available for further dictionary or bruteforce attacks, it becomes an entirely different matter. This is exactly the kind of exploitation we are going to discuss here.

EAP-LEAP Cracking

The root of the problem is EAP-LEAP using Microsoft Challenge Handshake Authentication Protocol v2 (MS-CHAPv2) in the clear to authenticate users. Thus, several known MS-CHAPv2 flaws are inherited, including sending plaintext usernames (half of the guesswork gone), weak challenge/response Data Encryption Standard (DES) key selection, and an absence of salt in the stored NT hashes. All these flaws can be exploited to make cracking EAP-LEAP shared keys a much easier task. Let’s have a look at challenge/response process first.In the beginning, the authenticator issues a random 8-bit nonce to the supplicant. Then the supplicant uses a 16-byte MD4 hash of a shared secret to generate three DES keys:

  • NT1 – NT7
  • NT8 – NT14
  • NT15 – NT16 + \0 \0 \0 \0 \0

After that, each produced DES key is employed to encrypt the challenge nonce, generating 8 bytes of output per key; then a 24-byte response is sent back to the authenticator, which then issues a success or failure frame to the supplicant after consulting the RADIUS server.The first problem here is that the third DES key is weak. The five nulls mentioned are present in every challenge/response. This leaves us a DES key size of 16 bits only. Cracking a 16-bit DES knowing the plaintext challenge is easy—in fact, it can be done within a second. This helps to calculate two out of eight MD4 hash bytes; as a result, only six are left. They can be cracked using a dictionary attack against a large prebuilt MD4 hash table. Considering the speed of the MD4 cipher, such a table would not take a lot of time to generate.To summarize, here is an actual attack:

  • Build a large list of MD4-hashed passwords.
  • Sniff out EAP-LEAP challenge/response frames.
  • Obtain challenge, response, and username from the frames.
  • Use the response to calculate the last two bits of the MD hash.
  • Launch the dictionary attack against the remaining six bits of the hash, using the list from Step 1.

A few tools can be used to implement this attack – namely Joshua Wright’s asleap-imp, THC-leapcrack, and leap by DaBubble, Bishop, and Evol. Asleap-imp was the first tool to be described to the general public (at DEFCON 11) and is very mature. Thus, we will center on this particular piece of software here.

Asleap-imp consists of two utilities: Genkeys generates a list of MD4 hashes from a supplied password list. This list is created as a “password ?Tab? hash” table and is useful for dictionary-type attacks against any MD4 password file. The second utility, asleap, implements the practical attack itself in the following way:

  • The data is taken from a wireless interface in the RFMON (radio frequency monitoring) mode or a pcap format dump file, such as Kismet or Ettercap dump:
    arhontus / # ./asleap -D
    arhontus / # ./asleap -i <interface name> -o -t 10 -v
    arhontus# ./asleap -r <pcap dumpfile> -v
  • EAP-LEAP challenge/response frames are flagged out.
  • The last two bits of the MD4 hash are calculated using the third weak DES key.
  • Cracked and remaining bits are compared against the password:hash table generated by genkeys. Found passwords are reported.

Since waiting for legitimate EAP-LEAP logins can take plenty of time, asleap-imp can knock the authenticated wireless users offline by scanning through all 802.11 channels, identifying connected clients, and sending spoofed EAP-LEAP logoff frames to them. This is followed by spoofed deauthentication frames to drop clients from wireless LANs (WLAN) and triggering a new challenge/response exchange. The exchange is dumped as a pcap format file to allow further password cracking on a more powerful machine. An option to specify this “active attack” is -a; AirJack drivers are required for spoofed EAP-LEAP and deauthentication frames injection.

THC-leapcracker is similar in functionality to asleap-imp, but with a few twists. For example, its getleap utility can spoof the access point LEAP response, so the targets are fed the attacker-defined nonce to calculate the challenge response. A possible advantage of this functionality is that the nonce is identical for all wireless users, which means the attacker can use a single precompiled password/hash table for all targets. THC-leapcracker also has its own wordlist generator (wordgen) and a utility to do mass user deauthentication. The main utility of this tool is leap-cracker itself.

THC-leapcracker requires AirJack drivers to run active attacks, and without AirJack being installed, both get-leap and all-deauth tools will not compile.

Both asleap-imp and THC-leapcracker can be used to attack wired switched networks just as well. Obviously, you won’t be able to deauthenticate Ethernet users, but sending EAP-LEAP logoff frames is still a valid option, as well as a variety of efficient DoS attacks on LANs, such as ARP-based ones.

Taken From : Hacking Cisco Network Exposed Book.

Email this author | All posts by | Subscribe to Entries (RSS)


» Comments are closed.