lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <40737106.3010901@hasborg.com>
Date: Tue, 06 Apr 2004 23:09:58 -0400
From: Joshua Wright <jwright@...borg.com>
To: bugtraq@...urityfocus.com
Subject: Release of Cisco Attack tool Asleap


In August 2003, I wrote a tool called asleap for Linux systems to
exploit a weakness in the Cisco LEAP authentication protocol.  Using
this tool, an attacker can actively compromise Cisco LEAP networks
by mounting an offline dictionary attack against weak user
passwords.  In my testing, I was able to search through large
dictionary files very quickly for user passwords (~45 million
passwords per second on meager hardware.)

A quick summary of asleap features are as follows:

+ Can read live from any wireless interface in RFMON mode with
   libpcap.
+ Can monitor a single channel, or perform channel hopping to look
   for target networks running LEAP.
+ Will actively deauthenticate users on LEAP networks, forcing them
   to reauthenticate.  This makes the capture of LEAP passwords very
   fast.
+ Will only deauth users who have not already been seen, doesn't
   waste time on users who are not running LEAP.
+ Can read from stored libpcap files, or AiroPeek NX files (1.X or
   2.X files).
+ Uses a dynamic database table and index to make lookups on large
   files very fast.  Reduces the worst-case search time to .0015% as
   opposed to lookups in a flat file.
+ Can write *just* the LEAP exchange information to a libpcap file.
   This could be used to capture LEAP credentials with a device short
   on disk space (like an iPaq), and then process the LEAP
   credentials stored in the libpcap file on a system with more
   storage resources to mount the dictionary attack.

Upon advising the Cisco PSIRT team, I was asked to wait for six
months until February 2004 before making the tool publicly
available.  In the end of January 2004, Cisco PSIRT asked me to wait
another few months while they finished testing the EAP-FAST
protocol, the designated replacement for the flawed LEAP protocol.

After working out a release date with Cisco, I am making the source
for asleap v1.0 available including a partial-functionality Win32
port.  I encourage LEAP users to install and use asleap to evaluate
the risks of using LEAP as a mechanism to protect the security of
wireless networks.

Windows users can use third-party wireless sniffer tools including
AiroPeek NX to capture the LEAP authentication exchange to test the
security of LEAP user passwords.

The source and Win32 binary distribution are available at
http://asleap.sourceforge.net, along with documentation and a
user-support mailing list.  I welcome your comments, suggestions or
bug reports.

-Josh
-- 
-Joshua Wright
jwright@...borg.com
http://home.jwu.edu/jwright/

pgpkey: http://home.jwu.edu/jwright/pgpkey.htm
fingerprint: FDA5 12FC F391 3740 E0AE BDB6 8FE2 FC0A D44B 4A73


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ