Expert releases Cisco wireless hacking tool

One day after it disclosed a security vulnerability in a wireless networking product, Cisco Systems must contend with a new threat - the long-promised release of a hacking tool that targets wireless networks running its LEAP wireless authentication protocol.

The tool, called "Asleap," allows users to scan the wireless network broadcast spectrum for networks using LEAP (Lightweight Extensible Authentication Protocol), capture wireless network traffic and crack user passwords, according to a message posted to the Bugtraq online security discussion group on Wednesday.

Cisco did not immediately respond to requests for comment.

The tool was designed to compromise WLANs using LEAP using so-called "dictionary attacks" to exploit weakly protected passwords, according to the message, which purports to be from Joshua Wright, a network engineer at Johnson & Wales University in Providence, Rhode Island. Wright made headlines in August after he publicized the password vulnerability in LEAP.

A demonstration of the Asleap tool in August, 2003, at the DEFCON security conference prompted Cisco to issue a bulletin to customers warning of LEAP's vulnerability to dictionary attacks.

The tool uses "off-line" dictionary attacks to break LEAP passwords. In such attacks, malicious users must capture WLAN traffic in which legitimate users try to access the network. Next, the attacker analyzes that traffic off-line and tries to guess the password by testing long lists of possible values from a "dictionary" of terms, eventually "guessing" the correct value.

Wright's tool makes it easy to capture the required login traffic by allowing attackers to spot WLANs using LEAP and then deauthenticate users on the WLAN, forcing them to reconnect and re-enter their user name and password. That makes capturing the wireless traffic with hidden password information easy, Wright said.

The tool also allows attackers to scour large dictionaries of terms, comparing approximately 45 million possible values per second to the captured authentication traffic to guess the password and break LEAP's security, he said.

After sending a copy of the tool to Cisco in August, 2003, Wright agreed to wait for the San Jose, California, company to find a more secure replacement for the protocol before releasing his tool to the public. In February, Cisco unveiled a new wireless LAN security protocol designed to stop dictionary attacks called Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST).

In his latest message, Wright said he was releasing the tool to the public to help LEAP users "evaluate the risks of using LEAP as a mechanism to protect the security of wireless networks." Wright also posted a link to a Web page where interested parties can download both Linux and Windows versions of Asleap.

Wright said he publicized the vulnerabilities in LEAP because he believed that Cisco encouraged customers to use its proprietary LEAP protocol over more secure mechanisms such as PEAP (Protected Extensible Authentication Protocol ) because "it made more money for them."

In February, Cisco submitted a draft version of EAP-FAST to the Internet Engineering Task Force (IETF) for inclusion in the upcoming 802.1x WLAN security standard. The company has also built native support for EAP-FAST into many of its Aironet wireless access points and promised versions of its network client devices, such as wireless networking cards, that support the protocol in the first quarter of 2004.

Cisco could not immediately confirm availability of Aironet clients supporting EAP-FAST.