Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Cisco :: bt1277.txt

Weaknesses in LEAP Challenge/Response

Hash: SHA1

In August 2003, I sent a tool I had written to the Cisco PSIRT team
that exploited weaknesses in the LEAP challenge/response
authentication mechanism.  This tool leveraged large password lists
to efficiently launch offline dictionary attacks against LEAP user
accounts, collected through passive sniffing or active
disassociate/reassociate techniques.

The Cisco LEAP challenge/response mechanism is just a modified
version of MS-CHAPv2, as documented on the website [1].=20
The MS-CHAPv2 protocol is known to be weak, as documented in many

My concern when learning about the architecture of the LEAP protocol
was that Cisco was continuing to push LEAP to customers in their CCX
program as a way to gain market share, over stronger wireless
authentication protocols such as PEAP and TTLS.  After presenting
this information at the Defcon 11 conference [2], Cisco released a
PSIRT notice that referenced their internal documentation, making
customers aware that LEAP was vulnerable to dictionary attacks [3].=20
This notice was very subtle, and despite my asking Cisco to reword
the notice to include stronger language that would prompt people who
are using LEAP to take the flaw seriously, Cisco would not modify the

I am not the first person to identify this weakness, and I know that
other people have written code (that is likely far better than my own
code) to exploit this flaw but have remained quiet while Cisco
prepares an alternate, stronger authentication mechanism for
customers.  In an effort to give Cisco and their customers time to
react to this flaw, I told Cisco I would not release my attack code
for 6 months, starting in August 2003.  I plan to keep this promise,
although it may be moot since other exploit code has been posted to
public forums that exploits the same challenge/response flaw.

Customers using LEAP should be aware that the usernames and password
of their user account are exposed, and should plan for the deployment
of an alternate authentication mechanisms such as PEAP or TTLS.=20
Disabling user accounts after successive failed login attempts will
not help protect against unauthorized access, since this is an
offline attack that can be run at the attacker's leisure.  At a bare
minimum, LEAP users should immediately audit and expire user
passwords that are based on dictionary words, or common derivations.

- -Joshua Wright
Senior Network and Security Architect
Johnson & Wales University

fingerprint: FDA5 12FC F391 3740 E0AE BDB6 8FE2 FC0A D44B 4A73

[1] "802.11 Wireless LAN Security White Paper",
olutions_white_paper09186a00800b469f.shtml (section 5 - "Cisco LEAP

[2] "Weaknesses in LEAP Challenge/Response",

[3] "Dictionary Attack on Cisco LEAP",

Version: PGPfreeware 6.5.8 for non-commercial use <>


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH