The ASLEAP tool was written by Joshua Wright and is designed to crack passwords used by wireless networks secured with Cisco's proprietary LEAP (Lightweight Extensible Authentication Protocol). I had a chance to see a BOF session at SANS San Diego 2007 that was presented by Joshua and it was amazing. He went non-stop for at least an hour on many problems with Bluetooth and even 'toyed' with sending HTML to his phone via Bluetooth to show that it could be vulnerable to an XSS attack.
Anyway, back to ASLEAP... Here are some of the features that ASLEAP has to offer (check out http://asleap.sourceforge.net/ for a complete list, plus PPTP support):
- Recovers weak LEAP passwords (duh).
- Can read live from any wireless interface in RFMON mode.
- Can monitor a single channel, or perform channel hopping to look for targets.
- Will actively deauthenticate users on LEAP networks, forcing them to reauthenticate. This makes the capture of LEAP passwords very fast.
- Will only deauth users who have not already been seen; doesn't waste time on users who are not running LEAP.
- Can read from stored libpcap files, or AiroPeek NX files (1.X or 2.X files).
Here is some information on what LEAP is: LEAP allows for clients to reauthenticate frequently; upon each successful authentication, the clients acquire a new WEP key (with the hope that the WEP keys don't live long enough to be cracked).
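
From the defender's side, the same distinction between LEAP and non-LEAP users can be used to audit your own captures for stations that still negotiate LEAP, by checking the EAP method type in 802.1X (EAPOL) frames (17 is the IANA-assigned type for LEAP). This is an added example, not part of the original post or ASLEAP's code; the function names, MAC addresses and frames are constructed for illustration.

```python
import struct

EAP_TYPE_LEAP = 17          # IANA EAP method type for Cisco LEAP
EAPOL_TYPE_EAP_PACKET = 0   # EAPOL packet type 0 carries an EAP packet
EAP_REQUEST, EAP_RESPONSE = 1, 2

def eap_method(eapol: bytes):
    """Return the EAP method type carried in an EAPOL frame, or None."""
    if len(eapol) < 4:
        return None                      # truncated EAPOL header
    _version, pkt_type, body_len = struct.unpack("!BBH", eapol[:4])
    if pkt_type != EAPOL_TYPE_EAP_PACKET:
        return None                      # EAPOL-Start, EAPOL-Key, ...
    eap = eapol[4:4 + body_len]
    if len(eap) < 5:
        return None                      # Success/Failure have no type byte
    code, _ident, eap_len = struct.unpack("!BBH", eap[:4])
    if code not in (EAP_REQUEST, EAP_RESPONSE) or eap_len < 5:
        return None
    return eap[4]

def stations_using_leap(frames):
    """frames: iterable of (station_mac, eapol_bytes) pairs.
    Returns the sorted MACs of stations seen in a LEAP exchange."""
    return sorted({mac for mac, eapol in frames
                   if eap_method(eapol) == EAP_TYPE_LEAP})

def build(code, ident, method, data=b""):
    """Helper that builds a constructed EAPOL/EAP frame for the sample below."""
    eap = struct.pack("!BBHB", code, ident, 5 + len(data), method) + data
    return struct.pack("!BBH", 1, EAPOL_TYPE_EAP_PACKET, len(eap)) + eap

# Constructed sample traffic (not taken from a real capture).
SAMPLE = [
    ("00:11:22:33:44:55", build(EAP_REQUEST, 1, EAP_TYPE_LEAP, bytes(11) + b"user")),
    ("66:77:88:99:aa:bb", build(EAP_RESPONSE, 7, 25, b"\x00")),      # PEAP
    ("66:77:88:99:aa:bb", struct.pack("!BBH", 1, 1, 0)),             # EAPOL-Start
    ("00:11:22:33:44:55", struct.pack("!BBHBBH", 1, 0, 4, 3, 1, 4)), # EAP-Success
    ("de:ad:be:ef:00:01", b"\x01\x00"),                              # truncated
]

if __name__ == "__main__":
    for mac in stations_using_leap(SAMPLE):
        print(f"{mac} is authenticating with LEAP; migrate it to a stronger EAP method")
```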