"Cisco warned that the LEAP authentication protocol, typically used for RADIUS authentication in wireless devices -- including Cisco Aironet devices, is vulnerable to a classic dictionary attack. A remote user can attempt to guess the shared secret password."
Can someone explain to me how a hacker gains knowledge of the shared secret? I alwasy thought the shared secret was used just between the AP and the RADIUS server to authenticate each other, and not used between the client and the RADIUS server to authenticate each other
To help its customers respond to the possibility of dictionary attacks, Cisco is urging all of its customers to review their security policies and institute the previously published best practices that are outlined below and in Cisco SAFE White Papers:
1. Use a strong password policy (as detailed below) and periodically expire user passwords (recommended at least every three months) giving users advanced warning to change passwords before they expire.
2. If unable to implement a strong password policy, consider migrating to another 802.1X type like PEAP or EAP-TLS whose authentication methods are not susceptible to dictionary attacks:
3. PEAP is a hybrid authentication protocol that creates a secured TLS tunnel between the WLAN user and the RADIUS server to authenticate the user to the network.
4. EAP-TLS uses pre-issued digital certificates to authenticate a user to the network
Note: PEAP and EAP-TLS require certificate and public key infrastructure (PKI) management on both RADIUS servers and WLAN clients. Migration to these EAP types from Cisco LEAP requires careful planning, testing, and execution.
Don't know if this is more FYI info but his question is more geared toward gaining access to shared secret key and when you get it what can you do with it. Not the integrity of users passwords which is what your post addresses. I am curious of this answer myself
So let's say someone does use a dictionary crack, and does get the AP's SSID. Assuming LEAP with dynamic keys, ACS for authentication of user and MAC authentication are in use; what kind of damage could a 'hacker' do with the SSID on this wireless network?
LEAP's weakness lies in it's reliance on MS-CHAPv2.
The username is passed in the clear. It's easy to observe on a WLAN. Once you know the username, all you have to do is guess the password. You can also observe the encrypted password being passed over the WLAN.
Once you've captured the username and encrypted password, you can run offline dictionary attacks (guesses) against the password, until you come back with an encrypted form that matches what you observed. Whoola.
The problem has to do with MS-CHAPv1 not MS-CHAPv2. And yes, LMhash of user's password is visible with MS-CHAPv1. You will need to use MDcrack or something similar to do brute force attack on the hashed password(it's MD4 based). With a relatively fast Pentium III machine, you can do about 1million hashes per second. It's trivial to crack a six character password. I've been told that Cisco is addressing this issue first quarter of next year. Whether it means they will create a secure tunnel before authentication information is exchanged or they are moving to MS-CHAPv2 I don't know. They can possibly do both. Anyway, the bottom line is that a hacker can have a user ID and password combination. If this also happens to be the user's NT ID and password, well you know what that means.
Currently I'm using LEAP w/ radius authentication. We are using a 20 character randomly generated combo of uppercase, lowercase, numbers and symbols for the username, password, SSID and shared secret (different for each). I have told my CIO that this is pretty much bulletproof, even with the LEAP brute-force vulnerability. Anyone care to comment on whether or not I'm right?
Transferring Crash file from standby: Login to the Active WLC in HA.
From CLI: (Cisco Controller) >transfer upload datatype crash (Cisco
Controller) >transfer upload filename (Cisco
Controller) >transfer upload mode tftp (Cisco Controller) >transfer
This is the start of a display filter cross reference between Wireshark
and OmniPeek. The 1st installment is a table of advanced filters. More
filters will be added as time allows. It is a living doc, so check back
for changes every so often Please feel f...
I have created a Powershell script to automatically add a Wireless Guest
User on Cisco WLCs. (tested on 2500 Series) The script should be
completely self explanatory. Prerequisites: Powershell SNMP Module
(Install-Module -Name SNMP) SNMP Write Access to y...