2.8 EAP-LEAP Attack
802.1x uses a number of protocols to accomplish its goal of providing further security for wireless networks. The communication between the authentication server and the authenticator is logically separate from the communication between the authenticator and the supplicant. Extensible Authentication Protocol (EAP) is usually used for the authenticator/supplicant communication. EAP was created for point-to-point (PPP) authentication but has been adopted for use with wireless. EAP itself does not determine what method will be used to authenticate the supplicant; rather, it allows the use of a server to facilitate the actual authentication. EAP-LEAP is one of the most popular types of EAP in use today. It was developed by Cisco and has been implemented in a number of open-source RADIUS solutions [13].
EAP-LEAP is fundamentally flawed due to its usage of MS-CHAPv2. This algorithm, and specifically the way it was implemented in EAP-LEAP, allows an offline attack to be used to determine the password. When the usage of EAP-LEAP has been agreed upon, the authentication server sends the supplicant (by way of the authenticator) a nonce, or challenge text. Specifically, it is an 8-byte random stream which the supplicant must encrypt. To encrypt the challenge text, the password is hashed using an NT hash and split up to generate three separate keys. The first key consists of the first seven bytes of the hashed password, the second key is the second seven bytes of the hashed password, and the third key is the final two bytes followed by five NULL values. These three keys are each used to encrypt the 8-byte challenge text. The three 8-byte results are then concatenated into one 24-byte value, and this value is sent back to the authentication server for verification. Since EAP-LEAP supports mutual authentication, the process can be repeated in the opposite direction to authenticate the authentication server to the supplicant.
The problem with EAP-LEAP is that NT hashing does not use a "salt." That means that the same plaintext value will always hash to the same hashed value, so an attacker can hash a dictionary of plaintext passwords and store the corresponding hash values. If the password is one of the dictionary words, the hashes will match. Since the third hashed value that is used as a key to encrypt the 8-byte challenge consists of two hash bytes followed by five NULL values, there are really only 2^16 different possible values for that key. With so few possibilities, the two bytes can be found in less than a second. At this point, the last two bytes of the NT hash of the password have been recovered. Using the precomputed dictionary, the attacker finds all hashed passwords whose last two bytes match what has been found. This usually narrows down the possible passwords to a number that can be brute-forced against the authentication server. Now the attacker can gain access to the wireless network.
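The response construction described above, together with the reason the third block is weak, as an added Go example that is not from the text or from any of the tools it names. It takes the 16-byte NT hash as input (the MD4 of the UTF-16LE password is assumed to be computed elsewhere) and uses constructed hash and challenge values; it shows that two hashes sharing only their last two bytes produce an identical third response block.

```go
package main

import (
	"bytes"
	"crypto/des"
	"fmt"
)

// expandDESKey spreads 7 key bytes (56 bits) over 8 bytes, leaving the low bit
// of each byte for the DES parity bit, which the key schedule ignores.
func expandDESKey(k7 []byte) []byte {
	var acc uint64
	for _, b := range k7 {
		acc = acc<<8 | uint64(b)
	}
	k8 := make([]byte, 8)
	for i := 7; i >= 0; i-- {
		k8[i] = byte(acc&0x7F) << 1
		acc >>= 7
	}
	return k8
}

// desBlock encrypts the 8-byte challenge under one 7-byte key, as MS-CHAP does.
func desBlock(key7, challenge []byte) []byte {
	c, _ := des.NewCipher(expandDESKey(key7)) // key is always 8 bytes, so no error
	out := make([]byte, 8)
	c.Encrypt(out, challenge)
	return out
}

// leapResponse builds the 24-byte response from the 16-byte NT hash. The three
// keys are hash[0:7], hash[7:14], and hash[14:16] followed by five NULL bytes.
func leapResponse(ntHash, challenge []byte) []byte {
	key3 := append(append([]byte{}, ntHash[14:16]...), 0, 0, 0, 0, 0)
	resp := append([]byte{}, desBlock(ntHash[0:7], challenge)...)
	resp = append(resp, desBlock(ntHash[7:14], challenge)...)
	return append(resp, desBlock(key3, challenge)...)
}

// thirdBlockKeySpace: only two key bytes vary, so 2^16 keys cover the third block.
const thirdBlockKeySpace = 1 << 16

func main() {
	// Constructed sample values, not a real NT hash or a captured challenge.
	challenge := []byte{0xD0, 0x2E, 0x43, 0x86, 0xBC, 0xE9, 0x12, 0x26}
	hashA := append(bytes.Repeat([]byte{0x11}, 14), 0xAB, 0xCD) // same last two bytes ...
	hashB := append(bytes.Repeat([]byte{0x22}, 14), 0xAB, 0xCD) // ... so the third blocks match
	a, b := leapResponse(hashA, challenge), leapResponse(hashB, challenge)
	fmt.Printf("A: %x\nB: %x\nthird blocks equal: %v (candidate keys: %d)\n", a, b, bytes.Equal(a[16:], b[16:]), thirdBlockKeySpace)
}
```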
There are a number of utilities that can perform this attack, the most famous of which is asleap, developed by Joshua Wright. Leapcrack and leap are two other