From: Doug Wilson (doug__wilsonhotmail.com)
Date: Mon Jul 09 2001 - 10:47:13 CDT

    ----- Original Message -----
    From: <lostxampeopleart.net>
    To: "Doug Wilson" <doug__wilsonhotmail.com>
    Cc: <aironetenkidu.cse.ucsc.edu>
    Sent: Monday, July 09, 2001 7:41 AM
    Subject: Re: [Aironet] LEAP security

    >
    > Forgive me for interjecting, but I'd like to ask a few other questions
    > about your needs with regards to wireless networks.
    >
    > Is your goal to simply limit who can associate to the ESS/BSS?
    1] Limit who can connect to the network, 2] ensure the wireless link is
    encrypted and cannot be hijacked, 3] the client should NOT connect to rogue
    APs masquerading as corporate APs, 4] prevent rogue APs and other clients
    from seeing password hashes and challenges.

    >
    > Is your goal to, once an association is completed successfully, provide
    > link-level security?
    >
    > ----
    >
    > Also, on an unrelated note, I would like to ask this list what they think
    > about the following theory.
    >
    > If a 802.11 client device is authenticating via LEAP or EAP (rather, being
    > allowed an association because of..), what are the chances of another user
    > taking on the 'identity' (read: MAC address, IP address (if IP is being
    > used), and Radio ID) of a user who just authenticated? Let's say they were
    > operating in Adhoc mode, and could operate alongside transparently, or,
    > continue operating after the 'real' client's computer was turned off. Any
    > thoughts on what would happen?

    I am told that EAP or LEAP authentication results in generation of
    encryption keys on both client and server, and the encryption keys are used
    to encrypt the link. Based on the above, I am *guessing* that the hacker's
    computer would have to somehow compromise the encryption keys to hijack the
    session. The key strength would probably depend on a combination of
    authentication method used and the characteristics of WEP.

    >
    > It would seem to me that during the course of normal use, client devices
    > may roam into an area which has such poor coverage they associate &
    > deassociate due to excessive CRC errors or failed attempts at
    > retransmissions. Clients can't be expected to continually re-authenticate
    > just to reassociate all the time.
    >
    > So, in the case of LEAP or EAP I would presume that there is some sort of
    > 'cached' user/password data which can be re-sent by some means (driver,
    > script?) whenever the card de/re-associates.. Or at least some sort of
    > CHAP-style recurring password hash exchange going on after the initial
    > granting of an association.
    >
    > If that's the case, could not our rogue client device capture (assuming
    > the station could hear the transmission) that hash-exchange and replay it
    > on demand if the station were to 'impersonate' the real station after the
    > initial association?

    This is the kind of information we would like to know about LEAP. 2
    questions:
    a) Can someone replay hash & challenge or keep track of challenge and replay
    corresponding hash.
    b) Can someone do an offline dictionary attack on the LEAP password hash w/
    tool such as L0phtcrack.

    >
    > TIA for any replies/thoughts!
    >
    > -Lostxam
    >
    > On Fri, 6 Jul 2001, Doug Wilson wrote:
    >
    > > you might be right; I can't find anything that says LEAP works with
    > > Microsoft RADIUS.
    > >
    > > We would like to make a call on whether LEAP is secure enough. I have not
    > > been able to find third party reviews evaluating LEAP from a security
    > > perspective. If you have any information on LEAP security, pls send it to
    > > me.
    > >
    > > Someone on this mailing list mentioned that LEAP is MSCHAP. Is it MSCHAPv1
    > > or MSCHAPv2? Any protocol details?
    > >
    > > Thanks,
    > >
    > > Doug Wilson
    > >
    > >
    > > ----- Original Message -----
    > > From: "Mark Wilson" <markstargate.ucsc.edu>
    > > To: "Doug Wilson" <doug__wilsonhotmail.com>
    > > Cc: <aironetenkidu.cse.ucsc.edu>
    > > Sent: Wednesday, July 04, 2001 10:13 AM
    > > Subject: Re: [Aironet] LEAP security
    > >
    > >
    > > > On Wed, 4 Jul 2001, Doug Wilson wrote:
    > > >
    > > > > Hi everyone,
    > > > >
    > > > > I am planning to test Cisco Aironet Wireless 802.1x solution with LEAP.
    > > > > We are using Microsoft's Windows 2000 RADIUS server for VPN and it
    > > > > supports EAP-MD5 & EAP-TLS. Will LEAP work with Microsoft's RADIUS
    > > server?
    > > > >
    > > > > Thank you
    > > > >
    > > > > Doug Wilson
    > > > >
    > > >
    > > > I don't believe so. So far, I have only got it to work with the Cisco
    > > > ACS. But, if you do we would be interested.
    > > >
    > > >
    > > > Mark Wilson
    > > > Sr. Network Analyst
    > > > Communications and Technology Services (CATS)
    > > > UC Santa Cruz - Santa Cruz, Ca. 95064
    > > > 831.459.3675
    > > > Just a Cruzin......
    > > >
    > > >
    > > _______________________________________________
    > > Aironet mailing list - Aironetcsl.cse.ucsc.edu
    > > http://csl.cse.ucsc.edu/mailman/listinfo/aironet
    > >
    >
    >
    _______________________________________________
    Aironet mailing list - Aironetcsl.cse.ucsc.edu
    http://csl.cse.ucsc.edu/mailman/listinfo/aironet
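The replay question in (a) above, modelled as an added example that is not part of the original thread or of any Cisco or Aironet code: a toy challenge/response authenticator run in two configurations, once issuing a fresh random challenge per login and once reusing a single challenge, to show that a recorded (challenge, response) pair is only useful to an impersonator when the challenge repeats. The response function is an HMAC-SHA256 stand-in chosen only to make the property visible, not LEAP's real MS-CHAP-derived computation; the user name, password and 8-byte challenge length are constructed values.

```python
# Added example (not from the mailing-list thread): a toy model of a
# challenge/response login, used to reason about whether a captured
# response can be replayed.  The response function is an HMAC-SHA256
# stand-in and is NOT LEAP's real algorithm; it is an assumption made
# only so the replay behaviour can be demonstrated offline.
import hashlib
import hmac
import secrets

CHALLENGE_LEN = 8  # assumption: an 8-byte challenge, like MS-CHAP's


def response(password: str, challenge: bytes) -> bytes:
    """Hypothetical client response: keyed MAC over the challenge."""
    key = hashlib.sha256(password.encode()).digest()
    return hmac.new(key, challenge, hashlib.sha256).digest()


class Authenticator:
    """Server side of the exchange.

    fresh_challenges=False models a broken server that hands out the
    same challenge every time; that is the condition under which a
    recorded response becomes replayable.
    """

    def __init__(self, users: dict, fresh_challenges: bool = True):
        self.users = users
        self.fresh = fresh_challenges
        self._fixed = secrets.token_bytes(CHALLENGE_LEN)
        self.pending = {}  # user -> outstanding challenge

    def challenge(self, user: str) -> bytes:
        c = secrets.token_bytes(CHALLENGE_LEN) if self.fresh else self._fixed
        self.pending[user] = c
        return c

    def verify(self, user: str, resp: bytes) -> bool:
        c = self.pending.pop(user, None)  # each challenge is single-use
        if c is None or user not in self.users:
            return False
        expected = response(self.users[user], c)
        return hmac.compare_digest(expected, resp)


def run_scenario(fresh_challenges: bool) -> dict:
    """Legitimate login, then an attempt to reuse the recorded response."""
    server = Authenticator({"alice": "correct horse"}, fresh_challenges)

    # Legitimate client authenticates; an eavesdropper records c1 and r1.
    c1 = server.challenge("alice")
    r1 = response("correct horse", c1)
    legit_ok = server.verify("alice", r1)

    # Later, a station that knows only (c1, r1) and not the password
    # asks to log in and resubmits the recorded response.
    c2 = server.challenge("alice")
    replay_ok = server.verify("alice", r1)

    return {
        "legit": legit_ok,
        "challenge_reused": c1 == c2,
        "replay": replay_ok,
    }


if __name__ == "__main__":
    print("fresh challenges :", run_scenario(True))
    print("reused challenge :", run_scenario(False))
```

With fresh challenges the recorded response fails against the new challenge, and because `verify` pops the pending challenge, it cannot be resubmitted for the same login either; the same model with a reused challenge accepts the replay, which is why challenge freshness (and, for a real deployment, the strength of the password the response is derived from) is what the questions in this thread turn on.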