MAC Filtering Attack - What is It? RADIUS Vulnerabilities
Sep 13


Cisco LEAP has a number of discovered vulnerabilities. One of them was so bad that Cisco Systems abandoned LEAP and moved to a new EAP type called EAP-FAST. LEAP was developed to allow fast roaming from cell to cell.

A number of tools emerged that defeated the security of LEAP. The first one released was called anwrap. This tool showed that LEAP had no mechanism to prevent an attacker from making a large number of authentication attempts against the access point. One thing that helps mitigate this threat is that many RADIUS servers can prevent it: they set an invalid-authentication-attempt attribute together with a lockout duration that takes effect once the invalid-attempt threshold is reached.
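The following is an added example, not code from the original article or from any RADIUS product: a hypothetical model of the lockout mitigation just described, replayed over a constructed burst of authentication attempts. The `LockoutPolicy` class, its threshold and lockout values, and the sample identities are all assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class LockoutPolicy:
    """Hypothetical model of the RADIUS mitigation described above: count
    invalid authentication attempts per identity and refuse every attempt
    for `lockout_seconds` once `threshold` consecutive failures accumulate."""
    threshold: int = 5
    lockout_seconds: int = 300
    failures: dict = field(default_factory=lambda: defaultdict(int))
    locked_until: dict = field(default_factory=dict)

    def attempt(self, identity: str, now: float, credentials_ok: bool) -> str:
        # While locked out, the answer is "locked" regardless of the credentials,
        # so a guessing tool gets no signal about whether a guess was right.
        if self.locked_until.get(identity, 0.0) > now:
            return "locked"
        if credentials_ok:
            self.failures[identity] = 0
            return "accept"
        self.failures[identity] += 1
        if self.failures[identity] >= self.threshold:
            self.locked_until[identity] = now + self.lockout_seconds
            self.failures[identity] = 0
            return "locked"
        return "reject"


def replay(policy: LockoutPolicy, events):
    """Run (timestamp, identity, credentials_ok) events through the policy
    in order and return the outcome the server would give for each one."""
    return [policy.attempt(identity, t, ok) for t, identity, ok in events]


# Constructed sample: five rapid bad guesses against one account, then the
# legitimate user during the lockout, another user, and the legitimate user
# again after the lockout window has expired.
SAMPLE_EVENTS = [
    (0.0, "alice", False), (0.5, "alice", False), (1.0, "alice", False),
    (1.5, "alice", False), (2.0, "alice", False),   # fifth failure -> locked
    (3.0, "alice", True),                           # right password, still locked
    (4.0, "bob", True),                             # other identities unaffected
    (302.5, "alice", True),                         # window expired -> accepted
]

if __name__ == "__main__":
    for event, outcome in zip(SAMPLE_EVENTS, replay(LockoutPolicy(), SAMPLE_EVENTS)):
        print(event, "->", outcome)
```

The trade-off a practitioner should weigh: a per-identity lockout also lets anyone who can send authentication frames deny service to that identity for the lockout duration, so threshold and duration need to be tuned together with alerting on lockout events.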

The next tool released was called asleap; it took the above attack further and allowed an offline attack against captured LEAP frames. The LEAP vulnerability this tool took advantage of was the modified version of MS-CHAPv2 that Cisco used to authenticate users on a LEAP network. It was built upon the fact that Cisco padded the hash to 21 bytes; this makes an attack on the hash much easier because the last seven bytes contain only two characters' worth of hash material. Because of this, the time it takes to perform a dictionary attack on LEAP is significantly reduced, which makes tools like asleap that perform this exploit extremely fast.
