EAP-MD5 sucks *for real*

EAP-MD5 has been deprecated in the Microsoft world since Windows Vista.

A KB article exists that points out the dictionary attack. That’s not the case for Cisco. EAP-MD5 is so great you can still use it on Cisco’s IP phones. Also, I have found no documents referring to the EAP-MD5 security weakness, only the deployment guides that help poor administrators get pwned in the future. Hopefully, when Cisco stamps a customer network as safe thanks to an audit (probably run by a CISSP leet), the customer feels indestructible until a real pentester (not the CISSP’s well-suited guy) manages to break into their invulnerable network in seconds.

Reality is bad. Help your customer kill EAP-MD5 forever by using my Metasploit module, which worked successfully on wired and wireless 802.1X environments.

You could also use the following script from LaNMaSteR53 if you are in love with Python, or the well-known xtest and eapmd5pass, which need no further comment.

Go for another scheme or… or… sorry, definitely no EAP-MD5, even tunneled: tunneling removes the dictionary attack but adds a man-in-the-middle scenario for the attacker.
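To find where EAP-MD5 is still being negotiated on a network you maintain, the added example below (not from this post or any of the tools it mentions) parses EAPOL payloads and flags MD5-Challenge, EAP type 4 in RFC 3748, whether it shows up as a request, a response, or a Nak asking for it. The function names and sample payloads are constructed for illustration, and each payload is assumed to start at the EAPOL version byte, with the Ethernet header already stripped.

```python
import struct

EAPOL_EAP_PACKET = 0                 # EAPOL packet type that carries an EAP message
EAP_REQUEST, EAP_RESPONSE = 1, 2     # EAP codes that have a Type field
EAP_TYPE_NAK, EAP_TYPE_MD5 = 3, 4    # RFC 3748 method type numbers

def classify_eapol(payload: bytes):
    """Return a finding if this EAPOL payload involves EAP-MD5, else None."""
    if len(payload) < 4:
        return None
    _version, ptype, plen = struct.unpack("!BBH", payload[:4])
    eap = payload[4:4 + plen]
    if ptype != EAPOL_EAP_PACKET or len(eap) < 5:
        return None                  # not EAP, or Success/Failure (4 bytes, no Type)
    code, ident, elen, etype = struct.unpack("!BBHB", eap[:5])
    if code not in (EAP_REQUEST, EAP_RESPONSE) or not 5 <= elen <= len(eap):
        return None                  # malformed or truncated EAP packet
    if etype == EAP_TYPE_MD5:
        side = "authenticator offers" if code == EAP_REQUEST else "supplicant answers"
        return f"id={ident}: {side} MD5-Challenge"
    # A Legacy Nak lists the methods the supplicant would accept instead.
    if etype == EAP_TYPE_NAK and code == EAP_RESPONSE and EAP_TYPE_MD5 in eap[5:elen]:
        return f"id={ident}: supplicant Nak asks for MD5-Challenge"
    return None

def audit(payloads):
    """Collect findings for every payload that shows EAP-MD5 in use."""
    return [f for f in map(classify_eapol, payloads) if f]

def _build(code, ident, etype, data=b""):
    """Constructed-sample helper: wrap one EAP packet in an EAPOL header."""
    eap = struct.pack("!BBHB", code, ident, 5 + len(data), etype) + data
    return struct.pack("!BBH", 1, EAPOL_EAP_PACKET, len(eap)) + eap

# Constructed sample payloads (not from a real capture).
SAMPLES = [
    _build(EAP_REQUEST, 1, 1),                                   # Identity request
    _build(EAP_REQUEST, 2, 25, b"\x20"),                         # PEAP start
    _build(EAP_RESPONSE, 2, EAP_TYPE_NAK, b"\x04"),              # Nak: wants MD5
    _build(EAP_REQUEST, 3, EAP_TYPE_MD5, b"\x10" + bytes(16)),   # MD5 challenge
    _build(EAP_RESPONSE, 3, EAP_TYPE_MD5, b"\x10" + bytes(16)),  # MD5 response
    _build(EAP_RESPONSE, 4, EAP_TYPE_NAK, b"\x19"),              # Nak: wants PEAP
    struct.pack("!BBHBBH", 1, 0, 4, 3, 4, 4),                    # EAP Success
]

if __name__ == "__main__":
    for finding in audit(SAMPLES):
        print(finding)
```

Any finding means a supplicant or authenticator on that segment still accepts EAP-MD5 and needs its allowed-method list fixed.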

Evangelism for the win.
