Skip to comments.Tools released at Defcon can crack widely used PPTP encryption in under a day
Posted on 07/29/2012 12:52:30 PM PDT by LibWhacker
New tool and service can decrypt any PPTP and WPA2 wireless sessions using MS-CHAPv2 authentication
Security researchers released two tools at the Defcon security conference that can be used to crack the encryption of any PPTP (Point-to-Point Tunneling Protocol) and WPA2-Enterprise (Wireless Protected Access) sessions that use MS-CHAPv2 for authentication.
MS-CHAPv2 is an authentication protocol created by Microsoft and introduced in Windows NT 4.0 SP4. Despite its age, it is still used as the primary authentication mechanism by most PPTP virtual private network (VPN) clients.
MS-CHAPv2 has been known to be vulnerable to dictionary-based brute force attacks since 1999, when a cryptanalysis of the protocol was published by cryptographer Bruce Schneier and other researchers.
However, the common belief on the Internet is that if you have a strong password then it's ok, said Moxie Marlinspike, the security researcher who developed ChapCrack, one of the tools released at Defcon. "What we demonstrated is that it doesn't matter. There's nothing you can do."
ChapCrack can take captured network traffic that contains a MS-CHAPv2 network handshake (PPTP VPN or WPA2 Enterprise handshake) and reduce the handshake's security to a single DES (Data Encryption Standard) key.
This DES key can then be submitted to CloudCracker.com -- a commercial online password cracking service that runs on a special FPGA cracking box developed by David Hulton of Pico Computing -- where it will be decrypted in under a day.
The CloudCracker output can then be used with ChapCrack to decrypt an entire session captured with WireShark or other similar network sniffing tools.
PPTP is commonly used by small and medium-size businesses -- large corporations use other VPN technologies like those provided by Cisco -- and it's also widely used by personal VPN service providers, Marlinspike said.
The researcher gave the example of IPredator, a VPN service from the creators of The Pirate Bay, which is marketed as a solution to evade ISP tracking, but only supports PPTP.
Marlinspike's advice to businesses and VPN providers was to stop using PPTP and switch to other technologies like IPsec or OpenVPN. Companies with wireless network deployments that use WPA2 Enterprise security with MS-CHAPv2 authentication should also switch to an alternative.
I never assume any form of electronic communication is secure.
For most of us, I think it’s a matter of how much ability someone has and how much effort they’re willing to put into it. With the release of this tool, the effort part of the equation for crackers was just removed.
Since all my servers are Windows 2008 R2, and my clients are running Windows 7, I’ve set SSTP as my standard VPN protocol.
My campus uses Cisco Anywhere Connect, which is OpenSSL, almost the same thing.
Er, make that Cisco AnyConnect. It is pretty much anywhere!
How much of the essentially infinite run time of the government computers you get depends on how much you stick up from the herd.
WPA has been hackable for quite a while with free tools. Wireless is not secure.
802.X with EAP/TLS. Adjust WAP and client signal strength to controlled physical space as much as possible. Limit unauthorized physical access. Classify data into security categories and never use wireless or Internet access on machines handling the more sensitive categories.
Security is an ongoing game.
Assume that all these methods will be broken eventually. Keep evolving!
Post on Free Republic, and you get on the NSA's rolling smartphone crypto-twitter feed, alongside chemical analysis of your nose hairs.
I keep saying I am going to wire for ethernet and give up my tablet, but it’s like a crack addict trying to stop crack for me, evidently.
I just love being able to surf on my ipod & tablet. Dang it.
I wish infrared had made it big... I could install local infrared access points in each room, and be reasonably secure (there is still the issue of light leakage through windows and such, but it would take professional equipment to access that reliably, and a position which I could easily detect a hacker in).
I think the sum total is this: wireless encryption needs to get A LOT BETTER.
Maybe I will setup a VPN which my wireless devices have to access to get to the internet.
I recently implemented an IPSEC host to host capability for a customer. It uses IKE and AES crypto. Both AH and ESP elements. The only down side was network performance is cut in half. Using signed certs for the authentication gives you the ability to lockout unauthorized use bia a CRL.
We were doing a wireless security scan for a client a few weeks ago. Came across a network labeled ‘USDOJ Surveillance Team’.
all you have to do is mac-lock your wireless security and it won’t really matter. For home use, it’s really not that much of a pain
MAC addresses are really easy to spoof. At least on my OS X box, I can spoof it’s MAC address with a single command on the command line.
This is what I’ve built for my Network. Working fine so far.
I live out in the country on multi-acres. Controlling my physical space is easy. Anyone caught trespassing finds themselves in “fields of fire”! Still, I secure my home wireless.
Now I hear on Drudge that Homeland Security will be using drones in the USA. Will that be government sponsored “war-flying”?
Maybe I’ll be skeet shooting on that day.... Oops! Sorry about your model plane, Mister! Honest!
Unless some of you devise a good hack to make them crash... Maybe something on your wireless networks they’re snooping for. Call it a drone takedown honeypot.
I’m aware the MAC is easy to spoof, but you have to know what specific address to spoof in order to do it. That’s a very difficult challenge, near impossible.