New Moxie Marlinspike Tool Cracks Crypto Passwords 71

Gunkerty Jeb writes "Moxie Marlinspike, the security and privacy researcher known for his SSLStrip, Convergence and RedPhone tools, has released a new tool that can crack passwords used for some VPNs and wireless networks that rely on encryption using Microsoft's MS-CHAPv2 protocol. Marlinspike discussed the tool during a talk at DEF CON over the weekend, and it is available for download."
  • Re:so what? (Score:5, Informative)

    by BagOBones ( 574735 ) on Monday July 30, 2012 @01:32PM (#40819891)

    PPTP is a type of VPN still used by some companies and included with windows...
    MS-CHAPv2 is the default / most common authentication option when using PPTP with windows. Thus organizations still using PPTP for remote access may be at risk.

  • Re:Nice hack, but... (Score:5, Informative)

    by Anonymous Coward on Monday July 30, 2012 @01:47PM (#40820043)

    Actually, lots of companies still use MS PPTP precisely because it's cheaper and easier than the alternatives. MS PPTP server is built into RRAS, so it's free, and the client is built into every version of Windows since XP.

  • Re:so what? (Score:2, Informative)

    by Anonymous Coward on Monday July 30, 2012 @02:15PM (#40820343)

    If I understand it correctly, one implication is that if you:

    1. use Microsoft Windows' built-in VPN client (Network Connections -> Connect to...)
    2. to connect to Microsoft Windows' built-in VPN server ("Remote Access")
    3. and someone sniffs your traffic (like on a public Starbucks hot-spot)

    then they can decrypt that VPN traffic.

    One would assume that usage of Microsoft's built-in stuff is pretty prevalent, so the implications of this are pretty big.

  • Re:so what? (Score:5, Informative)

    by skids ( 119237 ) on Monday July 30, 2012 @04:07PM (#40821639) Homepage

    For VPN use IPSEC, not PPTP, either with certificate-based outer tunnel, or with an outer tunnel using a PSK that you trust will not be compromised. The latter is near impossible in enterprise setups, so the certificate approach is superior, albeit harder to administer.

    WPA2-PSK is insecure due to a separate issue entirely (see Firesheep).

    For WPA2-Enterprise the MSCHAPv2 session is usually wrapped in a PEAP (SSL) session. This should be safe as long as your client is configured to validate the server-side certificate only against CAs that are not likely to be compromised (i.e. a rogue cert generated). Preferably, one should also validate the certificate's subject (usually the name of the RADIUS server). If this is not the case (and Apple makes this particularly hard, especially on the new Lion setup that requires an 802.1x profile generated by a Lion Server installation) then an MITM attack is possible, where someone pretends to be your AP+RADIUS, and since your client does not check the certificate they offer, it will happily start the MSCHAPv2 session with them, at which point the exchange becomes vulnerable to attempts to hijack it.

    WPA2 using EAP-TLS with certificates is safe, but does not offer the ability to check user passwords, so it is usually only favored by institutions that do not worry too much about stolen equipment. (Given that everyone seems happy to let the OS remember their passwords, however, the added benefits of the password become dubious.) WPA2 with EAP-TTLS should be unaffected by any of this. The precautions about validating server certs remain relevant, however.

    It is possible to configure WPA2-Enterprise with just a raw MSCHAPv2 exchange and no protective PEAP wrapper around it. That would be what the OP's tool is for. It would also be completely insane, and given many native clients do not support that, rather a lot of effort to invest in being insane.
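The precautions skids lists for WPA2-Enterprise clients (a CA to validate the RADIUS server's certificate against, a check on the certificate's subject, and never running MSCHAPv2 without a PEAP/TTLS tunnel) can be turned into a configuration audit. The following is an added example, not code from the thread or from Marlinspike's tool; it assumes wpa_supplicant's `network={...}` syntax and its `eap`, `phase2`, `ca_cert`, `subject_match`, `altsubject_match`, `domain_suffix_match` and `domain_match` keys, and the three network blocks inside it are constructed samples, not a real configuration.

```python
"""Audit wpa_supplicant-style network blocks for the WPA2-Enterprise
precautions discussed above: CA validation, subject matching, and no
raw MSCHAPv2 outside a PEAP/TTLS tunnel.  Added example; the sample
configuration below is constructed for illustration."""
import re

# Constructed sample: one weak PEAP block, one hardened PEAP block, one raw MSCHAPv2 block.
SAMPLE_CONF = """
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="example-password"
    phase2="auth=MSCHAPV2"
}

network={
    ssid="corp-wifi-hardened"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="example-password"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.example.com"
    phase2="auth=MSCHAPV2"
}

network={
    ssid="legacy"
    key_mgmt=WPA-EAP
    eap=MSCHAPV2
    identity="bob"
    password="example-password"
}
"""

BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)
SUBJECT_KEYS = ("subject_match", "altsubject_match", "domain_suffix_match", "domain_match")


def parse_networks(text):
    """Return one dict per network={...} block, mapping key -> unquoted value."""
    nets = []
    for body in BLOCK_RE.findall(text):
        entry = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)
            entry[key.strip()] = value.strip().strip('"')
        nets.append(entry)
    return nets


def audit_network(net):
    """Return a list of findings for one 802.1X network block; empty means it passes."""
    findings = []
    if net.get("key_mgmt") != "WPA-EAP":
        return findings  # PSK or open network: not an MSCHAPv2 question
    eap = net.get("eap", "").upper()
    phase2 = net.get("phase2", "").upper()
    if eap == "MSCHAPV2":
        # The "raw MSCHAPv2, no protective wrapper" case from the comment above.
        findings.append("raw MSCHAPv2 with no PEAP/TTLS tunnel: exchange exposed to any rogue AP")
        return findings
    if eap in ("PEAP", "TTLS") and "MSCHAPV2" in phase2:
        if "ca_cert" not in net:
            findings.append("no ca_cert: server certificate not validated, rogue AP+RADIUS can MITM")
        if not any(k in net for k in SUBJECT_KEYS):
            findings.append("no subject/domain match: any certificate from the CA is accepted")
    return findings


def audit(text):
    """Map each SSID in the configuration text to its list of findings."""
    return {net.get("ssid", "?"): audit_network(net) for net in parse_networks(text)}


if __name__ == "__main__":
    for ssid, findings in audit(SAMPLE_CONF).items():
        print(ssid, "->", findings or "OK")
```

The hardened block is the only one that passes: it pins a CA and a RADIUS server name, so a client will refuse to start the inner MSCHAPv2 exchange with anything but the real server.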
