
Moxie Marlinspike, the security and privacy researcher known for his SSLStrip, Convergence and RedPhone tools, has released a new tool, ChapCrack, that can crack passwords used for some VPNs and wireless networks that rely on encryption using Microsoft’s MS-CHAPv2 protocol. Marlinspike discussed the tool during a talk at DEF CON over the weekend, and it is available for download.

ChapCrack is designed to enable users to crack passwords that are used to help secure PPTP connections. PPTP (Point-to-Point Tunneling Protocol) is one of the protocols used for securing remote connections. MS-CHAPv2 (Microsoft Challenge Handshake Authentication Protocol version 2) is the protocol used to do the secure negotiation for some PPTP implementations.

“Separate cryptographic keys are generated for transmitted and received data. The cryptographic keys are based on the user’s password and the arbitrary challenge string. Each time the user connects with the same password, a different cryptographic key is used,” Microsoft says in the documentation for the protocol.

Marlinspike’s ChapCrack tool can take packet captures that include an MS-CHAPv2 network handshake (the back-and-forth negotiation that sets up the secure connection between machines) and extract the relevant credentials from the capture. The user can then submit the encrypted credentials to CloudCracker and will eventually receive in return an encrypted packet that he can insert into ChapCrack again. The tool will then crack the password.

The ChapCrack tool relies on the computing power of a system built by Pico Computing, a specialized manufacturer of hardware for applications such as cryptography that require large amounts of dedicated processing power. David Hulton of Pico Computing presented the ChapCrack tool at DEF CON with Marlinspike.

“They were able to build an FPGA box that implemented DES as a real pipeline, with one DES operation for each clock cycle. With 40 cores at 450mhz, that’s 18 billion keys/second. With 48 FPGAs, the Pico Computing DES cracking box gives us a worst case of ~23 hours for cracking a DES key, and an average case of about half a day,” Marlinspike said in a blog post on the attack and tools.

“With Pico Computing’s DES cracking machine in hand, we can now crack any MS-CHAPv2 handshake in less than a day.”

Here’s how the ChapCrack documentation describes the process:

1) Obtain a packet capture with an MS-CHAPv2 network handshake in it (PPTP VPN or WPA2 Enterprise handshake, for instance).

2) Use chapcrack to parse relevant credentials from the handshake (chapcrack parse -i path/to/capture.cap).

3) Submit the CloudCracker token to www.cloudcracker.com

4) Get your results, and decrypt the packet capture (chapcrack decrypt -i path/to/capture.cap -o output.cap -n )

ChapCrack has the ability to search the entire DES keyspace in order to crack the captured password. DES is an old encryption standard that was replaced several years ago by AES. However, DES is still in use in some places, and the fact that Marlinspike was able to design a system that can tear through all of the DES keyspace in a reasonable amount of time shows again the serious problems with the algorithm.
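Why a full DES keyspace search is enough can be seen from how MS-CHAPv2 lays out its key material. The following Python sketch is an added example, not code from ChapCrack or from Marlinspike's post: it follows the response construction in the protocol specification (RFC 2759), uses a constructed 16-byte value in place of a real password hash, and takes its throughput figures from the quote above.

```python
# Added illustration; NT_HASH is a constructed value, not a real credential.
FPGA_COUNT = 48                     # figure from the quoted blog post
KEYS_PER_FPGA = 40 * 450_000_000    # 40 cores at 450 MHz = 18 billion keys/s
NT_HASH = bytes(range(16))          # constructed stand-in for MD4(password)


def split_nt_hash(nt_hash: bytes) -> list[bytes]:
    """Zero-pad the 16-byte hash to 21 bytes and cut it into three 7-byte DES keys."""
    if len(nt_hash) != 16:
        raise ValueError("NT hash must be 16 bytes")
    padded = nt_hash + b"\x00" * 5
    return [padded[i:i + 7] for i in (0, 7, 14)]


def expand_des_key(key7: bytes) -> bytes:
    """Spread 56 key bits over 8 bytes; the low bit of each byte is odd parity."""
    if len(key7) != 7:
        raise ValueError("DES key material must be 7 bytes")
    bits = int.from_bytes(key7, "big")
    out = bytearray()
    for i in range(8):
        byte = ((bits >> (49 - 7 * i)) & 0x7F) << 1
        if bin(byte).count("1") % 2 == 0:
            byte |= 1
        out.append(byte)
    return bytes(out)


def work_factors() -> dict[str, int]:
    """Guesses needed under each view of the construction."""
    return {
        "whole_hash": 2 ** 128,                  # guess all 16 hash bytes at once
        "per_key": 2 ** 56 + 2 ** 56 + 2 ** 16,  # attack each DES key separately
        # Keys 1 and 2 encrypt the same 8-byte block, so one pass over the
        # 2**56 keyspace tests both; key 3 has only 2 unknown bytes.
        "shared_pass": 2 ** 56 + 2 ** 16,
    }


def hours_to_search(keys: int, fpgas: int = FPGA_COUNT) -> float:
    """Hours to try `keys` DES keys at the quoted per-FPGA rate."""
    return keys / (KEYS_PER_FPGA * fpgas) / 3600


if __name__ == "__main__":
    for k in split_nt_hash(NT_HASH):
        print(k.hex(), "->", expand_des_key(k).hex())
    print(f"worst case: {hours_to_search(2 ** 56):.1f} h, "
          f"average: {hours_to_search(2 ** 55):.1f} h")
```

The third key carries only two bytes of the hash followed by five zero bytes, which is why the cost of recovering the whole hash collapses to roughly one 56-bit search regardless of password length.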

Although MS-CHAPv2 is an older protocol and has had known security weaknesses for more than a decade, Marlinspike said in his post that he and Hulton chose to go after it because it is still used in a lot of enterprise wireless networks that use WPA2 and in numerous VPNs. Hulton and Marlinspike say that, as a result of their findings, enterprises would be smart to start migrating their implementations now.

“All users and providers of PPTP VPN solutions should immediately start migrating to a different VPN protocol. PPTP traffic should be considered unencrypted,” Marlinspike wrote. “Enterprises who are depending on the mutual authentication properties of MS-CHAPv2 for connection to their WPA2 Radius servers should immediately start migrating to something else.”

This article was updated on July 30 to add more context about the hardware involved in the crack and Pico Computing’s involvement.

Categories: Cryptography

Comments (6)

  1. Guido Faulkes
    1

    This Moxie guy is pure mockery and there is no story here, as 56-bit DES has never been secure. From day one, the US government could decipher it, since the entire DES keyspace is just over 20TB and they already had that much online storage at the NSA back in the 1970s. It is easier to use huge online storage for a rainbow table, rather than build FPGAs to crack the code.

    3-3-DES (168 bit) remains secure at 96 bit effective depth still uncracked, but it is dog slow. 3-2-DES (aka DES-X) is completely broken, just as 1-1-DES (56bit). There are serious doubts about AES’s choice by the USA after the Stuxnet-Duqu-Flamer scandal. Probably best use Blowfish or GOST.

  2. ET
    2

    Don’t Panic!!!  It seems that the MS-CHAPv2 auth has to be sent in the clear, which is certainly not normal in today’s WPA2-Enterprise wireless networks.  Instead, the MS-CHAPv2 exchange happens as an inner method inside an EAP-TTLS or EAP-PEAP tunnel that uses TLS, and is offered up only after the client has verified the server’s identity by the certificate used in the outer exchange.

  3. jack
    3

    Thanks for sharing this great article, I really enjoyed the insight you bring to the topic, awesome stuff!

  4. Dr. Nonono
    5

    As pretty plain routers with PPTP-server capabilities at the same time offer the configuration option of not reacting to WAN-pings I wonder how some crazy brute force mind would be able to fish packets from some unknown ip address. And let’s assume neither of both ends can be pinged.
    So how would any alien know WHAT to analyse if he can’t even see what to analyse there would be beyond hum drum???

    Below bottom line the whole story sounds like a nice academic fairy tale from the ivory tower where people frequently forget that ultimate security is a religious fiction anyway in this universe from big bang on.

  5. Anonymous
    6

    You’re incorrect. It reduces the MS-CHAPv2 3DES to the complexity of single DES. From the blog post:

    The hash we’re after, however, is used as the key material for three DES operations. DES keys are 7 bytes long, so each DES operation uses a 7 byte chunk of the MD4 hash output. This gives us an opportunity for a classic divide and conquer attack. Instead of brute forcing the MD4 hash output directly (a complexity of 2^128), we can incrementally brute force 7 bytes of it at a time.

    This means that, effectively, the security of MS-CHAPv2 can be reduced to the strength of a single DES encryption.

    It’s effectively a 128bit key assuming unbounded password length. 
