Microsoft is warning customers about the availability of the ChapCrack tool that Moxie Marlinspike built to crack the VPN credentials of systems built on the MS-CHAPv2 protocol. The company said that while it’s not aware of any active attacks using the tool, customers can protect themselves by implementing PEAP or changing to a more secure VPN tunnel.
Marlinspike unveiled the ChapCrack tool at DEF CON last month. It is designed to take packet captures from sessions using the MS-CHAPv2 protocol and strip the user’s credentials out of the cryptographic handshake in the session. To decrypt the user’s credentials, Marlinspike submits the packet to CloudCracker, which sends back a packet that he can feed back into ChapCrack, which then cracks the password.
In its advisory, Microsoft says that while the ChapCrack tool doesn’t take advantage of a security vulnerability per se, it still represents a risk to users.
“An attacker who successfully exploited these cryptographic weaknesses could obtain user credentials. Those credentials could then be re-used to authenticate the attacker to network resources, and the attacker could take any action that the user could take on that network resource,” the company said in its advisory on ChapCrack.
“An attacker has to be able to intercept the victim’s MS-CHAP v2 handshake in order to exploit this weakness, by performing man-in-the-middle attacks or by intercepting open wireless traffic. An attacker who obtained the MS-CHAP v2 authentication traffic could then use the exploit code to decrypt a user’s credentials.”
Microsoft recommends that customers who use MS-CHAPv2 implement PEAP (Protected Extensible Authentication Protocol) to further secure their VPNs.
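The practical question Microsoft's advice raises for an administrator is where MS-CHAPv2 is still being negotiated in the clear, as opposed to inside a PEAP (or other TLS-based) tunnel where the handshake is not exposed to a passive observer. The following is an added example, not code from the article, from ChapCrack or from Microsoft: a small audit that parses raw EAP packets (RFC 3748 framing, as carved from EAPOL frames or from RADIUS EAP-Message attributes) and counts sessions whose MS-CHAPv2 exchange (EAP method type 26) is visible on the wire versus sessions that negotiated PEAP, EAP-TLS or EAP-TTLS (types 25, 13, 21). It assumes EAP framing only; PPTP carries MS-CHAPv2 over PPP CHAP rather than EAP, and that encapsulation is not handled here. The sample frames, identities and challenge bytes are constructed for the demonstration.

```python
"""Audit EAP frames for MS-CHAPv2 that is negotiated in the clear (added example).

Frames are raw EAP packets (RFC 3748 framing), as carved from EAPOL or from
RADIUS EAP-Message attributes. All sample frames below are constructed.
"""
import struct
from dataclasses import dataclass
from typing import Optional

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# IANA EAP method types relevant to this audit
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
TLS_TUNNELED = {"EAP-TLS", "EAP-TTLS", "PEAP"}   # inner exchange is carried inside TLS
MSCHAPV2_OPCODES = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure", 7: "Change-Password"}


@dataclass
class EapFrame:
    code: str
    identifier: int
    method: Optional[str] = None        # None for Success/Failure
    identity: Optional[str] = None      # only for Response/Identity
    mschapv2_op: Optional[str] = None   # only for cleartext EAP-MSCHAPv2


def parse_eap(frame: bytes) -> EapFrame:
    """Parse one EAP packet; raises ValueError on malformed framing."""
    if len(frame) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", frame[:4])
    if code not in EAP_CODES:
        raise ValueError(f"unknown EAP code {code}")
    if length < 4 or length > len(frame):
        raise ValueError("EAP length field does not match frame")
    body = frame[4:length]
    parsed = EapFrame(EAP_CODES[code], ident)
    if code in (3, 4):                  # Success/Failure carry no type field
        return parsed
    if not body:
        raise ValueError("Request/Response without type field")
    eap_type = body[0]
    parsed.method = EAP_TYPES.get(eap_type, f"type-{eap_type}")
    if eap_type == 1 and code == 2:
        parsed.identity = body[1:].decode("utf-8", errors="replace")
    elif eap_type == 26 and len(body) >= 2:
        parsed.mschapv2_op = MSCHAPV2_OPCODES.get(body[1], f"op-{body[1]}")
    return parsed


def audit_eap(frames) -> dict:
    """Summarise how authentication is carried across a list of EAP frames."""
    report = {"identities": [], "cleartext_mschapv2": 0, "tls_tunneled": 0, "malformed": 0}
    for frame in frames:
        try:
            p = parse_eap(frame)
        except ValueError:
            report["malformed"] += 1
            continue
        if p.identity is not None:
            report["identities"].append(p.identity)
        if p.method == "EAP-MSCHAPv2":
            report["cleartext_mschapv2"] += 1
        elif p.method in TLS_TUNNELED:
            report["tls_tunneled"] += 1
    # Any cleartext MS-CHAPv2 frame means a handshake a passive observer could capture
    report["exposed"] = report["cleartext_mschapv2"] > 0
    return report


def build_eap(code: int, ident: int, eap_type: Optional[int] = None, data: bytes = b"") -> bytes:
    """Helper to construct EAP packets for the sample capture."""
    payload = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload


def mschapv2_data(opcode: int, ms_id: int, value: bytes, name: bytes) -> bytes:
    """EAP-MSCHAPv2 type data: op-code, id, MS-length, value-size, value, name."""
    ms_len = 5 + len(value) + len(name)
    return struct.pack("!BBHB", opcode, ms_id, ms_len, len(value)) + value + name


# Constructed sample capture: one session with MS-CHAPv2 in the clear, one
# session that negotiated PEAP (its inner method is not visible), one bad frame.
SAMPLE_FRAMES = [
    build_eap(2, 1, 1, b"alice"),                                            # Response/Identity
    build_eap(1, 2, 26, mschapv2_data(1, 2, bytes(range(16)), b"vpn-gw")),   # MS-CHAPv2 Challenge
    build_eap(2, 2, 26, mschapv2_data(2, 2, bytes(49), b"alice")),           # MS-CHAPv2 Response
    build_eap(3, 3),                                                         # Success
    build_eap(2, 1, 1, b"bob"),                                              # Response/Identity
    build_eap(1, 2, 25, b"\x20"),                                            # PEAP start (S flag)
    b"\x01\x05\x00\x02",                                                     # length field too short
]

if __name__ == "__main__":
    print(audit_eap(SAMPLE_FRAMES))
```

Run against a real capture, a non-zero `cleartext_mschapv2` count identifies the clients or gateways that still need to be moved to PEAP or to a different tunnel, which is the remediation the advisory recommends. The audit deliberately reports only method types and identities, not the challenge or response bytes.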