(LiveHacking.com) – A few weeks ago, at Defcon 20, Moxie Marlinspike and David Hulton gave a presentation on cracking MS-CHAPv2 and subsequently integrated the techniques presented into the CloudCracker service.
MS-CHAPv2 is an old authentication protocol which Microsoft introduced with NT 4.0 SP4 and Windows 98. Today the protocol is still widely used for PPTP VPNs, as well as in WPA2 Enterprise environments.
As a response to this, Microsoft has released a security advisory called “Unencapsulated MS-CHAP v2 Authentication Could Allow Information Disclosure.” The advisory notifies Microsoft customers of the known cryptographic weaknesses in the MS-CHAP v2 protocol.
To exploit the weaknesses and obtain user credentials, the attacker has to be able to intercept the victim’s MS-CHAP v2 handshake by performing man-in-the-middle attacks or by intercepting open wireless traffic.
Microsoft offers two workarounds (suggested actions):
1. Secure your MS-CHAP v2/PPTP-based tunnel with PEAP (see Microsoft Knowledge Base Article 2744850)
2. Use a more secure VPN tunnel – Microsoft recommends using L2TP, IKEv2, or SSTP VPN tunnels in conjunction with MS-CHAP v2 or EAP-MS-CHAP v2 for authentication.
For more information on these, see the following links:
- L2TP – Configure L2TP/IPsec-based Remote Access
- VPN Reconnect (IPSEC IKEv2) – Configure IKEv2-based Remote Access
- SSTP – SSTP Remote Access Step-by-Step Guide: Deployment
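As an added example that is not part of the original article or of Microsoft's advisory, the following PowerShell audits a Windows client for VPN profiles that still tunnel over PPTP, where the MS-CHAP v2 handshake travels unencapsulated, and creates a replacement profile that carries MS-CHAP v2 inside an SSTP (TLS) tunnel, in line with the advisory's second suggested action. It assumes the VpnClient module that ships with Windows 8 / Server 2012 and later; the profile name, server address and the `Find-PptpVpnProfile` / `New-SstpVpnProfile` function names are placeholders chosen for this example.

```powershell
# Added example, not code from the article or from Microsoft.
# Assumes the VpnClient module (Get-VpnConnection, Add-VpnConnection,
# Remove-VpnConnection) available on Windows 8 / Server 2012 and later.

function Find-PptpVpnProfile {
    # Collect per-user and all-user profiles. The all-user query needs
    # elevation, so errors are suppressed rather than aborting the audit.
    $profiles = @(Get-VpnConnection -ErrorAction SilentlyContinue) +
                @(Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue)

    # PPTP is the case the advisory warns about: MS-CHAP v2 runs directly
    # over the tunnel setup, so a captured handshake is enough to attack it.
    $profiles | Where-Object { $_.TunnelType -eq 'Pptp' } | ForEach-Object {
        Write-Warning ("VPN profile '{0}' to {1} uses PPTP; MS-CHAP v2 is unencapsulated here." -f `
            $_.Name, $_.ServerAddress)
        $_
    }
}

function New-SstpVpnProfile {
    param(
        [Parameter(Mandatory)] [string] $Name,           # placeholder profile name
        [Parameter(Mandatory)] [string] $ServerAddress   # placeholder VPN gateway
    )

    # SSTP wraps the whole PPP exchange, MS-CHAP v2 included, in TLS, which is
    # one of the tunnel types the advisory recommends. EncryptionLevel Required
    # refuses to connect if the data channel would be unencrypted.
    Add-VpnConnection -Name $Name `
        -ServerAddress $ServerAddress `
        -TunnelType Sstp `
        -AuthenticationMethod MSChapv2 `
        -EncryptionLevel Required `
        -Force -PassThru
}

# Usage: list offending profiles, then stand up the hardened replacement.
$pptp = Find-PptpVpnProfile
$new  = New-SstpVpnProfile -Name 'Corp VPN (SSTP)' -ServerAddress 'vpn.example.com'

# Only retire the PPTP profiles once the SSTP profile has been tested;
# removal is left as an explicit, separate step for that reason.
# $pptp | ForEach-Object { Remove-VpnConnection -Name $_.Name -Force }
```

The audit half is the part worth scheduling: a PPTP profile that reappears (for example through an old connection script) reintroduces the exposed handshake even after the hardened profile exists, so re-running `Find-PptpVpnProfile` periodically is a cheap detection control.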