

A post within the "straight to the meat" category :



There was a talk at Defcon 20 entitled "Defeating PPTP VPNs and WPA2 Enterprise with MS-CHAPv2", by Moxie and David Hulton - the talk announced the implementation of a tool that reduced the security of MS-CHAPv2 to the strength of a single DES encryption.



This post gives a quick rundown with references on what you need to know, enjoy - Thierry









History :

1999 - Bruce Schneier and Mudge document the vulnerability [2]

2011 - Sogeti releases POC performing the same attack against MS-CHAPv2 [4]

2012 - Defcon Talk detailing the flaw and release of SAAS to crack the key within 23hours [3]







Implications



Access to VPN

Decryption of Traffic

MS-CHAPv2 - Yes

Plain PPTP - Yes

MPPE (Microsoft Point-to-Point Encryption) - Yes

(Microsoft Point-to-Point Encryption) - EAP-PEAPv0 and EAP-TTLS aka "EAP-TLS" as used in WPA-Enterprise - Depends (see "what now")

Microsoft PPTP Implementation does not require the password to be found, the recovery of the hash through the means above it sufficient. [3]

If you use PPTP VPN you should immediately migrate - As Moxie puts it "PPTP traffic should be considered unencrypted"

PPTP VPN you should immediately migrate - As Moxie puts it "PPTP traffic should be considered unencrypted" "Enterprises who are depending on the mutual authentication properties of MS-CHAPv2 for connection to their WPA2 Radius servers should immediately start migrating to something else."



TZO : I believe what Moxie implies here is that if you don't use TLS to authenticate Client to Server and Server to Client (mutual authentication), or at minimum authenticate the server, your setup should be considered vulnerable as well. "Fake AP". [5]

[1] https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/ [2] http://www.schneier.com/paper-pptpv2.html [3] http://erratasec.blogspot.de/2012/07/the-tldr-version-of-moxies-mschapv2.html [4] http://esec-pentest.sogeti.com/challenge-vpn-network/decipher-mppe-breaking-ms-chap-v2 [5] http://revolutionwifi.blogspot.de/2012/07/is-wpa2-security-broken-due-to-defcon.html