ChapCrack tunnel exploit prompts Microsoft configuration warning

Microsoft pushes PEAP glove for MS-CHAPv2 handshake weaknesses.
By Liam Tung (CSO Online (Australia)), 21 August, 2012 13:18

Microsoft has advised customers using its MS-CHAP v2 authentication protocol for Point-to-Point Tunnelling Protocol (PPTP) VPNs to implement additional protections nearly a month after researchers released an exploit tool to quickly crack credentials handled in the process.

Security and privacy researcher Moxie Marlinspike released the tool ChapCrack after his demonstration at last month’s Defcon conference in an attempt to nudge “hundreds” of VPN services, including The Pirate Bay’s iPredator, off PPTP, which commonly uses MS-CHAP v2. He noted that the protocol is also widely employed in enterprise wireless networks that use WPA2.

ChapCrack can be used to strip out relevant credentials from a captured MS-CHAPv2 handshake between two machines. The tool creates a token that can be sent to CloudCracker, an online password cracking tool created by Marlinspike, which was integrated with a “DES cracking box” by Pico Computing to accelerate the process.

Combined, the tools allow anyone who can capture MS-CHAPv2 handshake packets to crack credentials in under a day.

Marlinspike urged VPN providers and enterprises to “immediately start migrating” to something else and warned that PPTP “should be considered unencrypted”.

Microsoft, like Marlinspike, notes in its advisory that the tools exploit weaknesses in MS-CHAP v2 that were already publicly known.

One option is to move to a more secure VPN, but Microsoft urges customers to consider its existing advice to implement Protected Extensible Authentication Protocol (PEAP) in their networks. PEAP wraps the MS-CHAPv2 authentication traffic in the cryptographic protocol Transport Layer Security (TLS).

Although the PEAP option may be less secure than migrating to a different VPN protocol, it may require fewer configuration changes to the affected environment, according to Microsoft.
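To make the PEAP option concrete, here is an added example configuration (not from the article, Microsoft’s advisory or any vendor documentation): a wpa_supplicant network block for a WPA2-Enterprise network that carries MS-CHAPv2 inside PEAP. The SSID, user identity, CA certificate path and RADIUS server name are placeholders. The detail a practitioner should check is that the TLS wrapper only protects the inner MS-CHAPv2 exchange if the client validates the authentication server’s certificate; with `ca_cert` and the server-name match omitted, the client will complete the inner handshake with whichever server terminates the TLS session, and the protection described above is lost.

```conf
# wpa_supplicant.conf fragment (constructed example, not from the article).
# Both blocks authenticate with MS-CHAPv2 inside PEAP; only the second one
# actually benefits from the TLS wrapper.

# Weak: no CA certificate and no server-name check. The supplicant accepts
# any certificate, so the inner MS-CHAPv2 handshake is exposed to whatever
# authentication server happens to terminate the TLS session.
network={
    ssid="corp-wifi-example"           # placeholder SSID
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe@example.com"        # placeholder user
    password="placeholder-password"
    phase2="auth=MSCHAPV2"
    priority=0
    disabled=1                         # kept only for comparison
}

# Hardened: pin the issuing CA and require the RADIUS server's name in the
# certificate's subjectAltName, so TLS can only terminate at the real server.
network={
    ssid="corp-wifi-example"
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous@example.com"   # keep the real identity inside TLS
    identity="jdoe@example.com"
    password="placeholder-password"
    ca_cert="/etc/wpa_supplicant/corp-ca.pem"    # placeholder path to the internal CA
    altsubject_match="DNS:radius.example.com"    # placeholder RADIUS server name
    phase1="peapver=0"
    phase2="auth=MSCHAPV2"
    priority=10
}
```

Running wpa_supplicant with `-d` shows in its debug output whether the server certificate was accepted or rejected, which is the quickest way to confirm the hardened block is really validating the server. The same principle applies to the Windows PEAP client, where the “Validate server certificate” setting and the list of trusted root CAs play the role of `ca_cert` and `altsubject_match` here.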

Microsoft said it was not aware of active attacks that use Marlinspike’s tools but was actively monitoring the situation.

Shortly after Marlinspike’s demonstration, iPredator announced it would accelerate its plans to make OpenVPN and L2TP/IPsec available.


I’m dating myself, but I remember when holiday shopping involved pouring through ads in the Sunday paper, placing actual phone calls from tethered land lines to research product stock and availability, and actually driving places to pick things up. Now, holiday shoppers can do all of that from a smartphone or tablet in a few seconds, but there are some security pitfalls to be aware of.