ChapCrack tunnel exploit prompts Microsoft configuration warning

Microsoft pushes PEAP glove for MS-CHAPv2 handshake weaknesses.
  • Liam Tung (CSO Online)
  • 21 August, 2012 13:18

Microsoft has advised customers using its MS-CHAP v2 authentication protocol for Point-to-Point Tunnelling Protocol (PPTP) VPNs to implement additional protections nearly a month after researchers released an exploit tool to quickly crack credentials handled in the process.

Security and privacy researcher Moxie Marlinspike released the tool ChapCrack after his demonstration at last month’s Defcon conference in an attempt to nudge “hundreds” of VPN services, including The Pirate Bay’s iPredator, off PPTP, which commonly uses MS-CHAP v2. He noted that it was also employed widely in enterprise wireless networks that use WPA2.

ChapCrack can be used to strip out relevant credentials from a captured MS-CHAPv2 handshake between two machines. The tool creates a token that can be sent to CloudCracker, an online password cracking tool created by Marlinspike, which was integrated with a “DES cracking box” by Pico Computing to accelerate the process.

Combined, the tools allow anyone who can capture MS-CHAPv2 handshake packets to crack credentials in under a day.

Marlinspike urged VPN providers and enterprises to “immediately start migrating” to something else and warned that PPTP “should be considered unencrypted”.

Microsoft, like Marlinspike, notes in its advisory that the exploit code was published for known weaknesses.

One option is to move to a more secure VPN, but Microsoft urges customers to consider its existing advice to implement PEAP (Protected Extensible Authentication Protocol) in their networks. PEAP wraps MS-CHAPv2 authentication traffic in the cryptographic protocol Transport Layer Security (TLS).

Although the PEAP option may be less secure than moving to a different VPN, it may require fewer configuration changes to the affected environment, according to Microsoft.
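Before either migration path can be followed, an organisation has to know where PPTP is still in use. The following script is an added example, not part of the CSO article or of any Microsoft or Marlinspike tooling: it scans constructed flow records for the two signs of a PPTP session, a TCP control connection on port 1723 and GRE (IP protocol 47) carrying the tunnelled PPP traffic, and reports the host pairs a defender should schedule for migration. The record format and the sample addresses are assumptions made up for the example.

```python
# Added example: inventory PPTP use from flow records so the hosts still
# relying on MS-CHAPv2 over PPTP can be migrated to PEAP or another VPN.
# PPTP = TCP/1723 control channel + GRE (IP protocol 47) data channel.
from collections import defaultdict

PPTP_CONTROL_PORT = 1723
GRE_PROTOCOL = 47
TCP_PROTOCOL = 6

# Constructed sample records (not from a real network); one flow per line:
# "<src_ip> <dst_ip> <ip_proto> <dst_port> <bytes>"
SAMPLE_FLOWS = """\
10.0.0.5 203.0.113.10 6 1723 1200
10.0.0.5 203.0.113.10 47 0 98000
10.0.0.7 203.0.113.10 6 443 3000
10.0.0.9 203.0.113.20 47 0 500
10.0.0.11 203.0.113.30 6 1723 300
"""


def parse_flows(text):
    """Parse the assumed whitespace-separated format into tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, dport, nbytes = line.split()
        flows.append((src, dst, int(proto), int(dport), int(nbytes)))
    return flows


def find_pptp_sessions(flows):
    """Map each (src, dst) pair to which PPTP components were observed."""
    seen = defaultdict(lambda: {"control": False, "gre": False, "bytes": 0})
    for src, dst, proto, dport, nbytes in flows:
        if proto == TCP_PROTOCOL and dport == PPTP_CONTROL_PORT:
            seen[(src, dst)]["control"] = True
            seen[(src, dst)]["bytes"] += nbytes
        elif proto == GRE_PROTOCOL:
            seen[(src, dst)]["gre"] = True
            seen[(src, dst)]["bytes"] += nbytes
    return dict(seen)


def classify(sessions):
    """'pptp' when control and GRE both seen; 'suspect' when only one was.
    GRE alone may be another tunnel type, so it is flagged for review only."""
    return {
        pair: "pptp" if s["control"] and s["gre"] else "suspect"
        for pair, s in sessions.items()
    }


def pptp_report(text=SAMPLE_FLOWS):
    """Convenience wrapper: parse, correlate and classify in one call."""
    return classify(find_pptp_sessions(parse_flows(text)))


if __name__ == "__main__":
    for (src, dst), label in sorted(pptp_report().items()):
        print(f"{src} -> {dst}: {label}")
```

Run against real exports, the same correlation works on any flow source that records IP protocol and destination port; pairs labelled "pptp" are confirmed PPTP users, while "suspect" pairs need a look at the GRE traffic before being counted.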

Microsoft said it was not aware of active attacks that use Marlinspike’s tools but was actively monitoring the situation.

Shortly after Marlinspike’s demonstration, iPredator announced it would accelerate its aim to make OpenVPN and L2TP/IPsec available.
