Monday, July 30, 2012

The tl;dr version of Moxie's MSCHAPv2

I couldn't figure out what the deal is with Moxie's MSCHAPv2 talk, as cracking the challenge/response for weak passwords has been known for the last decade. In addition, the press has enormously hyped this talk beyond any reasonable degree.

But here's the deal: because MSCHAPv2 uses 56-bit DES, it can recover the original password hash in 23-hours of FPGA cracking time, and as everyone knows, having the hash is almost as good as having the original password when hacking Microsoft products. In particular, knowing the hash means you can decrypt the entire captured PPTP VPN session, meaning it's essentially obfuscated but not encrypted.

Like so many other presentations, I guess we sorta already knew this, but it takes somebody pointing it out and demonstrating it with code to wake everyone up to the fact.

What this means is that Microsoft's PPP VPN should now be considered totally broken. Anybody can sniff the challenge-response on the wire, crack it and obtain the hash, then use the hash to login themselves even if they don't know the password. Likewise EAP-MSCHCAPv2 (popular enterprise WPA2 scheme) is broken, and PEAP-MSCHAPv2 should also be considered broken when used without client-side TLS validation of the server (like how "DefconSecure" network used PEAP, although Moxie's tool isn't built specifically to deal with that example yet).

To repeat: we already could hack you if you chose a weak password (for PPP/EAP), but now we can hack you no matter how strong your password (for PPP/EAP).

FAQ: Can I do this with John-the-Ripper or Hashcat or some other GPU accelerated program?
Answer: No. These can be updated to attack (weak) passwords, but they would need to be about 500 times faster to crack DES in one day. You need FPGAs (or chips) to do it.


Anonymous said...

When you say that this breaks PEAP, are you referring to the MiTM attacks (fake AP) on clients that don't properly validate the server certificate, or am i missing something here?

Robert Graham said...

Yea, precisely. PEAP-MSCHAPv2 as used by DefconSecure should easily be broken the same way. The Aruba devices might kick off rogue access points on the same channel, but you should be able to setup rogue access-points on different channels, or put them in the hotel far enough away from defcon as not to be picked up by the Aruba devices (up in your room, near the entrance, etc.).