New Moxie Marlinspike Tool Cracks Crypto Passwords

Gunkerty Jeb writes "Moxie Marlinspike, the security and privacy researcher known for his SSLStrip, Convergence and RedPhone tools, has released a new tool that can crack passwords used for some VPNs and wireless networks that rely on encryption using Microsoft's MS-CHAPv2 protocol. Marlinspike discussed the tool during a talk at DEF CON over the weekend, and it is available for download."

I know he's brilliant

[winkydink]

but whenever I read his name, my mind keeps wandering to Stephen R. Donaldson novels and off the point he's trying to make.

Re:I know he's brilliant

Are you trying to say Moxie is a leper with a magic ring?

Re:I know he's brilliant

Did the magic ring cause the leprosy, or why didn't it cure it? I try to treat all security "researchers" as lepers.

Re:I know he's brilliant

The ring was only magic when the asshole was in the other world, and when he was there, he didn't have leprosy.

Re:I know he's brilliant

I say, Moxie is a most unusual beverage. The taste of fermented peppermint is quite unique among colas. The only thing like it, I hear, is a beverage called "Jägermeister".

Re:I know he's brilliant

[John+Bokma]

I think GP refers to the Gap series. Some names from that series: Angus Thermopyle, Orn Vorbuld, Milos Taverner. If you like dark SF, highly recommended. Some parts gave me the same feelings as "Alien".

Re:I know he's brilliant

[EdIII]

I just keeping thinking it is a Ubuntu release

I admire this guy

He really seems down-to-earth and balanced, and all the stuff he's done have been spot-on so far.

Re:I admire this guy

[Penurious+Penguin]

If I remember correctly, he also developed Google-Sharing, a firefox extension to garble the data google collects on its users. Basically, all users with the extension share their tracks, which are fed to google to help confuse it. Futile, perhaps, but a great idea and an important concept no doubt. I dig the guy too.

Re:I admire this guy

[bill_mcgonigle]

but a great idea and an important concept no doubt

we used to do that with supermarket loyalty cards. Nice!

Good Grief.

So... It's OK for Marlinspike to build these tools so people can crack passwords that don't belong to them... But of course Marlinspike himself demands privacy and security for himself...

Re:Good Grief.

[dark12222000]

Because surely if he didn't build them, nobody else ever would. The entire point is that he makes the vulnerabilities known, posts them publicly, and often (if not always) gives the manufacturer a chance to correct the issue FIRST.

Re:Good Grief.

[zlives]

is MSCHAPV2 actually used by people?

Re:Good Grief.

is MSCHAPV2 actually used by people?

Back when I was in university the library used it to identify students. After connecting to the library VPN, you had access to the library resources (mostly journals) from off-campus IP addresses.

It was secure enough for that purpose.

Re:Good Grief.

Way to miss the fucking point.

Re:Good Grief.

Let's just put it this way: We're a major phone services provider (think interactive voice service, not networks) in Europe and our VPN only supports MSCHAPv2.

Re:Good Grief.

Oh get your mind out of the gutter, I just want to test security on my own network. Lol, I watch my kids computers anytime I want too. That's just what kind of guy I am. You gonna start pissin an wailin about security? Maybe you'd like to just wait around till someone DOES compromise your system, or your bosses system, or your customers, your banks..... Does the fact that these tools exist within your grasp in order to fix your pissant security escape you? Maybe you just expect everyone to lay around with lubed sphincters because you do.
Got a problem with Marlinspike having a private life? He's out there saving your dumb ass.

Bets on how many goobers still can't put this picture together?

so what?

[jehan60188]

not trying to be brash, or curt or whatever, but can someone explain the larger implications?

what does this mean for me (the average non-very-savvy-when-it-comes-to-security person)?
should I stop using tor (is tor pptp?)?
should I stop using vpn, or wpa wireless networks?

this actually doesn't seem that interesting, I mean, if you use a cloud-based cracker, couldn't you have submitted the wpa handshake there already?

Re:so what?

[BagOBones]

PPTP is a type of VPN still used by some companies and included with windows...
MS-CHAPv2 is the default / most common authentication option when using PPTP with windows. Thus organizations still using PPTP for remote access may be at risk.

Re:so what?

[characterZer0]

PPTP using EAP-TLS is still okay, right?

Re:so what?

If I understand it correctly, one implication is that if you:

1. use Micrsoft Windows' built-in VPN client (Network Connections -> Connect to...)
2. to connect to Microsoft Windows' built-in VPN server ("Remote Access")
3. and someone snifs your traffic (like on a public Starbucks hot-spot)

then they can decrypt that VPN traffic.

One would assume that usage of Microsoft's built-in stuff is pretty prevalent, so the implications of this are pretty big.

Re:so what?

[Amouth]

yes this is a CHAP issue

Re:so what?

[Sir_Sri]

One would assume that usage of Microsoft's built-in stuff is pretty prevalent, so the implications of this are pretty big.

so too then is it relatively easy to replace, with a windows update rollout.

Re:so what?

[skids]

For VPN use IPSEC, not PPTP, either with certificate-based outer tunnel, or with an outer tunnel using a PSK that you trust will not be compromised. The latter is near impossible in enterprise setups, so the certificate approach is superior, albeit harder to administer.

WPA2-PSK is insecure due to a separate issue entirely (see Firesheep).

For WPA2-Enterprise the MSCHAPv2 session is usually wrapped in a PEAP (SSL) session. This should be safe as long as your client is configured to validate the server-side certificate only against CAs that are not likely to be compromised (i.e. a rougue cert generated). Preferably, one should also validate the certificate's subject (usually the name of the RADIUS server). If this is not the case (and Apple makes this particularly hard, especially on the new Lion setup that requires an 802.1x profile generated by a Lion Server installation) then an MITM attack is possible, where someone pretends to be your AP+RADIUS, and since your client does not check the certificate they offer, it will happily start the MSCHAPv2 session with them, at which point the exchange becomes vulnerable to attempts to hijack it.

WPA2 using EAP-TLS with certificates is safe, but does not offer the ability to check user passwords, so it is usually only favored by institutions that do not worry too much about stolen equipment. (Given that everyone seems happy to let the OS remember their passwords, however, the added benefits of the password becomes dubious.) WPA2 with EAP-TTLS should be unaffected by any of this. The precautions about validating server certs remain relevant, however.

It is possible to configure WPA2-Enterprise with just a raw MSCHAPv2 exchange and no protective PEAP wrapper around it. That would be what the OP's tool is for. It would also be completely insane, and given many native clients do not support that, rather a lot of effort to invest in being insane.

Re:so what?

I was there and the most serious implication is that once someone cracks this THEY RECOVER THE USER'S USERNAME AND PASSWORD IN PLAIN TEXT.
If this is a Windows Domain credential (which a very common use case would dictate) then you now pwn that user and can access anything else that their username and password give you access to on a corporate network. Use your imagination here...

Re:so what?

Why won't someone think of the TPS reports?!

Re:so what?

[Amouth]

if it was only reading the VPN traffic i wouldn't be worried about it so much. the larger implication is that it derives the user credentials.

having on the session traffic leaves it open to only momentary chance that the person would get some juicy data.. but having the user credentials allows for far more issues.

Re:so what?

[GSloop]

WPA2-PSK is insecure due to a separate issue entirely (see Firesheep).

Citation needed.

---
Not to be harsh, but WPA2-PSK has NOTHING to do with firesheep. JUST NOTHING.

Firesheep is a takover of a non SSL wrapped session. So, someone on a non-switched ethernet network can take-over a session. Same is true for any shared medium network, like wireless.However, since WPA2 uses weak individual session encryption you can perhaps determine the PWMK and then sniff all other sessions.

But to determine the PWMK you need the PSK to start with. This doesn't mean that the whole WPA2-PSK is broken.
It does mean individual session security is bad if you already know the PSK.

If you don't have the PSK, I'm not aware of any non-brute force method of hacking WPA2-PSK, especially AES. [There are some cases where you can inject packets in a TKIP encrypted session.]

So, I guess I think your claim that WPA2-PSK is broken requires a citation.

Re:so what?

[GSloop]

To amplify that:

If the attacker already knows the PSK, then your whole network is screwed and individual session security, while important, becomes far less important.

So, yes, individual sessions are important - but this really isn't any/much different than ARP poisoning on a switched network. You shouldn't rely on such methods for real security.

However, for small networks - ergo home/small business networks - using WPA2-PSK is perfectly fine - just be careful who you share the key with, just like you'll be careful who you let plug into your ethernet switch.

PSK isn't very appropriate for larger more sophisticated networks with more complicated security issues.

Re:so what?

[skids]

I'm sorry, for some reason I misremembered that the Tews/Beck WPA-PSK cracking material had been integrated with Firesheep. I was thinking of the latter.

Re:so what?

[yuhong]

Not plain text, it is actually a MD4 hash. Not that it matters much, as it can then be passed directly to most Windows network protocols as the password, as the hashing is done on the client side.

Part of a 3-pronged effort.

[Impy+the+Impiuos+Imp]

Wouldn't it be faster to use use the backdoor Microsoft built in for the government in exchange for backing off lawsuits?

this is the same

[nimbius]

poor guy who is actually more well renound for deciding to help wikileaks and spending most of his 2010 travel itinerary detained and threatened by customs agents.

for me, he falls somewhere between hero and legend. im certain for the government he falls somewhere between drone strike and gulag.

Re:this is the same

[Sulphur]

poor guy who is actually more well renound for deciding to help wikileaks and spending most of his 2010 travel itinerary detained and threatened by customs agents.

for me, he falls somewhere between hero and legend. im certain for the government he falls somewhere between drone strike and gulag.

Are the Russians interested, or do you mean Guantanamo?

Re:this is the same

[Bob+the+Super+Hamste]

Are the Russians interested, or do you mean Guantanamo?

Yes.

It's the only solution...

[SternisheFan]

Build a better lock, someone will learn to open it, That's it then. Time for everybody in the world to go on the honor system! (And NO crossing your fingers/toes.)

Nice hack, but...

[aaronb1138]

DES has been well known for vulnerabilities for some time. I don't know of many businesses using MS PPTP for remote VPN because it is usually cheaper and easier to just purchase licenses from their firewall / gateway vendor. Certainly no company with strong crypto needs such as HIPAA, PCI, and similar compliance are using anything but dedicated VPN appliances with AES or similar based encryption. Heck, most of those have moved to 2-factor authentication and are using at least TLS 1.0 / SSL 3.0 at layer 4.

Re:Nice hack, but...

Yeah, this comes off with all the wow factor of defeating the copy protection on the C64 version of Elite.

Re:Nice hack, but...

Actually, lots of companies still use MS PPTP precisely because it's cheaper and easier than the alternatives. MS PPTP server is built into RRAS, so it's free, and the client is built into every version of Windows since XP.

Re:Nice hack, but...

The only real problem DES has is its 56bit key. Its structure is extremely sound and unbroken so far.
Had the NSA not insisted on changing the original key length of 128bit down to 56bit it would still be unbroken.
Besides, Triple-DES or DES-X give you an effective key length of 112 bit. Their main problem is runtime since DES is slow.

Re:Nice hack, but...

I still have that corrugated clear plastic lens,... somewhere.....

Re:Nice hack, but...

[swb]

I've worked with more than one company that has wanted to actually return to using PPTP after bad experiences with IPSec client VPNs.

It's typically because the client software blows or isn't available on their platform or hasn't been updated for an OS rev change (we saw this with Vista/Win7).

Most of these were small shops that couldn't afford the freight on a dedicated VPN setup and were stuck with whatever their firewall would do. Cisco's IPSec implementation seems widely supported, but you have to be willing to pay for it, otherwise the next best choice if you have a weird platform is PPTP.

I wish there was a vendor-neutral SSL VPN implementation, but they all do it differently.

Re:Nice hack, but...

[Eskarel]

I've had great success with shrewsoft Has worked for me with a few different VPN vendors and it's available in 32 and 64 bit for a bunch of platforms. Works better for me than the CISCO client.

Re:Nice hack, but...

[aaronb1138]

Odd, I've used Shrewsoft on a few vendor's firewalls and run into all manner of incompatibilities. I suppose once you figure out all the quirks for a given device, you would be solid to deploy elsewhere.

On the small scale, I would probably opt for an OpenVPN setup, perhaps on a VM hosted on the base server for insulation. It's easier to setup a fresh server and client than shrewsoft's client in my experience.

Moxie Marlinspike

[MyLongNickName]

I read the headline and wondered why a crack was released for Ubuntu only and such an old version...

Re:Moxie Marlinspike

[stanlyb]

Because, the newest ones are a joke. Literally.

what wait ?

[fluffythedestroyer]

I have to send my handshake file on that website ? Isn't that unsecure ? The website owner could keep the data and do whatever he wants with it ?

where are the news

that can crack passwords (...) that rely on encryption using Microsoft's MS-CHAPv2 protocol.

everybody knows Microsoft isn't know for their good security. In fact, they are known for they half assed protocols and pseudo security.

Re:where are the news

But their grammar is usually good.

Re:where are the news

Haven't read a technet post in a while, have you?

Sunlight is the best disinfectant

I know that security people who build these things get vexed whenever a vulnerability is posted in the wild along with a cracking mechanism, but so often in the past we have seen security researchers have the cops called on them for notifying companies in advance (as if they were a shakedown racket demanding money). And its either that, or they ignore the vulnerability researcher till the 'post in the wild'. Better to post right away, get it out in the open, and move on. Many companies behave identically to the political right: they have no prescience. They can get a million warnings about a potential problem and will cheerfully ignore it. When it comes down on them like a ton of bricks, then they yelp and cry out. Its stupid, but they always go for the pound of cure (often costing millions) rather than the ounce of prevention (costing pennies).

Re:Sunlight is the best disinfectant

[TheCarp]

Very true (also true about sunlight being a great disinfectant, at least, if you are not trying to use it through UV blocking glass :)

I remember, what a decade ago? It used to be different. You used to see anouncements that said "This vulnerability was given to so and so on date X, they worked out a patch, now here is the full vulnerability". Or "This was sent on X date, it was ignored, They ignored several warnings, here it is".

Sure sometimes someone just released a vulnerability without any of this diligence, but, it was frowned upon except in very specific circumstances (active use "in the wild" already, for example).

Then... a few years ago we had talks quashed, papers hushed up, researchers sued...

A few too many messengers get shot...and now look where we are...

Who uses MS-CHAPv2?

[D3]

I was there and he answered this in his talk. There were hundreds of VPN services that still supported using it. He pointed out that iPredator (VPN service for the Pirate Bay) ONLY supports MS-CHAPv2. The ubiquity of use and support has created a loop where people keep using it (another point of his talk).

Re:Who uses MS-CHAPv2?

I don't understand what the big deal is? Just don't use DES.

Was this a good thing?

[man_ls]

Moxie, who I'd say has made massive contributions to personal security with his "positive" security tools (WhisperCore, RedPhone, TextSecure, etc.) has just released a tool which effectively eliminates common security measures people have previously been taking, rendering them open to attack. Not just enterprises or nation-states, but Joe Laptopper at the neighborhood Starbucks.

This isn't a new issue, certainly, but the likelihood of being attacked at the neighborhood coffee shop's WiFi was indistinguishable from zero. Now there's an off the shelf tool and cloud service made specifically to break through the security people have been using. This means that even someone who was doing security "correctly" (i.e. using a VPN on a public wifi network) is now at risk from having credentials stolen over the wire.

Other than giving Microsoft the finger, this doesn't seem like it's contributing much to the discourse. I'm disappointed in Moxie, he's placed a whole lot of people at risk just to say he could.

Re:Was this a good thing?

Initially, I thought the same.

Then I realized that if he's developed a crack for DES, who's to say he's the first? Any organization with access to enough computing power could have already been doing this.

It's an inconvenience yes, but rather that than falsely thinking your safe.

Re:Was this a good thing?

You do realise that DES has been broken by brute-force since the middle of the 90s, right?

Re:Was this a good thing?

[Hal_Porter]

This cartoon explains his reasoning better

http://www.adequacy.org/stories/2001.12.21.195051.13.html

Re:Was this a good thing?

[triffid_98]

This isn't a new issue, certainly, but the likelihood of being attacked at the neighborhood coffee shop's WiFi was indistinguishable from zero. Now there's an off the shelf tool and cloud service made specifically to break through the security people have been using. This means that even someone who was doing security "correctly" (i.e. using a VPN on a public wifi network) is now at risk from having credentials stolen over the wire.

Other than giving Microsoft the finger, this doesn't seem like it's contributing much to the discourse. I'm disappointed in Moxie, he's placed a whole lot of people at risk just to say he could.

I disagree. The ONLY way this is going to get fixed is with that kind of exposure. Unfortunately many companies don't seem to care very much about security until it starts costing them money or becomes public knowledge.

Also increasing key lengths is really just a band-aid anyway. It makes cracking slower of course, but with FPGA/GPU boxes they're still vulnerable until you start getting into fairly large key lengths. The things you want in a good public/private encryption scheme are to make the algorithm memory expensive and difficult to parallelize. Blowfish and SCrypt are both good examples of this.

In that scenario even with a complete network breach you're still not going to be able to do much with the data.

What deoes it mean?

[networkconsultant]

When using DES or a similar broken algorithm to secure communications you subject yourself to the the weaknesses of that algorithm. DES has been broken since the advent of the Core 2 from Intel or the FX series from AMD. Basically as Moore's Law pushes computing power ever further it also obsoletes weaker encryption algorithms. This is true for all crypto systems that are based on the use of the Discrete Logarithim Problem; It's based on the fact that it's difficult to compute large prime numbers. (ie; NP-Hard) now I'm generalizing here; 56-bit DES is a BAD idea; where possible when implmenting WPA2 use 128-bit AES (at a minimum) and use mutual 802.1x based certificates and a Full PKI for both the user and system accounts and preferably use secure tokens for their certs as well. What this means for you as a user? Well fire up wireshark / backtrack on your WiFi and submit your PCAP of a MS-CHAP handshake to find out; if it's insecure his tool will verify that notion; if it's secure his tool will tell you that you have chosen well.

Cost?

[bill_mcgonigle]

OK, so what does it cost to buy 12-24 hrs of time on this FPGA set? Their dictionary attack service is $17/20 minutes on commodity hardware. At that rate this attack would cost $25K and I care much less about it than if the attack costs $25.

Re:Cost?

$25K?

From the article:
Worse case ~23 hours.
Assuming $17 per 20 minutes.
(17*3)*23 = 1173

$1173 for a crack? Depends on how badly someone wants to see whats on your network I guess.

Re:Cost?

[yuhong]

$200 was the price I saw in most report.

Re:Cost?

[bill_mcgonigle]

Assuming $17 per 20 minutes.

That's the trick - is the special purpose built hardware being rented out at the same rate as the commodity hardware (which is much less scarce)?

eduroam security?

Does is mean that all the eduroam (WiFi in universities) connections are to be considered unsafe? Eduroam uses PEAP and EAP-MSCHAP v2 for logins. Thanks!

Re:eduroam security?

[skids]

Those eduroam sites that use MSCHAPv2 use PEAP-MSCHAPv2. You have to crack the PEAP before you can crack the MSCHAPv2.

Also, EAP_TTLS is allowed on eduroam -- as long as the clients are configured to match their home servers, eduroam can support multiple authentication schemes. The security is end-to-end between you and your home institution (for the authentication, that is, there is no security other than the over-the-air encryption for your data, so still use https and SSL on clients wherever possible.) Do note, however, that in the case of eduroam you are expecting the SSID to show up just about anywhere, so it is doubly important for the security conscious to validate the home server's cert against only the CA you know it should be coming from, and to validate its subject. Which, of course, you cannot do on phones these days, even android.

Needing PEAP-TLS-MSCHAPv2

[jroysdon]

Having just implemented a PEAP-TLS (mutual-certificate based authentication), I can say that what I really want is a combination PEAP-TLS-MSCHAPv2 solution (which doesn't exist to my knowledge). I want mutual-certificate authentication (proving a "Corporate Issue" device which has a typical-end-user non-exportable private key is in use, effectively "something you have"', especially on encrypted drives with no user admin-access) wrapping around a MSCHAPv2 authentication of username/password pairs. While certificates can be revoked (and renewed), it's not the same as requring strong user passwords that change semi-frequently.

Re:Needing PEAP-TLS-MSCHAPv2

That sounds great! Actually, I would already be happy having mutual authentication using a preshared secret plus additional user authentication.

Re:Needing PEAP-TLS-MSCHAPv2

[rb12345]

Cisco's VPN client definitely has this in password form, where you have a group user/password plus additional username/password. It also has certificate authentication, but I don't know if it allows certificates to be used in place of passwords while retaining the group+user authentication though. The open-source vpnc client apparently does not support certificate authentication either.

Few notes

Win2k Pro does have a PPTP client too and AFAIK Win98 too.

This affects also those using poptop (poptop.org seems to be uneachable) with Linux.

Also Cisco PIX did support it.
Cisco ASA (os ver > 7.x) doesn't any more.

PPTP is such a simple protocol, basically just additional tcp port for authentication and then PPP over GRE with PPP compression replaced with encryption hack based on DES.

This is not entirely headache of those who had been using Windows RRAS and haven't upgraded more secure systems yet.

Link to his talk

[D3]

https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/