Cryptography specialist Moxie Marlinspike released tools at Defcon today for easily cracking passwords in wireless and virtual private networks that use a popular encryption protocol based on an algorithm from Microsoft called MS-CHAPv2, news that will no doubt worry many a network administrator.
The tools crack WPA2 (Wi-Fi Protected Access) and VPN passwords used by corporations and organizations running networks that are protected by the PPTP (Point-to-Point Tunneling Protocol), which uses MS-CHAPv2 for authentication.
ChapCrack captures the MS-CHAPv2 handshakes, or SSL (Secure Sockets Layer) negotiation communications, and converts them to a token that can be submitted to CloudCracker.
It takes less than a day for the service to return results in the form of another token that is plugged back into ChapCrack where the DES (Data Encryption Standard) keys are cracked. With that data, someone can see all of the information traveling across the Wi-Fi network, including sensitive corporate e-mails and passwords, and use passwords that were revealed to log in to corporate networks.
The tools are designed for penetration testers and network auditors to use to check the security of their WPA2 protected networks and VPNs, but they may well be used by people who want to steal data and get unauthorized access to networks.
The processing is being done on a supercomputer running customized chips created by David Hulton of Pico Computing. It will cost $200 for a crack to go through the whole keyspace and CloudCracker, Marlinspike said.
The PPTP protocol is old and has a poorly designed authentication handshake in MS-CHAPv2, he said. "We found we can reduce the security of the protocol to a single DES encryption," he added in an interview after his talk.
Despite the technology being outdated and broken, it is used on a huge number of enterprise networks, including those with Windows XP-based computers. The PPTP protocol remains popular because Windows XP and other operating systems support it, and operating systems continue to support it because so many organizations are using it, Marlinspike said. "We're hoping that by doing this we can break out of the [expletive] cycle," he added.
Asked for comment, Yunsun Wee, director of Microsoft Trustworthy Computing, provided this statement: "We are actively investigating the issue and will take the necessary steps to help protect customers."Updated July 30 at 1:47 p.m. PT with Microsoft comment.