A post within the "straight to the meat" category :

There was a talk at Defcon 20 entitled "Defeating PPTP VPNs and WPA2 Enterprise with MS-CHAPv2", by Moxie and David Hulton - the talk announced the implementation of a tool that reduced the security of MS-CHAPv2 to the strength of a single DES encryption.

This post gives a quick rundown with references on what you need to know, enjoy - Thierry

History :
1999 - Bruce Schneier and Mudge document the vulnerability [2]
2011 - Sogeti releases a PoC performing the same attack against MS-CHAPv2 [4]
2012 - Defcon talk detailing the flaw and release of a SaaS to crack the key within 23 hours [3]

Impact :
  • Access to VPN
  • Decryption of Traffic
Vulnerable Protocols :
  • MS-CHAPv2 - Yes
  • Plain PPTP - Yes
  • MPPE (Microsoft Point-to-Point Encryption) - Yes
  • EAP-PEAPv0 and EAP-TTLS aka "EAP-TLS" as used in WPA-Enterprise - Depends (see "what now")
Interesting Facts :
  • Microsoft's PPTP implementation does not require the password to be found; recovering the hash by the means above is sufficient. [3]
What now [1] :
  • If you use a PPTP VPN you should migrate immediately; as Moxie puts it, "PPTP traffic should be considered unencrypted"
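As an added illustration (not code from the post, nor from the tool the talk describes), the Go program below builds the MS-CHAPv2 NT-Response exactly as RFC 2759 lays it out and shows where the "single DES" reduction and the "hash is enough" remark come from. The NT hash and the 8-byte challenge hash are constructed sample values; in a real exchange the challenge hash is derived from the two challenges and the user name, all of which cross the wire in clear.

```go
package main
import (
	"bytes"
	"crypto/des"
	"encoding/binary"
	"fmt"
)
// Constructed sample values (not from the post): ntHash stands in for MD4 of the
// UTF-16LE password; chal is the public 8-byte challenge hash of RFC 2759 8.2.
var ntHash = []byte{0x8f, 0x3b, 0x12, 0xc4, 0x55, 0xe6, 0x07, 0x98, 0x19, 0x2a, 0xbb, 0x4c, 0xdd, 0x6e, 0x9f, 0x01}
var chal = []byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef}
// desEncrypt: one DES block under a 7-byte key spread over 8 bytes (RFC 2759 8.6).
func desEncrypt(k7, block []byte) []byte {
	acc := binary.BigEndian.Uint64(append([]byte{0}, k7...))
	k8 := make([]byte, 8)
	for i := range k8 { // 7 key bits per byte, parity bit left zero (DES ignores it)
		k8[i] = byte(acc>>uint(49-7*i)) << 1
	}
	c, _ := des.NewCipher(k8) // k8 is always 8 bytes, so no error is possible
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out
}

// ntResponse (RFC 2759 8.5): the 16-byte hash is zero-padded to 21 bytes and
// split into three 7-byte DES keys that each encrypt the same challenge hash.
func ntResponse(hash, chal []byte) []byte {
	padded := make([]byte, 21)
	copy(padded, hash)
	r := desEncrypt(padded[:7], chal)
	r = append(r, desEncrypt(padded[7:14], chal)...)
	return append(r, desEncrypt(padded[14:], chal)...)
}

// The third key is hash[14:16] plus five zero pad bytes, so 2^16 trials reveal
// it; blocks 1 and 2 leave one 2^56 known-plaintext DES search covering both.
func recoverLastTwoHashBytes(resp, chal []byte) []byte {
	key := make([]byte, 7)
	for v := 0; v < 1<<16; v++ {
		binary.BigEndian.PutUint16(key, uint16(v))
		if bytes.Equal(desEncrypt(key, chal), resp[16:24]) {
			return append([]byte(nil), key[:2]...)
		}
	}
	return nil
}
func main() {
	r := ntResponse(ntHash, chal)
	fmt.Printf("NT-Response %x\nhash[14:16] %x\n", r, recoverLastTwoHashBytes(r, chal))
}
```

Note that the response never depends on the password itself, only on its NT hash, which is why a recovered hash is all the Microsoft implementation needs.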
  • "Enterprises who are depending on the mutual authentication properties of MS-CHAPv2 for connection to their WPA2 Radius servers should immediately start migrating to something else."

    TZO : I believe what Moxie implies here is that if you don't use TLS to authenticate client to server and server to client (mutual authentication), or at minimum authenticate the server, your setup should be considered vulnerable as well ("Fake AP"). [5]
[1] https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/
[2] http://www.schneier.com/paper-pptpv2.html
[3] http://erratasec.blogspot.de/2012/07/the-tldr-version-of-moxies-mschapv2.html
[4] http://esec-pentest.sogeti.com/challenge-vpn-network/decipher-mppe-breaking-ms-chap-v2
[5] http://revolutionwifi.blogspot.de/2012/07/is-wpa2-security-broken-due-to-defcon.html


Sid said... @ 07 August, 2012 16:15

"EAP-PEAPv0 and EAP-TTLS aka "EAP-TLS" as used in WPA-Enterprise"
PEAP and EAP-TTLS are different, but still very similar and obviously impacted if they use MS-CHAPv2 as second authentication without enforcing server side certificate verification in the first place.
On the other hand, EAP-TLS is something different that does not imply MS-CHAPv2 but two-way certificate based authentication.
Cf. http://en.wikipedia.org/wiki/EAP-TTLS#EAP-TLS or http://tools.ietf.org/html/rfc5216

EAP-TTLS said... @ 11 December, 2012 11:33

This type of security assigns a string to an access point or several access points defining a logical segmented wireless network known as a service set identifier (SSID). The client can't associate with an access point unless it is configured with that SSID.