A post within the "straight to the meat" category :

There was a talk at Defcon 20 entitled "Defeating PPTP VPNs and WPA2 Enterprise with MS-CHAPv2", by Moxie and David Hulton - the talk announced the implementation of a tool that reduced the security of MS-CHAPv2 to the strength of a single DES encryption.

This post gives a quick rundown with references on what you need to know, enjoy - Thierry

History :
1999 - Bruce Schneier and Mudge document the vulnerability [2]
2011 - Sogeti releases POC performing the same attack against MS-CHAPv2 [4]
2012 - Defcon Talk detailing the flaw and  release of SAAS to crack the key within 23hours [3]


  • Access to VPN
  • Decryption of  Traffic
Vulnerable Protocols
  • MS-CHAPv2 - Yes
  • Plain PPTP - Yes
  • MPPE (Microsoft Point-to-Point Encryption) - Yes
  • EAP-PEAPv0 and EAP-TTLS aka "EAP-TLS" as used in WPA-Enterprise - Depends (see "what now")
Interesting Facts :
  • Microsoft PPTP Implementation does not require the password to be found, the recovery of the hash through the means above it sufficient. [3]
What now  [1]:
  • If you use PPTP VPN you should immediately migrate - As Moxie puts it "PPTP traffic should be considered unencrypted"
  • "Enterprises who are depending on the mutual authentication properties of MS-CHAPv2 for connection to their WPA2 Radius servers should immediately start migrating to something else."

    TZO : I believe what Moxie implies here is that if you don't use TLS to authenticate Client to Server and Server to Client (mutual authentication), or at minimum authenticate the server, your setup should be considered vulnerable as well. "Fake AP". [5]
[1] https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/
[2] http://www.schneier.com/paper-pptpv2.html
[3] http://erratasec.blogspot.de/2012/07/the-tldr-version-of-moxies-mschapv2.html
[4] http://esec-pentest.sogeti.com/challenge-vpn-network/decipher-mppe-breaking-ms-chap-v2
[5] http://revolutionwifi.blogspot.de/2012/07/is-wpa2-security-broken-due-to-defcon.html


Post a Comment