Hacking PPTP VPNs with ASLEAP
Continuing with the VPN Series, Darren discusses the inherent weaknesses in Microsoft's PPTP authentication protocol, MS-CHAPv2, and demos a Linux tool that exploits these weaknesses.
Continuing on with our VPN series I find it important to highlight the weaknesses in the protocols we have talked about thus far. In my last segment I highlighted a tool that allows an attacker to easily hijack an SSL session using a man-in-the-middle attack. Couple this with Adito (aka OpenVPN-ALS), my favorite open-source SSL VPN server, and you can see the problem.
But what about the basic Microsoft VPN we setup a few weeks back? The VPN servers that we setup on Windows XP and Server 2003 used either active directory or local windows accounts to authenticate users.
And looking back at our discussions on pwdump, rainbow tables and the like you'll remember the inherent weaknesses in Windows account credentials.
There are two ways Windows stores a user's account credentials, or password. LAN Manager hashes which are comprised of watered-down weaksauce and NTLM which are succeptable to time-memory tradeoff attacks.
The default VPN server implemented in Windows XP and Server 2003's Routing and Remote Access service uses Point-To-Point-Tunneling-Protocol. This is convenient because the Windows clients have supported Microsoft PPTP VPN connections natively since 2000, and in Windows 95/98 with Dual Up Networking version 1.3.
As far back at 1999 these weaknesses have been widely known. If you're interested in reading more on the cryptanalysis of MS-CHAPv2 there's a nifty paper written by Bruce Schneier and L0pht that I'll link in the show notes.
And while other options exist such as Radius, this is still the default option for PPTP authentication in Windows environments.
This tool, ASLEAP, was updated in 2007 to include an option to just crack MS-CHAP v2. Either by examining a packet capture that includes a MS-CHAP handshake ASLEAP or specifying an MS-CHAP challenge and response ASLEAP is able to deduce the username and last two bytes of the NT hash. Using this information, and a dictionary file, ASLEAP is able to brute-force the hash.