Episode 612 – Hacking PPTP VPNs with ASLEAP

Updated 2 months, 2 weeks ago

Continuing with the VPN Series, Darren discusses the inherent weaknesses in Microsoft’s PPTP authentication protocol, MS-CHAPv2, and demos a Linux tool that exploits these weaknesses.

Download HD Download MP4 Download XviD Download WMV

Continuing on with our VPN series I find it important to highlight the weaknesses in the protocols we have talked about thus far. In my last segment I highlighted a tool that allows an attacker to easily hijack an SSL session using a man-in-the-middle ...

attack. Couple this with Adito (aka OpenVPN-ALS), my favorite open-source SSL VPN server, and you can see the problem.

But what about the basic Microsoft VPN we setup a few weeks back? The VPN servers that we setup on Windows XP and Server 2003 used either active directory or local windows accounts to authenticate users.

And looking back at our discussions on pwdump, rainbow tables and the like you’ll remember the inherent weaknesses in Windows account credentials.

There are two ways Windows stores a user’s account credentials, or password. LAN Manager hashes which are comprised of watered-down weaksauce and NTLM which are succeptable to time-memory tradeoff attacks.

The default VPN server implemented in Windows XP and Server 2003’s Routing and Remote Access service uses Point-To-Point-Tunneling-Protocol. This is convenient because the Windows clients have supported Microsoft PPTP VPN connections natively since 2000, and in Windows 95/98 with Dual Up Networking version 1.3.

The modern authentication protocol of Microsoft’s PPTP is MS-CHAPv2. This Challenge Handshake Authentication Protocol suffers from inherent weaknesses.

As far back at 1999 these weaknesses have been widely known. If you’re interested in reading more on the cryptanalysis of MS-CHAPv2 there’s a nifty paper written by Bruce Schneier and L0pht that I’ll link in the show notes.

And while other options exist such as Radius, this is still the default option for PPTP authentication in Windows environments.

Joshua Wright, author of coWPAtty (See our segment here), released in 2004 a proof of concept tool to demonstrate weaknesses in LEAP and PPTP protocols.

This tool, ASLEAP, was updated in 2007 to include an option to just crack MS-CHAP v2. Either by examining a packet capture that includes a MS-CHAP handshake ASLEAP or specifying an MS-CHAP challenge and response ASLEAP is able to deduce the username and last two bytes of the NT hash. Using this information, and a dictionary file, ASLEAP is able to brute-force the hash.

PS: Check out Player2Rentals.com.

35 comments on this story

PRO

50% positive

Showing 22 relevant reactions out of 35.

./h43x » Hacking PPTP VPNs with ASLEAP 2 months, 2 weeks ago on Wordpress

[...] all about it at Hak5! var addthis_pub = 'aex'; var addthis_language = 'en';var addthis_options = 'email, favorites, [...]

The TopOfMemory Security Feed » Blog Archive » Episode 614 – Firewall evasion, SSH and virtual appliances! 2 months, 3 weeks ago on Wordpress

[...] episode 612 we demonstrated a tool, asleap, designed to crack MS-CHAPv2, the authentication protocol commonly [...]

Hak5 – Technolust since 2005 » Episode 614 – Firewall evasion, secure tunneling and virtual appliances! 2 months, 3 weeks ago on Wordpress

[...] episode 612 we demonstrated a tool, asleap, designed to crack MS-CHAPv2, the authentication protocol commonly [...]

J. Abdul-Qahhar 3 months ago on Friendfeed

Hak5 – Technolust since 2005 » Episode 612 – Hacking PPTP VPNs with ASLEAP - http://www.hak5.org/episode...

J. Abdul-Qahhar 3 months ago on Friendfeed

"Continuing with the VPN Series, Darren discusses the inherent weaknesses in Microsoft’s PPTP authentication protocol, MS-CHAPv2, and demos a Linux tool that exploits these weaknesses."

Helpful Coward 3 months ago on Wordpress

The -C and -R options of asleap force the program into LEAP mode as seen by lines 1433 and 1448 of asleap.c. One would need to create two new options to check the PPTP challenge/response lengths and then force PPTP mode by setting asleap.pptpchalfound=1 and asleap.pptprespfound=1.

opexxx 3 months ago on Twitter

RT @tweetmeme Hak5 – Technolust since 2005 » Episode 612 – Hacking PPTP VPNs with ASLEAP http://bit.ly/3F9a0M

Henrik 3 months ago on Wordpress

Hei guys!

I can’t find the episode where you introduced cuppy

Could someone help me?

Whould be really appriciated

Gary 3 months ago on Wordpress

Great show as usual!

bleh 3 months ago on Wordpress

^ I agree.

prezza 3 months ago on Wordpress

Dude to much talking and so little doing. Please we dont need to now history just facts and causes. I am sorry but I feel asleep durnig episode 612.

Thx Prezza

butt 3 months ago on Wordpress

Are you going to give us another easter egg hunt any time soon. IMO, letting the audience play a part, rather than just consuming the video, makes a good show. I really liked it when you did that a while ago.

Derek 3 months ago on Wordpress

@Darren – This is why you guys rock. Thanks for responding and keeping us in the loop. Hopefully the new shirts will come in soon so I can support the show a bit. I might even be able to slide a Pineapple purchase past the wife…

Iraklis Athanasakis 3 months ago on Friendfeed

new hak5 episode @ http://www.hak5.org/episode...

Darren Kitchen 3 months ago on Wordpress

@Derek – It’s coming. It’s done in fact, just a matter of recording it. Consider the promo a tease. We’ll have it either 614 or 615.

Also, I Sc00bz on the forums posted some code that would convert the challenge and response into the proper format. I’ve tested it and it works.

http://hak5.org/forums/index.php?showtopic=14755&st=0&gopid=145700

Derek 3 months ago on Wordpress

Per usual, excellent job in explaining the theory behind the potential attack and all, but you guys have been promising us this Linux device segment for several episodes now…

Whats up with that?

Road Warrior VPN.com Blog» Blog Archive » Hack 5 – Hacking PPTP VPNs with ASLEAP 3 months ago on Wordpress

[...] Hack 5 – Episode 612 – Hacking PPTP VPNs with ASLEAP [...]

Tweets that mention Hak5 – Technolust since 2005 » Episode 612 – Hacking PPTP VPNs with ASLEAP -- Topsy.com 3 months ago on Wordpress

[...] This post was mentioned on Twitter by Darren Kitchen, Hak5, Robin, Matthew Johnson, freak_out and others. freak_out said: RT @Hak5 Episode 612 – Hacking PPTP VPNs with ASLEAP – Exploiting Microsoft authentication protocols – http://bit.ly/3F9a0M [...]

ElDiPablo 3 months ago on Wordpress

Awesome show as always. I’m curious to know if you guys have looked at some of Microsoft’s latest VPN technologies? For example SSTP and Direct Access. I just set up a SSTP VPN server for my company, and it seems like M$ finally did a good job in creating a secure VPN. Direct Access seems pretty sound too.

In fact I think SSTP would not be susceptible to the SSLStrip attack. Have ... See all content Hide content

uberVU - social comments 3 months ago on Wordpress

Social comments and analytics for this post…

This post was mentioned on Twitter by Hak5: Episode 612 – Hacking PPTP VPNs with ASLEAP – Exploiting Microsoft authentication protocols – http://bit.ly/3F9a0M…

justinelze 3 months ago on Twitter

@Hak5: Ep 612 - Hacking PPTP VPNs with ASLEAP - Exploiting Microsoft authentication protocols - http://bit.ly/3F9a0M [whatchya think?]

Hak5 3 months ago on Twitter

Episode 612 - Hacking PPTP VPNs with ASLEAP - Exploiting Microsoft authentication protocols - http://bit.ly/3F9a0M

Twitter Facebook

DASHBOARD

PRO
MY KEYWORDS

PRO
- ubervu
- Apple iPhone
- Nexus One
+ Add
ADD
CANCEL
TOOLS & WIDGETS