Almost two days later, we did, in fact, receive an email with the "CloudCracker results", which gave us this rather uninteresting-looking string of characters:
The original estimates were apparently a bit optimistic, since the successful attack took 135,062 seconds, or about 38 hours.
By the way, there is no feasible way to get from this hash value back to the original password. Even for cryptographic hash functions that are now considered to be broken, such as MD4, MD5 and SHA-1, there are no attacks that can, in any practical amount of time, produce data that matches a preset hash value like this one – that is, no practical pre-image attack. All known attacks find collisions, modifying two datasets until they eventually produce the same hash value – but a random value, mind you.
But, in theory, the password itself isn't necessary at all. The only secret component needed to establish a connection via MS-CHAPv2 is the NT hash, which is what we now had. Checking with nthash.py showed that it really was the correct MD4 hash of the PPTP password mentioned above.
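The NT hash is nothing more than an unsalted MD4 over the UTF-16LE encoding of the password, and MS-CHAPv2 derives its DES keys directly from that hash (RFC 2759). The following added example, which is not code from the article or from nthash.py, recomputes an NT hash in pure Python and shows how the protocol pads it to 21 bytes and splits it into three 7-byte DES keys, the structure that Moxie's "Divide and Conquer" analysis relies on; the password "password" and the challenge bytes are constructed sample values.

```python
import hashlib
import struct


def _lrot(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(message: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is disabled on many modern builds."""
    bit_len = (len(message) * 8) & 0xFFFFFFFFFFFFFFFF
    # Pad with 0x80, zeros up to 56 mod 64, then the 64-bit little-endian bit length.
    message += b"\x80" + b"\x00" * ((55 - len(message)) % 64) + struct.pack("<Q", bit_len)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    f1 = lambda x, y, z: (x & y) | (~x & z)
    f2 = lambda x, y, z: (x & y) | (x & z) | (y & z)
    f3 = lambda x, y, z: x ^ y ^ z
    rounds = [
        (f1, list(range(16)), (3, 7, 11, 19), 0),
        (f2, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
        (f3, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    ]
    for off in range(0, len(message), 64):
        x = struct.unpack("<16I", message[off:off + 64])
        a, b, c, d = state
        for func, order, shifts, const in rounds:
            for step, k in enumerate(order):
                a = _lrot((a + func(b, c, d) + x[k] + const) & 0xFFFFFFFF, shifts[step % 4])
                a, b, c, d = d, a, b, c  # rotate registers: ABCD -> DABC -> CDAB -> BCDA
        state = [(s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash: MD4 of the UTF-16LE password. No salt, no iteration, so it is the credential itself."""
    return md4(password.encode("utf-16-le"))


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: bytes) -> bytes:
    """RFC 2759 ChallengeHash: first 8 bytes of SHA-1(PeerChallenge || AuthenticatorChallenge || UserName)."""
    return hashlib.sha1(peer_challenge + auth_challenge + username).digest()[:8]


def mschapv2_des_keys(nt_hash_value: bytes) -> list:
    """RFC 2759 zero-pads the 16-byte NT hash to 21 bytes and uses it as three 7-byte DES keys.
    The third key is two real hash bytes followed by five zero bytes, i.e. only 16 bits of entropy,
    which is why the cited attack recovers the NT hash with a single DES-strength search."""
    padded = nt_hash_value + b"\x00" * 5
    return [padded[i:i + 7] for i in (0, 7, 14)]


if __name__ == "__main__":
    h = nt_hash("password")  # constructed sample password
    print("NT hash:", h.hex())
    print("DES keys:", [k.hex() for k in mschapv2_des_keys(h)])
    print("Challenge hash:", challenge_hash(b"P" * 16, b"A" * 16, b"user").hex())  # constructed challenges
```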
The naive attempt to use it to decode the recorded PPTP traffic as promised in the documentation bumped up against another problem when the script said "Wrote 0 packets" without any further information. Yet another entry in the bug-tracking system was still waiting for a response at the time of writing.
We then tried to use the NT hash to log in to the virtual private network directly. With "apt-get -b source pppd", we installed the sources and quickly found the code in the PPP daemon that carries out MS-CHAPv2 authentication for PPTP. There, we located the spot where the password was hashed, disabled this now unnecessary step with a few small changes to the source code and instead copied the hash value entered as the connection password directly into the buffer. A "make" command delivered a patched version of pppd. The manipulated PPP daemon sent out the following request:
./pppd debug call pptptest updetach pty "pptp 193.99.X.Y --nolaunchpppd"
to which the server promptly responded
CHAP Success id=0x95 "S=941C... M=Access granted"
But what was that?
MS-CHAPv2 mutual authentication failed.
Somehow, the connection didn't seem to be working. After some consideration, we realised that the server identifies itself to the client with a hash created from the challenge and the PPTP password – which is, of course, different from what the client computes, since we had only given it the NT hash instead of the password. We tried another little hack to turn off server authentication, and finally we were in:
local IP address 172.16.10.134
remote IP address 172.16.10.1
VPN access was successfully cracked and we could get to the Heise LAN without any restrictions.
The death knell
It certainly wasn't magic; after all, it took a couple of days of waiting, a bit of elbow grease, a total of three bug reports, and $200. Moxie's CloudCracker is far from polished enough to be a real service, and the fact that credit cards are being charged $200 without any kind of receipt shows that the hackers aren't really thinking about customers.
But as a demo that puts the nail in PPTP and MSCHAPv2's coffin, CloudCracker is a complete success. The level of expertise required is relatively low – the biggest challenge of this test may be getting the accounting department to reimburse us that $200 without a receipt...
Those who are still using PPTP should find an alternative as soon as possible; options include L2TP/IPSec, IPSec with IKEv2 and OpenVPN. The same holds true, by the way, for corporate WLANs using WPA2 with EAP via MSCHAPv2, which can be cracked using the same approach. PEAP, the encrypted variant, puts everything through an SSL tunnel whose security depends on users never accepting a fake certificate – and that can't be guaranteed for companies that use their own self-signed certificates.
- Cloud service cracks VPN passwords in 24 hours, a report from The H.
- Microsoft says don't use PPTP and MS-CHAP, a report from The H.
- Divide and Conquer: Cracking MS-CHAPv2 with a 100% success rate, blog post by Moxie Marlinspike.