pared. To provide mutual authentication, the Peer Authenticator Challenge is sent to the server, where the server concatenates it with the 24-byte response from the client and the string "magic server to client constant". This value is hashed using SHA to produce a 20-byte result, which is then concatenated with the original challenge that was sent to the client and the aforementioned string, padded if necessary to force more than one iteration, and hashed once more with SHA. The result is sent back to the client, where it can be verified. If all values match, the session has been authenticated. While MS-CHAPv2 is much more complicated than MS-CHAPv1, it does very little to add to the security [14].
4.2 Attacks on PPTP
The attacks on PPTP are predominantly attacks on the MS-CHAP authentication. As mentioned above, this is easier to do with the older version of MS-CHAP. In this version, a number of attacks were possible. One of the attacks involved spoofing a message from the server telling the client to change his or her password. If the client did change the active password, the password hashes could be picked up and cracked using a program such as L0phtcrack (http://www.insecure.org/sploits/l0phtcrack.lanman.problems.html). It was also possible for password-cracking utilities like L0phtcrack to take advantage of the fact that the LM hash was being sent along with the NT hash. The LM hash is extremely easy to break and could then be used to crack the NT hash and recover the password. With the password, an attacker could completely spoof the authentication process. Utilities such as anger (http://www.securiteam.com/windowsntfocus/2TUQBR5SAW.html) perform the attack on MS-CHAPv1-enabled PPTP VPNs. Anger collects the challenge and response packets that are exchanged for use in a cracking utility, and it also provides the active attack using the change-password messages.

In MS-CHAPv2, the change-password message was altered to eliminate the vulnerabilities that tools like anger took advantage of. Since the LM hash is no longer sent along with the NT hash, it is more difficult to break. That is not to say that it is secure. The attack that can be performed on MS-CHAPv2 is described in the "EAP-LEAP" section. Ettercap (http://ettercap.sourceforge.net) is another utility that can be used to exploit weaknesses in PPTP. It has a number of plugins which automate the process of recovering passwords from PPTP MS-CHAP authentication.
4.3 Denial-of-Service Background and Attacks
Denial of service (DoS) and distributed denial of service (DDoS) attacks can render networks useless and are some of the hardest attacks to thwart. Though computers and networks have become faster and more reliable, they still have practical limits.