Blog Archives

Easy Cracking of Microsoft Crypto

Another day, another set of cracking tools.

Cryptography specialist Moxie Marlinspike released tools at Defcon today for easily cracking passwords in wireless and virtual private networks that use a popular encryption protocol based on an algorithm from Microsoft called MS-CHAPv2, news that will no doubt worry many a network administrator.The tools crack WPA2 Wi-Fi Protected Access and VPN passwords used by corporations and organizations running networks that are protected by the PPTP Point-to-Point Tunneling Protocol, which uses MS-CHAPv2 for authentication.ChapCrack captures the MS-CHAPv2 handshakes, or SSL Secure Sockets Layer negotiation communications, and converts them to a token that can be submitted to CloudCracker.It takes less than a day for the service to return results in the form of another token that is plugged back into ChapCrack where the DES Data Encryption Standard keys are cracked. With that data, someone can see all of the information traveling across the Wi-Fi network, including sensitive corporate e-mails and passwords, and use passwords that were revealed to log in to corporate networks.The tools are designed for penetration testers and network auditors to use to check the security of their WPA2 protected networks and VPNs, but they may well be used by people who want to steal data and get unauthorized access to networks.

Source: Tools boast easy cracking of Microsoft crypto for businesses | Security & Privacy – CNET News.

Yet another reason for businesses that haven’t done so yet to move beyond PPTP and Windows XP

Using SSL to detect …

a hacking proxy.

There are several different ways for MITM/hacking proxies to handle SSL. They can create a self signed root cert that the attacker/user accepts once, they can do a per site snake oil cert, or they can simply downgrade the attacker/user to HTTP (a la Moxie’s sslstrip). Any of those work, and it’s kind of a matter of preference and circumstance as to which is better. But what if I’m running a site and I want to see if the user coming in is using a hacking proxy? There’s a few techniques to do that.

First of all there’s really not all that much you can do within SSL itself to create more than binary options (there are some exceptions to that rule, and I’ll post about that later) but those binary options are actually just enough. Let’s say I have several sites. One of which is a banking site. The others just have something as simple as a tracking pixel on them. Firstly, the time difference between when the user pulls the SSL certificate and actually instantiates the site might indicate whether they are going directly to the site or if they had to take some time to accept a self signed-per site certificate (a la Burp Suite).

Now if the MITM proxy uses a standard root signing certificate one of those sites with the tracking pixels on them can use the same standard root signing certificate (since it’s sitting right there in the tool and can probably easily be ripped out and re-tasked to be used on the banking’s tracking pixel site) to sign it’s own SSL session. If the user pulls it down anyway, even with the mis-match error, you know they are either using or have used that particular MITM proxy. (Source: Detecting MITM/Hacking Proxies via SSL – ha.ckers)

A very informative article for IT security personnel, go to the source for the whole thing.

Reblog this post [with Zemanta]
%d bloggers like this: