Dear Ugen,
--Wednesday, May 19, 2004, 10:03:46 PM, you wrote to vuln-dev_at_securityfocus.com:
U> - The rogue authenticator server challenges the wireless device by
U> MS-CHAP v2.
U> Potentially, they may request MS-CHAP v1 and/or craft the session key to
U> simplify
U> subsequent cracking of the password.
U> - The wireless device responds and authenticator "denies access", left
U> with a copy of
U> encrypted password hash. The process may be repeated with different
U> session keys,
U> and a number of times.
Wireless device has no copy of password hash in this scenario, what it
has is 192 bit response, each 64 bits of response are independently
calculated from challenge (challege is calcualated in different way for
MS-CHAP and MS-CHAPv2 and this is only difference) and 56 bits of the
user's password hash as a key. You can restore password by bruteforcing
or restore password hash by breaking 56 bit DES encryption. In case of
MS-CHAP and LM hash is used, password can be bruteforced in relatively
short time because of limited alphabet and possibility to crack first 7
characters of the password independently. MS-CHAPv2 doesn't support LM
hashes.
It doesn't matter if you recover cleartext password by bruterforcing
password or you recover password hash by cracking DES, because with
password hash you can connect to any resource without cleartext
password.
U> Does it make sense to anyone else?
Of cause, MS-CHAP is less secure than Kerberos and even NTLMv2 (MS-CHAP
is actually NTLM, but MS-CHAPv2 is not NTLMv2, it's MS-CHAP with
modification to challenge calculation and with mutual authentication and
same weak cryptography). I would not recommend you to use user's logon
account for wireless communications. Have different account for this
case with limited rights.
--
~/ZARAZA
Когда птичка погибает от обжорства, ее нанизывают на вертел. (Лем)
Received on May 20 2004
Intro
