PPTP VPN authentication protocol proven very susceptible to attack

PPTP VPN authentication protocol proven very susceptible to attack

Summary: Later today, Joshua Wright will release an upgraded version of his ultra-high speed password cracking tool called ASLEAP . For those of you already familiar with ASLEAP, you might be wondering what this has to do with Microsoft's PPTP VPN protocol since ASLEAP is a LEAP authentication dictionary attack tool.

SHARE:
TOPICS: Security
13

Later today, Joshua Wright will release an upgraded version of his ultra-high speed password cracking tool called ASLEAP . For those of you already familiar with ASLEAP, you might be wondering what this has to do with Microsoft's PPTP VPN protocol since ASLEAP is a LEAP authentication dictionary attack tool. Well that was then and this is now. ASLEAP just added PPTP authentication support so that it can crack PPTP VPN authentication sessions just as easily as it could with LEAP Wireless LAN authentication. The end result is that we have yet another authentication protocol that has outlived its lifespan and just goes to show that Bill Gates wasn't kidding when he declared the password dead.

Three months ago, I was trying to explain the difference between PPTP and L2TP VPN to a friend while working on a breaking story on SP2 where Windows XP SP2 broke NAT-T operation in L2TP VPN by default. As I was trying to explain the differences, I noticed how similar PPTP authentication was to LEAP authentication where both relied solely on MSCHAPv2 to protect the user's password. I sent word to Joshua Wright and he immediately said that it would be possible to modify ASLEAP to work on PPTP just as it did on LEAP authentication. Three months later, the code is fully operational and I've had a chance to verify its effectiveness.

ASLEAP was created in 2003 by Joshua Wright to prove that a password based authentication system like Cisco LEAP is not a secure because of one glaring weakness, it relies on humans to memorize strong passwords. Eight months later in mid 2004 after Cisco had a chance to release an updated protocol to LEAP, Joshua released ASLEAP on to SourceForge. PPTP is a Microsoft VPN protocol published as an RFC in 1999 for secure remote access. In recent years, it has grown to be used in many Microsoft based networks, firewall appliances, and even pure Linux and Open Source environments. Strictly speaking, there never was anything technically wrong with the LEAP or PPTP MSCHAPv2 authentication protocol since they both worked as advertised. Both Cisco and Microsoft warned from the very beginning that strong passwords must be employed when using password based authentication schemes. Unfortunately, strong passwords (or even strong pass phrases) are simply incompatible with most Homo sapiens and if you force the issue, they will go out of their way to make it easy by writing passwords down on a sticky note and taping it to their monitor. Since strong passwords are rarely implemented in practice, you have a situation where the product simply isn't safe enough to protect us from ourselves. As Bruce Schneier likes to say, "any password you can reasonably expect a user to remember can be brute forced or guessed". ASLEAP just happens to make that point abundantly clear since it had the ability to scan through a 4 GB pre-computed password hash table at a rate of 45 million passwords a second using a common desktop computer. This new version of ASLEAP not only adds PPTP compatibility, but also extends maximum database size to 4 Terabytes and the ability to scan live off the air using a Wireless LAN card and a regular sniffer in Microsoft Windows. As a result, Wireless LAN hotspots have just became deadly to PPTP authentication and those who use PPTP to substitute for real Datalink layer Wireless LAN security aren't spared either and are wide open to password cracking.

When Joshua Wright reported this to Microsoft's official security response team, Microsoft gave this official response.

  • Implement and enforce a strong password policy.
  • If users wish to continue using PPTP, they should employ EAP-TLS authentication instead of the default MSCHAPv2 authentication mechanism.
  • Switch to an L2TP/IPSEC based VPN.

Here is my assessment and recommendations on this advice:

  • The problem with the first recommendation is that strong passwords are rarely implemented in reality and are very difficult for the users to use. The fact that the users will probably end up writing their passwords down in a convenient place will probably do more harm than good. Bill Gates is absolutely right when he says "the password is dead".
  • As for using EAP-TLS authentication with PPTP, this is a strong solution and it will protect weak passwords during PPTP authentication. However, implementing EAP-TLS authentication with Microsoft PPTP requires server-side "Computer Certificates" and it requires client-side "User Certificates". Automatically deploying "Computer Certificates" on a Microsoft Windows 2000 or 2003 Active Directory based network is relatively simple, but "User Certificate" aren't so simple. You have to have Windows 2003 Enterprise Edition server to support automatic "User Certificate" enrollment.
  • Converting to an L2TP/IPSEC base is probably the best advice here and you would be using standards based IPSEC 3DES encryption. Since L2TP only requires "Computer Certificates" on both the Server and Client, the Certificates can be automatically deployed by Windows 2000 or Windows 2003 Standard Edition shops. Note that in order for L2TP VPN to be practical, you must have Microsoft's latest NAT-T capable VPN client freely available for all versions of Windows. Windows XP SP2 has a built in NAT-T client, but it is partially crippled by default and this is explained in an earlier story. You can fix it if you read this Knowledge Base article. For more information on Microsoft's L2TP and Digital Certificates, you can go here and here.

Unrelated to Microsoft, there are many firewall appliances and Open Source projects that use PPTP with MSCHAPv2 authentication. For those organizations that fit in to this category, the recommendation is the same and they should switch to an L2TP/IPSEC VPN solution. Fortunately for them, L2TP and Digital Certificates are fully supported by Open Source. You can get some good information on Open Source L2TP implementations here.

Topic: Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

13 comments
Log in or register to join the discussion
  • This is a frightening blog entry

    I hope that the right people read it.

    Stephen
    Stephen Howard-Sarin
    • They should be frightened

      That is the point of this Blog and the point of ASLEAP. In the past when I tell people that PPTP is not safe, even when there are known methods and tools you can put together yourself to break it, it doesn?t do anything. Now that there is an all in one weapons grade PPTP cracker, it finally gets the point through that PPTP is not safe.
      george_ou
      • PPTP is not safe - not quite

        I've learnt not to use traditional passwords for critical infrastructure long ago. If I use complicated passphrases or certificate authentication, I'm safe - am I not?
        slavickp9
      • Set up OpenVPN for me, and then I'll stop using PPTP

        I'm going to set up PPTP on my router right now. Why? Because it only supports OpenVPN or PPTP, and OpenVPN is IMPOSSIBLE to set up. I've tried so many times over the years and OpenVPN has never worked, just makes me want to smash things. PPTP has worked, though, so that's what I'm using. If you don't want me to use PPTP, write a tutorial for setting up OpenVPN for home users who just want a simple VPN and web tunnel.
        alphabetadelta
  • long time has gone but have people really get this

    although such a long time has passed since the vulnerabilities of pptp in combination with ms-chapv2 have been revealed, there are actually plenty of people that still use it. or some of them move to "a more secure" l2tp/ipsec with pre-shared key "authentication" and ms-chapv2. while this might be true in a certain some way there is a false sense of security here.
    popular vpn servers like isa2004/2006 can use the pre-shared keys as authentication for machine level. but the pre-shared key is used by everybody. I'm sorry to say but this is stupid 'cause there isn't any authentication at all. the pre-shared key is nothing more than a "group shared key" because the shared key cannot be used as proof of identity(as if was only known by two peers) and ike's role in phase 1: "peers establish a secure,
    authenticated channel with which to communicate", is compromised. ISAKMP states that:
    "Strong authentication MUST be provided on ISAKMP exchanges. Without being able to authenticate the entity at the other end, the Security Association (SA) and session key established are suspect. Without authentication you are unable to trust an entity's identification, which makes access control questionable. While encryption (e.g.ESP) and integrity (e.g. AH) will protect subsequent communications from passive eavesdroppers, without authentication it is possible
    that the SA and key may have been established with an adversary who performed an active man-in-the-middle attack and is now stealing all your personal data.
    A digital signature algorithm MUST be used within ISAKMP's authentication component"
    I would go even further on pre-shared keys and remind that a secret shared between two people is kept secret as long one of them is dead. Microsoft states on their web site that we should use the pre-shared keys only for testing and advertise this all the time.
    Some people simple don't get it.
    For example a vpn client start a l2tp/ipsec connection from an untrusted place. If the the pre-shared
    key have been compromise and an attacker(it could be a recently fired/on a list of people to be fired employee or a an angry one) knows it but this is unknown to the security staff, if the
    attacker manages somehow to redirect the user to a rogue vpn server which has set the "stolen" pre-shared key
    then the game is pretty much over. the second level of authentication counts very little because
    is based on ms-chapv2 and very probably the client's password is vulnerable to a dictionary attack.
    the rogue vpn server has established an IKE SA and an IPSec SA with the vpn client and the IPSec SA is used to protect l2tp and ppp(with ms-chapv2) authentication phase. the vpn client "sents in clear" for the attacker, like pptp, the 16 byte "peer challenge", the 24 byte "peer response" and the "user name". the 8 byte "challenge" generated by the client can be deducted because the attacker has all the pieces of the puzzle and he also knows the 16 byte "server challenge".
    a redirection to a wrong vpn server can be done with cain&abel with a MITM when the vpn client uses the FQDN instead of the ip address of the vpn server so we can use APR-DNS to give him a wrong ip address.
    while the successful rate of such attacks might depend on many factors it is an unacceptable risk because as George always states it is very simple to use certificates instead of pre-shared keys.
    by the way great article george!
    adrian_dimcev
  • RE: PPTP VPN authentication protocol proven very susceptible to attack

    I travel extensively and was looking for a secure VPN solution. I had heard PPTP had weaknesses. Found an OpenVPN solution with <a href="http://www.tuvpn.com">TUVPN.COM</a> . It is working very well. I would be interested in opinions on technical advantages of OpenVPN vs PPTP. TUVPN.COM covers the subject in their FAQs and blog. But another opinion would be good.
    JH8041
  • johny

    Hello Friends,<br><br>Nice article, i was also asked to implement all kinds of vpn for my company supporting mobile phones like iphones,smart phones,androids,ipads etc so I was looking for a substantial material to implement it, meanwhile I didn't got much help from articles,blogs,forums but I came across a great ebook which provides complete information how to implement mobile vpn with pptp,L2tp,Ipsec,ssl vpn methodologies with packages,live configurations,examples,methods,client connectivity with mobile phones etc. I found this great ebook on mobile vpn on <a href="http://www.ebooksyours.com/how_to_vpn.html" target="_blank" rel="nofollow"><a href="http://www.ebooksyours.com/how_to_vpn.html," target="_blank" rel="nofollow">http://www.ebooksyours.com/how_to_vpn.html</a></a> I would hightly recommend this ebook for system & network admin looking for road warrior vpn implementation in conjunction with mobile phones too.<br><br>Cheers !<br>John
    johny_linux
  • www.vpn-planet.com

    you can go to www.vpn-planet.com. it's an awesome site.I ordered my VPN about a week ago through the website. It was seamless and very simple to order. As soon as the order was placed, I received a welcome email instantly with all of the login information. I have been using the VPN every day since, and have had perfect service with no disruptions. Keep up the great work VPN-Planet!
    fahad_pilu
  • Planet.com

    Thanks Mr. fahad. I went to www.vpn-planet.com. It is a awesome site. It is simple and easy to understand. They respond fast. If any one want VPN they should go to it. Carry on Planet...
    arifulalam7777
  • PPTP over EAP-TLS - Client certificates

    Hi,

    does anyone have expericences with setting up linux pptp (pppd) patched to use EAP-TLS?

    Thanks for any combination of working config/command.

    Best regards,

    Ladislav
    archenroot
  • nice article!

    this is awesome article! it sorted much questions regarding VPN basics, here <a href="http://www.bestvpnservice.com/">Best VPN Service</A>, I found reviewed list of VPN providers to select one of your choice!
    markelhum158
  • PPTP VPN

    Good Post! also i have some words about ppt vpn

    <a href="http://purevpn.com">PPTP VPN</a> works on a client server model. PPTP clients are included by default in Microsoft Windows and also available for both Linux and Mac OS X. Newer VPN technologies like L2TP and IPsec may replace PPTP someday, but PPTP remains a popular network protocol especially on Windows computers.

    Technology extends the Point to Point Protocol (PPP) standard for traditional dial-up networking. PPTP operates at Layer 2 of the OSI model. As a network protocol, PPTP is best suited for the remote access applications of VPNs, but it also supports LAN internetworking.
    kamilla112
  • vpn

    i recomend vpn service http://www.hotvpn.com/
    it's need try. price, speed very best
    Lirok