Vulnerability Development mailing list archives
Re: Stealing NT passwords through WiFi?
From: 3APA3A <3APA3A () SECURITY NNOV RU>
Date: Thu, 20 May 2004 17:10:03 +0400
Dear Ugen,

--Wednesday, May 19, 2004, 10:03:46 PM, you wrote to vuln-dev () securityfocus com:

U> - The rogue authenticator server challenges the wireless device by
U> MS-CHAP v2. Potentially, they may request MS-CHAP v1 and/or craft the
U> session key to simplify subsequent cracking of the password.
U> - The wireless device responds and authenticator "denies access", left
U> with a copy of encrypted password hash. The process may be repeated with
U> different session keys, and a number of times.

The wireless device has no copy of the password hash in this scenario. What it has is a 192-bit response; each 64 bits of the response are independently calculated from the challenge (the challenge is calculated in a different way for MS-CHAP and MS-CHAPv2, and this is the only difference) and 56 bits of the user's password hash as a key. You can restore the password by bruteforcing, or restore the password hash by breaking 56-bit DES encryption. In the case of MS-CHAP, if the LM hash is used, the password can be bruteforced in a relatively short time because of the limited alphabet and the possibility to crack the first 7 characters of the password independently. MS-CHAPv2 doesn't support LM hashes. It doesn't matter whether you recover the cleartext password by bruteforcing or recover the password hash by cracking DES, because with the password hash you can connect to any resource without the cleartext password.

U> Does it make sense to anyone else?

Of course, MS-CHAP is less secure than Kerberos and even NTLMv2 (MS-CHAP is actually NTLM, but MS-CHAPv2 is not NTLMv2; it's MS-CHAP with a modification to the challenge calculation and with mutual authentication, and the same weak cryptography). I would not recommend you to use the user's logon account for wireless communications. Have a different account for this case, with limited rights.

--
~/ZARAZA
When a bird dies of gluttony, it is put on a spit. (Lem)
Current thread:
- Stealing NT passwords through WiFi? Ugen (May 19)
- Re: Stealing NT passwords through WiFi? 3APA3A (May 20)
- Re: Stealing NT passwords through WiFi? Ugen (May 20)
- Re[2]: Stealing NT passwords through WiFi? 3APA3A (May 20)
- Re: Stealing NT passwords through WiFi? Ugen (May 20)
- <Possible follow-ups>
- Re: Stealing NT passwords through WiFi? Ugen (May 20)
- Re: Stealing NT passwords through WiFi? 3APA3A (May 20)