Vulnerability Development mailing list archives

Re: Stealing NT passwords through WiFi?


From: 3APA3A <3APA3A () SECURITY NNOV RU>
Date: Thu, 20 May 2004 17:10:03 +0400

Dear Ugen,

--Wednesday, May 19, 2004, 10:03:46 PM, you wrote to vuln-dev () securityfocus com:


U> - The rogue authenticator server challenges the wireless device by
U> MS-CHAP v2. Potentially, they may request MS-CHAP v1 and/or craft the
U> session key to simplify subsequent cracking of the password.
U>
U> - The wireless device responds and authenticator "denies access", left
U> with a copy of encrypted password hash. The process may be repeated
U> with different session keys, and a number of times.

The wireless device has no copy of the password hash in this scenario;
what it has is a 192-bit response, each 64 bits of which are
independently calculated from the challenge (the challenge is calculated
in a different way for MS-CHAP and MS-CHAPv2, and this is the only
difference) and 56 bits of the user's password hash as a key. You can
restore the password by bruteforcing, or restore the password hash by
breaking 56-bit DES encryption. In the case of MS-CHAP, if an LM hash is
used, the password can be bruteforced in a relatively short time because
of the limited alphabet and the possibility to crack the first 7
characters of the password independently. MS-CHAPv2 doesn't support LM
hashes.

It doesn't matter whether you recover the cleartext password by
bruteforcing the password or recover the password hash by cracking DES,
because with the password hash you can connect to any resource without
the cleartext password.

U> Does it make sense to anyone else?

Of course, MS-CHAP is less secure than Kerberos and even NTLMv2 (MS-CHAP
is actually NTLM, but MS-CHAPv2 is not NTLMv2; it's MS-CHAP with a
modification to the challenge calculation and with mutual
authentication, and the same weak cryptography). I would not recommend
that you use the user's logon account for wireless communications. Have
a different account for this case, with limited rights.

-- 
~/ZARAZA
When a little bird dies of gluttony, it is put on a spit.  (Lem)
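Added example, not part of the original thread and not any vendor's or project's MS-CHAP code: the response calculation 3APA3A describes, written out in Go. The NT-Response procedure (zero-pad the 16-byte NT hash to 21 bytes, split it into three 7-byte DES keys, encrypt the same 8-byte challenge under each) and the MS-CHAPv2 ChallengeHash (first 8 bytes of SHA1 over peer challenge, authenticator challenge and user name) follow RFC 2759; MS-CHAP v1 feeds the authenticator's raw 8-byte challenge to the same function, which is the "only difference" in the message above. The hash value, the two challenges and the user name "user" are constructed test inputs, not real credentials. RecoverHashTail is the attacker's side: because the three 64-bit blocks are independent and the third key carries only two hash bytes plus five zero bytes, those two bytes fall to a 2^16 search; the other fourteen are two separate 56-bit DES searches.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
)

// desKeyFrom7 spreads 7 key bytes (56 bits) over the 8-byte DES key
// layout, 7 bits per byte; the low bit of each byte is the parity bit,
// which DES ignores. LM, NTLM and MS-CHAP all build DES keys this way.
func desKeyFrom7(k []byte) []byte {
	return []byte{
		k[0],
		k[0]<<7 | k[1]>>1,
		k[1]<<6 | k[2]>>2,
		k[2]<<5 | k[3]>>3,
		k[3]<<4 | k[4]>>4,
		k[4]<<3 | k[5]>>5,
		k[5]<<2 | k[6]>>6,
		k[6] << 1,
	}
}

// desEncryptBlock encrypts one 8-byte block under a 7-byte (56-bit) key.
func desEncryptBlock(key7, block []byte) []byte {
	c, err := des.NewCipher(desKeyFrom7(key7))
	if err != nil {
		panic(err)
	}
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out
}

// ChallengeHashV2 is where MS-CHAPv2 differs from MS-CHAP v1: the
// 8-byte challenge fed to DES is SHA1(Peer || Authenticator || UserName)
// truncated to 8 bytes (RFC 2759), not the authenticator's raw 8 bytes.
func ChallengeHashV2(peerChallenge, authChallenge []byte, username string) []byte {
	h := sha1.New()
	h.Write(peerChallenge)
	h.Write(authChallenge)
	h.Write([]byte(username))
	return h.Sum(nil)[:8]
}

// NTResponse computes the 24-byte (192-bit) response: the 16-byte NT
// hash is zero-padded to 21 bytes and split into three 7-byte DES keys,
// each encrypting the same challenge independently of the other two.
// Note it needs only the hash, never the cleartext password.
func NTResponse(challenge8, ntHash []byte) []byte {
	padded := make([]byte, 21)
	copy(padded, ntHash)
	resp := make([]byte, 0, 24)
	for i := 0; i < 3; i++ {
		resp = append(resp, desEncryptBlock(padded[i*7:i*7+7], challenge8)...)
	}
	return resp
}

// RecoverHashTail is the attacker's view of the third block: its key is
// hash[14:16] followed by five zero bytes, so at most 2^16 keys exist
// and the last two bytes of the NT hash are recovered immediately.
func RecoverHashTail(challenge8, resp24 []byte) ([]byte, bool) {
	key := make([]byte, 7)
	for i := 0; i < 1<<16; i++ {
		key[0], key[1] = byte(i>>8), byte(i)
		if bytes.Equal(desEncryptBlock(key, challenge8), resp24[16:24]) {
			return []byte{key[0], key[1]}, true
		}
	}
	return nil, false
}

func main() {
	// Constructed inputs for illustration only, not from any real session.
	ntHash, _ := hex.DecodeString("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
	peer := bytes.Repeat([]byte{0x11}, 16)
	auth := bytes.Repeat([]byte{0x22}, 16)
	chal := ChallengeHashV2(peer, auth, "user")
	resp := NTResponse(chal, ntHash)
	fmt.Printf("v2 challenge: %x\nresponse:     %x\n", chal, resp)
	tail, ok := RecoverHashTail(chal, resp)
	fmt.Printf("recovered hash[14:16] = %x (found=%v)\n", tail, ok)
	// MS-CHAP v1: same function, raw 8-byte authenticator challenge.
	fmt.Printf("v1 response:  %x\n", NTResponse(auth[:8], ntHash))
}
```

Once all 16 hash bytes are recovered, the attacker simply calls NTResponse with them to answer any future challenge, which is the point made above that the hash is as good as the cleartext password.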

