Security Basics mailing list archives

Re: PPTP VERY long & strong passwords - Strong enough ?


From: Nick Owen <nickowen () mindspring com>
Date: Tue, 01 Mar 2005 13:41:13 -0500

bla bla:

There is a tool called asleap that has a new-ish PPTP add-on for
passively breaking PPTP authentications. It's really the same MS-CHAPv2
attack, but it is just much easier now that it can be done over a WiFi
connection. I assume you can't be sure that your users won't be logging
in via a WiFi connection somewhere. I would think that even the longest
memorable password could be broken in a month offline.

It may not matter in your case, but worth knowing about.

HTH.

Nick

On Tue, 2005-03-01 at 14:01 +0000, bla bla wrote:

Hi !

4 questions:

1. I use Win2003 PPTP VPN. I've gone through some of the past posts & replies regarding PPTP (MS-CHAPv2) and came across this:

"Finally, I want to state this: using long, very random password moves
the PPTP attacks from the realm of the practical back into the
theoretical. To be sure, PPTP is 65,000 times easier to crack because of
a flaw in the authentication protocol. But if you use 12-character (out
of 95 "type-able" ASCII characters) randomly-generated passwords, you
get about 2^79 possible combinations. Even with the 2^16 advantage the
flaw in PPTP provides, it is still impractical for anyone to break the
tunnel without tens of millions of dollars in investment. The NSA or
distributed.net could break it in a few months, but that's about the
only adversaries you'd need to worry about." 

Link: http://www.securityfocus.com/archive/50/330874/2005-02-26/2005-03-04/2

Do you guys agree?
Are there any other exploits (than weak\small passwords) I should be aware of?
BTW, all VPN accounts are set to "never expires" so that no possible "renew password" hack for stealing passwords can ever take place (passwords will be changed manually on a monthly basis; it's only meant for a few users).
Also disabled this via the RRAS policy.



2. Are there any patches\fixes in Win2003 SP1 (ETA 28/3/05) concerning this? Has anybody encountered any problems in the SP1 beta2?

3. Does anybody know of a hack that will allow mapping certificates to user accounts WITHOUT Active Directory (the server is stand-alone\not in a domain env.)?

4. I'm also using ISS BlackICE (Host IDS+Firewall, ver 3.6coa) on that server (I know, it's not supported by ISS on Win2003, bla bla bla...). It works great with PPTP but intercepts L2TP\IPsec (MS-CHAPv2) login attempts as UDP_SHORT_HEADER and UDP_PROBE_OTHER intrusions (the VPN host is XP SP1). I've tried opening all the relevant ports + configuring the app to ignore these types of intrusions + trusting all communication from the VPN host IP, but to no avail. Only stopping the firewall does the trick.
Any thoughts?
Does BlackICE have a forum somewhere?

Thanks guys!
-- 
Nick Owen
WiKID Systems, Inc.
404.962.8983 (desk)
404.542.9453 (cell)
http://www.wikidstrongauthentication.com
At last, two-factor authentication, without the hassle factor
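As an added example (not code from this thread or from either poster), here is the arithmetic behind the quoted "2^79 combinations, 2^16 advantage" claim turned into a small Python calculator. It uses the 95-character printable set and the 2^16 speed-up quoted above, and goes a step further by searching for the shortest random password that keeps an offline search above a chosen margin; the guess rate and the "expected cost is half the keyspace" convention are assumptions, not figures from the thread.

```python
import math

PRINTABLE_ASCII = 95          # "type-able" ASCII characters, as in the quoted post
MSCHAPV2_ADVANTAGE_BITS = 16  # the 2^16 (~65,000x) speed-up quoted in the thread
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace_bits(charset_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random password drawn from charset_size symbols."""
    return length * math.log2(charset_size)


def effective_bits(charset_size: int, length: int,
                   advantage_bits: int = MSCHAPV2_ADVANTAGE_BITS) -> float:
    """Entropy left to the attacker after the protocol weakness cuts the search space."""
    return keyspace_bits(charset_size, length) - advantage_bits


def expected_years(bits: float, guesses_per_second: float) -> float:
    """Expected offline search time: on average half the space is searched (assumption)."""
    return (2 ** (bits - 1) / guesses_per_second) / SECONDS_PER_YEAR


def min_length_for_margin(charset_size: int, target_years: float,
                          guesses_per_second: float,
                          advantage_bits: int = MSCHAPV2_ADVANTAGE_BITS) -> int:
    """Shortest random password whose expected offline search exceeds target_years."""
    length = 1
    while expected_years(effective_bits(charset_size, length, advantage_bits),
                         guesses_per_second) < target_years:
        length += 1
    return length


if __name__ == "__main__":
    rate = 1e9  # assumed offline guess rate (guesses/second), not a figure from the thread
    print("12 random printable chars:", round(keyspace_bits(PRINTABLE_ASCII, 12)), "bits")
    print("after the 2^16 advantage:", round(effective_bits(PRINTABLE_ASCII, 12)), "bits")
    print("length for a 1-year margin at 1e9 guesses/s, with the weakness:",
          min_length_for_margin(PRINTABLE_ASCII, 1.0, rate))
    print("same margin if the protocol had no weakness:",
          min_length_for_margin(PRINTABLE_ASCII, 1.0, rate, advantage_bits=0))
```

The last two lines make the practical point: at the assumed rate, the 16-bit weakness costs roughly two extra random characters, which is why the quoted advice leans on length and randomness rather than on the protocol.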

