Security Basics mailing list archives
Re: PPTP VERY long & strong passwords - Strong enough ?
From: Nick Owen <nickowen () mindspring com>
Date: Tue, 01 Mar 2005 13:41:13 -0500
bla bla:

There is a tool called asleap that has a new-ish PPTP add-on for passively breaking PPTP authentications. It's really the same MS-CHAPv2 attack, but it is just much easier now that it can be done over a WiFi connection. I assume you can't be sure that your users won't be logging in via a WiFi connection somewhere. I would think that even the longest memorable password could be broken in a month offline. It may not matter in your case, but worth knowing about.

HTH.

Nick

On Tue, 2005-03-01 at 14:01 +0000, bla bla wrote:
Hi !

4 questions:

1. I use Win2003 PPTP VPN. I've gone through some of the past posts & replies regarding PPTP (MS-CHAPv2) and came across this:

"Finally, I want to state this: using long, very random password moves the PPTP attacks from the realm of the practical back into the theoretical. To be sure, PPTP is 65,000 times easier to crack because of a flaw in the authentication protocol. But if you use 12-character (out of 95 "type-able" ASCII characters) randomly-generated passwords, you get about 2^79 possible combinations. Even with the 2^16 advantage the flaw in PPTP provides, it is still impractical for anyone to break the tunnel without tens of millions of dollars in investment. The NSA or distributed.net could break it in a few months, but that's about the only adversaries you'd need to worry about."

Link: http://www.securityfocus.com/archive/50/330874/2005-02-26/2005-03-04/2

Do you guys agree ? Are there any other (than weak\small passwords) exploits I should be aware of ?

BTW, all vpn accounts set to "never expired" so that any possible "renew password" hack for stealing passwords can ever take place (passwords will be changed manually on a monthly basis - it's only meant for a few users). Also disabled this via the rras policy.
2. Are there any patches\fixes in Win2003 SP1 (ETA 28/3/05) concerning this ? Has anybody encountered any problems in the SP1 beta2 ?

3. Does anybody know of a hack that will allow mapping certificates to a user account WITHOUT active directory (the server is a stand alone\not in a domain env.) ?

4. I'm also using ISS Blackice (Host IDS+Firewall, ver 3.6coa) on that server (I know - it's not supported by ISS on Win2003, bla bla bla...). It works great with pptp but intercepts l2tp\ipsec (MS-CHAPv2) login attempts as UDP_SHORT_HEADER and UDP_PROBE_OTHER intrusions (the vpn host is xpsp1). I've tried opening all the relevant ports + configuring the app to ignore these types of intrusions + trusting all communication from the vpn host ip, but to no avail. Only stopping the firewall does the trick. Any thoughts ? Does Blackice have a forum somewhere ?

Thanks guys !
--
Nick Owen
WiKID Systems, Inc.
404.962.8983 (desk)
404.542.9453 (cell)
http://www.wikidstrongauthentication.com
At last, two-factor authentication, without the hassle factor