mschapv2 and chapcrack - how common is the exploit?


telot


Hey guys - I know there's no metrics or anything, so I pose the question to you all. How commonplace is it for malicious sniffers to utilize chapcrack? Between arp poisoning, IDS, wifi pineapples, or just sniffing the air, there's a lot of pcaps being created out there. Of the malicious sniffers, how many are cracking mschapv2? The reason I ask is because a friend still uses pptp for his VPNs and for his wpa2-enterprise radius server. He claims that because pptp is so easy to deploy and compatibility is through the roof, and that chapcrack's use is so rare, that it's worth sticking with mschapv2. With Darren's recent episode on installing a pptp server (and subsequent episode apologizing and giving the how-to on openvpn) it's got me thinking about the issue again. I mean, chapcrack's been out for years now, and I almost never hear about it. Does the fact that you have to pay $20 to cloudcracker hinder its popularity? What do you think?

telot

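To put numbers on what chapcrack actually exploits, here is an added example (mine, not from this thread, from chapcrack or from cloudcracker) in Go that computes the MS-CHAPv2 NT-Response exactly as RFC 2759 specifies it: the 16-byte NT hash is zero-padded to 21 bytes, cut into three 7-byte DES keys, and each key encrypts the same 8-byte challenge hash. The user name, the two challenges and the NT hash are constructed sample values (a real NT hash is MD4 over the UTF-16LE password, which Go's standard library does not provide, so the example takes the hash as input). The point it shows is that the three response blocks are independent and the third key carries only 16 secret bits, so a captured handshake is never stronger than a single DES key, whatever the password looks like.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
)

// desKeyFromSeven expands a 7-byte key into the 8-byte form crypto/des expects,
// placing each 7-bit group in the high bits of a byte and leaving the low
// (parity) bit clear. DES ignores the parity bits, so the value used here is irrelevant.
func desKeyFromSeven(k7 []byte) []byte {
	k := make([]byte, 8)
	k[0] = k7[0] & 0xFE
	k[1] = (k7[0]<<7 | k7[1]>>1) & 0xFE
	k[2] = (k7[1]<<6 | k7[2]>>2) & 0xFE
	k[3] = (k7[2]<<5 | k7[3]>>3) & 0xFE
	k[4] = (k7[3]<<4 | k7[4]>>4) & 0xFE
	k[5] = (k7[4]<<3 | k7[5]>>5) & 0xFE
	k[6] = (k7[5]<<2 | k7[6]>>6) & 0xFE
	k[7] = (k7[6] << 1) & 0xFE
	return k
}

// desEncryptBlock is RFC 2759 DesEncrypt: one DES-ECB block under a 7-byte key.
func desEncryptBlock(key7, clear []byte) []byte {
	block, err := des.NewCipher(desKeyFromSeven(key7))
	if err != nil {
		panic(err)
	}
	out := make([]byte, 8)
	block.Encrypt(out, clear)
	return out
}

// challengeHash is RFC 2759 ChallengeHash:
// SHA1(PeerChallenge || AuthenticatorChallenge || UserName), first 8 bytes.
func challengeHash(peer, auth []byte, user string) []byte {
	h := sha1.New()
	h.Write(peer)
	h.Write(auth)
	h.Write([]byte(user))
	return h.Sum(nil)[:8]
}

// splitKeys zero-pads the 16-byte NT hash to 21 bytes and returns the three
// 7-byte DES keys MS-CHAPv2 derives from it. Key 2 is hash[14:16] plus five zero bytes.
func splitKeys(ntHash []byte) [3][]byte {
	z := make([]byte, 21)
	copy(z, ntHash)
	var keys [3][]byte
	for i := range keys {
		keys[i] = z[7*i : 7*i+7]
	}
	return keys
}

// secretBitsInKey counts how many bits of DES key i come from the NT hash;
// the remainder is known zero padding. Keys 0 and 1 carry 56 bits, key 2 only 16.
func secretBitsInKey(i int) int {
	start, end := 7*i, 7*i+7
	if end > 16 {
		end = 16
	}
	if start > end {
		return 0
	}
	return 8 * (end - start)
}

// ntResponse is RFC 2759 ChallengeResponse: three DES encryptions of the same
// challenge hash, one per derived key, concatenated into the 24-byte NT-Response.
func ntResponse(ntHash, peer, auth []byte, user string) []byte {
	ch := challengeHash(peer, auth, user)
	resp := make([]byte, 0, 24)
	for _, k := range splitKeys(ntHash) {
		resp = append(resp, desEncryptBlock(k, ch)...)
	}
	return resp
}

// changedBlocks reports which of the three 8-byte response blocks differ between
// two responses; used below to show that each block depends on its own key only.
func changedBlocks(a, b []byte) []int {
	var idx []int
	for i := 0; i < 3; i++ {
		if !bytes.Equal(a[8*i:8*i+8], b[8*i:8*i+8]) {
			idx = append(idx, i)
		}
	}
	return idx
}

func main() {
	// Constructed sample inputs; not taken from any real capture or account.
	ntHash, _ := hex.DecodeString("00112233445566778899aabbccddeeff")
	peer := []byte("peer-challenge16")
	auth := []byte("auth-challenge16")
	resp := ntResponse(ntHash, peer, auth, "User")

	fmt.Printf("ChallengeHash: %x\n", challengeHash(peer, auth, "User"))
	fmt.Printf("NT-Response  : %x\n", resp)
	for i, k := range splitKeys(ntHash) {
		fmt.Printf("DES key %d    : %x  (%d secret bits)\n", i, k, secretBitsInKey(i))
	}

	// Flip the last hash byte: only block 2 of the response changes.
	altered := append([]byte{}, ntHash...)
	altered[15] ^= 0xFF
	fmt.Printf("blocks changed by editing hash byte 15: %v\n",
		changedBlocks(resp, ntResponse(altered, peer, auth, "User")))
}
```

The three blocks can be attacked separately, and the third one narrows the last two hash bytes to 65,536 DES trials; that is why an exhaustive single-DES service prices the whole handshake at a flat fee. For a defender the lesson is that password strength does not help here: MS-CHAPv2 needs to sit inside a TLS tunnel (PEAP or EAP-TTLS for the RADIUS case) or be replaced outright, which is what the OpenVPN advice in this thread amounts to.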

Being that 34 people have read this and no one has responded, I'll go with the assumption that you all don't know how often it's used.

How about I change my question then: Have any of you ever used chapcrack? Ever?

telot


I've never used tools to crack or intercept mschap, although I know it's been said to use mschapv2. The problem in the scenario is that it's a PPTP, meaning point to point tunneling protocol, and being able to capture that requires being in between each end point, kind of like a MITM attack, and with regard to tunnels, this attack is probably not as wide spread as people would fear, but it's best to avoid PPTP and move over to something more secure like an SSH tunnel or OpenVPN solution for full encryption.

I'd personally like to see a video demo for educational purposes of how one goes about capturing these handshakes, although I can see this being trivial on devices like an iPhone, iPad, and Android devices, since apps can gain control of every aspect of the device, memory, traffic, et al. Router to Router, it's still used in many networks. As for mobile devices and desktops, I'd say that's where you are going to see this attacked more, but until I see it in action, that's my theory. I don't see this being troublesome for, say, a WAN with a switching network unless someone has access to the devices themselves or can sit between the two external exchanges to grab that data and pass it back and forth as if transparent.


Yah, I could see that it's not very practical. You have to be waiting on the network for a user to connect to their VPN to get the handshake. If you are arp spoofing, by the time you could capture their network traffic they would be already connected to their VPN.
