Exhaust all of DES and crack any MS-CHAPv2-based VPN for a mere $20

Moxie Marlinspike and David Hulton's Divide and Conquer: Cracking MS-CHAPv2 with a 100% success rate presentation from Defcon is now a reality. If you want to crack a MS-CHAPv2 PPTP authentication handshake (like the one I use when I connect to IPREDator, the secure proxy I favor), they'll exhaust all of the DES keyspace for you for a mere $20, usually in less than a day.

Basically, MS-CHAPv2-based VPNs should now be considered insecure and not fit for purpose. Plus Moxie and David can brute force all of DES for $20. Yowza.

A Week Of Discounted Cracking

For this week (9/23/2012), we will be offering deeply discounted MS-CHAPv2 cracking jobs by reducing the price from $200 to $20. This means that any PPTP VPN connection or intercepted MS-CHAPv2 WPA Enterprise wireless credentials can be cracked and decrypted with a 100% success rate for only $20.

The one major caveat is that an influx of additional jobs might increase the pending queue depth and cause MS-CHAPv2 jobs to take slightly longer than ususal, but we'll see how it goes.

Cheaper MS-CHAPv2 Cracking (via Hacker News)


  1. I get that this is their brute force way to get people to stop using a flawed protocol, but do they know for sure that they are not actually putting anyone’s life in danger by offering this service? The brashness of it seems pretty ivory-tower.

    1. Odds are, the minerals refined to build the cracker, and the energy resources employed to run it have a greater likelihood of putting lives in danger than will the additional cryptoanalysis…

      I agree that it isn’t impossible; but once you start branching out into modest indirect probabilities, the list of people you might have helped kill gets pretty long.

    2.  Yes. The notional cost of doing this at the “full rate” is $200. Anyone in a position to threaten someone’s life (a state actor, organized crime) has both $200 and the nous to crack DES. The only thing these folks are doing is making it obvious — unmistakable — that the protocols underlying MSCHAPv2 are unsafe at any speed and need to be taken out of service NOW.

    1. Some of these use OpenVPN https://torrentfreak.com/which-vpn-providers-really-take-anonymity-seriously-111007/  

  2. Another real question: where to for orgs using MSCHAPv2 for enterprise wifi? I believe this is standard for Active Directory deployments…

    1. PEAP-MSCHAPv2 for WiFi is still relatively safe (at least, compared to MSCHAPv2 directly observable by attackers).  The first P in PEAP stands for “Protected” – the client first establishes an SSL tunnel, and then does the MSCHAPv2 exchange inside that tunnel.

      As long as all the attacker can see is the SSL tunnel, you could just send plaintext passwords with and be alright (and now it should be clear that MSCHAPv2 should now be considered equivalent to plaintext).

  3.  Cory:

    I’m the guy who proposed the RSA Symmetric Key Challenges back in 1996, and I helped set up the contests (which were the impetus for the EFF building Deep Crack). It tickles me to the core to see that work on naming and shaming weak crypto is still underway. The contests were a factor in the relaxing of US export policies on crypto in 2000; lets now hope MS rapidly sunsets MSCHAP V2.

    The core of the problem is that MSCHAP V2 is using single DES, albeit three times (this is NOT ‘triple DES’, which remains secure). The Challenges first brute forced single DES back in 1997, and a decade (!) later, it was officially deprecated by NIST.

    However, the protocol is embedded in the firmware of uncounted access control devices; replacing it will be a major expense.


Comments are closed.