MS-CHAPv2 Cracked at DEFCON 2012

This weekend at DEFCON 20 it was announced that MS-CHAPv2 (Microsoft Challenge-Handshake Authentication Protocol) has been cracked and the method made publicly available. This software can be used on any secure communication that relies on MS-CHAPv2. The most common network systems that utilize this authentication protocol include WPA2 in wireless networks and VPN using PPTP.

Moxie Marlinspike ( has made the tool "chapcrack" available on Github. The tool itself does not do the cracking, it simply parses a packet capture of the MS-CHAPv2 network handshake that you’ve grabbed from the wire or air depending on what you are trying to break in to. From there you submit the token create by chapcrack to CloudCracker. CloudCracker is a online password cracking service for pen testers and network auditors. They utilize various dictionaries to brute force the encryption. For MS-CHAPv2 they have a single dictionary that represents the entire DES key space. Should you want to use this large of a dictionary (72,057,594,037,927,936 entries) on your own, you’d be waiting quite a long time. CloudCracker uses specialized system, a custom FPGA cracking box, that can guarantee 100% success on cracking within 24 hours for $200. Once you receive the returned token you will be able to decrypt the original capture and viola, you have now the keys.

What does this mean for wireless network administrators? Leave a comment below to start the discussion.

Leave a Reply

Your email address will not be published. Required fields are marked *