The two tools, ChapCrack, developed by Moxie Marlinspike, and CloudCracker.com, which runs on an FPGA cracking box developed by David Hulton of Pico Computing, can be used together to crack the encryption of any PPTP (Point-to-Point Tunneling Protocol) or WPA2-Enterprise (Wi-Fi Protected Access) session that uses MS-CHAPv2 for authentication.
If we take a trip down memory lane, MS-CHAPv2, an authentication protocol created by Microsoft, was released ages ago in Service Pack 4 for Windows NT 4.0. Years have gone by, but somehow it is still being used for PPTP VPN connections. It is not that PPTP was thought to be invulnerable: dictionary-based attacks are possible, and that was already demonstrated back in 1999. But a dictionary-based brute-force attack takes a long time against a very strong password, so the protocol was considered acceptable.
Marlinspike, while explaining the hack, said: “What we demonstrated is that it doesn’t matter. There’s nothing you can do.”
ChapCrack accepts captured network traffic containing an MS-CHAPv2 handshake, whether from a PPTP VPN or a WPA2-Enterprise connection, and reduces the handshake’s security to a single DES (Data Encryption Standard) key.
That output, the DES key, can be submitted to CloudCracker.com, which recovers the key in under a day. CloudCracker.com’s output can then be fed back into ChapCrack, allowing you to decrypt all the data captured for that session with a network sniffing tool such as Wireshark.
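To see where that single DES key comes from, here is an added example (not ChapCrack’s or CloudCracker’s code) that computes the MS-CHAPv2 NT-Response exactly as RFC 2759 specifies it, using the RFC’s own test vectors: the step that splits the 16-byte NT password hash into three DES keys of 7, 7 and 2 bytes is what leaves the third key with only 16 unknown bits, and all three keys encrypt the same 8-byte block.

```go
package main

import (
	"crypto/des"
	"crypto/sha1"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"math/bits"
)

// challengeHash: first 8 bytes of SHA1(PeerChallenge || AuthenticatorChallenge || UserName).
func challengeHash(peer, auth []byte, user string) []byte {
	sum := sha1.Sum(append(append(append([]byte{}, peer...), auth...), user...))
	return sum[:8]
}

// expandDESKey spreads 7 key bytes over 8, adding an odd parity bit after every 7 bits.
func expandDESKey(k7 []byte) (k8 []byte) {
	acc := binary.BigEndian.Uint64(append([]byte{0}, k7...)) // the 56 key bits, right-aligned
	for i := 0; i < 8; i++ { // take 7 bits at a time from the top
		d := byte(acc >> (49 - 7*uint(i)) & 0x7f)
		k8 = append(k8, d<<1|byte(1-bits.OnesCount8(d)%2))
	}
	return k8
}

// splitPasswordHash is the weak step: 16 hash bytes become 7+7+2, the last piece zero-padded.
func splitPasswordHash(pwHash []byte) [3][]byte {
	padded := append(append([]byte{}, pwHash...), 0, 0, 0, 0, 0)
	return [3][]byte{padded[0:7], padded[7:14], padded[14:21]}
}

// ntResponse: the challenge hash DES-ECB encrypted under each of the three keys (24 bytes).
func ntResponse(pwHash, chal []byte) []byte {
	out := make([]byte, 24)
	for i, k7 := range splitPasswordHash(pwHash) {
		c, _ := des.NewCipher(expandDESKey(k7)) // key is always 8 bytes, so this cannot fail
		c.Encrypt(out[8*i:], chal)
	}
	return out
}

func main() { // test vectors from RFC 2759 section 9.2: user "User", password "clientPass"
	auth, _ := hex.DecodeString("5B5D7C7D7B3F2F3E3C2C602132262628")
	peer, _ := hex.DecodeString("21402324255E262A28295F2B3A337C7E")
	pwHash, _ := hex.DecodeString("44EBBA8D5312B8D611474411F56989AE") // NT hash of "clientPass"
	chal := challengeHash(peer, auth, "User")
	fmt.Printf("Challenge %X\nNT-Response %X\n", chal, ntResponse(pwHash, chal))
}
```

The third key returned by splitPasswordHash is two hash bytes followed by five zero bytes, which is why a captured handshake leaves an attacker one full 56-bit DES search rather than the 128-bit NT hash, and why the only sound mitigation is to stop relying on MS-CHAPv2 rather than to pick longer passwords.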
PPTP is used by many commercial VPN service providers across the globe, as well as by corporate users connecting back to their office computers while on the move.