Part 2 - Defcon 20: Shodan, Cracking the Cloud and Microsoft's VPN
By Mikhael Felker
August 9, 2012 2:50 PM

The second part of Mikhael Felker's report from Defcon 20, held July 26-29 in Las Vegas.

Shodan Shows Critical Systems with Doors Wide Open

What do wind farm systems, HVAC systems and traffic light systems have in common? They are all currently reachable on public IP addresses, and many are insecure, lacking even a basic password to prevent access and exploitation. These systems were just a glimpse of the IP-addressable systems detailed by independent security researcher Dan Tentler. The results were culled from the Shodan search engine, created by John Matherly. A user can search Shodan for systems of interest using a variety of filters, such as domain, IP address, software and other attributes. For example, a user can find webcams in Shodan with the query webcam city:"Las Vegas" country:US. Shodan's results come from the banners that Internet-facing devices and their services, such as HTTP and FTP, return when they are probed (scanned); a banner typically reveals the product, its version and whether any authentication is demanded at all, so a device never has to be exploited to show up in the index.

Bottom line: if you have a critical system, make sure it is not connected directly to the Internet. Put it behind a firewall and require a VPN to reach it, so that only authenticated users can even attempt a connection. A prudent additional step is to check your own domain against the Shodan index (for example, acme.com) and be aware of what comes up; whatever Shodan has already indexed about your hosts, an attacker has too.

Credential Cracking in the Cloud

Password security is back in the limelight. Yes, it's 2012 and systems are still being deployed without hashing and salting.
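As an added example (not the article's or Cryptohaze's code), here is the difference a salt makes, in Python. A tiny precomputed table stands in for a rainbow table: it cracks an unsalted MD5 with one dictionary lookup, fails against the same password once a per-user salt is mixed in, and the keyspace arithmetic shows why table size explodes with password length. The digit-only alphabet, the sample password "2012" and the PBKDF2 parameters are assumptions chosen for the demo.

```python
"""Unsalted fast hash vs. salted, iterated hash.

Added illustration; not code from the article or from Cryptohaze. The "table"
below is a plain dict of md5(candidate) -> candidate over a deliberately tiny
keyspace (digits, length 1-4) so it builds instantly and runs offline. A real
rainbow table covers the printable set and trades storage for recomputation,
but the property shown here is the same: one precomputation, reused forever.
"""
import hashlib
import hmac
import itertools
import os

PRINTABLE = 95  # printable ASCII characters a rainbow table typically covers


def keyspace(length: int, alphabet_size: int = PRINTABLE) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return alphabet_size ** length


def md5_hex(password: str) -> str:
    """Unsalted MD5 as a hex string: the weak construction under discussion."""
    return hashlib.md5(password.encode()).hexdigest()


def build_table(alphabet: str, max_len: int) -> dict:
    """Precompute md5(candidate) -> candidate for every candidate up to max_len.

    This is the work a table author does once and then reuses against every
    unsalted hash ever captured; the victim's site gets no say in it.
    """
    table = {}
    for n in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=n):
            pw = "".join(chars)
            table[md5_hex(pw)] = pw
    return table


def crack_unsalted(md5_hex_digest: str, table: dict):
    """Look an unsalted MD5 up in the table: O(1), no guessing at all."""
    return table.get(md5_hex_digest.lower())


def md5_with_salt(password: str, salt: bytes) -> str:
    """The same fast hash, but bound to a per-user random salt.

    The table above was built for md5(pw); it knows nothing about md5(salt||pw),
    and a fresh table would be needed per salt value, i.e. per user.
    """
    return hashlib.md5(salt + password.encode()).hexdigest()


def hash_password(password: str, salt: bytes = None, rounds: int = 200_000) -> tuple:
    """How the password should be stored: random salt plus a slow, iterated KDF.

    Returns (salt, digest). PBKDF2-HMAC-SHA256 from the standard library is used
    here; bcrypt or scrypt are equally appropriate. The point is the salt and
    the cost factor, not the particular primitive.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes, rounds: int = 200_000) -> bool:
    """Recompute with the stored salt; constant-time compare so the check itself leaks nothing."""
    _, candidate = hash_password(password, salt, rounds)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    table = build_table("0123456789", 4)           # 11,110 entries, built instantly
    leaked = md5_hex("2012")                       # constructed "leaked" unsalted hash
    print("unsalted MD5 ->", crack_unsalted(leaked, table))            # 2012

    salt = os.urandom(16)
    print("salted MD5   ->", crack_unsalted(md5_with_salt("2012", salt), table))  # None

    print("printable-ASCII keyspace at 6 chars:", keyspace(6))         # 735091890625
    print("printable-ASCII keyspace at 8 chars:", keyspace(8))
    s, d = hash_password("2012")
    print("PBKDF2 verify:", verify_password("2012", s, d), verify_password("2013", s, d))
```

The salt does not make a weak password strong: "2012" still falls to a brute-force run against that one user's salted hash. What it removes is the amortisation, the ability to precompute once and look up every captured hash for free, and the iterated KDF then makes each per-user guess cost something.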
For those using weak constructions (e.g., a single unsalted MD5), the likelihood of recovering the actual credentials is very high, especially for passwords shorter than 8 characters; remember that rainbow tables are built over the full printable-character set, so a short password is not safer for being "complex". Bitweasil released a new cloud service, Cryptohaze WebTables, which essentially lets you send a hash and get back a password. Usage is free for passwords of up to six characters; anything longer costs a fee ranging from $1.99 for 10M chain searches to just under $150 for unlimited access. Although the underlying mechanism of pre-computing hashes (known in the community as rainbow tables) has existed for a while, it previously required downloading gigabytes of tables and significant processing power to run the attack; now it is outsourced and more efficient. Note what rainbow tables cannot do: a per-user random salt means there is no single table to precompute, which is why "hashing and salting" matters more than the choice of hash alone.

Bitweasil also released an open-source multi-hash brute-force tool, Cryptohaze Multiforcer. Multiforcer is designed for performance and scalability when handling large hash lists. It runs on Windows, Mac OS and Linux, either locally or as a distributed set of agents suited to cloud deployment on services such as Amazon EC2.

Microsoft's VPN is Broken by Defcon Hacker

All crypto looks good until it's broken; by broken we mean that the attack costs so much less than the advertised key size that enough computing power exists to run it routinely. With the recovered key material, you can decrypt all of the traffic. To summarize: PPTP (VPN) using MS-CHAPv2 is broken. Defcon speaker Moxie Marlinspike presented a cryptanalysis of MS-CHAPv2, Microsoft's version of the Challenge-Handshake Authentication Protocol. The handshake's response is three DES encryptions of the same 8-byte challenge hash under keys cut from the user's 16-byte NT password hash after it is zero-padded to 21 bytes; the third "key" therefore has only 2 unknown bytes, and because the first two keys encrypt the same plaintext, both can be found in a single pass over the 2^56 DES key space. The work to recover the full 128-bit hash thus falls from 2^128 to 2^56, with no dependence on the password's strength, the consequence of several weaknesses in the design of the aging protocol. If an attacker can capture any PPTP session's initial handshake (the username is sent in the clear), the user's NT hash can be recovered in less than a day; that hash is enough to authenticate as the user and to derive the MPPE session keys.
To make this even easier, the cracking itself is off-loaded to a new web service designed for penetration testing and auditing, CloudCracker, which takes the captured handshake and returns the NT hash. Per his blog, the recommendation Moxie makes after cracking MS-CHAPv2 is basically this: migrate away from it, and treat PPTP traffic as unencrypted in the meantime.