The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

  • My badges

  • Twitter Updates

  • My Flickr Stream

    20140508-Delphi-2007--Project-Options--Cannot-Edit-Application-Title-HelpFile-Icon-Theming20140430-Fiddler-Filter-Actions-Button-Run-Filterset-now20140424-VMware-Fusion-6.0.3.-no-reclaimable
    More Photos

  • Pages

  • All categories

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 2,230 other followers

«
»

Don’t use PPTP, and don’t use IPSEC-PSK either (via: CloudCracker blog)

Posted by jpluimers on 2013/06/24

A while ago, I had to connect to secure data over PPTP.

It reminded me of  this post from about a year ago: via Divide and Conquer: Cracking MS-CHAPv2 with a 100% success rate (now archived at the wayback machine).

Their main point:

MS-CHAPv2 can be cracked within less than a day (and that time will only get less).

Their short conclusion “basically PPTP is dead, and IPSEC-PSK is worse” leads to the recommendation:

This leaves either an OpenVPN configuration, or IPSEC in certificate rather than PSK mode.

Longer quote:

  1. All users and providers of PPTP VPN solutions should immediately start migrating to a different VPN protocol. PPTP traffic should be considered unencrypted.
  2. Enterprises who are depending on the mutual authentication properties of MS-CHAPv2 for connection to their WPA2 Radius servers should immediately start migrating to something else.

In many cases, larger enterprises have opted to use IPSEC-PSK over PPTP. While PPTP is now clearly broken, IPSEC-PSK is arguably worse than PPTP ever was for a dictionary-based attack vector. PPTP at least requires an attacker to obtain an active network capture in order to employ an offline dictionary attack, while IPSEC-PSK VPNs in aggressive mode will actually hand out hashes to any connecting attacker.

In terms of currently available solutions, deploying something securely requires some type of certificate validation. This leaves either an OpenVPN configuration, or IPSEC in certificate rather than PSK mode.

–jeroen

via: Divide and Conquer: Cracking MS-CHAPv2 with a 100% success rate.

This entry was posted on 2013/06/24 at 12:00 and is filed under IPSec, Network-and-equipment, Power User, PPTP, Security, VPN. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

3 Responses to “Don’t use PPTP, and don’t use IPSEC-PSK either (via: CloudCracker blog)”

  1. Reminder to self: when your PPTP server is behind a NAT, forward both GRE protocol and TCP port 1723 « The Wiert Corner – irregular stream of stuff said

    2017/06/06 at 06:00

    […] But preferably I should follow Don’t use PPTP, and don’t use IPSEC-PSK either (via: CloudCracker blog) […]

    Reply

  2. Setting up a PPTP connection on Mac OS X Lion « The Wiert Corner – irregular stream of stuff said

    2016/07/30 at 13:10

    […] Although: I should follow Don’t use PPTP, and don’t use IPSEC-PSK either (via: CloudCracker blog) […]

    Reply

  3. Windows PPTP – How to Create a VPN Server on Your Windows Computer Without Installing Any Software « The Wiert Corner – irregular stream of stuff said

    2016/07/30 at 13:08

    […] Later: indeed, I should follow Don’t use PPTP, and don’t use IPSEC-PSK either (via: CloudCracker blog) […]

    Reply

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

«
»
 
%d bloggers like this: