Saturday, May 21, 2016

chapcrack: A tool for MS-CHAPv2 network handshakes


Chapcrack is a tool for parsing and decrypting MS-CHAPv2 network handshakes. To use it, you first need a packet capture containing an MS-CHAPv2 handshake; the tool then parses the relevant credential material out of that handshake. In other words, chapcrack extracts the credential information from MS-CHAPv2 handshakes and submits it to CloudCracker, which in turn returns a result that chapcrack can use to decrypt the capture and recover the MD4 hash of the user's password.

The resulting file (the "token") is then submitted to CloudCracker, an online password-cracking service for penetration testers and network auditors, which returns the MD4 hash in under a day. For each handshake, chapcrack outputs the username, the known plaintext and two known ciphertexts, and will crack the third DES key itself. What is interesting is that CloudCracker forwards your handshake information to Pico Computing's DES cracking box, an FPGA system that implements DES as a real pipeline, performing one DES operation on each clock cycle. With 40 cores at 450 MHz, that is 18 billion keys per second!

The returned hash is then fed back into chapcrack, and the entire network capture is decrypted. Alternatively, the hash can be used directly to log in to the user's VPN service or WPA2 Enterprise RADIUS server. All of this is possible only because of the weak protocol design: the MD4 hash of the user's password is all that is needed to authenticate as that user, as well as to decrypt any of their traffic.

How to use chapcrack?

1. Obtain a packet capture with an MS-CHAPv2 network handshake in it (a PPTP VPN or WPA2 Enterprise handshake, for instance).
2. Use chapcrack to parse the relevant credentials from the handshake: chapcrack parse -i path/to/capture.cap
3. Submit the CloudCracker token to www.cloudcracker.com
4. Get your results, and decrypt the packet capture, passing the returned hash with -n: chapcrack decrypt -i path/to/capture.cap -o output.cap -n

Download chapcrack
