Skip to content


Repository files navigation

example workflow


MS-CHAP-V2 SHOULD NOT be used...


mschapv2acc is a proof of concept of MS-CHAP-V2 auditing/cracking tool.

It uses old know vulnerability and fast implementation of cryptographic algorithm. The main goal is to show the need to change for other stronger protocol.


Just see...

Standard mode

std mode img

Improved mode

improved mode img


  • You need a processor with SSE2 support.
  • This tool can be compiled with gcc for Linux / Mac OS X.

Just extract the archive:

~$ tar xfvz mschapv2acc-x.y.z.tar.gz
~$ cd mschapv2acc-x.y.z

Or clone with git:

~$ git clone
~$ cd mschapv2acc

Or checkout with subversion:

~$ svn checkout --depth empty
~$ cd mschapv2acc

And execute 'make':

~$ make

Features (or not)

  • 2 main modes : Brute Force mode and Dictionary mode.
  • To change the charset for the Brute Force mode, modify nbc and caract values in 'mschapv2acc.c' file in source code.

Exemples of uses

  • Brute force mode
~$ ./mschapv2acc file_auth
  • Brute force mode with challenge's cryptanalysis enabled
~$ ./mschapv2acc -x file_auth
  • Brute force mode with SSE2 enabled
~$ ./mschapv2acc -s file_auth
  • Brute force mode with challenge's cryptanalysis and SSE2 enabled
~$ ./mschapv2acc -x -s file_auth
  • Dictionary mode
~$ ./mschapv2acc -w dico.txt file_auth
  • Dictionary mode with challenge's cryptanalysis enabled
~$ ./mschapv2acc -x -w dico.txt file_auth

All the options are listed on the help message printed when you run mschapv2acc with no parameter.

About file_auth

file_auth is a binary dump file containing required MS-CHAP-V2 data.

This file is build as follow:

1 *int = user name length
user_name_lenght *char = user name
16 *unsigned char = auth challenge
16 *unsigned char = peer challenge
8 *unsigned char = challenge
24 *unsigned char = response

To get the file_auth:

  • use my patch mschapCap4FR1.1.2.patch with this old freeradius version. It puts the mschapv2acc file_auth in /tmp directory.
  • use wpe2acc (included with mschapv2acc) for converting the FreeRADIUS Wireless Pwnage Edition hex representation of MS-CHAP-V2 information to mschapv2acc file_auth.
  • use accgen.rb for converting John the Ripper input password file to mschapv2acc file_auth. Seems to be write for this tool: Peap-Karma (relative post)

Related stuff


MS-CHAP-v2 et 802.11i, le mariage risqué ? MISC 39