MS-CHAP-V2 SHOULD NOT be used...
mschapv2acc is a proof-of-concept MS-CHAP-V2 auditing/cracking tool.
It uses an old, known vulnerability and a fast implementation of the cryptographic algorithm. The main goal is to show the need to move to another, stronger protocol.
Just see...
- You need a processor with SSE2 support.
- This tool can be compiled with gcc for Linux / Mac OS X.
Just extract the archive:
~$ tar xfvz mschapv2acc-x.y.z.tar.gz
~$ cd mschapv2acc-x.y.z
Or clone with git:
~$ git clone https://github.com/polkaned/mschapv2acc
~$ cd mschapv2acc
Or checkout with subversion:
~$ svn checkout --depth empty https://github.com/polkaned/mschapv2acc
~$ cd mschapv2acc
Then run 'make':
~$ make
- 2 main modes: Brute Force mode and Dictionary mode.
- To change the charset for the Brute Force mode, modify the nbc and caract values in the 'mschapv2acc.c' source file.
- Brute force mode
~$ ./mschapv2acc file_auth
- Brute force mode with challenge cryptanalysis enabled
~$ ./mschapv2acc -x file_auth
- Brute force mode with SSE2 enabled
~$ ./mschapv2acc -s file_auth
- Brute force mode with challenge cryptanalysis and SSE2 enabled
~$ ./mschapv2acc -x -s file_auth
- Dictionary mode
~$ ./mschapv2acc -w dico.txt file_auth
- Dictionary mode with challenge cryptanalysis enabled
~$ ./mschapv2acc -x -w dico.txt file_auth
All the options are listed in the help message printed when you run mschapv2acc with no parameters.
file_auth is a binary dump file containing the required MS-CHAP-V2 data.
This file is built as follows:
1 *int = user name length
user_name_length *char = user name
16 *unsigned char = auth challenge
16 *unsigned char = peer challenge
8 *unsigned char = challenge
24 *unsigned char = response
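As an added example (not part of mschapv2acc), a small Python reader/writer for the file_auth layout above. It assumes the leading int is the 4-byte little-endian int of an x86 build, and it checks the stored 8-byte challenge against ChallengeHash() as defined in RFC 2759 (first 8 bytes of SHA-1 over peer challenge, authenticator challenge and user name), a derivation the layout above does not spell out. The sample dump and its response bytes are constructed, not captured.

```python
import hashlib
import struct
from dataclasses import dataclass

# file_auth layout as documented above. The leading int is assumed to be the
# native 4-byte little-endian int mschapv2acc reads on x86 (assumption).
HDR = struct.Struct("<i")
AUTH_LEN, PEER_LEN, CHAL_LEN, RESP_LEN = 16, 16, 8, 24


@dataclass
class FileAuth:
    user_name: bytes
    auth_challenge: bytes
    peer_challenge: bytes
    challenge: bytes
    response: bytes


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, user_name: bytes) -> bytes:
    """ChallengeHash() from RFC 2759: first 8 bytes of SHA-1(peer || auth || user name)."""
    return hashlib.sha1(peer_challenge + auth_challenge + user_name).digest()[:CHAL_LEN]


def build_file_auth(user_name: bytes, auth: bytes, peer: bytes, response: bytes) -> bytes:
    """Serialize the fields in file_auth order, deriving the 8-byte challenge."""
    return HDR.pack(len(user_name)) + user_name + auth + peer + challenge_hash(peer, auth, user_name) + response


def parse_file_auth(blob: bytes) -> FileAuth:
    """Parse a file_auth dump, rejecting truncated or oversized input."""
    if len(blob) < HDR.size:
        raise ValueError("truncated header")
    (name_len,) = HDR.unpack_from(blob, 0)
    if not 0 < name_len <= 256:
        raise ValueError(f"implausible user name length {name_len}")
    expected = HDR.size + name_len + AUTH_LEN + PEER_LEN + CHAL_LEN + RESP_LEN
    if len(blob) != expected:
        raise ValueError(f"expected {expected} bytes, got {len(blob)}")
    fields, off = [], HDR.size
    for size in (name_len, AUTH_LEN, PEER_LEN, CHAL_LEN, RESP_LEN):
        fields.append(blob[off:off + size])
        off += size
    return FileAuth(*fields)


def challenge_is_consistent(fa: FileAuth) -> bool:
    """True when the stored challenge equals ChallengeHash() of the other fields."""
    return fa.challenge == challenge_hash(fa.peer_challenge, fa.auth_challenge, fa.user_name)


# Constructed sample (not a real capture): fixed challenges and a dummy 24-byte response.
SAMPLE = build_file_auth(b"alice", bytes(range(16)), bytes(range(16, 32)), b"\xaa" * 24)
```

A dump whose challenge field fails the consistency check was not produced from the other three fields and will not crack, whatever the password.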
To get the file_auth:
- use my patch mschapCap4FR1.1.2.patch with this old freeradius version. It puts the mschapv2acc file_auth in the /tmp directory.
- use wpe2acc (included with mschapv2acc) to convert the FreeRADIUS Wireless Pwnage Edition hex representation of the MS-CHAP-V2 information into an mschapv2acc file_auth.
- use accgen.rb to convert a John the Ripper input password file into an mschapv2acc file_auth. It seems to have been written for this tool: Peap-Karma (related post)
MS-CHAP-v2 et 802.11i, le mariage risqué ? MISC 39