#Defcon: Marlinspike expands Cloudcracker

Powered by SC Magazine
 

Web-based tool cracks more than just WPA.

Whisper Systems founder Moxie Marlinspike has expanded a web-based tool for cracking protocols used for securing Wi-Fi networks, hashing passwords and encrypting documents.

The CloudCracker service was launched in February and targeted network auditors and penetration testers. It was based on Marlinspike's WPACracker service, launched in 2009.

The latest version, unveiled at the annual DefCon hacker conference in Las Vegas over the weekend, promised to crack an even greater range of encryption protocols and password hashing methods used in corporate and wireless networks and VPNs.

It claimed to be able to successfully attack and break WPA, WPA2, NTLM, SHA-512, MD5, and MS-CHAPv2 protocols using a field-programmable gate array (FPGA) chip supercomputer designed by Pico Computing in the US.

Microsoft's Challenge Handshake Authentication Protocol Extensions Version 2 (MS-CHAPv2) was commonly used by Windows users as part of the Point-to-Point Tunnelling Protocol (PPTP), CNET reported.

CloudCracker promised to run "your network handshake against 300,000,000 words in twenty minutes for just $US17". The tool was accessible to anyone who paid CloudCracker's fees.

It used brute-force guessing and dictionaries to crack protocols.

CloudCracker's MS-CHAPv2 dictionary represented the entire address space of the Data Encryption Standard (DES), one of the most popular encryption algorithms, which contains 72,057,594,037,927,936 (2^56) options.

It said this guaranteed a 100 percent success rate on recovering MS-CHAPv2 credentials for PPTP VPN connections and the inner authentication method for WPA2 enterprise Wi-Fi.

Marlinspike is known for his work on circumventing Certificate Authorities (CAs) for Secure Sockets Layer (SSL) encryption, used for securing web browser traffic.

His Whisper Systems Android security company was acquired by Twitter in November last year for an unknown amount.

Last December, Whisper Systems open-sourced its TextSecure secure text messaging client for Android. This July, it open-sourced the RedPhone encrypted voice calls application.

RedPhone was used by Egyptian dissidents to encrypt voice calls via their Android handsets during the uprising against the Mubarak regime last year.

Copyright © iTnews.com.au . All rights reserved.

