Microsoft pptp vpn vulnerabilities Exploits in Action


© SANS Institute 2000 - 2005, Author retains full rights.




The next packet it sends will have the flushed bit set.  This bit indicates to the other end that it should re-initialize its own tables, and in this way the two ends become resynchronized.  This mode of operation is called "stateful mode" in the new MPPE draft.

What does this all mean to us?  It means we can force both ends of the connection to keep encrypting their packets with the same key until the low-order sequence number reaches 0xFF.  For example, assume Alice and Bob have just set up the communication channel.  They have both initialized their session keys and expect a packet with a coherency count of zero.

Alice           ->      Bob
Alice sends Bob a packet numbered zero, encrypted with the cipher stream generated by the RC4 cipher, and increments her sent coherency count to one.  Bob receives the packet, decrypts it, and increments his receive coherency count to one.

Mallory (Bob)   ->      Alice
Mallory sends Alice a spoofed CCP Reset-Request packet (remember this is a datagram protocol, assuming we don't desynchronize GRE).  Alice immediately re-initializes her RC4 tables to their original state.

Alice           ->      Bob
Alice sends another packet to Bob.  This packet will be encrypted with the same cipher stream as the last packet.  The packet will also have the FLUSHED bit set, which makes Bob re-initialize his own RC4 tables.

Mallory can continue to play this game up to a total of 256 times, after which the session key will be changed.  By this point Mallory will have collected 256 packets from Alice to Bob, all encrypted with the same cipher stream.

Furthermore, since Alice and Bob start with the same session key in each direction, Mallory can play the same game in the opposite direction, collecting another 256 packets encrypted with the same cipher stream as the ones going from Alice to Bob.
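The Alice, Bob and Mallory exchange above, reduced to a small simulation.  This is an added Python model, not code from the paper or from Microsoft's MPPE implementation: RC4 is the real cipher, the 12-bit coherency count and FLUSHED bit follow the text, and the key-change derivation is a placeholder assumption because the page does not give MPPE's actual rekey function.  It shows why an unauthenticated Reset-Request defeats the coherency count: every packet sent after a reset comes out under the cipher stream of packet zero, until the 256-packet key change.

```python
import hashlib

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key scheduling, then `length` bytes of keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

class StatefulSender:
    def __init__(self, session_key: bytes):
        self.key = session_key
        self.count = 0        # 12-bit coherency count carried in every packet
        self.flushed = False  # FLUSHED bit, set on the first packet after a reset
        self.offset = 0       # position in the running RC4 stream
    def reset_request(self):
        """CCP Reset-Request: RC4 tables back to initial state; key and count untouched."""
        self.offset = 0
        self.flushed = True
    def encrypt(self, plaintext: bytes):
        ks = rc4_keystream(self.key, self.offset + len(plaintext))[self.offset:]
        self.offset += len(plaintext)
        pkt = (self.count, self.flushed, bytes(p ^ k for p, k in zip(plaintext, ks)))
        self.flushed = False
        if self.count & 0xFF == 0xFF:
            # Low-order byte reached 0xFF: 256 packets went out under this key.
            # Rekey (placeholder derivation, an assumption) and restart RC4.
            self.key = hashlib.sha1(self.key).digest()[:16]
            self.offset = 0
        self.count = (self.count + 1) & 0xFFF
        return pkt

def packets_sharing_keystream(resets: int, msg: bytes = b"constructed text") -> int:
    """Count packets produced under packet zero's cipher stream when a Reset-Request
    precedes each later packet (same plaintext, so equal ciphertext means equal keystream)."""
    alice = StatefulSender(b"constructed-key!")
    first = alice.encrypt(msg)[2]
    shared = 1
    for _ in range(resets):
        alice.reset_request()
        shared += alice.encrypt(msg)[2] == first
    return shared
```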
The April 1998 version of the draft adds a "stateless mode" option (otherwise known as "historyless mode" in some Microsoft literature) to the negotiation packets.  This option tells MPPE to change the session key after
0