This is how to crack the authentication in PPTP version 1.2. Version 1.3 has many improvements, but it is still open to dictionary/brute-force attack.
The front-end PPTP client interface that sets up the connection prompts you for a username and password.
You can break into PPTP via the username/password. The password is the key: the challenge response is computed from its hash, and the session encryption keys are derived from that same hash. Guess the password, and you are in. Authentication works like this:

1) The client makes a login attempt.
2) The server generates a random 8-byte number, the challenge (123456789 as an illustration), and DES-encrypts it with keys derived from the hash of the user's password, giving the expected response (84736595 in the illustration; a real response is 24 bytes).
3) The server sends the challenge to the client; in a network sniff, this is the packet to watch for. A client holding the valid password can run the same encryption and generate the valid response.
4) The client sends the response back to the server, and if the responses (not the passwords) match, you are good to go.

Note that the username is sent without encryption, so you already have half of the puzzle.
Incidentally, this is MS-CHAP, Microsoft's variant of CHAP (Challenge-Handshake Authentication Protocol).
If you capture both the challenge and the response and feed them into a cracking tool such as L0phtCrack, you can recover the password.

This is a brute-force attack and may take a little while, but Microsoft PPTP has some weaknesses which play in your favor:
1) LAN Manager responses are DES encrypted with keys derived from the LAN Manager hash, which is built from the password converted to upper case and split into two 7-character halves (not exactly, but keeping things simple). Case is lost, each half can be attacked on its own, and the third DES key of the response is just the last two bytes of the hash plus zero padding, so the final 8 bytes of the response can be matched with 65,536 guesses.
2) NT responses are DES encrypted with keys derived from the MD4 hash of the password (up to 14 characters), which keeps case and is not split into halves, so it is harder to guess. The version 1.2 response packet carries both a LAN Manager and an NT response field, so the weaker LAN Manager response is the one to attack.
Copyright 2006, Security Evolution, Inc.