[PEN-TEST] PPTP Sniffer

[Elias Levy <aleph1 () SECURITYFOCUS COM>]

A while ago I wrote a PPTP sniffer called "anger". It sniffer PPTP's
MS-CHAPv1 challenge-response and saved it on a file that could be
input into L0phtcrack. It also implemented an active attack on MS-CHAPv1's
password change protocol that could fool the user into disclosing their
NTLM and LANMAN hashes.

Recently I've updated the code to handle MS-CHAPv2. This new version of
MS-CHAP no longer has the password change vulnerability. While Microsoft
modified the authentication protocol by adding a number of calls to the
SHA hashing algorithm they didn't really improve its security. The
updates program is capable of sniffing the MS-CHAPv2 challenge-response
and produce the same output file that you can process via L0phtcrack.
No changes are required to L0phtcrack.

Sadly I've not been able to test the code. I don't have a box running
Windows NT and PPTP with MS-CHAPv2 to test it on. So I am looking for
a couple of people to test the program.

What you need:

* Windows NT running the PPTP server with MS-CHAPv2.
* A PPTP client that supports MS-CHAPv2.
* A Unix box with libpcap and OpenSSL on a network segment in which
  the PPTP traffic is visible.
* L0phtcrack. I might be wrong but I think only the command line version of
  L0phtcrack can handle the challenge-response file format.

To test simply create an account with an easy to guess password on the
PPTP server. Compile and run the PPTP sniffer on the Unix box. Connect to
the PPTP server from the client using the account with the easy to guess
password. Run L0phtcrack with the output of the sniffer.

If it guesses the password my code works. Otherwise it must have an error.
Either way I'd like to know.

If you are interested in giving me a hand drop me a line and I'll send you
the code.

--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum