Penetration Testing mailing list archives
[PEN-TEST] PPTP Sniffer
From: Elias Levy <aleph1 () SECURITYFOCUS COM>
Date: Wed, 15 Nov 2000 10:53:15 -0800
A while ago I wrote a PPTP sniffer called "anger". It sniffed PPTP's MS-CHAPv1 challenge-response and saved it to a file that could be input into L0phtcrack. It also implemented an active attack on MS-CHAPv1's password change protocol that could fool the user into disclosing their NTLM and LANMAN hashes.

Recently I've updated the code to handle MS-CHAPv2. This new version of MS-CHAP no longer has the password change vulnerability. While Microsoft modified the authentication protocol by adding a number of calls to the SHA hashing algorithm, they didn't really improve its security. The updated program is capable of sniffing the MS-CHAPv2 challenge-response and producing the same output file that you can process via L0phtcrack. No changes are required to L0phtcrack.

Sadly I've not been able to test the code. I don't have a box running Windows NT and PPTP with MS-CHAPv2 to test it on. So I am looking for a couple of people to test the program.

What you need:

* Windows NT running the PPTP server with MS-CHAPv2.
* A PPTP client that supports MS-CHAPv2.
* A Unix box with libpcap and OpenSSL on a network segment in which the PPTP traffic is visible.
* L0phtcrack. I might be wrong but I think only the command line version of L0phtcrack can handle the challenge-response file format.

To test, simply create an account with an easy to guess password on the PPTP server. Compile and run the PPTP sniffer on the Unix box. Connect to the PPTP server from the client using the account with the easy to guess password. Run L0phtcrack with the output of the sniffer. If it guesses the password, my code works. Otherwise it must have an error. Either way I'd like to know.

If you are interested in giving me a hand, drop me a line and I'll send you the code.

--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum