|
4 | 4 |
|
5 | 5 | ## Basic Information |
6 | 6 |
|
7 | | -**Point-to-Point Tunneling Protocol (PPTP)** is a method widely employed for **remote access** to mobile devices. It utilizes **TCP port 1723** for the exchange of keys, while **IP protocol 47** (Generic Routing Encapsulation, or **GRE**), is used to encrypt the data that is transmitted between peers. This setup is crucial for establishing a secure communication channel over the internet, ensuring that the data exchanged remains confidential and protected from unauthorized access. |
| 7 | +**Point-to-Point Tunneling Protocol (PPTP)** is an old VPN tunneling protocol used for **remote access**. It uses **TCP port 1723** for the control channel and **IP protocol 47** (**GRE**) to carry the PPP payload. The traffic inside the tunnel is commonly protected with **MPPE**, while authentication is frequently based on **MS-CHAPv2**. |
| 8 | + |
| 9 | +From an offensive perspective, the interesting part is usually not the control connection itself but the fact that **capturing a PPTP/MS-CHAPv2 handshake can enable offline password or NT-hash recovery**. Also remember that a host can answer on TCP/1723 while the tunnel still fails because **GRE (protocol 47) is filtered**. |
8 | 10 |
|
9 | 11 | **Default Port**:1723 |
10 | 12 |
|
11 | 13 | ## Enumeration |
12 | 14 |
|
13 | 15 | ```bash |
14 | | -nmap –Pn -sSV -p1723 <IP> |
| 16 | +nmap -Pn -sSV -p1723 <IP> |
| 17 | +nmap -Pn -sO --protocol 47 <IP> |
| 18 | +``` |
| 19 | + |
| 20 | +If you only confirm `tcp/1723` and miss GRE, you can easily get a false sense that the VPN is reachable. During troubleshooting or sniffing, capture both the control and encapsulated traffic: |
| 21 | + |
| 22 | +```bash |
| 23 | +sudo tcpdump -ni <iface> 'tcp port 1723 or gre' -w pptp-handshake.pcap |
| 24 | +tshark -r pptp-handshake.pcap -Y 'pptp || gre || ppp || chap' |
15 | 25 | ``` |
16 | 26 |
|
17 | 27 | ### [Brute Force](../generic-hacking/brute-force.md#pptp) |
18 | 28 |
|
19 | | -## Vulnerabilities |
| 29 | +## Attack Notes |
20 | 30 |
|
21 | | -- [https://www.schneier.com/academic/pptp/](https://www.schneier.com/academic/pptp/) |
22 | | -- [https://github.com/moxie0/chapcrack](https://github.com/moxie0/chapcrack) |
| 31 | +### MS-CHAPv2 handshake capture |
23 | 32 |
|
24 | | -{{#include ../banners/hacktricks-training.md}} |
| 33 | +For PPTP, the relevant material is the PPP authentication exchange transported inside GRE. In MS-CHAPv2 the response depends on: |
| 34 | + |
| 35 | +- The server **AuthenticatorChallenge** |
| 36 | +- The client **Peer-Challenge** |
| 37 | +- The **username** |
| 38 | +- The **NT-Response** |
| 39 | + |
| 40 | +That means a packet capture is often enough to move the attack offline. If you can sniff the initial connection, request the user to reconnect, or position yourself on-path, capture the handshake and extract the challenge/response data. |
| 41 | + |
| 42 | +Useful quick filters: |
| 43 | + |
| 44 | +```bash |
| 45 | +tshark -r pptp-handshake.pcap -Y 'chap' |
| 46 | +tshark -r pptp-handshake.pcap -Y 'ppp and chap' |
| 47 | +``` |
| 48 | + |
| 49 | +### Parse and decrypt with `chapcrack` |
| 50 | + |
| 51 | +`chapcrack` is still one of the cleanest ways to process a PPTP capture: |
| 52 | + |
| 53 | +```bash |
| 54 | +chapcrack.py parse -i pptp-handshake.pcap |
| 55 | +``` |
| 56 | + |
| 57 | +If you recover the underlying secret material, you can decrypt the PPTP packet capture: |
| 58 | + |
| 59 | +```bash |
| 60 | +chapcrack.py decrypt -i pptp-handshake.pcap -o pptp-decrypted.pcap -n <recovered_nt_hash_or_token> |
| 61 | +``` |
| 62 | + |
| 63 | +This is especially useful when the goal is not only credential recovery but also **session decryption** and post-auth traffic analysis. |
| 64 | + |
| 65 | +### Crack challenge/response material |
| 66 | + |
| 67 | +If you already extracted the challenge/response pair, `asleap` can still be used directly against PPTP/MS-CHAPv2 material: |
| 68 | + |
| 69 | +```bash |
| 70 | +asleap -C 58:16:d5:ac:4b:dc:e4:0f -R 50:ae:a3:0a:10:9e:28:f9:33:1b:44:b1:3d:9e:20:91:85:e8:2e:c3:c5:4c:00:23 -W /usr/share/wordlists/rockyou.txt |
| 71 | +``` |
| 72 | + |
| 73 | +`asleap` also supports working from packet captures or precomputed lookup tables, but for PPTP assessments the most common workflow is: |
| 74 | + |
| 75 | +1. Capture the PPTP handshake |
| 76 | +2. Extract the challenge/response |
| 77 | +3. Run offline cracking with `asleap`, `chapcrack`, or a custom workflow |
25 | 78 |
|
| 79 | +Recent tradecraft also includes **NT-hash-first** workflows such as `assless-chaps`, which recover the **NT hash** from MS-CHAPv2/NTLMv1 challenge-response material using a prepared hash database. This can be faster than conventional password cracking if you maintain a good NT-hash corpus: |
26 | 80 |
|
| 81 | +```bash |
| 82 | +./assless-chaps <challenge> <response> <hashes.db> |
| 83 | +``` |
| 84 | + |
| 85 | +This matters because for PPTP the recovered **NT hash is operationally valuable by itself**: once obtained, it can be used to validate the crack, decrypt captures, and pivot into Windows-oriented reuse checks. |
| 86 | + |
| 87 | +### Protocol weakness summary |
| 88 | + |
| 89 | +- PPTP depends on a **separate GRE data channel**, so firewalls often expose `tcp/1723` while silently breaking the tunnel. |
| 90 | +- **MS-CHAPv2 security effectively collapses to recovering DES-derived material / NT-hash-equivalent secrets**, making passive capture much more dangerous than with modern VPNs. |
| 91 | +- Even if the password is not immediately recovered, the handshake can usually be **stored and attacked offline later**. |
| 92 | + |
| 93 | +## References |
| 94 | + |
| 95 | +- [https://github.com/moxie0/chapcrack](https://github.com/moxie0/chapcrack) |
| 96 | +- [https://github.com/sensepost/assless-chaps](https://github.com/sensepost/assless-chaps) |
| 97 | + |
| 98 | +{{#include ../banners/hacktricks-training.md}} |
27 | 99 |
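Review bot: The GRE check added at new line 17 (`nmap -Pn -sO --protocol 47 <IP>`) will not run as written: `--protocol` is not an Nmap option, and in IP protocol scan mode (`-sO`) the protocol numbers are selected with `-p`, so this should read `nmap -Pn -sO -p 47 <IP>`, run with root privileges because `-sO` needs raw sockets. Two smaller points in the same region: at new line 60 the placeholder `-n <recovered_nt_hash_or_token>` conflates two different things, since `chapcrack.py decrypt -n` expects the 16-byte NT hash, while the token printed by `chapcrack.py parse` is only a submission token for cracking and cannot be passed to `decrypt`; the placeholder should be narrowed to `<recovered_nt_hash>`. Finally, the new "Protocol weakness summary" (lines 87-91) lists why passive capture is dangerous but gives the reader no remediation to report; a one-line note that the only fix is to retire PPTP/MS-CHAPv2 in favour of a modern VPN (the removed Schneier reference makes exactly this point, and could be kept in the References list) would make the section useful for the defensive side of an assessment.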
|