
| Subject: | RE: MS RAS (pptp + MSCHAPv1) |
|---|---|
| Date: | Fri, 28 Jan 2005 19:03:25 -0600 |
-----Original Message-----
From: Maria Da Re [mailto:pentestml@yahoo.it]

> Wasn't there a release by team-teso to fingerprint PPP? In Google and Packetstorm I find nothing.
>
> THC-pptp-bruter: Brute force program against PPTP VPN Gateways (tcp port 1723).
>
> Now, I know that bruter isn't useful for my purpose, because I am not working on IP but on dial-up. So I can't connect to tcp port 1723 *before* the MSCHAPv1 authentication on PPTP.
True, THC-pptp-bruter won't be useful if you are using dialup, but you won't be working with PPTP either; you will be using PPP alone. Point to Point Tunneling Protocol is designed to work over an IP network (hence the confusion).

This paper talks about MS-CHAPv2 and its vulnerabilities, but it also gives you a good overview of how MS-CHAPv1 works and might be worth reading: http://www.schneier.com/paper-pptpv2.pdf

THC has another (~updated, 2003) tool for PPP brute forcing using Unix scripts and minicom (it used to be included in most Linux distros but I haven't checked lately). The tool is called THC-dialup Login Hacker v1.1 and is available here: http://www.thc.org/download.php?t=r&f=login_hacker-1.1.tar.gz

I'm not sure whether this tool already supports MS-CHAP, and I have not seen specific tools for MS-CHAP, but I think you could modify the scripts to send whatever is needed through minicom.

The protocol (from the paper above) is this:

> 1. Client requests a login challenge from the Server.
> 2. The Server sends back an 8-byte random challenge.
> 3. The Client uses the LAN Manager hash of its password to derive three DES keys. Each of these keys is used to encrypt the challenge. All three encrypted blocks are concatenated into a 24-byte reply. The Client creates a second 24-byte reply using the Windows NT hash and the same procedure.

Instructions are also given in the paper on how to derive the keys. In synthesis, you might use a dictionary attack using hashes of the passwords in your dictionary and the challenge. The speed of the attack is not dependent upon the hashing stuff but upon the dialing/reconnecting speed, since you will have to reconnect several times to the server with your modem. Even then you should be aware that RAS accounts might have been configured to block after a number of unsuccessful attempts, so the task, even with the right tools, is far from easy :-).

I hope this is useful.

Regards,
Omar Herrera