MS RAS (pptp + MSCHAPv1)

From: Maria Da Re (pentestml_at_yahoo.it)
Date: 01/27/05

    Date: Thu, 27 Jan 2005 22:41:22 +0100 (CET)
    To: pen-test@securityfocus.com
    
    

    Hi!

    I will execute a penetration test on Windows 2000
    systems responding in dial-up on different telephone
    numbers with pptp protocol handled by Microsoft RAS
    (Routing and Remote Access) server.

    I am thinking of proceeding with an analysis composed of
    these steps:

    1) Fingerprint with ppp, trying to use & verify the many
    authentication protocols available, such as CHAP,
    MSCHAPv1, MSCHAPv2; very probably the protocol is
    MS-CHAPv1.

    2) Trying to take advantage of this vulnerability:
    www.securityfocus.com/bid/5807. Any suggestions? Are
    there other vulnerabilities?

    3) Trying to brute-force the passwords with
    pptp-bruter. Are there other good tools for doing
    this?

    Because I can't access the shared telephone line, I
    can't try man-in-the-middle attacks (decrypting
    credentials or implementing a fake server to steal
    credentials).

    Do you have any suggestions? Are there other types of
    attacks to try or tools to use?

    Thanks for sharing your experience

    -- 
    M. Da Re
    		
    
