RE: MS RAS (pptp + MSCHAPv1)

From: Marc Heuse (Marc.Heuse_at_nruns.com)
Date: 01/28/05

    To: "'Maria Da Re'" <pentestml@yahoo.it>, <pen-test@securityfocus.com>
    Date: Fri, 28 Jan 2005 10:24:15 +0100
    
    

    Hi,

    > 1) Fingerprint with ppp, trying to use & verify the many
    > authentication protocols available such as CHAP,
    > MSCHAPv1, MSCHAPv2; very probably the protocol is
    > MS-CHAPv1.

    wasn't there a release by team-teso to fingerprint ppp?
    their web site is down, but you should be able to find it
    in the packetstorm archive.

    > 3) Trying to brute-force the passwords with
    > pptp-bruter. Are there other good tools for doing
    > this?

    this came out a few weeks ago:
     : THC-pptp-bruter: Brute force program against PPTP VPN Gateways (tcp port 1723).
     : Fully standalone. Supports latest MSChapV2 authentication. Tested against Windows
     : and Cisco Systems. Exploits a weakness in Microsoft's anti brute-force
     : implementation that makes it possible to try 300 passwords per second.
    I haven't tried it, but it's the only one I know. it's from www.thc.org

    Cheers,
    Marc

    ====================================================================
    Marc Heuse
    n.runs GmbH
    Mobile Phone: +49-160-98925941
    Key fingerprint = AE3F CDC0 8C7B 8797 BEAC 4BF8 EC8F E64B 0A84 EA10
    ====================================================================
     
    -----Original Message-----
    From: Maria Da Re [mailto:pentestml@yahoo.it]
    Sent: Thursday, 27. January 2005 22:41
    To: pen-test@securityfocus.com
    Subject: MS RAS (pptp + MSCHAPv1)

    Hi!

    I will execute a penetration test on Windows 2000
    systems responding in dial-up on different telephone
    numbers with pptp protocol handled by Microsoft RAS
    (Routing and Remote Access) server.

    I am thinking of proceeding with an analysis composed of these
    steps:

    1) Fingerprint with ppp, trying to use & verify the many
    authentication protocols available such as CHAP,
    MSCHAPv1, MSCHAPv2; very probably the protocol is
    MS-CHAPv1.

    2) Trying to take advantage of this vulnerability:
    www.securityfocus.com/bid/5807. Any suggestions? Are
    there other vulnerabilities?

    3) Trying to brute-force the passwords with
    pptp-bruter. Are there other good tools for doing
    this?

    Because I can't access the shared telephone line, I
    can't try man-in-the-middle attacks (decrypting
    credentials or implementing a fake server to steal
    credentials).

    Do you have any suggestions? Are there other types of
    attacks to try or tools to use?

    Thanks for sharing your experience

    -- 
    M. Da Re
    		
    
