thc-pptp-bruter problem?



Hey pen-testers,

Since i wasn't able to directly email people at thc.org [1], i'm writing
here. Just wanted to share some kinda weird problems i'm currently
experiencing with thc-pptp-bruter v0.1.4.

It seems to work flawlessly against Windows:

# cat test | thc-pptp-bruter x.x.x.x
Hostname 'xxx', Vendor 'Microsoft Windows NT', Firmware: 2195
5 passwords tested in 0h 00m 00s (5.00 5.00 c/s)
9 passwords tested in 0h 00m 02s (1.82 4.50 c/s)
[...]

But at least against Cisco VPN 3000 Concentrator and WatchGuard it
presents the following behaviour:

# cat test | thc-pptp-bruter x.x.x.x
PPTP Connection established.
Hostname 'xxx', Vendor 'Cisco Systems, Inc.', Firmware: 1031
5 passwords tested in 0h 00m 01s (5.00 5.00 c/s)
5 passwords tested in 0h 00m 06s (0.20 0.83 c/s)
5 passwords tested in 0h 00m 11s (0.20 0.45 c/s)
5 passwords tested in 0h 00m 16s (0.20 0.31 c/s)
[it goes like this forever]

# cat test | thc-pptp-bruter x.x.x.x
PPTP Connection established.
Hostname 'xxx', Vendor 'WatchGuard Technologies, Inc.',
Firmware: 0
5 passwords tested in 0h 00m 01s (5.00 5.00 c/s)
5 passwords tested in 0h 00m 06s (0.20 0.83 c/s)
5 passwords tested in 0h 00m 11s (0.20 0.45 c/s)
5 passwords tested in 0h 00m 16s (0.20 0.31 c/s)
[same as above]

I've played a bit with the command line switches, with no appreciable
results, so i decided to investigate a bit further. After some tests
performed on Cisco and WatchGuard VPN concentrators and the development of
a small old-style .BAT hack to automate the bruteforce attack [2], i
realized that both platforms implement some sort of anti-bruteforce
mechanism, preventing thc-pptp-bruter to work properly.

Anyone here has experienced the same issues? I'd be interested in hearing
about solutions/workarounds/techniques/tools employed by other pen-testers
when testing M$ PPTP...

Ciao,

[1]
root@voodoo:~# host -t mx thc.org
thc.org mail is handled by 20 kyle.spoiled.org.
root@voodoo:~# telnet kyle.spoiled.org 25
Trying 217.172.183.188...
telnet: connect to address 217.172.183.188: Connection refused

[2]
http://www.0xdeadbeef.info/code/rasbrute.bat
Yeah, .BAT pretty much sucks, i should have probably used the way more
powerful Windows Script (http://msdn.microsoft.com/scripting/), but i'm
allergic to VB and JScript;P

--
Marco Ivaldi
Antifork Research, Inc. http://0xdeadbeef.info/
3B05 C9C5 A2DE C3D7 4233 0394 EF85 2008 DBFD B707


------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------