From: Marc Heuse (Marc.Heuse@nruns.com)
Date: Fri Jan 28 2005 - 04:24:15 EST
Hi,
> 1) Fingerprint with PPP, trying to use and verify the many
> authentication protocols available such as CHAP,
> MS-CHAPv1, MS-CHAPv2; very probably the protocol is
> MS-CHAPv1.
wasn't there a release by team-teso to fingerprint ppp?
their web site is down, but you should be able to find it
in the packetstorm archive.
> 3) Trying to brute-force the passwords with
> pptp-bruter. Are there other good tools for doing
> this?
this came out a few weeks ago:
: THC-pptp-bruter: Brute force program against PPTP VPN Gateways (tcp port 1723). Fully standalone.
: Supports latest MSChapV2 authentication. Tested against Windows and Cisco Systems. Exploits a
: weakness in Microsoft's anti brute-force implementation that makes it possible to try 300
: passwords per second.
I haven't tried it, but it's the only one I know. It's from www.thc.org
Cheers,
Marc
====================================================================
Marc Heuse
n.runs GmbH
Mobile Phone: +49-160-98925941
Key fingerprint = AE3F CDC0 8C7B 8797 BEAC 4BF8 EC8F E64B 0A84 EA10
====================================================================
-----Original Message-----
From: Maria Da Re [mailto:pentestml@yahoo.it]
Sent: Thursday, 27. January 2005 22:41
To: pen-test@securityfocus.com
Subject: MS RAS (pptp + MSCHAPv1)
Hi!
I will execute a penetration test on Windows 2000
systems responding in dial-up on different telephone
numbers, with the PPTP protocol handled by a Microsoft RAS
(Routing and Remote Access) server.
I plan to proceed with an analysis composed of these
steps:
1) Fingerprint with PPP, trying to use and verify the many
authentication protocols available such as CHAP,
MS-CHAPv1, MS-CHAPv2; very probably the protocol is
MS-CHAPv1.
2) Trying to take advantage of this vulnerability:
www.securityfocus.com/bid/5807. Any suggestions? Are
there other vulnerabilities?
3) Trying to brute-force the passwords with
pptp-bruter. Are there other good tools for doing
this?
Because I can't access the shared telephone line, I
can't try man-in-the-middle attacks (decrypting
credentials or implementing a fake server to steal
credentials).
Do you have any suggestions? Are there other types of
attacks to try or tools to use?
Thanks for sharing your experience.
-- M. Da Re
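An added example for this archive page (written here; it is not code from either poster and not part of THC-pptp-bruter or any team-teso release): a small Python script covering the two checks the thread turns on. It opens the PPTP control connection on tcp/1723 with a Start-Control-Connection-Request and parses the reply's protocol version, result code, host name and vendor string using the message layout from RFC 2637, and it decodes the Authentication-Protocol option of an LCP Configure-Request so that CHAP-MD5, MS-CHAPv1 and MS-CHAPv2 can be told apart. The sample SCCRP bytes and the sample LCP option list are constructed for the example, not captures; the vendor string "Microsoft" in the sample is a placeholder, not a claim about what a given RAS build sends. Obtaining the LCP bytes from a live target needs a GRE/PPP session, which this example does not set up; only the tcp/1723 part talks to the network.

```python
import socket
import struct
import sys

PPTP_PORT = 1723
PPTP_MAGIC = 0x1A2B3C4D
CTRL_MSG = 1            # PPTP Message Type: control message
SCCRQ = 1               # Control Message Type: Start-Control-Connection-Request
SCCRP = 2               # Control Message Type: Start-Control-Connection-Reply
PROTO_VERSION = 0x0100  # PPTP version 1.0

# Common header: Length, Message Type, Magic Cookie, Control Message Type, Reserved0
HDR = struct.Struct("!HHIHH")
# SCCRQ body: Version, Reserved1, Framing Caps, Bearer Caps, Max Channels,
#             Firmware Revision, Host Name (64), Vendor String (64)
SCCRQ_BODY = struct.Struct("!HHIIHH64s64s")
# SCCRP body: Version, Result Code, Error Code, Framing Caps, Bearer Caps,
#             Max Channels, Firmware Revision, Host Name (64), Vendor Name (64)
SCCRP_BODY = struct.Struct("!HBBIIHH64s64s")
PPTP_MSG_LEN = HDR.size + SCCRP_BODY.size  # 156 bytes for both SCCRQ and SCCRP


def build_sccrq(host_name=b"pentest", vendor=b"pentest"):
    """Build a minimal SCCRQ advertising async+sync framing and analog+digital bearers."""
    body = SCCRQ_BODY.pack(PROTO_VERSION, 0, 0x3, 0x3, 0, 0, host_name, vendor)
    return HDR.pack(HDR.size + len(body), CTRL_MSG, PPTP_MAGIC, SCCRQ, 0) + body


def _cstr(field):
    return field.split(b"\0", 1)[0].decode("latin-1")


def parse_sccrp(data):
    """Parse an SCCRP into the fields useful for fingerprinting the gateway."""
    if len(data) < PPTP_MSG_LEN:
        raise ValueError("short PPTP message: %d bytes" % len(data))
    _length, msg_type, magic, ctrl_type, _res = HDR.unpack_from(data, 0)
    if magic != PPTP_MAGIC or msg_type != CTRL_MSG:
        raise ValueError("not a PPTP control message")
    if ctrl_type != SCCRP:
        raise ValueError("unexpected control message type %d" % ctrl_type)
    (ver, result, error, framing, bearer, max_chan,
     firmware, host, vendor) = SCCRP_BODY.unpack_from(data, HDR.size)
    return {
        "version": "%d.%d" % (ver >> 8, ver & 0xFF),
        "result_code": result,      # 1 = successful channel establishment
        "error_code": error,
        "framing_caps": framing,
        "bearer_caps": bearer,
        "max_channels": max_chan,
        "firmware_rev": firmware,
        "host_name": _cstr(host),
        "vendor": _cstr(vendor),
    }


def fingerprint_pptp(target, port=PPTP_PORT, timeout=5.0):
    """Send an SCCRQ to the target and return the parsed SCCRP."""
    with socket.create_connection((target, port), timeout=timeout) as s:
        s.sendall(build_sccrq())
        buf = b""
        while len(buf) < PPTP_MSG_LEN:
            chunk = s.recv(PPTP_MSG_LEN - len(buf))
            if not chunk:
                break
            buf += chunk
    return parse_sccrp(buf)


# LCP option type 3 (Authentication-Protocol): 2-byte protocol number, plus an
# algorithm byte for CHAP (RFC 1994 and the Microsoft CHAP variants).
LCP_OPT_AUTH_PROTO = 3
AUTH_NAMES = {
    (0xC023, None): "PAP",
    (0xC223, 0x05): "CHAP-MD5",
    (0xC223, 0x80): "MS-CHAPv1",
    (0xC223, 0x81): "MS-CHAPv2",
}


def lcp_auth_protocols(options):
    """Return the authentication protocols named in an LCP option list (TLV: type, length, data)."""
    found, i = [], 0
    while i + 2 <= len(options):
        opt_type, opt_len = options[i], options[i + 1]
        if opt_len < 2 or i + opt_len > len(options):
            raise ValueError("malformed LCP option at offset %d" % i)
        if opt_type == LCP_OPT_AUTH_PROTO:
            if opt_len < 4:
                raise ValueError("Authentication-Protocol option too short")
            proto = struct.unpack_from("!H", options, i + 2)[0]
            algo = options[i + 4] if opt_len >= 5 else None
            found.append(AUTH_NAMES.get((proto, algo), "unknown 0x%04x/%r" % (proto, algo)))
        i += opt_len
    return found


# Constructed sample reply (not a capture); host name empty, vendor set to a placeholder.
SAMPLE_SCCRP = HDR.pack(PPTP_MSG_LEN, CTRL_MSG, PPTP_MAGIC, SCCRP, 0) + SCCRP_BODY.pack(
    PROTO_VERSION, 1, 0, 0x1, 0x1, 0, 0, b"", b"Microsoft")
# Constructed LCP option list (not a capture): MRU 1500 (type 1), then CHAP with algorithm 0x80.
SAMPLE_LCP_OPTS = bytes([1, 4, 0x05, 0xDC, 3, 5, 0xC2, 0x23, 0x80])

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(fingerprint_pptp(sys.argv[1]))
    else:
        print(parse_sccrp(SAMPLE_SCCRP))
        print(lcp_auth_protocols(SAMPLE_LCP_OPTS))
```

Run it with a hostname or address to query a real gateway on tcp/1723; with no argument it only decodes the constructed samples. The algorithm byte is the detail that matters for step 1 of the plan above: 0x80 marks MS-CHAPv1 and 0x81 MS-CHAPv2, which decides which brute-force tool and which known weaknesses apply.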
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:15 EDT