From: Marco Ivaldi (raptor@0xdeadbeef.info)
Date: Mon Feb 13 2006 - 05:29:07 EST
Hey pen-testers,

Since I wasn't able to directly email people at thc.org [1], I'm writing
here. Just wanted to share some kinda weird problems I'm currently
experiencing with thc-pptp-bruter v0.1.4.

It seems to work flawlessly against Windows:
# cat test | thc-pptp-bruter x.x.x.x
Hostname 'xxx', Vendor 'Microsoft Windows NT', Firmware: 2195
5 passwords tested in 0h 00m 00s (5.00 5.00 c/s)
9 passwords tested in 0h 00m 02s (1.82 4.50 c/s)
[...]
But at least against Cisco VPN 3000 Concentrator and WatchGuard it
presents the following behaviour:
# cat test | thc-pptp-bruter x.x.x.x
PPTP Connection established.
Hostname 'xxx', Vendor 'Cisco Systems, Inc.', Firmware: 1031
5 passwords tested in 0h 00m 01s (5.00 5.00 c/s)
5 passwords tested in 0h 00m 06s (0.20 0.83 c/s)
5 passwords tested in 0h 00m 11s (0.20 0.45 c/s)
5 passwords tested in 0h 00m 16s (0.20 0.31 c/s)
[it goes like this forever]
# cat test | thc-pptp-bruter x.x.x.x
PPTP Connection established.
Hostname 'xxx', Vendor 'WatchGuard Technologies, Inc.', Firmware: 0
5 passwords tested in 0h 00m 01s (5.00 5.00 c/s)
5 passwords tested in 0h 00m 06s (0.20 0.83 c/s)
5 passwords tested in 0h 00m 11s (0.20 0.45 c/s)
5 passwords tested in 0h 00m 16s (0.20 0.31 c/s)
[same as above]
I've played a bit with the command line switches, with no appreciable
results, so I decided to investigate a bit further. After some tests
performed on Cisco and WatchGuard VPN concentrators and the development of
a small old-style .BAT hack to automate the bruteforce attack [2], I
realized that both platforms implement some sort of anti-bruteforce
mechanism, preventing thc-pptp-bruter from working properly.

Has anyone here experienced the same issues? I'd be interested in hearing
about solutions/workarounds/techniques/tools employed by other pen-testers
when testing M$ PPTP...
Ciao,
[1]
root@voodoo:~# host -t mx thc.org
thc.org mail is handled by 20 kyle.spoiled.org.
root@voodoo:~# telnet kyle.spoiled.org 25
Trying 217.172.183.188...
telnet: connect to address 217.172.183.188: Connection refused
[2]
http://www.0xdeadbeef.info/code/rasbrute.bat
Yeah, .BAT pretty much sucks, I should have probably used the way more
powerful Windows Script (http://msdn.microsoft.com/scripting/), but I'm
allergic to VB and JScript ;P
--
Marco Ivaldi
Antifork Research, Inc. http://0xdeadbeef.info/
3B05 C9C5 A2DE C3D7 4233 0394 EF85 2008 DBFD B707
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:30 EDT