Bugtraq mailing list archives

New PPTP Sniffer/Active Attack


From: aleph1 () DFW NET (Aleph One)
Date: Tue, 11 Aug 1998 12:51:07 -0500


Inspired by the fine folks at L0pht I wrote my own PPTP challenge/response
sniffer. This version will work on any system that has libpcap. As an
added bonus, on systems that support IP_HDRINCL, it can perform an active
attack on PPTP logon via the MS-CHAP password change protocol version 1 to
obtain the LANMAN and NT password hashes.

Some caveats: currently L0phtcrack will only crack the first entry in a
password file for each user, so rename multiple entries to be different.
For example, change:

DOMAIN\sucker:0:XXXXX...
DOMAIN\sucker:0:ZZZZZ...

to:

DOMAIN\sucker1:0:XXXX...
DOMAIN\sucker2:0:ZZZZ...

Notice that once you get the password hashes, as opposed to the
challenge/response, you don't even need to crack the password to do one
of several things.

You can use the password hashes to log on to an SMB server using a
modified smbclient and to log on to the PPTP server using the Linux PPTP
client and a modified PPPD.

The password change issue is _NOT_ fixed by the NT PPTP update, and the
rest of us are still waiting for the Windows 95 DUN 1.3 update that we
were told, over a month and a half ago, would be out very soon now.

You can get the program from:
http://www.l0pht.com/l0phtcrack/dist/anger.tar.gz

While I am ranting, where is the LM-FIX to turn off LANMAN authentication?
It was pulled from the MS ftp site almost 5 months ago, never to return.
Maybe MS thinks this is not a security issue anymore?

Aleph One / aleph1 () dfw net
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01
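The renaming workaround for L0phtcrack described in the post above (one entry per user is cracked, so repeated usernames must be made distinct) is easy to get wrong by hand on a large capture file. The following is an added example, not part of the original post and not from the L0pht distribution: a small Python script that reads a pwdump-style `user:rid:LM hash:NT hash:::` file, appends a running number to every username that occurs more than once, and leaves names that occur once untouched. It also goes one step beyond the post by dropping exact duplicate lines first (the same hash captured twice adds nothing to crack). The sample lines and the hash values in them are constructed placeholders.

```python
from collections import Counter

# Constructed sample in the pwdump-style format that L0phtcrack reads:
#   user:rid:LM hash:NT hash:::
# The hash fields are placeholder strings, not real hashes.
SAMPLE = """\
DOMAIN\\sucker:0:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY:::
DOMAIN\\other:0:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:::
DOMAIN\\sucker:0:ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ:WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW:::
"""


def uniquify_entries(text):
    """Return the non-empty lines of `text` with repeated usernames made distinct.

    A username that appears more than once gets a numeric suffix in order of
    appearance (sucker1, sucker2, ...) so that a cracker which only reads the
    first entry per user still sees every captured hash.  Usernames that
    appear once are left alone.  Exact duplicate lines are collapsed first,
    keeping first-seen order, because an identical line carries no new hash.
    Lines without a ':' are passed through unchanged.
    """
    lines = [line for line in text.splitlines() if line.strip()]

    # Collapse exact duplicates while preserving order.
    seen = set()
    unique = []
    for line in lines:
        if line not in seen:
            seen.add(line)
            unique.append(line)

    # Count how often each username field occurs after de-duplication.
    counts = Counter(line.split(":", 1)[0] for line in unique if ":" in line)

    next_index = {}
    out = []
    for line in unique:
        if ":" not in line:
            out.append(line)
            continue
        name, rest = line.split(":", 1)
        if counts[name] > 1:
            n = next_index.get(name, 0) + 1
            next_index[name] = n
            name = f"{name}{n}"
        out.append(f"{name}:{rest}")
    return out


if __name__ == "__main__":
    import sys

    # Usage: python uniquify.py captured.txt > renamed.txt
    # With no argument the constructed SAMPLE is processed instead.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    print("\n".join(uniquify_entries(source)))
```

Run on the constructed sample, the two `DOMAIN\sucker` lines come back as `DOMAIN\sucker1` and `DOMAIN\sucker2` while `DOMAIN\other` is unchanged, which is exactly the renaming the post asks for.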


