Penetration Testing mailing list archives
RE: MS RAS (pptp + MSCHAPv1)
From: "Marc Heuse" <Marc.Heuse () nruns com>
Date: Fri, 28 Jan 2005 10:24:15 +0100
Hi,
1) Fingerprint with ppp, trying to use&verify the many authentication protocol available such as CHAP, MSCHAPv1, MSCHAPv2; very probably the protocol is MS-CHAPv1.
Wasn't there a release by team-teso to fingerprint ppp? Their web site is down, but you should be able to find it in the packetstorm archive.
3) Trying to bruteforce the passwords with pptp-bruter. Are there other good tools for doing this?
This came out a few weeks ago:

: THC-pptp-bruter: Brute force program against PPTP VPN Gateways (tcp port 1723). Fully standalone.
: Supports latest MSChapV2 authentication. Tested against Windows and Cisco Systems. Exploits a
: weakness in Microsoft's anti brute-force implementation that makes it possible to try 300
: passwords per second.

I haven't tried it, but it's the only one I know. It's from www.thc.org

Cheers,
Marc

====================================================================
Marc Heuse
n.runs GmbH
Mobile Phone: +49-160-98925941
Key fingerprint = AE3F CDC0 8C7B 8797 BEAC 4BF8 EC8F E64B 0A84 EA10
====================================================================

-----Original Message-----
From: Maria Da Re [mailto:pentestml () yahoo it]
Sent: Thursday, 27. January 2005 22:41
To: pen-test () securityfocus com
Subject: MS RAS (pptp + MSCHAPv1)

Hi!

I will execute a penetration test on Windows 2000 systems responding in dial-up on different telephone numbers with the pptp protocol handled by a Microsoft RAS (Routing and Remote Access) server. I think to proceed with an analysis composed of these steps:

1) Fingerprint with ppp, trying to use & verify the many authentication protocols available such as CHAP, MSCHAPv1, MSCHAPv2; very probably the protocol is MS-CHAPv1.
2) Trying to take advantage of this vulnerability: www.securityfocus.com/bid/5807. Any suggestion? Are there other vulnerabilities?
3) Trying to bruteforce the passwords with pptp-bruter. Are there other good tools for doing this?

Because I can't access the shared telephone line, I can't try man-in-the-middle attacks (decrypting credentials or implementing a fake server to steal credentials). Do you have any suggestions? Are there other types of attacks to try or tools to use?

Thanks for sharing your experience
--
M. Da Re
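The tool description above says the anti-brute-force weakness lets a client try hundreds of passwords per second against a PPTP gateway. From the defender's side that rate is also what makes such an attempt easy to spot in authentication logs. The following is an added example, not code from the thread or from THC: a small sliding-window detector that flags a source address once it produces too many MS-CHAP failures, or failures against too many distinct usernames, inside a short window. The log format (one line per attempt: ISO timestamp, client address, username, AUTH_OK or AUTH_FAIL) and the sample lines are constructed for the example; real RAS or RADIUS logs differ, so `parse_line` is the part to adapt.

```python
"""Sliding-window detection of PPTP/MS-CHAP password brute forcing.

Added example, not part of the original mailing list thread.  Assumes a
constructed log format with one line per authentication attempt:

    <ISO-8601 timestamp> <client-address> <username> <AUTH_OK|AUTH_FAIL>

Lines are assumed to be in chronological order (as a log file would be).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds (assumed values): a human mistyping a password a few times stays
# well under these, while a tool trying many guesses per second trips them
# within its first second of activity.
WINDOW = timedelta(seconds=60)
MAX_FAILURES = 10        # failed attempts from one source inside WINDOW
MAX_DISTINCT_USERS = 5   # distinct usernames tried from one source inside WINDOW


def parse_line(line):
    """Split one constructed log line into (timestamp, source, user, success)."""
    ts, src, user, result = line.split()
    return datetime.fromisoformat(ts), src, user, result == "AUTH_OK"


def detect_bruteforce(lines, window=WINDOW, max_failures=MAX_FAILURES,
                      max_users=MAX_DISTINCT_USERS):
    """Return the sorted list of source addresses that exceeded a threshold.

    Only failures feed the per-source window; a success does not reset it,
    because a guessing tool that eventually succeeds should still be flagged.
    """
    recent = defaultdict(deque)   # source -> deque of (timestamp, user) failures
    flagged = set()
    for line in lines:
        ts, src, user, ok = parse_line(line)
        if ok:
            continue
        window_failures = recent[src]
        window_failures.append((ts, user))
        # Drop failures that have aged out of the sliding window.
        while window_failures and ts - window_failures[0][0] > window:
            window_failures.popleft()
        distinct_users = {u for _, u in window_failures}
        if len(window_failures) >= max_failures or len(distinct_users) >= max_users:
            flagged.add(src)
    return sorted(flagged)


# Constructed sample log: one legitimate user who mistypes twice, and one
# source that cycles through several usernames with a failure every second.
SAMPLE_LOG = [
    "2005-01-27T22:41:00 10.0.0.5 alice AUTH_FAIL",
    "2005-01-27T22:41:05 10.0.0.5 alice AUTH_FAIL",
    "2005-01-27T22:41:09 10.0.0.5 alice AUTH_OK",
] + [
    f"2005-01-27T22:42:{i:02d} 10.0.0.9 {user} AUTH_FAIL"
    for i, user in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"] * 2)
]


if __name__ == "__main__":
    for src in detect_bruteforce(SAMPLE_LOG):
        print(f"possible password brute force from {src}")
```

The distinct-username check matters as much as the raw failure count: a guessing tool that spreads attempts over many accounts can stay under a per-account lockout threshold (the anti-brute-force mechanism the tool description refers to) while still producing an obvious per-source pattern. Feeding the detector a stream rather than a list, and alerting once per source rather than on every line, are the two changes needed before running it on live logs.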
Current thread:
- MS RAS (pptp + MSCHAPv1) Maria Da Re (Jan 27)
- RE: MS RAS (pptp + MSCHAPv1) Marc Heuse (Jan 28)
- RE: MS RAS (pptp + MSCHAPv1) Maria Da Re (Jan 28)
- RE: MS RAS (pptp + MSCHAPv1) Omar Herrera (Jan 30)
- RE: MS RAS (pptp + MSCHAPv1) Maria Da Re (Jan 28)
- <Possible follow-ups>
- RE: MS RAS (pptp + MSCHAPv1) Todd Towles (Jan 28)
- RE: MS RAS (pptp + MSCHAPv1) Maria Da Re (Jan 28)
- RE: MS RAS (pptp + MSCHAPv1) Jay D. Dyson (Jan 30)
- RE: MS RAS (pptp + MSCHAPv1) Marc Heuse (Jan 28)