Penetration Testing mailing list archives
thc-pptp-bruter problem?
From: Marco Ivaldi <raptor () 0xdeadbeef info>
Date: Mon, 13 Feb 2006 11:29:07 +0100 (CET)
Hey pen-testers,

Since i wasn't able to directly email people at thc.org [1], i'm writing here. Just wanted to share some kinda weird problems i'm currently experiencing with thc-pptp-bruter v0.1.4.

It seems to work flawlessly against Windows:

# cat test | thc-pptp-bruter x.x.x.x
Hostname 'xxx', Vendor 'Microsoft Windows NT', Firmware: 2195
5 passwords tested in 0h 00m 00s (5.00 5.00 c/s)
9 passwords tested in 0h 00m 02s (1.82 4.50 c/s)
[...]

But at least against Cisco VPN 3000 Concentrator and WatchGuard it presents the following behaviour:

# cat test | thc-pptp-bruter x.x.x.x
PPTP Connection established.
Hostname 'xxx', Vendor 'Cisco Systems, Inc.', Firmware: 1031
5 passwords tested in 0h 00m 01s (5.00 5.00 c/s)
5 passwords tested in 0h 00m 06s (0.20 0.83 c/s)
5 passwords tested in 0h 00m 11s (0.20 0.45 c/s)
5 passwords tested in 0h 00m 16s (0.20 0.31 c/s)
[it goes like this forever]

# cat test | thc-pptp-bruter x.x.x.x
PPTP Connection established.
Hostname 'xxx', Vendor 'WatchGuard Technologies, Inc.', Firmware: 0
5 passwords tested in 0h 00m 01s (5.00 5.00 c/s)
5 passwords tested in 0h 00m 06s (0.20 0.83 c/s)
5 passwords tested in 0h 00m 11s (0.20 0.45 c/s)
5 passwords tested in 0h 00m 16s (0.20 0.31 c/s)
[same as above]

I've played a bit with the command line switches, with no appreciable results, so i decided to investigate a bit further. After some tests performed on Cisco and WatchGuard VPN concentrators and the development of a small old-style .BAT hack to automate the bruteforce attack [2], i realized that both platforms implement some sort of anti-bruteforce mechanism, preventing thc-pptp-bruter from working properly.

Has anyone here experienced the same issues? I'd be interested in hearing about solutions/workarounds/techniques/tools employed by other pen-testers when testing M$ PPTP...

Ciao,

[1] root@voodoo:~# host -t mx thc.org
thc.org mail is handled by 20 kyle.spoiled.org.
root@voodoo:~# telnet kyle.spoiled.org 25
Trying 217.172.183.188...
telnet: connect to address 217.172.183.188: Connection refused

[2] http://www.0xdeadbeef.info/code/rasbrute.bat
Yeah, .BAT pretty much sucks, i should have probably used the way more powerful Windows Script (http://msdn.microsoft.com/scripting/), but i'm allergic to VB and JScript;P

--
Marco Ivaldi
Antifork Research, Inc.
http://0xdeadbeef.info/
3B05 C9C5 A2DE C3D7 4233 0394 EF85 2008 DBFD B707