1723 - Pentesting PPTP

Tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Basic Information

Point-to-Point Tunneling Protocol (PPTP) is an old VPN protocol used for remote access. It uses TCP port 1723 for the control channel and IP protocol 47 (GRE) to carry the PPP payload. Traffic inside the tunnel is usually protected with MPPE, while authentication typically relies on MS-CHAPv2.

From an attacker's perspective, the interesting part is usually not the control connection itself but the fact that capturing a PPTP/MS-CHAPv2 handshake can enable offline password or NT-hash recovery. Also note that a host may answer on TCP/1723 while the tunnel still fails because GRE (protocol 47) is filtered.

Default port: 1723

Enumeration

nmap -Pn -sSV -p1723 <IP>
nmap -Pn -sO --protocol 47 <IP>

If you only verify tcp/1723 and never test GRE, you can easily get the false impression that the VPN is reachable. When troubleshooting or sniffing, record both the control traffic and the encapsulated traffic:

sudo tcpdump -ni <iface> 'tcp port 1723 or gre' -w pptp-handshake.pcap
tshark -r pptp-handshake.pcap -Y 'pptp || gre || ppp || chap'

If you capture packets on the VPN endpoint itself rather than from a SPAN/mirror port or another on-path vantage point, keep in mind that a local PPP capture may be incomplete. In particular on Linux, a normal libpcap capture on the PPP interface can miss PPP control traffic; for on-host troubleshooting you may need to capture the GRE packets on the physical interface or use pppd record-style logging to preserve the control exchange.

Brute Force

Attack details

MS-CHAPv2 handshake capture

For PPTP, the key material is the PPP authentication exchange carried inside GRE. In MS-CHAPv2 the response depends on:

  • The server AuthenticatorChallenge
  • The client Peer-Challenge
  • The username
  • The NT-Response

This means a packet capture is often enough to move the attack offline. If you can sniff the initial connection, get the user to disconnect and reconnect, or position yourself on-path, capture the handshake and extract the challenge/response data.

Useful quick filters:

tshark -r pptp-handshake.pcap -Y 'chap'
tshark -r pptp-handshake.pcap -Y 'ppp and chap'

Turn the handshake into a hashcat workload

For PPTP/MS-CHAPv2, the 24-byte NT-Response alone is not the whole story. Per RFC 2759, the effective 8-byte challenge is derived from:

  • The server AuthenticatorChallenge
  • The client Peer-Challenge
  • The UserName

In practice, this means you must preserve those parameters during extraction if you want to move from a packet capture to a modern GPU workflow. The usual pattern is:

  1. Parse the capture with chapcrack or tshark
  2. Extract the username, peer-challenge, authenticator challenge, and NT-Response
  3. Convert the result into a hashcat-compatible NetNTLMv1/ESS style line

The exact hashcat representation commonly used for MS-CHAPv2 is:

<user>::<domain_or_blank>:<peer_challenge>:<nt_response>:<authenticator_challenge>

Example attack:

hashcat -m 5500 -a 0 mschapv2.hashes /usr/share/wordlists/rockyou.txt

This is practically useful when you want to keep everything local instead of sending the token to an external cracking service, or when you already have a customized hashcat rules/masks workflow.
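The challenge derivation this section describes, written out as an added Python example (it is not code from this page, nor from chapcrack, asleap or hashcat): it decodes a CHAP Challenge packet and an MS-CHAPv2 Response packet as they appear in the PPP payload (RFC 2759 sections 3 and 4), pairs them by Identifier, and recomputes RFC 2759's ChallengeHash(), the 8-byte value that the NT-Response is actually computed against and that an authenticator must itself recompute before checking a response. That computation is exactly why the peer challenge, the authenticator challenge and the user name must all survive extraction. The example assumes the GRE and PPP framing has already been stripped; the sample packets are constructed, the two challenges and the user name are the RFC 2759 section 9.2 test vectors, the 24-byte NT-Response is a labelled placeholder, and the packet-builder helper names are this example's own.

```python
"""Decode an MS-CHAPv2 Challenge/Response pair and recompute the RFC 2759 8-octet Challenge."""
import hashlib
import struct

CHAP_CHALLENGE = 1        # CHAP Code of a Challenge packet
CHAP_RESPONSE = 2         # CHAP Code of a Response packet
MSCHAPV2_VALUE_SIZE = 49  # 16 Peer-Challenge + 8 Reserved + 24 NT-Response + 1 Flags


def challenge_hash(peer_challenge: bytes, authenticator_challenge: bytes, username: bytes) -> bytes:
    """ChallengeHash() from RFC 2759: SHA-1 over Peer-Challenge || Authenticator-Challenge || UserName,
    truncated to 8 octets. Only the user-name part is hashed, so a prepended 'DOMAIN\\' is dropped."""
    if len(peer_challenge) != 16 or len(authenticator_challenge) != 16:
        raise ValueError("both challenges must be 16 octets")
    username = username.rsplit(b"\\", 1)[-1]
    return hashlib.sha1(peer_challenge + authenticator_challenge + username).digest()[:8]


def parse_chap_packet(packet: bytes) -> dict:
    """Decode Code, Identifier, Length, Value-Size, Value and Name, then split the MS-CHAPv2 Value."""
    if len(packet) < 5:
        raise ValueError("truncated CHAP header")
    code, identifier, length, value_size = struct.unpack("!BBHB", packet[:5])
    if length > len(packet) or 5 + value_size > length:
        raise ValueError("CHAP Length/Value-Size inconsistent with packet")
    value = packet[5:5 + value_size]
    name = packet[5 + value_size:length]
    if code == CHAP_CHALLENGE:
        if value_size != 16:
            raise ValueError("MS-CHAPv2 Challenge Value-Size must be 16")
        return {"code": code, "identifier": identifier, "authenticator_challenge": value, "name": name}
    if code == CHAP_RESPONSE:
        if value_size != MSCHAPV2_VALUE_SIZE:
            raise ValueError("MS-CHAPv2 Response Value-Size must be 49")
        return {"code": code, "identifier": identifier, "peer_challenge": value[0:16],
                "nt_response": value[24:48], "flags": value[48], "name": name}
    raise ValueError(f"unsupported CHAP code {code}")


def extract_handshake(challenge_packet: bytes, response_packet: bytes) -> dict:
    """Pair a Challenge with the Response that answers it (same Identifier) and derive the 8-octet Challenge."""
    chal = parse_chap_packet(challenge_packet)
    resp = parse_chap_packet(response_packet)
    if chal["code"] != CHAP_CHALLENGE or resp["code"] != CHAP_RESPONSE:
        raise ValueError("expected a Challenge followed by a Response")
    if chal["identifier"] != resp["identifier"]:
        raise ValueError("Identifier mismatch: packets belong to different exchanges")
    username = resp["name"]  # the Response's Name field carries the peer's user name
    return {
        "username": username.decode("utf-8", "replace"),
        "authenticator_challenge": chal["authenticator_challenge"].hex(),
        "peer_challenge": resp["peer_challenge"].hex(),
        "nt_response": resp["nt_response"].hex(),
        "challenge_hash": challenge_hash(resp["peer_challenge"], chal["authenticator_challenge"], username).hex(),
    }


# Hypothetical builders, used only to construct the sample packets for this example.
def build_chap_challenge(identifier: int, authenticator_challenge: bytes, name: bytes) -> bytes:
    length = 5 + len(authenticator_challenge) + len(name)
    header = struct.pack("!BBHB", CHAP_CHALLENGE, identifier, length, len(authenticator_challenge))
    return header + authenticator_challenge + name


def build_mschapv2_response(identifier: int, peer_challenge: bytes, nt_response: bytes,
                            name: bytes, flags: int = 0) -> bytes:
    value = peer_challenge + bytes(8) + nt_response + bytes([flags])
    header = struct.pack("!BBHB", CHAP_RESPONSE, identifier, 5 + len(value) + len(name), len(value))
    return header + value + name


# Constructed sample input. The user name and both challenges are the RFC 2759 section 9.2 test
# vectors; the NT-Response bytes are a constructed placeholder, not the RFC's value.
RFC_USERNAME = b"User"
RFC_AUTHENTICATOR_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
RFC_PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
RFC_EXPECTED_CHALLENGE = "d02e4386bce91226"          # 8-octet Challenge given in the RFC
PLACEHOLDER_NT_RESPONSE = bytes(range(0x10, 0x28))  # 24 constructed bytes

SAMPLE_CHALLENGE_PKT = build_chap_challenge(7, RFC_AUTHENTICATOR_CHALLENGE, b"pptp-server")
SAMPLE_RESPONSE_PKT = build_mschapv2_response(7, RFC_PEER_CHALLENGE, PLACEHOLDER_NT_RESPONSE, RFC_USERNAME)

if __name__ == "__main__":
    hs = extract_handshake(SAMPLE_CHALLENGE_PKT, SAMPLE_RESPONSE_PKT)
    for key, val in hs.items():
        print(f"{key:24} {val}")
    print("challenge hash matches RFC 2759 vector:", hs["challenge_hash"] == RFC_EXPECTED_CHALLENGE)
```

The Identifier check matters on a busy capture: a Response paired with a Challenge from another exchange yields a plausible-looking but useless 8-byte value, so anything built from it (or any authenticator decision based on it) is wrong.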

Parse and decrypt with chapcrack

chapcrack is still one of the cleanest ways to process a PPTP capture:

chapcrack.py parse -i pptp-handshake.pcap

If you obtain the underlying secret material, you can decrypt the PPTP packet capture:

chapcrack.py decrypt -i pptp-handshake.pcap -o pptp-decrypted.pcap -n <recovered_nt_hash_or_token>

This matters especially when the goal is not only credential recovery but also session decryption and post-auth traffic analysis.

Crack challenge/response material

If you have already captured a challenge/response pair, asleap can still be used directly against PPTP/MS-CHAPv2 material:

asleap -C 58:16:d5:ac:4b:dc:e4:0f -R 50:ae:a3:0a:10:9e:28:f9:33:1b:44:b1:3d:9e:20:91:85:e8:2e:c3:c5:4c:00:23 -W /usr/share/wordlists/rockyou.txt

asleap also supports working from packet captures or precomputed lookup tables, but for PPTP assessments the typical workflow is:

  1. Capture the PPTP handshake
  2. Extract the challenge/response
  3. Run offline cracking with asleap, chapcrack, or a custom workflow

More recent approaches also include NT-hash-first workflows such as assless-chaps, which recovers the NT hash from MS-CHAPv2/NTLMv1 challenge-response material using a prepared hash database. This can be faster than conventional password cracking if you maintain a good NT-hash collection:

./assless-chaps <challenge> <response> <hashes.db>

This matters because for PPTP the recovered NT hash is operationally valuable by itself: once obtained, it can be used to confirm the crack, decrypt captures, and pivot into Windows-focused reuse checks.

If you plan to use this at scale during assessments, the practical bottleneck is usually not the cracking step but maintaining a good NT-hash database. assless-chaps becomes especially useful when you can pre-build SQLite databases from breached NTLM corpora, HIBP-derived NT hashes, or aggressive local rule expansion generated with hashcat.

Protocol weakness summary

  • PPTP depends on a separate GRE data channel, so firewalls often expose tcp/1723 while silently breaking the tunnel.
  • MS-CHAPv2 security effectively collapses to recovering DES-derived material / NT-hash-equivalent secrets, making passive capture far more dangerous than for modern VPNs.
  • Even if the password is not recovered immediately, the handshake can usually be stored and attacked offline later.

