1723 - Pentesting PPTP

Tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Basic Information

Point-to-Point Tunneling Protocol (PPTP) is a legacy VPN tunneling protocol used for remote access. It uses TCP port 1723 for the control channel and IP protocol 47 (GRE) to carry the PPP payload. Traffic inside the tunnel is usually protected by MPPE, while authentication most often relies on MS-CHAPv2.

From an attacker's perspective, the interesting part is usually not the control connection itself but the fact that capturing the PPTP/MS-CHAPv2 handshake can enable offline recovery of the password or NT hash. Also note that a host may answer on TCP/1723 while the tunnel still fails because GRE (protocol 47) is filtered.

Default port: 1723

Enumeration

nmap -Pn -sSV -p1723 <IP>
nmap -Pn -sO --protocol 47 <IP>

If you have only confirmed tcp/1723 and missed GRE, you can easily get the false impression that the VPN is reachable. When troubleshooting or sniffing, capture both the control traffic and the encapsulated traffic:

sudo tcpdump -ni <iface> 'tcp port 1723 or gre' -w pptp-handshake.pcap
tshark -r pptp-handshake.pcap -Y 'pptp || gre || ppp || chap'

Brute Force

Attack Notes

MS-CHAPv2 handshake capture

For PPTP, the valuable material is the PPP authentication exchange carried inside GRE. In MS-CHAPv2 the relevant fields are:

  • the server's AuthenticatorChallenge
  • the client's PeerChallenge
  • the username
  • the NT-Response

This means a packet capture is often enough to move the attack offline. If you can sniff the initial connection, get the user to reconnect, or position yourself on-path, capture the handshake and extract the challenge/response data.

Useful quick filters:

tshark -r pptp-handshake.pcap -Y 'chap'
tshark -r pptp-handshake.pcap -Y 'ppp and chap'

Parse and decrypt with chapcrack

chapcrack is still one of the cleanest ways to process a PPTP capture:

chapcrack.py parse -i pptp-handshake.pcap

If you manage to recover the underlying secret material, you can decrypt the PPTP packet capture:

chapcrack.py decrypt -i pptp-handshake.pcap -o pptp-decrypted.pcap -n <recovered_nt_hash_or_token>

This is especially useful when the goal is not only credential recovery but also session decryption and analysis of post-authentication traffic.

Crack challenge/response material

If you already have the challenge/response pair, asleap can still be used directly against PPTP/MS-CHAPv2 material:

asleap -C 58:16:d5:ac:4b:dc:e4:0f -R 50:ae:a3:0a:10:9e:28:f9:33:1b:44:b1:3d:9e:20:91:85:e8:2e:c3:c5:4c:00:23 -W /usr/share/wordlists/rockyou.txt

asleap also supports working from packet captures or precomputed lookup tables, but for PPTP assessments the most common workflow is:

  1. Capture the PPTP handshake
  2. Extract the challenge/response
  3. Run offline cracking with asleap, chapcrack, or a custom workflow

Recent tradecraft also includes NT-hash-first workflows such as assless-chaps, which recover the NT hash from MS-CHAPv2/NTLMv1 challenge-response material using a prepared hash database. This can be faster than conventional password cracking if you have a good NT-hash corpus:

./assless-chaps <challenge> <response> <hashes.db>

This matters because for PPTP the recovered NT hash is operationally valuable in itself: once obtained, it can be used to validate the crack, decrypt captures, and pivot into Windows-oriented reuse checks.

Protocol weakness summary

  • PPTP relies on a separate GRE data channel, so firewalls often expose tcp/1723 while silently breaking the tunnel.
  • MS-CHAPv2 security effectively collapses to recovering DES-derived material / NT-hash-equivalent secrets, making passive capture far more dangerous than with modern VPNs.
  • Even if the password is not recovered immediately, the handshake can usually be stored and attacked offline later.
