Project 10: Hacking a PPTP VPN with Asleap (25 pts.)

What You Need

Purpose

PPTP is an old VPN protocol, known to be insecure. In its simplest form, PPTP uses MS-CHAPv2 to transmit password information over the network.

Moxie Marlinspike has set up a cloud service that performs a complete brute-force attack to recover any password sent via MS-CHAPv2 for $200. However, we don't have $200 to spend, so we'll settle for a weaker attack using a dictionary of the top 10,000 passwords.

The point is clear--PPTP with MS-CHAPv2 is unsafe to use. Even an attacker with very modest means can steal passwords from it.

This project uses the following tools:

Task 1: Making a Windows Server 2008 PPTP VPN Server

Configuring Network Adapters

Power down the Windows 2008 server from the Start button.

Open Virtual Machine Settings and add a second Ethernet adapter.

In Virtual Machine Settings, configure Network Adapter 1 to use NAT and Network Adapter 2 to use a private Host-Only network, as shown below.

     

Start the Windows 2008 Server virtual machine and log in as Administrator with the password P@ssw0rd.

Troubleshooting

If you are using the Win 2008 I handed out in class, and your virtual machine cannot start, saying that no operating system was found, go into VMware settings and remove the 102 MB hard disk.
Click Start. Search for Network. Open "Network and Sharing Center".

Click "Manage Network Connections".

Right-click "Local Area Connection" and click Properties.

Double-click "Internet Protocol Version 4 (TCP/IP)".

Configure the adapter to "Obtain an IP address automatically" and "Obtain DNS server address automatically", as shown below.

Click OK. Click OK.

Right-click "Local Area Connection 2" and click Properties.

Double-click "Internet Protocol Version 4 (TCP/IP)".

Configure the adapter with these settings, as shown below.

Click OK. Click OK.

Adding the Network Policy and Access Server Role

Click Start, "Administrative Tools", "Server Manager".

In Server Manager, in the right pane, scroll down to the "Roles Summary" section, as shown below, and click "Add Roles".

In the "Add Roles Wizard", click Next.

In the "Select Server Roles" page, check "Network Policy and Access Server", as shown below.

Click Next. Click Next.

In the "Select Role Services" page, check "Network Policy Server" and "Routing and Remote Access Services", as shown below.

Click Next. Click Install.

When you see an "Installation succeeded" message, as shown below, click Close.

Configuring Routing and Remote Access

In Server Manager, in the left pane, expand "Server Manager", expand Roles, and expand "Network Policy and Access Services".

Right-click "Routing and Remote Access" and click "Configure and Enable Routing and Remote Access", as shown below.

In the "Welcome to the Routing and Remote Access Server Setup Wizard" screen, click Next.

In the "Configuration" screen, click "Custom Configuration, as shown below, and click Next.

In the "Custom Configuration" screen, check "VPN access", as shown below, and click Next.

Click OK.

Click "Start Service".

Click Finish.

Configure a Policy to Allow VPN Connections

In Server Manager, in the left pane, left-click on "Remote Access Logging and Policies".

Then Right-click on "Remote Access Logging and Policies", as shown below, and click "Launch NPS".

In Network Policy Server, in the left pane, click "Network Policies".

In the right pane, near the top, right-click "Connections to Microsoft Routing and Remote Access server" policy and click Properties.

In the center of the "Connections to Microsoft Routing and Remote Access server Properties" sheet, click "Grant Access" as shown below.

Click OK.

Close the "Network Policy Server" window.

Enable IPv4 Packet Forwarding

In Server Manager, in the left pane, right-click "Routing and Remote Access" and click Properties, as shown below.

On the General tab, check the "IPv4 Router box.

Make sure that "Local area network (LAN) routing only" is selected, as shown below.

Check the "IPv4 Remote access server" box, as shown below.

Click the IPv4 tab.

Check the "Enable IPv4 Forwarding" box, as shown below.

Click OK.

The changes you made require the "Routing and Remote Acccess" server to restart. Click Yes to restart the server.

Activating NAT

In Server Manager, in the left pane, expand IPv4.

In the IPv4 section, right-click General, as shown below, and click "New Routing Protocol".

In the "New Routing Protocol" box, click NAT, as shown below.

Click OK.

In the left pane of Server Manager, in the IPv4 section, right-click NAT, and click "New Interface", as shown below.

In the "New Interface for IPNAT" box, click "Local Area Connection 2", the interface that connects to your private intranet, and then click OK, as shown below.

In "Local Area Connection 2 Properties", click "Private interface connected to private network", as shown below.

Then click OK, and click OK again.

Right-click NAT, and click "New Interface" again.

In the "New Interface for IPNAT" box, click "Local Area Connection", and then click OK,

In "Local Area Connection 2 Properties", click "Public interface connected to the Internet" and "Enable NAT on this interface", as shown below.

Then click OK.

Create the vpnuser Account

In Server Manager, in the left pane, expand Configuration, expand "Local Users and Groups", and click Users.

In the right pane, right-click an empty portion of the screen and click "New User", as shown below.

In the New User box, enter these values, as shown below.

NOTE: Use the exact password "Bond007". If you use some other password, the attack might fail because the password is not in the dictionary.

Click Create. Click Close.

Starting the Routing and Remote Access Server

In Server Manager, in the left pane, right-click "Routing and Remote Access" and click "All Tasks", Start, as shown below.

Configuring the Server to use MS-CHAP2

This is an insecure choice, but it's easier to set up.

In Server Manager, in the left pane, right-click "Routing and Remote Access" and click Properties.

In the "Routing and Remote Access Properties", on the "Security" tab, sheet, click the "Authentication Methods" button.

In the "Authentication Methods" box, clear the "Extensible authentication protocol (EAP)" box, so that only "Microsoft encrypted authentication version 2 (MS-CHAP-v2)" is checked, as shown below.

Click OK. Click OK.

Task 2: Preparing Asleap on Kali

Downloading Chap2asleap and a Wordlist

Start Kali 2. Log in as usual. Connect to the Internet.

Execute these commands to download the hacking tool we need, and a list of the 10,000 most common passwords:

wget https://github.com/xiao106347/chap2asleap/raw/master/chap2asleap.py

curl https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/Common-Credentials/10k-most-common.txt > words.dat

head words.dat

You see the first 10 passwords, as shown below.

Troubleshooting

If those download links don't work, use these:
curl https://samsclass.info/124/proj14/chap2asleap.pyx > chap2asleap.py

wget https://samsclass.info/124/proj14/10k_most_common.txt

Adding Passwords with Initial Caps

These passwords contain only lowercase letters. To make a more realistic wordlist, we need to include passwords with an initial capital letter.

We'll do that with Bash commands, as you've done previously. First we'll work with only the first 10 words to develop the command, and then run it on the complete list.

Execute this command to select words that start with a letter:

head words.dat | grep "^[a-z].*"
The desired passwords appear, as shown below.

Execute this command to convert the first letters of those passwords to uppercase:

head words.dat | grep "^[a-z].*" | sed -r 's/([[:lower:]])/\U\1/'
The desired passwords appear, as shown below.

Execute these commands to put all the capitalized passwords into a file named Words.dat, and examine the files:

cat words.dat | grep "^[a-z].*" | sed -r 's/([[:lower:]])/\U\1/' > Words.dat

ls -l

The new file Words.dat is somewhat smaller than words.dat, because it excludes passwords that begin with a numeral, as shown below.

Execute these commands to put all the passwords in a file named allwords.dat, and examine the files:

cat words.dat Words.dat >> allwords.dat

ls -l

The new file allwords.dat has a length equal to the sum of the two files "words.dat" and "Words.dat", as shown below.

Task 3: Connecting via PPTP from Kali

Preparing a PPTP Client

In your Kali VM, execute these commands to install a PPTP client. 
apt update
apt install pptp-linux
In your Kali VM, execute this command: 
nano /etc/ppp/chap-secrets
Add this line to the file, as shown below: 
vpnuser PPTP Bond007 *

Save the file by pressing Ctrl+X, Y, Enter.

In your Kali VM, execute this command: 

nano /etc/ppp/peers/YOURNAME-pptp
Enter these lines, as shown below. Replace "YOURNAME" with your own name, without any embedded spaces. 
pty "pptp 10.0.0.1 --nolaunchpppd"
name vpnuser
remotename PPTP
require-mppe-128
file /etc/ppp/options.pptp
ipparam YOURNAME-pptp

Adjusting Kali's Networking

In Virtual Machine Settings, configure the Kali machine to use the private Host-only network, as shown below.

In Kali, in a Terminal window, execute these commands to assign an appropriate IP address to eth0 and test the networking:

ifconfig eth0 10.0.0.3/8

ping 10.0.0.1

You should see replies, as shown below. If you don't, make sure the Windows 2008 Server's firewall is off.

Press Ctrl+C to stop the pings.

Troubleshooting

If you cannot ping from one machine to another, change both the Windows and Kali adapters to DHCP and refresh both IP addresses. Now ping from one to another using the DHCP address. Then assign the 10.0.0.0/8 addresses.

Connecting to the PPTP Server

In your Kali VM, execute this command: 
pon YOURNAME-pptp debug dump logfd 2 nodetach
A lot of messages scroll by, ending with the lines shown below, showing a "local UP address".

Viewing the Connection on the Server

In the Windows Server 2008 machine, in Server Manager, in the left pane, click "Remote Access Clients".

In the right pane, you should see a connected machine, as shown below.

Saving a Screen Image

Make sure the connected client is visible, as shown above.

Click on the host system's desktop to make it active.

Press the PrintScrn key to copy the whole desktop to the clipboard.

YOU MUST SUBMIT A FULL-SCREEN IMAGE FOR FULL CREDIT!

Paste the image into Paint.

Save the document with the filename "YOUR NAME Proj 10a", replacing "YOUR NAME" with your real name.

Task 4: Attacking with Asleap

Capturing a Challenge and Response with Wireshark

On Kali, open a new Terminal window and execute this command:
wireshark
A "Lua error" box appears. Click OK.

A box warns us that running as root is dangerous. We laugh at danger. Click OK.

In Wireshark, click eth0 and click Start.

In the Filter box, type:

chap
and press Enter.

The packet list should be empty, as shown below.

Connecting to the PPTP Server Again

In your Kali VM, in the window showing the "local IP address", press Ctrl+C to break the connection.

Then execute this command to connect again: 

pon YOURNAME-pptp debug dump logfd 2 nodetach
A lot of messages scroll by, ending with the lines shown below, showing a "local IP address".

Getting the Challenge and Response from Wireshark

On Kali, the Wireshark window now shows some CHAP packets, as shown below.

Click the red square icon to stop the packet capture.

Preparing the Command

Now you need to build a long command. Open a text editor such as Notepad on your host system and paste in the following command:
python chap2asleap.py -u vpnuser -c CHALLENGE -r RESPONSE -x -p /usr/bin -d ./allwords.dat
This command will use our "allwords.dat" dictionary file and try all those passwords to match the CHALLENGE and RESPONSE strings we get from Wireshark.

At this point, your text editor should look like this:

Getting the Challenge and Response from Wireshark

In the top pane of Wireshark, click a Challenge packet.

In the middle pane, expand PPP. Expand Data. Click on Value to highlight it, as shown below.

Right-click on Value and click Copy, "Hex Stream", as shown below.

On your host system, in the text editor, paste that hex stream in the place of CHALLENGE.

Your text editor should now resemble this image:

In the top pane of Wireshark, click a Response packet.

In the middle pane, click on Value. Right-click on Value and click Copy, "Hex Stream", as shown below.

On your host system, in the text editor, paste that hex stream in the place of RESPONSE.

Your text editor should now resemble this image:

Running the Attack

Copy the whole command from your text editor and paste it into a Terminal window in Kali.

The attack should succeed immediately, finding the password, as shown below.

Notice how fast it was--this took only 0.06 seconds. We could easily use a much larger dictionary to make the attack even more powerful.

Saving a Screen Image

Make sure the password of Bond007 message is visible, as shown above.

Click on the host system's desktop to make it active.

Press the PrintScrn key to copy the whole desktop to the clipboard.

YOU MUST SUBMIT A FULL-SCREEN IMAGE FOR FULL CREDIT!

Paste the image into Paint.

Save the document with the filename "YOUR NAME Proj 10b", replacing "YOUR NAME" with your real name.

Turning in your Project

Email the image to cnit.124@gmail.com with the subject line: Proj 10 from YOUR NAME

Sources

Hacking PPTP VPNs with ASLEAP (from 2009)

Hacking PPTP VPN With Backtrack (from 2012)

How to setup a VPN Server in Windows Server 2008

VPN error 812: The connection was prevented because of a policy configured on your RAS/VPN server

Internet Access through VPN server - need help please

How to enable IP Forwarding

Last revised 10-26-17 7:55 pm
10k url updated 3-11-19
Network troubleshooting tip added 5-14-19
<