New PPTP Sniffer/Active Attack

From: Aleph One (aleph1at_private)
Date: Tue Aug 11 1998 - 10:51:07 PDT

    Inspired by the fine folks at L0pht I wrote my own PPTP challenge/response
    sniffer. This version will work on any system that has libpcap. As an
    added bonus, on systems that support IP_HDRINCL, it can perform an active
    attack on PPTP logon via the MS-CHAP password change protocol version 1 to
    obtain the LANMAN and NT password hashes.
    
    Some caveats: currently L0phtcrack will only crack the first entry in a
    password file for each user, so rename multiple entries to be different.
    For example, change:
    
    DOMAIN\sucker:0:XXXXX...
    DOMAIN\sucker:0:ZZZZZ...
    
    to:
    
    DOMAIN\sucker1:0:XXXX...
    DOMAIN\sucker2:0:ZZZZ...
    
    Notice that once you get the password hashes, as opposed to the
    challenge/response, you don't even need to crack the password to do one
    of several things.
    
    You can use the password hashes to: log on to an SMB server using a
    modified smbclient, and log on to the PPTP server using the Linux PPTP
    client and a modified PPPD.
    
    The password change issue is _NOT_ fixed by the NT PPTP update, and the
    rest of us are still waiting for the Windows 95 DUN 1.3 update that we
    were told would be out "very soon now" over a month and a half ago.
    
    You can get the program from:
    http://www.l0pht.com/l0phtcrack/dist/anger.tar.gz
    
    While I am ranting, where is the LM-FIX to turn off LANMAN authentication?
    It was pulled from the MS ftp site almost 5 months ago, never to return.
    Maybe MS thinks this is not a security issue anymore?
    
    Aleph One / aleph1at_private
    http://underground.org/
    KeyID 1024/948FD6B5
    Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01
    
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:11:57 PDT