Project 10a Hacking A PPTP VPN With Asleap (25 PTS.)
What You Need
A Kali 2 Linux virtual machine
A Windows Server 2008 virtual machine
Purpose
PPTP is an old VPN protocol, known to be insecure. In its simplest form, PPTP uses MS-CHAPv2 to transmit password information over the network.
Moxie Marlinspike has set up a cloud service that performs a complete brute-force attack to recover any password sent via MS-CHAPv2 for $200. However, we don't have $200 to spend, so we'll settle for a weaker attack using a dictionary of the top 10,000 passwords.
The point is clear--PPTP with MS-CHAPv2 is unsafe to use. Even an attacker with very modest means can steal passwords from it.
In Virtual Machine Settings, configure Network Adapter 1 to use NAT and Network Adapter 2 to use a private Host-Only network, as shown below.
Start the Windows 2008 Server virtual machine and log in as Administrator with the password P@ssw0rd.
Troubleshooting
If you are using the Win 2008 I handed out in class, and your virtual machine cannot start, saying that no operating system was found, go into VMware settings and remove the 102 MB hard disk.
Click Start. Search for Network. Open "Network and Sharing Center".
Configure the adapter to "Obtain an IP address automatically" and "Obtain DNS server address automatically", as shown below.
IP address: 10.0.0.1
Subnet mask: 255.0.0.0
Default gateway: leave blank
Preferred DNS server: 8.8.8.8
In Server Manager, in the right pane, scroll down to the "Roles Summary" section, as shown below, and click "Add Roles".
In the "Add Roles Wizard", click Next.
In the "Select Server Roles" page, check "Network Policy and Access Server", as shown below.
In the "Select Role Services" page, check "Network Policy Server" and "Routing and Remote Access Services", as shown below.
Click Next. Click Install.
When you see an "Installation succeeded" message, as shown below, click Close.
Right-click "Routing and Remote Access" and click "Configure and Enable Routing and Remote Access", as shown below.
In the "Welcome to the Routing and Remote Access Server Setup Wizard" screen, click Next.
In the "Configuration" screen, click "Custom Configuration", as shown below, and click Next.
In the "Custom Configuration" screen, check "VPN access", as shown below, and click Next.
Click OK.
Click Finish.
Configure a Policy to Allow VPN Connections
In Server Manager, in the left pane, left-click on "Remote Access Logging and Policies".
Then Right-click on "Remote Access Logging and Policies", as shown below, and click "Launch NPS".
In the right pane, near the top, right-click "Connections to Microsoft Routing and Remote Access server" policy and click Properties.
In the center of the "Connections to Microsoft Routing and Remote Access server Properties" sheet, click "Grant Access" as shown below.
Click OK.
Make sure that "Local area network (LAN) routing only" is selected, as shown below.
Click OK.
The changes you made require the "Routing and Remote Access" server to restart. Click Yes to restart the server.
Activating NAT
In Server Manager, in the left pane, expand IPv4.
In the IPv4 section, right-click General, as shown below, and click "New Routing Protocol".
Click OK.
In the left pane of Server Manager, in the IPv4 section, right-click NAT, and click "New Interface", as shown below.
In the "New Interface for IPNAT" box, click "Local Area Connection 2", the interface that connects to your private intranet, and then click OK, as shown below.
In "Local Area Connection 2 Properties", click "Private interface connected to private network", as shown below.
In the "New Interface for IPNAT" box, click "Local Area Connection", and then click OK.
In "Local Area Connection 2 Properties", click "Public interface connected to the Internet" and "Enable NAT on this interface", as shown below.
In the right pane, right-click an empty portion of the screen and click "New User", as shown below.
In the New User box, enter these values, as shown below.
NOTE: Use the exact password "Bond007". If you use some other password, the attack might fail because the password is not in the dictionary.
In Server Manager, in the left pane, right-click "Routing and Remote Access" and click Properties.
In the "Routing and Remote Access Properties" sheet, on the "Security" tab, click the "Authentication Methods" button.
In the "Authentication Methods" box, clear the "Extensible authentication protocol (EAP)" box, so that only "Microsoft encrypted authentication version 2 (MS-CHAP-v2)" is checked, as shown below.
Execute these commands to download the hacking tool we need, and a list of the 10,000 most common passwords:
wget https://github.com/xiao106347/chap2asleap/raw/master/chap2asleap.py
curl https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/10k_most_common.txt > words.dat
head words.dat
wget https://samsclass.info/124/proj14/10k_most_common.txt
We'll do that with Bash commands, as you've done previously. First we'll work with only the first 10 words to develop the command, and then run it on the complete list.
Execute this command to convert the first letters of those passwords to uppercase:
Execute these commands to put all the capitalized passwords into a file named Words.dat, and examine the files:
The new file Words.dat is somewhat smaller than words.dat, because it excludes passwords that begin with a numeral, as shown below.
Execute these commands to put all the passwords in a file named allwords.dat, and examine the files:
ls -l
The new file allwords.dat has a length equal to the sum of the two files "words.dat" and "Words.dat", as shown below.
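The same variant rule the steps above fold into allwords.dat, turned around for the defender: a password-policy check that rejects any candidate found in the common-password list or in its first-letter-capitalized form, which is exactly what lets "Bond007" fall to this dictionary. This is an added example written for this write-up, not the project's own code; the word list is a constructed stand-in for the first lines of 10k_most_common.txt, and the case-folded check deliberately goes beyond the two variants the project builds, since a larger attack dictionary would include them too.

```python
"""Reject passwords that appear in a common-password list, including the
first-letter-capitalized variants the project folds into allwords.dat.
Added example for this write-up; not the project's own code."""
from typing import Iterable, Optional

# Constructed stand-in for the first lines of words.dat (10k_most_common.txt).
SAMPLE_WORDS = ["123456", "password", "12345678", "qwerty", "bond007",
                "letmein", "1qaz2wsx", "football"]


def capitalized_variants(words: Iterable[str]) -> list:
    """Mirror Words.dat: uppercase the first letter of each word, dropping
    entries that begin with a numeral (which is why Words.dat is shorter)."""
    out = []
    for word in words:
        word = word.strip()
        if not word or word[0].isdigit():
            continue
        out.append(word[0].upper() + word[1:])
    return out


def build_dictionary(words: Iterable[str]) -> set:
    """Mirror allwords.dat: every original word plus every capitalized variant."""
    base = [w.strip() for w in words if w.strip()]
    return set(base) | set(capitalized_variants(base))


def check_password(candidate: str, dictionary: set) -> Optional[str]:
    """Return a rejection reason, or None if the candidate is not in the list.
    Case folding catches variants beyond the two the project uses, for example
    'BOND007' or 'PASSWORD', which a larger attack dictionary would include."""
    if candidate in dictionary:
        return "exact match in common-password list"
    folded = {w.lower() for w in dictionary}
    if candidate.lower() in folded:
        return "case variant of a common password"
    return None


def main():
    dictionary = build_dictionary(SAMPLE_WORDS)
    print(len(SAMPLE_WORDS), "words ->", len(dictionary), "entries with variants")
    for pw in ["Bond007", "BOND007", "Football", "correct horse battery staple"]:
        print(f"{pw!r}: {check_password(pw, dictionary) or 'accepted'}")


if __name__ == "__main__":
    main()
```

To run it against the real list, read words.dat into `build_dictionary` instead of `SAMPLE_WORDS`; the size difference between the list and the dictionary it produces is the same gap the `ls -l` step above shows between words.dat and allwords.dat.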
apt update
apt install pptp-linux
nano /etc/ppp/chap-secrets
nano /etc/ppp/peers/YOURNAME-pptp
Enter these lines, as shown below. Replace "YOURNAME" with your own name, without any embedded spaces.
In Kali, in a Terminal window, execute these commands to assign an appropriate IP address to eth0 and test the networking:
ping 10.0.0.1
You should see replies, as shown below. If you don't, make sure the Windows 2008 Server's firewall is off.
A lot of messages scroll by, ending with the lines shown below, showing a "local IP address".
In the right pane, you should see a connected machine, as shown below.
Saving a Screen Image
Make sure the connected client is visible, as shown above.
Press the PrintScrn key to copy the whole desktop to the clipboard.
Save the document with the filename "YOUR NAME Proj 10a", replacing "YOUR NAME" with your real name.
wireshark
A box warns us that running as root is dangerous. We laugh at danger. Click OK.
chap
A lot of messages scroll by, ending with the lines shown below, showing a "local IP address".
This command will use our "allwords.dat" dictionary file and try all those passwords to match the CHALLENGE and RESPONSE strings we get from Wireshark.
In the middle pane, expand PPP. Expand Data. Click on Value to highlight it, as shown below.
In the middle pane, click on Value. Right-click on Value and click Copy, "Hex Stream", as shown below.
On your host system, in the text editor, paste that hex stream in the place of RESPONSE.
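For context on what is being copied out of Wireshark: the CHAP Challenge and Response travel inside PPP in the clear, with the user name alongside them, which is why a passive capture is enough to feed a dictionary attack. The parser below, an added example written for this write-up and not the project's code, follows the CHAP framing of RFC 1994 and the 49-octet MS-CHAPv2 Response layout of RFC 2759; the two packets it parses are constructed here, not taken from a real capture. From a monitoring standpoint the same parser is what a sensor would use to flag an MS-CHAPv2 exchange crossing an unprotected link.

```python
"""Parse the PPP CHAP Challenge/Response packets that Wireshark shows under
PPP > Data > Value, and split an MS-CHAPv2 Response value into its fields.
Added example for this write-up; not the project's own code. Framing follows
RFC 1994 (CHAP) and RFC 2759 (MS-CHAPv2); the sample packets are constructed."""
import struct
from dataclasses import dataclass

PPP_PROTO_CHAP = 0xC223          # PPP protocol number for CHAP
CHAP_CHALLENGE, CHAP_RESPONSE = 1, 2
MSCHAPV2_RESPONSE_LEN = 49       # 16 peer challenge + 8 reserved + 24 NT-Response + 1 flags


@dataclass
class ChapMessage:
    code: int
    identifier: int
    value: bytes     # the "Value" field copied out of Wireshark
    name: str        # peer name, sent in the clear


def build_chap(code: int, identifier: int, value: bytes, name: bytes) -> bytes:
    """Build a PPP frame (protocol field + CHAP packet); used for the samples."""
    length = 4 + 1 + len(value) + len(name)
    return (struct.pack("!H", PPP_PROTO_CHAP)
            + struct.pack("!BBH", code, identifier, length)
            + bytes([len(value)]) + value + name)


def parse_ppp_chap(frame: bytes) -> ChapMessage:
    """Parse a PPP frame carrying a CHAP Challenge or Response packet."""
    if len(frame) < 6:
        raise ValueError("frame too short for PPP header + CHAP header")
    (proto,) = struct.unpack("!H", frame[:2])
    if proto != PPP_PROTO_CHAP:
        raise ValueError(f"not a CHAP frame: protocol 0x{proto:04x}")
    code, identifier, length = struct.unpack("!BBH", frame[2:6])
    packet = frame[2:2 + length]
    if len(packet) != length:
        raise ValueError("truncated CHAP packet")
    if code not in (CHAP_CHALLENGE, CHAP_RESPONSE):
        raise ValueError(f"CHAP code {code} carries no Value field")
    value_size = packet[4]
    value = packet[5:5 + value_size]
    if len(value) != value_size:
        raise ValueError("Value-Size exceeds packet length")
    name = packet[5 + value_size:].decode("ascii", errors="replace")
    return ChapMessage(code, identifier, value, name)


def split_mschapv2_response(value: bytes) -> dict:
    """Split the 49-octet MS-CHAPv2 Response value (RFC 2759 section 5)."""
    if len(value) != MSCHAPV2_RESPONSE_LEN:
        raise ValueError(f"MS-CHAPv2 response must be 49 octets, got {len(value)}")
    if value[16:24] != bytes(8):
        raise ValueError("reserved octets must be zero")
    return {
        "peer_challenge": value[:16],
        "nt_response": value[24:48],
        "flags": value[48],
    }


# Constructed sample exchange (not a real capture): the server's challenge,
# then the client's response for a user named "bond".
SAMPLE_CHALLENGE = build_chap(CHAP_CHALLENGE, 1, bytes(range(16)), b"RRAS")
SAMPLE_RESPONSE = build_chap(
    CHAP_RESPONSE, 1,
    bytes(range(0x20, 0x30)) + bytes(8) + bytes(range(0x40, 0x58)) + b"\x00",
    b"bond")


def summarize(frame: bytes) -> str:
    """What a monitoring tool could log: identifier, user name, and the
    challenge/response material that crossed the wire unencrypted."""
    msg = parse_ppp_chap(frame)
    if msg.code == CHAP_CHALLENGE:
        return f"CHAP Challenge id={msg.identifier} from {msg.name!r}: {msg.value.hex()}"
    fields = split_mschapv2_response(msg.value)
    return (f"CHAP Response id={msg.identifier} user={msg.name!r} "
            f"nt_response={fields['nt_response'].hex()}")


if __name__ == "__main__":
    for frame in (SAMPLE_CHALLENGE, SAMPLE_RESPONSE):
        print(summarize(frame))
```

The 24-octet `nt_response` field is the "Value" you paste in place of RESPONSE above, and the 16 octets of the Challenge packet are the CHALLENGE; both are visible to anyone on the path, and only the NT hash behind them is secret, which is the whole weakness the project demonstrates.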
Your text editor should now resemble this image:
The attack should succeed immediately, finding the password, as shown below.
Notice how fast it was--this took only 0.06 seconds. We could easily use a much larger dictionary to make the attack even more powerful.
Press the PrintScrn key to copy the whole desktop to the clipboard.
Save the document with the filename "YOUR NAME Proj 10b", replacing "YOUR NAME" with your real name.
Sources
Hacking PPTP VPNs with ASLEAP (from 2009)
VPN error 812: The connection was prevented because of a policy configured on your RAS/VPN server