thc-pptp-bruter problem?
From: Marco Ivaldi (raptor 0xdeadbeef.info)
Date: Mon Feb 13 2006 - 04:29:07 CST
Hey pen-testers,
Since i wasn't able to directly email people at thc.org [1], i'm writing
here. Just wanted to share some kinda weird problems i'm currently
experiencing with thc-pptp-bruter v0.1.4.
It seems to work flawlessly against Windows:
# cat test | thc-pptp-bruter x.x.x.x
Hostname 'xxx', Vendor 'Microsoft Windows NT', Firmware: 2195
5 passwords tested in 0h 00m 00s (5.00 5.00 c/s)
9 passwords tested in 0h 00m 02s (1.82 4.50 c/s)
[...]
But at least against Cisco VPN 3000 Concentrator and WatchGuard it
presents the following behaviour:
# cat test | thc-pptp-bruter x.x.x.x
PPTP Connection established.
Hostname 'xxx', Vendor 'Cisco Systems, Inc.', Firmware: 1031
5 passwords tested in 0h 00m 01s (5.00 5.00 c/s)
5 passwords tested in 0h 00m 06s (0.20 0.83 c/s)
5 passwords tested in 0h 00m 11s (0.20 0.45 c/s)
5 passwords tested in 0h 00m 16s (0.20 0.31 c/s)
[it goes like this forever]
# cat test | thc-pptp-bruter x.x.x.x
PPTP Connection established.
Hostname 'xxx', Vendor 'WatchGuard Technologies, Inc.',
Firmware: 0
5 passwords tested in 0h 00m 01s (5.00 5.00 c/s)
5 passwords tested in 0h 00m 06s (0.20 0.83 c/s)
5 passwords tested in 0h 00m 11s (0.20 0.45 c/s)
5 passwords tested in 0h 00m 16s (0.20 0.31 c/s)
[same as above]
I've played a bit with the command line switches, with no appreciable
results, so i decided to investigate a bit further. After some tests
performed on Cisco and WatchGuard VPN concentrators and the development of
a small old-style .BAT hack to automate the bruteforce attack [2], i
realized that both platforms implement some sort of anti-bruteforce
mechanism, preventing thc-pptp-bruter from working properly.
Has anyone here experienced the same issues? I'd be interested in hearing
about solutions/workarounds/techniques/tools employed by other pen-testers
when testing M$ PPTP...
Ciao,
[1]
root@voodoo:~# host -t mx thc.org
thc.org mail is handled by 20 kyle.spoiled.org.
root@voodoo:~# telnet kyle.spoiled.org 25
Trying 217.172.183.188...
telnet: connect to address 217.172.183.188: Connection refused
[2]
http://www.0xdeadbeef.info/code/rasbrute.bat
Yeah, .BAT pretty much sucks, i should have probably used the way more
powerful Windows Script (http://msdn.microsoft.com/scripting/), but i'm
allergic to VB and JScript;P
--
Marco Ivaldi
Antifork Research, Inc. http://0xdeadbeef.info/
3B05 C9C5 A2DE C3D7 4233 0394 EF85 2008 DBFD B707
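
Added example (not part of the original post and not code from thc-pptp-bruter): a small parser for the progress lines quoted in the message, showing that in the Cisco and WatchGuard runs the tested counter stays at 5 while elapsed time keeps growing. Reading the second c/s figure as tested/elapsed is an inference from the posted numbers only, and the function names are hypothetical.

```python
import re

# Progress lines copied from the Cisco run quoted in the post (sample input).
SAMPLE = """\
5 passwords tested in 0h 00m 01s (5.00 5.00 c/s)
5 passwords tested in 0h 00m 06s (0.20 0.83 c/s)
5 passwords tested in 0h 00m 11s (0.20 0.45 c/s)
5 passwords tested in 0h 00m 16s (0.20 0.31 c/s)
"""

LINE = re.compile(
    r"(\d+) passwords tested in (\d+)h (\d+)m (\d+)s \(([\d.]+) ([\d.]+) c/s\)"
)

def parse_progress(text):
    """Return (tested, elapsed_seconds, rate_a, rate_b) for each progress line."""
    rows = []
    for m in LINE.finditer(text):
        tested, h, mnt, s = (int(m.group(i)) for i in range(1, 5))
        rows.append((tested, h * 3600 + mnt * 60 + s,
                     float(m.group(5)), float(m.group(6))))
    return rows

def stalled_after(rows, min_reports=3):
    """Return the attempt count at which progress stopped, or None.

    A stall means the last `min_reports` reports carry the same counter
    while the elapsed time strictly increases.
    """
    if len(rows) < min_reports:
        return None
    tail = rows[-min_reports:]
    same_count = len({r[0] for r in tail}) == 1
    time_grows = all(a[1] < b[1] for a, b in zip(tail, tail[1:]))
    return tail[0][0] if same_count and time_grows else None

def second_rate_is_average(rows, tol=0.02):
    """Check that the second c/s figure matches tested / elapsed (inferred)."""
    return all(abs(r[0] / r[1] - r[3]) <= tol for r in rows if r[1] > 0)

if __name__ == "__main__":
    rows = parse_progress(SAMPLE)
    print("stalled after attempt:", stalled_after(rows))
    print("second figure is cumulative average:", second_rate_is_average(rows))
```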