29

PPTP is the only VPN protocol supported by some devices (for example, the Asus RT-AC66U WiFi router). If PPTP is configured to only use the most secure options, does its use present any security vulnerabilities?

The most secure configuration of PPTP is to exclusively use:

  • MPPE-128 encryption (which uses RC4 encryption with a 128bit key)
  • MS-CHAPv2 authentication (which uses SHA-1)
  • strong passwords (minimum 128 bits of entropy)

I realize that RC4 and SHA-1 have weaknesses, but I am interested in practical impact. Are there known attacks or exploits that would succeed against a PPTP VPN with the above configuration?

user34241
  • 293
  • 1
  • 3
  • 4
  • This is what I'm looking for... For enterprise use, PPTP is out. But, what about a single user/family wanting to connect to their home network, or get some protection at a hotspot. How broken is PPTP for single, non-enterprise use? – MikeP Feb 16 '17 at 21:03

3 Answers3

34

Yes. The protocol itself is no longer secure, as cracking the initial MS-CHAPv2 authentication can be reduced to the difficulty of cracking a single DES 56-bit key, which with current computers can be brute-forced in a very short time (making a strong password largely irrelevant to the security of PPTP as the entire 56-bit keyspace can be searched within practical time constraints).

The attacker can do a MITM to capture the handshake (and any PPTP traffic after that), do an offline crack of the handshake and derive the RC4 key. Then, the attacker will be able to decrypt and analyse the traffic carried in the PPTP VPN. PPTP does not provide forward secrecy, so just cracking one PPTP session is sufficient to crack all previous PPTP sessions using the same credentials.

Additionally, PPTP provides weak protection to the integrity of the data being tunneled. The RC4 cipher, while providing encryption, does not verify the integrity of the data as it is not an Authenticated Encryption with Associated Data (AEAD) cipher. PPTP also doesn't do additional integrity checks on its traffic (such as HMAC), and is hence vulnerable to bit-flipping attacks, ie. the attacker can modify PPTP packets with little possibility of detection. Various discovered attacks on the RC4 cipher (such as the Royal Holloway attack) make RC4 a bad choice for securing large amounts of transmitted data, and VPNs are a prime candidate for such attacks as they by nature usually transmit sensitive and large amounts of data.

If you want to, you can actually try cracking a PPTP session yourself. For a Wi-Fi user, it involves ARP poisoning your target such that the target sends the MSCHAPv2 handshake through you (which you can capture with Wireshark or any other packet capture tool). You can then crack the handshake with tools like Chap2Asleap, or if you have a few hundred dollars to spare submit the captured handshake to online cracking services. The recovered username, hash, password and encryption keys can then be used to impersonate logins to the VPN as that user, or to retroactively decrypt the target's traffic. Obviously, please do not do this without proper authorisation and outside a controlled environment.

In short, please avoid using PPTP where possible.

For more information, see http://www.computerworld.com/s/article/9229757/Tools_released_at_Defcon_can_crack_widely_used_PPTP_encryption_in_under_a_day and How can I tell if a PPTP tunnel is secure?.

Issues discovered with RC4 (resulting in real world security issues in protocols like TLS) can be found in http://www.isg.rhul.ac.uk/tls/RC4mustdie.html and https://www.rc4nomore.com/

For the cracking portion, refer to https://www.rastating.com/cracking-pptp-ms-chapv2-with-chapcrack-cloudcracker/ and https://samsclass.info/124/proj14/p10-pptp.htm.

Nasrus
  • 1,250
  • 12
  • 13
  • Thanks for the info! It sounds like it's for this very reason that Apple has removed PPTP VPN support from both their desktop (macOS) and mobile OS (iOS): https://support.apple.com/en-us/HT206844 – Uniphonic Dec 08 '17 at 17:14
1

Despite the recent findings of flaws of the MSCHAPv2 protocol handshake, there are still use-cases in which using a PPtP VPN may be considered "practically secure" (ie. if you're not paranoid and hiding from CIA, who have great computational resources at hand).

For example, my favorite use of VPN is when I connect to public WiFi hotspots when travelling. On such a hotspot, you're probably not connected more than a few minutes/hours, whereas cracking the session takes about a day even using cloud services. And it costs some money to crack the session. I can't imagine any sane cracker who'd invest the money to crack your wireless session instead of stealing any other unprotected session from the hotspot. That's the "practically safe" for me.

PPtP VPN share the MSCHAPv2 auth with WPA2 WiFi - it's the same auth protocol. But in the case of VPN over wire, it is at least a bit safer: on WiFi, anyone can issue a command to disconnect a client, hence forcing it to do the handshake when the attacker is ready to capture it. When you connect to VPN over wire, the attacker needs to wait for the handshake (if he can't unplug your wire, of course).

But as said many times, using PPtP for company VPN would be a very bad idea. From the theoretical point of view, it's really broken.

Martin Pecka
  • 161
  • 6
  • This is what I'm looking for... For enterprise use, PPTP is out. But, what about a single user/family wanting to connect to their home network, or get some protection at a hotspot. How broken is PPTP for single, non-enterprise use? – MikeP Feb 16 '17 at 21:02
  • 1
    I think it's as much broken as your data are valuable/sensitive :) If you store your credit card scans or other sensitive date somewhere (anywhere!) on your home network, I wouldn't use PPtP (or in case you have some data you're obliged by laws to protect, like personal data of third persons). If you just want to access photos, movies, normal documents, it might be just fine. – Martin Pecka Feb 17 '17 at 00:43
  • So far, I only use it to access ssh, HTTPS, and MS RDP (with encryption). So, as long as it isn't broken to allow an attacker to login to the PPTP, I'm fine with it, for now. Until I update my Apple products and can't use it (I just found out Apple deprecated it.) So, now, I need to figure out a different VPN solution that is simple and well-supported. Open VPN is not simple. And, I use DD-WRT, so not only do I need a new VPN, I need a new router... – MikeP Feb 20 '17 at 19:13
  • If this was merely an argument for whether an 80 bit cipher or something were sufficient, I might agree, but 56 bits is _really_ bad, even practically speaking. As a hacker, PPTP would _not_ discourage me if you were even remotely interesting (i.e. anything but a 12 year old kid playing Minecraft). – forest Dec 09 '17 at 09:30
0

PPTP v1 was broken a long time ago based on a questionable MS design... (https://www.schneier.com/academic/pptp/faq/)

However, Microsoft did publish fixes to address the biggest problems; also long ago:

  • The weaker LAN Manager hash is no longer sent along with the stronger Windows NT hash. This is to prevent automatic password crackers like L0phtcrack from first breaking the weaker LAN Manager hash and then using that information to break the stronger NT hash.

  • An authentication scheme for the server has been introduced. This is to prevent malicious servers from masquerading as legitimate servers. The change password packets from MS-CHAPv1 have been replaced by a single change password packet in MS-CHAPv2. This is to prevent the active attack of spoofing MS-CHAP failure packets.

  • MPPE uses unique keys in each direction. This is to prevent the trivial cryptanalytic attack of XORing the text stream in each direction to remove the effects of the encryption. source

The only thing left (according to Schneier and Mudge) is password guessing which you can circumvent by using a decent password and optionally not using integrated Windows AD authentication, but separate logins.

These changes address most of the major security weaknesses of the orginal protocol. However, the revised protocol is still vulnerable to offline password-guessing attacks from hacker tools such as L0phtcrack.

So, PPTP can still be quite valid and all "PPTP is hacked" messages are copies of misinformed partial info and only talk about the initial hack. Especially suitable for use in home routers. OpenVPN needs way more CPU power.

Years later another authentication issue came up. Impact?

How could an attacker exploit the weaknesses?

An attacker has to be able to intercept the victim's MS-CHAP v2 handshake in order to exploit this weakness, by performing man-in-the-middle attacks or by intercepting open wireless traffic. An attacker who obtained the MS-CHAP v2 authentication traffic could then use the exploit code to decrypt a user's credentials.

We never heard of a real hack or even attempts. The hacker needs to be able to read the client's network communication which is mostly not feasible. 'Open wireless traffic' is not practised for quite some years already.

The PPTP image has been long ruined by the first incident and because of its weird MS-implementation specifics...

It still kind of works. Also 'proven' by the fact that many VPN providers still offer PPTP (with the message 'unsecure' based on the same half information). Of course, OpenVPN is safer, but that doesn't make PPTP unusable.

schroeder
  • 123,438
  • 55
  • 284
  • 319
Rinzwind
  • 1
  • 1