
Setup: I have a simple test setup: PC (Win7) and Server (Win Server 2008) and I open a VPN tunnel between the two of them via PPTP (encrypted with MPPE 128). The server has a shared folder that the client can access and manipulate.

Scenario: I now eavesdropped on the resulting communication via Wireshark and expected the data to be encrypted. However, I was able to see both the shared folder access requests/responses (that, for example, contained the file names in the folder) and the actual file content when I, for example, changed the content and saved it.

Question: Are the contents actually transferred in plaintext within SMB2 despite the encrypted VPN tunnel, or can I simply see the contents because the client that is editing the files is also the one running Wireshark, and an external attacker could not?

Philip Allgaier
  • PPTP should not be used, or relied upon, for its encryption methods. Its primary use is for tunneling between two sites, nothing more. If you want to encrypt **and** tunnel at the same time, then you need to change VPNs. [See here for a bit of a backstory](http://meta.serverfault.com/questions/5168/should-we-discourage-the-use-of-pptp). – Mark Henderson Feb 05 '13 at 01:12
  • Additionally, where were you eavesdropping? In the middle of the link, or at one of the endpoints? If you're looking at the endpoint, it may very well have been decrypted by the time Wireshark gets to it. – Mark Henderson Feb 05 '13 at 01:14
  • 1. Eavesdropping: on an endpoint (also see my corresponding guess in the question). 2. PPTP: Even if it is not recommended (and I plan to switch to L2TP), shouldn't PPTP be able to encrypt or does this only apply to the PPTP framework itself, but not to the SMB2 requests? – Philip Allgaier Feb 05 '13 at 01:15
  • Fair enough. I missed the part of your question where you already speculated about it being decrypted. Yes, PPTP *can* do encryption. The way to check it is to monitor your traffic at a device in the middle. Can your edge devices (firewall/router/modem) do packet captures? – Mark Henderson Feb 05 '13 at 01:21
  • Currently not, but extended, more capable hardware is under way. I will retest it via port-mirroring once it has arrived. – Philip Allgaier Feb 05 '13 at 02:38
  • You shouldn't need to do any port mirroring. Make sure Wireshark is capturing the base network interface and not the PPTP (PPP) interface. – hrunting Feb 05 '13 at 04:31
  • @hrunting not really sure what you mean. I am listening on the physical NIC and the only filter I have set in Wireshark is to only include packets from or to my server IP. – Philip Allgaier Feb 05 '13 at 08:56
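
As an added example (not part of the original thread): a capture taken on the wire carries PPTP data as enhanced GRE (IP protocol 47) with a PPP frame inside, and an MPPE-protected frame has PPP protocol 0x00FD with the D bit set, whereas a decrypted view shows TCP with the SMB2 magic `\xfeSMB`. The sketch below classifies raw IPv4 packets on that basis; the function names and the sample packets are constructed for illustration.

```python
import struct

GRE_PPTP = 0x880B          # enhanced GRE protocol type for PPP (RFC 2637)
PPP_MPPE = 0x00FD          # PPP protocol number of MPPE frames (RFC 3078)
SMB2_MAGIC = b"\xfeSMB"

def ppp_protocol(frame):
    """Return (protocol, payload) of a PPP frame, allowing ACFC/PFC compression."""
    if frame[:2] == b"\xff\x03":              # optional address/control bytes
        frame = frame[2:]
    if frame[0] & 1:                          # odd first byte: 1-byte protocol field
        return frame[0], frame[1:]
    return struct.unpack("!H", frame[:2])[0], frame[2:]

def classify(packet):
    """Classify one raw IPv4 packet (no Ethernet header)."""
    ihl = (packet[0] & 0x0F) * 4
    proto, body = packet[9], packet[ihl:]
    if proto == 47:                           # GRE
        flags, ver = body[0], body[1]
        if struct.unpack("!H", body[2:4])[0] != GRE_PPTP or (ver & 0x07) != 1:
            return "gre-other"
        # 8 fixed bytes, +4 if S (sequence) is set, +4 if A (ack) is set
        offset = 8 + (4 if flags & 0x10 else 0) + (4 if ver & 0x80 else 0)
        if len(body) <= offset:
            return "pptp-ack-only"
        ppp, payload = ppp_protocol(body[offset:])
        if ppp != PPP_MPPE:
            return "pptp-ppp-no-mppe"         # LCP/CHAP/CCP or unprotected data
        encrypted = bool(payload) and bool(payload[0] & 0x10)   # MPPE D bit
        return "pptp-mppe-encrypted" if encrypted else "pptp-mppe-clear"
    if proto == 6:                            # TCP
        data = body[(body[12] >> 4) * 4:]
        # SMB over TCP/445 prefixes each message with a 4-byte length field
        return "cleartext-smb2" if SMB2_MAGIC in (data[:4], data[4:8]) else "tcp-other"
    return "other"

def ipv4(proto, body):
    """Constructed-sample helper: minimal IPv4 header, checksum left at 0."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64, proto, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + body

# Constructed samples: what the wire shows vs. what a decrypted view shows.
SAMPLE_TUNNEL = ipv4(47, struct.pack("!BBHHHI", 0x30, 0x01, GRE_PPTP, 11, 1, 7)
                     + b"\xfd\x90\x01" + bytes(8))
SAMPLE_PLAIN = ipv4(6, struct.pack("!HHIIBBHHH", 49152, 445, 0, 0, 0x50, 0x18, 8192, 0, 0)
                    + b"\x00\x00\x00\x40" + SMB2_MAGIC + bytes(60))

if __name__ == "__main__":
    print(classify(SAMPLE_TUNNEL), classify(SAMPLE_PLAIN))
```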

0 Answers