PPTP VPN
aka mschapv2
Legacy VPN on tcp/1723. Its MS-CHAPv2 handshake is cryptographically broken: capture one login and the DES-based response cracks to the NTLM hash (and from there the password) with near-certainty.
Ports
| Port | Proto | Notes |
|---|---|---|
| 1723 | tcp | PPTP control |
Fingerprint
- The nmap pptp-version script returns the vendor and firmware strings
- GRE (IP protocol 47) carries the tunnel alongside the tcp/1723 control channel
Exploitation primitives
- Capture the MS-CHAPv2 challenge/response during a login
- asleap/chapcrack recover the NT hash → crack the password (or pass it)
- Cracked creds give VPN access into the internal network
Overview
PPTP on 1723 is an obsolete VPN whose MS-CHAPv2 auth is broken — any captured handshake reduces to a single DES key crack.
Enumeration
Fingerprint the endpoint:
nmap -p1723 --script pptp-version <TARGET>
Crack a captured handshake
Recover the NT hash / password from a sniffed MS-CHAPv2 exchange:
asleap -r capture.dump -W /usr/share/wordlists/rockyou.txt
Or convert the capture with chapcrack and brute-force the DES key in hashcat (-m 14000).
Hardening
Retire PPTP entirely — move to IKEv2/OpenVPN/WireGuard with certificate auth.