Point to Point Tunneling Protocol
PPTP (Point to Point Tunneling Protocol), is an outdated communications protocol that allows the implementation of virtual private networks or VPNs.
A VPN is a private network of computers that uses the Internet to connect its nodes.
It was developed by Microsoft, U.S. Robotics, Ascend Communications, 3Com / Primary Access, ECI Telematics, collectively known as PPTP Forum.
How does it work ?
The specification for PPTP was published by RFC 2637, although it has not been ratified as a standard by the IETF.
Point-To-Point Tunneling Protocol (PPTP) allowed the secure exchange of data from a client to a server forming a Virtual Private Network, using a TCP / IP network.
Among the strengths of PPTP are its ease of configuration in Windows environments, its ability to work on demand, and its multi-protocol support that allows it to function over existing workspace infrastructures such as the Internet or PPP dial-up connections.
This feature allows a company to use the Internet to establish a virtual private network (VPN) without the expense of a leased line.
The feature that makes PPTP technology possible is a non-standard extension of the GRE encapsulation protocol.
This PPTP technology directs user IP packets over a PPP interface, which in turn is encapsulated in a GRE tunnel, for transmission over the network. The negotiation of the PPP + GRE tunnels is done through the PPTP control channel on TCP port 1723.
PPTP and VPN: The Point-To-Point Tunneling Protocol was included with WindowsNT 4.0 Server and Workstation. PCs that implement this protocol can use it to connect to a private network as remote access clients using a public network such as the Internet.
PPTP offered companies to reduce by a large percentage the cost of distribution of an extensive network, since its remote access solution for mobile users provided security and encrypted communications over existing workspace structures such as PSTNs (Public-Switched Telephone Networks) or Internet.
PPTP vulnerabilities
PPTP security has been completely broken and installations with PPTP should be retired or upgraded to another VPN technology.
The ASLEAP utility can obtain keys from PPTP sessions and decrypt VPN traffic. PPTP attacks cannot be detected by the client or the server because the exploit is passive.
The PPTP flaw is caused by design errors in cryptography in Cisco’s LEAP and Microsoft MSCHAP-v2 handshake protocols and by key length limitations in MPPE.
PPTP Security
PPTP has been the subject of many security analyses and serious security vulnerabilities have been found in the protocol. The known vulnerabilities relate to the underlying PPP authentication protocols used, the design of the MPPE protocol as well as the integration between MPPE and PPP authentication for session key establishment.
Heere is a summary of these vulnerabilities :
- MS-CHAP-v1 is fundamentally insecure. Tools exist to trivially extract the NT Password hashes from a captured MSCHAP-v1 exchange.
- When using MS-CHAP-v1, MPPE uses the same RC4 session key for encryption in both directions of the communication flow. This can be cryptanalysed with standard methods by XORing the streams from each direction together.
- MS-CHAP-v2 is vulnerable to dictionary attacks on the captured challenge response packets. Tools exist to perform this process rapidly.
- In 2012, it was demonstrated that the complexity of a brute-force attack on a MS-CHAP-v2 key is equivalent to a brute-force attack on a single DES key. An online service was also demonstrated which is capable of decrypting a MS-CHAP-v2 MD4 passphrase in 23 hours.
- MPPE uses the RC4 stream cipher for encryption. There is no method for authentication of the ciphertext stream and therefore the ciphertext is vulnerable to a bit-flipping attack. An attacker could modify the stream in transit and adjust single bits to change the output stream without possibility of detection. These bit flips may be detected by the protocols themselves through checksums or other means.
EAP-TLS is seen as the superior authentication choice for PPTP; however, it requires implementation of a public-key infrastructure for both client and server certificates. As such, it may not be a viable authentication option for some remote access installations. Most networks that use PPTP have to apply additional security measures or be deemed completely inappropriate for the modern internet environment. At the same time, doing so means negating the aforementioned benefits of the protocol to some point.