
Author Topic: PPTP has been cracked - stop using it and migrate ASAP  (Read 21259 times)


jimp (Administrator)
PPTP has been cracked - stop using it and migrate ASAP
« on: October 01, 2012, 02:51:23 pm »
PPTP is no longer considered a secure VPN technology. PPTP relies upon MS-CHAPv2 which has been completely compromised. If you continue to use PPTP be aware that intercepted traffic can be decrypted by a third party 100% of the time, so it should be considered unencrypted. We advise migrating to another VPN type such as OpenVPN or IPsec.

This is not specific to pfSense, it is the entire PPTP protocol regardless of its implementation.

More information on this can be found at https://isc.sans.edu/diary/End+of+Days+for+MS-CHAPv2/13807 and https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/

We have placed a warning on the PPTP page in 2.1 and 2.0.2 stating this. Other VPN clients may not be as convenient, but PPTP is dead, it's time to move on. This also means that any bugs that are pending for PPTP are not likely to be fixed. PPTP has been entirely removed from the upcoming 2.3 release.

If you insist on using it, or have a client that insists on using it, be aware that it is not providing any real measure of security. In the case of a client requiring it, it may not be a bad idea to make them sign a waiver stating they were informed of this and chose to ignore it.
« Last Edit: November 24, 2015, 02:38:46 pm by jimp »

kejianshi
Re: PPTP has been cracked - stop using it and migrate ASAP
« Reply #1 on: July 06, 2013, 05:34:24 pm »
I'm not sure what a lot of people are thinking, but I can still see a use for PPTP on wired networks where privacy isn't the goal but IP location shifting is, for example to avoid geo-filtering on US based audio/video media services and using older client hardware. But yeah. Anyone who thinks they are getting privacy or security in an environment where their packets are being scanned is dead wrong.

m4f1050
Re: PPTP has been cracked - stop using it and migrate ASAP
« Reply #2 on: August 17, 2013, 05:22:56 am »
Ever since I upgraded to 2.0.3 I can't connect my PPTP clients to my pfSense, was this disabled? I've tried my Android phone, a Win 7 and Win 8 with no success. I get a message that the remote has disconnected me (on Win 8).

EDIT: At around the same time I switched ISPs to AT&T, could AT&T be blocking any ports? I set up PPTP on my Win machine and selected to do pass-thru to the Win workstation and canyouseeme.org showed port 1723 open, but when I enable it on pfSense I don't see it open, that's what makes me believe it was disabled.
« Last Edit: August 17, 2013, 01:37:26 pm by m4f1050 »

kejianshi
Re: PPTP has been cracked - stop using it and migrate ASAP
« Reply #3 on: August 17, 2013, 01:45:13 pm »
PPTP works on mine with 2.03, 32 bit, so it's not that. (Although I never use it for anything)

m4f1050
Re: PPTP has been cracked - stop using it and migrate ASAP
« Reply #4 on: August 17, 2013, 10:25:16 pm »
Tried a second time, same results. I can't find any open ports, which is odd. I opened TCP ports 1701, 1723 and UDP ports 500, 4500 and 1194. My PPTP doesn't work nor my L2TP, but OpenVPN worked. Problem is I have a Toshiba Excite 10 tablet that doesn't have bootloader unlocked (can't root it) and I can't use OpenVPN on it and it's the one I use the most on my home network via VPN. So strange canyouseeme.org can see my PC when I use the pass-thru but it can't see it when I use pfSense's PPTP or L2TP. Any advice?

doktornotor
Re: PPTP has been cracked - stop using it and migrate ASAP
« Reply #5 on: August 18, 2013, 01:07:42 am »
> I opened TCP ports 1701, 1723 and UDP ports 500, 4500 and 1194.

You are missing GRE (IP protocol 47) for PPTP and ESP (IP protocol 50) for L2TP.

> Problem is I have a Toshiba Excite 10 tablet that doesn't have bootloader unlocked (can't root it) and I can't use OpenVPN on it

No need for root with OpenVPN on ICS.
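An added example, not code from any poster in this thread: a small audit of a WAN pass-rule list against the transports named in the reply above (GRE for PPTP, ESP for L2TP) and the ports listed in reply #4. The `proto/port` rule notation and the function names are hypothetical, not pfSense syntax. It also lists the rules that only serve PPTP, which can be removed once clients have migrated.

```python
# Requirements per VPN type as (ip_protocol, port); port is None for
# IP protocols that have no ports (GRE = protocol 47, ESP = protocol 50).
REQUIRED = {
    "PPTP": {("tcp", 1723), ("gre", None)},
    "L2TP/IPsec": {("udp", 500), ("udp", 4500), ("esp", None)},
    "OpenVPN": {("udp", 1194)},
}
DEPRECATED = {"PPTP"}  # per the first post: MS-CHAPv2 is compromised

def parse_rule(text):
    """Parse 'tcp/1723' or 'gre' (hypothetical notation) into (proto, port)."""
    proto, _, port = text.strip().lower().partition("/")
    if proto in ("tcp", "udp"):
        if not port.isdigit() or not 0 < int(port) < 65536:
            raise ValueError(f"bad port in rule: {text!r}")
        return proto, int(port)
    if port:
        raise ValueError(f"{proto} is an IP protocol and has no ports: {text!r}")
    return proto, None

def fmt(rule):
    proto, port = rule
    return proto if port is None else f"{proto}/{port}"

def audit(rule_texts):
    """Report, per VPN type, which required pass rules are missing."""
    allowed = {parse_rule(t) for t in rule_texts}
    return {
        vpn: {
            "works": needed <= allowed,
            "missing": sorted(fmt(r) for r in needed - allowed),
            "deprecated": vpn in DEPRECATED,
        }
        for vpn, needed in REQUIRED.items()
    }

def stale_rules(rule_texts):
    """Rules that serve only deprecated VPN types and can be dropped."""
    keep = set().union(*(n for v, n in REQUIRED.items() if v not in DEPRECATED))
    drop = set().union(*(REQUIRED[v] for v in DEPRECATED)) - keep
    return sorted(fmt(r) for r in {parse_rule(t) for t in rule_texts} & drop)

# The rule set described in reply #4 (constructed from the post's wording).
POSTED = ["tcp/1701", "tcp/1723", "udp/500", "udp/4500", "udp/1194"]

if __name__ == "__main__":
    for vpn, result in audit(POSTED).items():
        print(vpn, result)
    print("remove after migration:", stale_rules(POSTED + ["gre"]))
```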

kejianshi
Re: PPTP has been cracked - stop using it and migrate ASAP
« Reply #6 on: August 18, 2013, 02:01:41 am »
BTW - PPTP has been cracked - stop using it and migrate ASAP.

Also, GRE sucks.  Too easy to break / not work for lots of reasons.
Use IPsec.  Use OpenvpnConnect.  Use carrier pigeon.... 
Anything except PPTP.

m4f1050
Re: PPTP has been cracked - stop using it and migrate ASAP
« Reply #7 on: September 15, 2013, 10:40:40 pm »
> BTW - PPTP has been cracked - stop using it and migrate ASAP.
>
> Also, GRE sucks.  Too easy to break / not work for lots of reasons.
> Use IPsec.  Use OpenvpnConnect.  Use carrier pigeon....
> Anything except PPTP.

LOL @ carrier pigeon...  That's gotta be the slowest network!  :D   (If you refer to REAL carrier Pigeons)

kejianshi
Re: PPTP has been cracked - stop using it and migrate ASAP
« Reply #8 on: September 15, 2013, 10:46:20 pm »
YEP - Get some cages.

m4f1050
Re: PPTP has been cracked - stop using it and migrate ASAP
« Reply #9 on: September 15, 2013, 11:00:04 pm »
> YEP - Get some cages.

Well, I bought a lower end Toshiba Excite 10 AT300SE and rooted it and use OpenVPN but I want my higher end AT305 to have this functionality, that's why I don't want to go through the trouble just for 1 device thanks to the dreaded T company.

Supermule
Re: PPTP has been cracked - stop using it and migrate ASAP
« Reply #10 on: September 16, 2013, 01:17:54 am »
Has anybody considered what it takes to crack 128-bit encryption (38 hours on heavy hardware) and the chance it's going to be your IP?

Kind regards Brian


kejianshi
Re: PPTP has been cracked - stop using it and migrate ASAP
« Reply #11 on: September 16, 2013, 01:20:16 am »
"Chances it will be my IP" - 100%

Yeah...

Supermule
Re: PPTP has been cracked - stop using it and migrate ASAP
« Reply #12 on: September 16, 2013, 01:22:43 am »
Why not use country specific characters in your password? Then the cracker needs to have the same keyboard setup to get in?

But the password/hash generator can't take that into consideration.... ;)
Kind regards Brian


kejianshi
Re: PPTP has been cracked - stop using it and migrate ASAP
« Reply #13 on: September 16, 2013, 01:29:09 am »
Hmmmmm...   Guess that would increase the combinations and permutations that have to be tried.

That would probably make it take 5 seconds instead of 2.  (Me and you have different ideas of what constitutes a serious system)

Forget about PPTP - You would be lucky if even AES at 128 or maybe even 256 protects you much.

I want to see ECC on OpenVPN ASAP, honestly

Although, when you see who advocates it, makes me wonder about that too...

http://www.nsa.gov/business/programs/elliptic_curve.shtml

Supermule
Re: PPTP has been cracked - stop using it and migrate ASAP
« Reply #14 on: September 16, 2013, 01:39:49 am »
Listen....everything is/has been cracked. If it's the government that wants in, then they just take your servers anyway. If it's the little guy, then he would need to be aware and have knowledge about your internal network.

When you create your own certificates, you rely on people using that and not fake ones. It takes just one false click and your IT is fucked anyway.

Calm the fuck down and use multiple layers of authentication besides the logon credentials. Then they haven't got a fecking chance in hell anyway. (sms passcode is one)
Kind regards Brian