[Event Admin for Windows NT] [NTBugtraq Archives][Russ Cooper's NTBugTraq][Microsoft Windows NT Server with Microsoft Internet Information Server] [Get Microsoft Internet Explorer] --------------------------------------------------------------------------- Is PPTP Secure? [ List Charter ] [ NT Fixes ] [ What *must* I fix? ] [ Editorials ] [ FAQs ] [ HotFix Central ] [ Donations? ] --------------------------------------------------------------------------- What follows are my comments on PPTP made to the Firewalls@Greatcircle.com mailing list back on November 2nd, 1997. You can find the original thread at Nexial's on-line Firewalls archive. From Tim Lebrun >So we have a T1 internet connection run which (from the outside) >first, goes through a Cisco 7000 router, then through a Gauntlet >firewall, and then the users get logged on to a NT Ras server >using PPTP. And from there the users can go and do anything >on the network, ie: Mail, Novell, Tn3270, Telnet. From Russ Cooper First let me say that my position on PPTP has changed, as you'll likely notice from the message below. You will have a couple of problems with this configuration. 1. There is no way within NT or via PPTP to force the users to use NTboxes as their clients. 2. Only NT-NT communications can be forced to *not* use LanMan hashesfor their passwords. 3. PPTP uses the OWF hash of the password as the shared key forencrypting the PPTP session. This information is sent at the session setup of every PPTP connection. 4. When the OWF hash is based on the *LanMan* hash of the password, itis extremely weak and subject to brute force decryption based on known,available, methods and tools. 5. The shared key, derived as per #3 above, is used *every* time aconnection is established, and remains the same until the user changestheir password. It is therefore long-lived (certainly live much longerthan a reasonable average of 3 days it might take to brute force theLanMan key space). 6. Given NT's TCP sequence predictability, hijacking a PPTP sessionbased on a Win95 client (or an NT client *not* configured to *not* use LanMan) should be a straight-forward process. The bottom line, in my current opinion, is that the use of PPTP cannot be relied upon to be secure. While it may be possible to prevent a Win95 client from obtaining a successful completed login to your PPTP server (say by forcing checks during the login script processing, mandatory profiles, etc...) there is no way to prevent them from trying to connect using a LanMan hash. As such, their passwords could be made available to hackers. Once captured, they could subsequently be used on NT clients to establish successful logins by hackers. Security Dynamics have said that it is possible to use SecurID with PPTP. Even if this is done I am still not convinced it would be sufficient to overcome the issues. 1. If the SecurID token value is used as the client password in the steps listed above, then the session would be encrypted with an extremely weak value (known to be a number of a specific length). Real-time brute force would likely be possible (obviously depends on the length of the sessions). Trial-and-error over a period of time would likely yield at least one session hijack, then depending on who's session is captured... 2. Assuming that the SecurID token value is not used as the session encryption key, then the risks are still present for hijacking (since the session key would then be derived from the client password). IOWs, SecurID has not really added anything to the security of the solution. 3. Assuming that normal client authentication takes place first, then the SecurID authentication, then the session encrypted with the original client password hash, you still have the same problems. The only viable solution would be for Security Dynamics to combine the SecurID token value with the client password hash (in some reasonable fashion) and then use this new value as the basis for the session encryption. If this is done, then the entire solution becomes very viable (IMO) and well worth investigating. Unfortunately I haven't asked Security Dynamics for these specifics, maybe someone from there can comment?? Finally, if you are in a situation where you can trust the clients to use NT (remember, you have no way to enforce this policy), then PPTP remains a valid mechanism IMO. The issues arise when you either; a) cannot trust the clients to use NT only, b) must use Win95 clients, c) do not have control over whether or not the NT clients have disabled LanMan hashes. Cheers, Russ Cooper R.C. Consulting, Inc. - NT/Internet Security --------------------------------------------------------------------------- This page has been viewed [Hit Counter] times sinceThursday, April 09, 1998 [Event Admin for Windows NT] [Sunbelt Software Stellar NT-Site] [LSoft's Catalist][Powered by Listserv Classic] Thinking about a donation to NTBugTraq?