Microsoft PPTP

ashman

I know I've asked about this before but I just need some more feedback.

I know PPTP has been cracked, but does it not still require a man in the middle attack to intercept packets and then at least two days to possibly decrypt the info?

Isn't it more work than most hackers are willing to go to unless there is a specific target?

I am just thinking for casual users who connect a few times a week for half an hour to an hour, aren't likely to be at risk, there are easier fish to catch out there.

Am I wrong?
 
SSTP is easier to go through firewalls, just as easy to set up, and more secure so why not use that? It's native to Windows even.
 
I looked into it briefly and it didn't seem that simple to set up, do you have a source?
 
I still use it from time to time......
It's better than nothing and has better firewall support than IPsec but less than SSL on port 80 or 443.
What I do is limit it to RDP only with firewall rules.
 
You could think of it this way.....

The second you connect to the internet you can be hacked.

The second you open up ports to enter your network you can be hacked.

Does it really matter? If someone wants to actually hack your business they will if they can gain from it, it's that simple. Just watch your logs and make sure nothing weird is happening.
 
> You could think of it this way.....
>
> The second you connect to the internet you can be hacked.
>
> The second you open up ports to enter your network you can be hacked.
>
> Does it really matter? If someone wants to actually hack your business they will if they can gain from it, it's that simple. Just watch your logs and make sure nothing weird is happening.

It does matter. There is a difference between security practices that leave you vulnerable to script kiddies and those requiring a sophisticated or novel attack. It's like saying because banks get robbed anyway they shouldn't invest in security.
 
I agree, but I hear what you are saying also.

If you go on the internet without protection we all know what will happen, so some protection is better than none, to varying degrees.

My question is about the ease of cracking PPTP. In its current form there is encryption, so there is protection, sure there are readily available tools to crack it but there are also easier targets out there. Obviously if someone targets you then it doesn't matter what you use, they will find a way through.
 
> I agree, but I hear what you are saying also.
>
> If you go on the internet without protection we all know what will happen, so some protection is better than none, to varying degrees.
>
> My question is about the ease of cracking PPTP. In its current form there is encryption, so there is protection, sure there are readily available tools to crack it but there are also easier targets out there. Obviously if someone targets you then it doesn't matter what you use, they will find a way through.

That reminds me of a story.
One day I was sitting down with the CEO of a fairly large non-profit and he mentioned that he was worried about someone hacking the VPN.
I said if I wanted to hack your network I would send "ann" an email saying for free smileys click here then click run.
He cracked up because she always included a hundred smileys in every email and would complain that the antivirus would not let her install some random program from a smiley site.
 
http://www.computerworld.com/articl...dely-used-pptp-encryption-in-under-a-day.html

In short, it still requires a captured MS-CHAPv2 handshake to crack. It's a matter of cracking the DES key at that point.

For anything considered important to keep confidential I'd want IPsec/L2 or OpenVPN. If you are just looking to get around Geo-blocking, or transferring non-sensitive information I *personally* wouldn't be worried about my PPTP VPN being cracked. I'd generally ask, "If this information was exposed would we have a major problem?". If the answer is yes then you need something more secure than PPTP.
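
Why the crack comes down to one DES key, as an added example that is not part of the original post: per RFC 2759, the MS-CHAPv2 response is three DES encryptions of the same 8-byte challenge hash, keyed with 7-byte slices of the 16-byte NT hash zero-padded to 21 bytes. The function names and the sample hash below are constructed for illustration, and no DES or password-hashing step is performed.

```python
import math

# Constructed 16-byte stand-in for an NT hash (not a real credential).
SAMPLE_NT_HASH = bytes(range(0x10, 0x20))


def split_nt_hash(nt_hash: bytes):
    """Zero-pad the 16-byte NT hash to 21 bytes and cut three 7-byte DES keys."""
    if len(nt_hash) != 16:
        raise ValueError("NT hash must be 16 bytes")
    padded = nt_hash + bytes(5)
    return padded[0:7], padded[7:14], padded[14:21]


def expand_des_key(key7: bytes) -> bytes:
    """Spread 56 key bits over 8 bytes, setting each low bit for odd parity."""
    if len(key7) != 7:
        raise ValueError("expected 7 bytes")
    bits = int.from_bytes(key7, "big")
    out = bytearray()
    for i in range(8):
        seven = (bits >> (49 - 7 * i)) & 0x7F
        parity = 1 if bin(seven).count("1") % 2 == 0 else 0
        out.append((seven << 1) | parity)
    return bytes(out)


def unknown_bits():
    """Secret bits carried by each of the three keys (the rest is padding)."""
    return [8 * (min(start + 7, 16) - start) for start in (0, 7, 14)]


def search_cost_bits() -> float:
    """log2 of the exhaustive-search work for the whole 128-bit NT hash.

    Keys 1 and 2 encrypt the same plaintext, so one pass over the 2**56
    DES key space checks both; key 3 has only 2**16 candidates.
    """
    k1, _k2, k3 = unknown_bits()
    return math.log2(2 ** k1 + 2 ** k3)


if __name__ == "__main__":
    for key in split_nt_hash(SAMPLE_NT_HASH):
        print(key.hex(), "->", expand_des_key(key).hex())
    print("secret bits per key:", unknown_bits())
    print("search work: 2^%.2f instead of 2^128" % search_cost_bits())
```

The result is independent of password length or complexity, which is why the choice of tunnel protocol, not the password policy, decides the exposure here.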
 
I know I need something more secure and I am working on that, I'm just wondering about the likelihood of someone going to the bother of cracking it, seems more work than it might be worth unless it was a targeted mark like a bank or executive, doesn't seem like something a casual hacker or script kiddie would bother with, or am I wrong?

In my case all but one user is using RDP over the PPTP VPN anyway, so I think exposure is minimal.
 
> It does matter. There is a difference between security practices that leave you vulnerable to script kiddies and those requiring a sophisticated or novel attack. It's like saying because banks get robbed anyway they shouldn't invest in security.

Yeah... Do you think your business is getting hacked every day by bored script kiddies?

I don't know about you but the banks I bank at have cameras and alarms to protect them. Last time I checked those didn't stop crazy people from robbing banks but the truth is people rob banks for money and if they didn't, why would they rob the bank in the first place.

A person is only going to attack a place if there is a reason.

Going back to my point, a network will only be hacked if someone has a reason. No one is going to hack your network for the fun of hacking your network.
 
> Yeah... Do you think your business is getting hacked every day by bored script kiddies?
>
> I don't know about you but the banks I bank at have cameras and alarms to protect them. Last time I checked those didn't stop crazy people from robbing banks but the truth is people rob banks for money and if they didn't, why would they rob the bank in the first place.
>
> A person is only going to attack a place if there is a reason.
>
> Going back to my point, a network will only be hacked if someone has a reason. No one is going to hack your network for the fun of hacking your network.

There are automated attacks going on all the time. Sometimes all the reason someone needs is "it was there, and I detected a vulnerability." or for "lulz"
 
> Yeah... Do you think your business is getting hacked every day by bored script kiddies?
>
> I don't know about you but the banks I bank at have cameras and alarms to protect them. Last time I checked those didn't stop crazy people from robbing banks but the truth is people rob banks for money and if they didn't, why would they rob the bank in the first place.
>
> A person is only going to attack a place if there is a reason.
>
> Going back to my point, a network will only be hacked if someone has a reason. No one is going to hack your network for the fun of hacking your network.


True, but even the average Joe is a worthy nugget. Most attacks have been automated since the 90's, only 0-day vulnerabilities are done manually until they can get automated. Hackers are incredibly lazy; White, Grey, or Black.

Analogy to the bank would be the firewall. It's enough to turn most people away, especially when done properly, however in the event someone does decide to get through you have the vault to protect most of the assets. Hence layered security.

You are right regarding the attack vectors though. The bigger and juicier of a target you are the more prone you are to attackers. An attacker will probably be turned off from attacking an individual's PPTP connection unless they had some kind of vendetta. A business, regardless of size, is a completely other story.
 
> There are automated attacks going on all the time. Sometimes all the reason someone needs is "it was there, and I detected a vulnerability." or for "lulz"

> True, but even the average Joe is a worthy nugget. Most attacks have been automated since the 90's, only 0-day vulnerabilities are done manually until they can get automated. Hackers are incredibly lazy; White, Grey, or Black.
>
> Analogy to the bank would be the firewall. It's enough to turn most people away, especially when done properly, however in the event someone does decide to get through you have the vault to protect most of the assets. Hence layered security.
>
> You are right regarding the attack vectors though. The bigger and juicier of a target you are the more prone you are to attackers. An attacker will probably be turned off from attacking an individual's PPTP connection unless they had some kind of vendetta. A business, regardless of size, is a completely other story.

Attacks are not as automated as you think.

Also most so called "attacks" are port scans or DDoS - DoS which I wouldn't consider a hack. Actually no one would unless you didn't know any better.

I have 7 honeypots, things don't just attack, it's not the way it works I am sorry if you feel it does.
 