What is PPTP security vulnerable to?
PPTP is the only VPN protocol supported by some devices (for example, the Asus RT-AC66U WiFi router). If PPTP is configured to only use the most secure options, does its use present any security vulnerabilities? The most secure configuration of PPTP is to exclusively use:
MPPE-128 encryption (which uses RC4 encryption with a 128bit key)
MS-CHAPv2 authentication (which uses SHA-1)
strong passwords (minimum 128 bits of entropy)
I realise that RC4 and SHA-1 have weaknesses, but I am interested in practical impact. Are there known attacks or exploits that would succeed against a PPTP VPN with the above configuration?
PPTP v1 was broken a long time ago based on a questionable MS design... (https://www.schneier.com/academic/pptp/faq/) However, Microsoft did publish fixes to address the biggest problems; also long ago: The weaker LAN Manager hash is no longer sent along with the stronger Windows NT hash. This is to prevent automatic password crackers like L0phtcrack from first breaking the weaker LAN Manager hash and then using that information to break the stronger NT hash.
An authentication scheme for the server has been introduced. This is to prevent malicious servers from masquerading as legitimate servers. The change password packets from MS-CHAPv1 have been replaced by a single change password packet in MS-CHAPv2. This is to prevent the active attack of spoofing MS-CHAP failure packets. MPPE uses unique keys in each direction. This is to prevent the trivial cryptanalytic attack of XORing the text stream in each direction to remove the effects of the encryption. source The only thing left (according to Schneier and Mudge) is password guessing which you can circumvent by using a decent password and optionally not using integrated Windows AD authentication, but separate logins.
These changes address most of the major security weaknesses of the original protocol. However, the revised protocol is still vulnerable to offline password-guessing attacks from hacker tools such as L0phtcrack. So, PPTP security can still be quite valid and all "PPTP is hacked" messages are copies of misinformed partial info and only talk about the initial hack. Especially suitable for use in home routers. OpenVPN needs way more CPU power.
An attacker has to be able to intercept the victim's MS-CHAP v2 handshake in order to exploit this weakness, by performing man-in-the-middle attacks or by intercepting open wireless traffic. An attacker who obtained the MS-CHAP v2 authentication traffic could then use the exploit code to decrypt a user's credentials.
We never heard of a real hack or even attempts. The hacker needs to be able to read the client's network communication which is mostly not feasible. 'Open wireless traffic' has not been practised for quite some years already. The PPTP image has been long ruined by the first incident and because of its weird MS-implementation specifics… It still kind of works. Also 'proven' by the fact that many VPN providers still offer PPTP (with the message 'unsecure' based on the same half information). Of course, OpenVPN is safer, but that doesn't make PPTP unusable.