New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
Comments
@sman
Imagine you're having a nice holiday somewhere in a country where Internet censorship is common or where heavy content restrictions apply. You're sitting in a nice hotel with free WiFi. You are aware of the limits mentioned above (either services not available to censorship or simply not available due to license restrictions on the content). Let's say it's the censorship case because it's really common in those nice hot countries where most people go to have a nice holiday.
You have to access some services that are not available in the country you are in now due to heavy filtering applied to censor the Internet. You remember that you've a VPN running on one of your LEB boxes. So you decide to use the VPN and with some luck the ISP hasn't blocked that protocol/ports. So you get into your VPN and no more censorship for as long as you're using the VPN. It's about as much as what you use your VPS for now (changing your country location to avoid the censorship or whyever you need it).
You may remember and you might have read it so often. VPNs are good on public WiFi hotspots to avoid having your network traffic sniffed and to keep your privacy in good standing while being online. Good thing maybe but not much of use with PPTP. Your traffic cannot be directly sniffed anymore however the attacker (imagine a group of local cyber criminals who love to mess with tourists while they do some online banking) can still sniff the PPTP traffic and capture it. No problem because it's encrypted, right? Right but PPTP has a few issues a) weak encryption and b) it's easy to break into as proven before by security researchers like Bruce Schneier or SANS.
So here we are now. You are sitting in the lobby with your notebook, connected to the free WiFi and your VPN... surfing without thinking about anything bad. There are many people around you with computers. The attackers are sitting there, too. They sniff and capture some of your PPTP traffic. Spend some hundreds (which they stole of other people or earned with other criminal activities) on that little nice Cloudcracker service or have their own farm for that. On the next day they have the hash that allows them to decrypt all your PPTP traffic with a program like chapcrack or similar.
You are still at the hotel as you're staying longer than a few days. You run out of cash or something. So you decide to do some online banking to get something arranged locally to get cash. The attackers are there again. Watching you. Sniffing your traffic again. Decrypting it with ease and using other tools to do some harm with the decrypted traffic to you. Maybe a MITM on the bank site or something similar by forging traffic between your VPN and your notebook.
Now I know as little as your brain is you can't imagine that or simply think I'm talking bullshit and something like that would never happen... Well, you're so wrong kiddo. Agencies do this kind of stuff for fucks and millitary has some nice skilled people to observe and hack communication between terrorists in hotels and etc..
Continue asking me how exactly it will go. I won't be able to answer that to you because I never did it (for the sake of god (oh wait I'm an atheist) why should I do this dumb shit? I'm not looking forward to harm people) and I'm not looking forward to get down into the deep web to get some pretty nice and detailed instructions.
@Hidden_Refuge To be fair, avoiding curious eyes spying on the upstream is so very far from the only reason to use a VPN. You're talking about something that is vulnerable for not using a VPN, therefore not specifically relevant to PPTP but to open Internet as a whole.
And just like that we are back down the rabbit hole...lol. Now walk me through an actual hack to show just how 'vulnerable' I will be. The time involved and setup requred etc. Because Flying Spaghetti Monster only knows just how badly the Chinese want to know what websites I visit.
I am sure they must have an entire department dedicated to cracking smans VPN because now they know he uses (gasp!) PPTP ...BOOGA BOOGA. That's easier to crack than just like...you know...watching my ISP internet connection. I know that's true because someone posted some links (some of which STILL work!) about it from their google search. So it's just FACT!
Still waiting for one of you
keyboard commandossecurity experts to point out the real truth. That security is all about risk management. Not throwing as much shit at the wall as you can. That's a sure sign of someone who doesn't even understand the threat much less the solution.Still waiting for someone to explain the threat of PPTP. Like actually explain it. Not post links from google written by other people with no firsthand experience..lol. I dare anyone here to setup a pptp connection and demonstrate an actual hack of it.
Basement.
Well, we gave you suggestions about using other easy protocols, and you keep bashing. And you love to ninja-edit, could you even think before you write?
And the Softether was my last "useful" opinion about this matter.
"It's a beautiful world, we live in
A sweet romantic place
Beautiful people everywhere
The way they show they care
Makes me want to say
It's a beautiful world
Oh, a beautiful world
For you
For you, for you
For you, for you
For you, not me"
I'm going with @netomx and sign off this thread.
Edit: Carry on to the year of the boomerang, ras clot.
You had a useful opinion? You were the first person to derail the thread into what it has now become. That is the ONLY useful thing you did.
You think telling me about Softether was useful? It's almost as if you think you are the only one who can use Google or something.
WHAT WAS THE FUCKING BASEMENT THING ABOUT YOU IGNORANT BASTARD
I manage a VPN server supporting both PPTP and L2TP. When clients call and complain they can't connect, the first question is what do you use, PPTP or L2TP. And the first advice is to try switching to L2TP. And it helps in 90% of cases, only 10% or so the problem is something else.
What, you thought I didn't like PPTP just because I read something in google?
The weirdest thing about this thread is that the OP seems to have created it for the sole purpose of arguing with others.
No one can deny the security issues with PPTP, but granted the OP, of course, has some valid points that it can be used for other reasons.
Nevertheless, the OP's comment:
Doesn't really make a lot of sense since OTHER VPNs are also easy to setup and their utility not only covers the use-cases of the OP but also provide real security.
Like I said, the weirdest thing about this thread is that the OP seems to have created it for the sole purpose of arguing with others.
And seriously, answer the question about the basement.
No. You acted extremely butthurt right away and deleted your original post. How could anyone respond anything positive now?
Yeah, it's your opinion of PPTP.
I personally never liked PPTP, never worked on my school WiFi.
Then OpenVPN came, and I used port 21 instead -- worked like a charm.
Oh, this thread is still alive? So troll feeding is still a thing in 2015?
The problem is OP is right in a limited sense. If you only use PPTP to bypass firewalls, and you treat it as essentially a cleartext tunnel, it's not a security problem. You are never less secure with PPTP than just connecting in clear[*]. Security all boils down to whether your system provides certain guarantees assuming an attacker can view/spoof/compute various. If you don't require anything of PPTP (no guarantees like, say, confidentiality), it is secure.
[*] here we make a slight assumption that PPTP does not have bugs that can be exploited to gain privileges by cleverly modifying the traffic going into it.
That being said, I have never personally felt that strong encryption was unacceptably difficult to set up or unacceptably bottlenecking my throughput, so I would never use PPTP myself. Fewer people have been bitten by problems resulting from upgrading a cleartext channel to an (properly) encrypted one rather than vice versa.
Those are words of wisdom
Yea so wierd that instead of trying to unfuck a derailed thread (thanks again @netomx) I just decided to have fun with it.
Oh look you posted a LMGTFY. Such an innovator....You must be a REAL security expert.
Now how about walking me through an actual hack. Giving an estimate of time involved. Cleary you all think that any PPTP connection is just automatically popped open by doing a google search. Must be because that is ALL you keyboard commandos are doing. How about getting off your lazy uncritical thinking asses and proving it to me.
I challenge you to show an actually successful hack of a pptp connection using MS-CHAPS v2. Not saying it can't be done. I want someone to actually for once show the actual vulnerability from a time effort achievability perspective.
Tagging me? Are you retard or something?
How much will you pay if we show you the vulnerabilities of it? Bc AFAIK, you want us to prove you that is not secure. Instead, you just bash.
Please @sman , stop harrasing me.
Thanks
Doubt you have the aptitude for it google boy. It's not the same as google searching and derailing threads. Just stick with what you know. I heard someone say Softether is pretty good.
You miss the point... can you afford me, pal? Go work a year to afford me, pal.
Nice try, though. Nice try
Or, we could send @netomx to a bar, buy him a "few" drinks and see how he charges then...
@sman, why don't you stick to what you know? You know PPTP, and that's fine. People offer you other solutions/alternatives to PPTP which they know about, but you're barely considering them if at all. Do realise that we're trying to help, not succumb to your insults.
I dont drink alcohol, nice try
Give me a PPTP server using MS-CHAPv2 (the default in Windows Server 2003, XP and older - Older than XP by default with even more insecure 128Bit key) and i crack you that in less than 14 days.
Here is technical info about cracking PPTP/MS-CHAPv2 - Essentially it boils down to crack a single DES key which takes around 24 hours with ASICs and 10-14 days on a recent quadcore CPU (i7-4770+).
https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/
I don't use windows servers.
Once again you are posting friggin google links. That proves precisley NOTHING other than the fact you know how to do a google search! So congratulations on that accomplishment.
Here is where the inconvenient truth of feasability comes into play. It requires you to actually think about it a little bit rather than just using google. How about you explain to me how you are going to get a packet capture of my VPN traffic in order to then feed that into their cracking software? I'll wait for you to google it.
BASEMENT
The link i posted CLEARLY and DETAILED explains how MS-CHAPv2 - which by the way is NOT Windows exclusive as you seem to think, just a default there, which it is also on many ARM devices with even recent FW - can be cracked easily in a very short timeframe compared to any other encryption (hours to days vs. (at least) centuries). I'm not going to write my own study on it for a LET post when there is a reliable source already existing.
Give me a VPN server IP without login and you will see. I even pay for the cloud cracking.
Regardless of what you seem to think is the problem here - it is FACT that older PPTP implementations, which are still the default setting especially on integrated devices like routers, are vulnerable to cracking in merely hours-days while any other VPN system mentioned (OpenVPN, SSTP, IPSEC, Softether) even in old versions and grossly misconfigured with low key size and sideband attack possibilities is at LEAST in the area of months to years.
Unlike MS-CHAPv2 there is also currently no (available) solution to crack ANY other crypt/proto mentioned by using ASICs (and only very limited by FPGAs) which again improves theoretical security by removing a highly energy efficient attack method (not dissimilar to bitcoin/scrypt miners).
While PPTP in newer versions is not inherently a risk - which i also never stated - the technology is old (old-old), was never really updated (to stay compatible) and simply not designed for current security standards, the other mentioned methods are not only more efficient by using specific CPU flags (aes-ni) but also designed with other targets in mind, notably higher security as now also possible on low cost devices with "low" CPU power.
CAN you use PPTP? Sure. If you insist on it. Is it a good idea when you compare CPU cost and security, especially when your server has aes-ni? No, it is not - The cost is not much higher but the provided security is much higher. Considering nearly any device nowadays supports either support OpenVPN, SSTP or IPSEC out of the box i really don't see much reason to use PPTP and risk it.
(Wait, there is even more if we take things like perfect forward secrecy into account, but then this would get even longer)
Here ya go.
https://www.vpnme.me/freevpn.html
https://billing.purevpn.com/pptp_l2tp_hostname_list.php
https://billing.purevpn.com/pptp_l2tp_hostname_list.php
http://www.vpnbook.com/
I....googled it....tehee! I guess that makes me a security expert around here.
Now I'm sure you are think you are just going to give me the publicly available username/password or capture after login.
You have to give the IP and describe the steps so that someone can reproduce it. I am also assuming all these outfits don't already have vulnerable servers for other reasons. After all they are using PPTP (gasp!) and according to @netomx that means they all do not know what they are doing and don't know how to google and find out about SoftEther.
B A S E M E N T
Looks like Nekki's invisible keyboard died again...
I'm just trying to attract the attention of someone who's being wilfully ignorant.