At 05:40 PM 6/4/98 -0400, you wrote:
Give me 10 minutes with a sniffer and a few nifty tools and not only can I find the PPTP session but, take control. Now, *I* have access to your file on that NiceTry Server.
<http://www.counterpane.com/pptp.html> of course.
No, actually, this is a tool that a close friend wrote while working on a test harness for the PPTP protocol. It seems that MS PPTP doesn't quite work as advertised and it was necessary to sniff a ton of sessions to determine the protocol and write the state machine to interface to something other than Winblows as a client or server. I suppose that "releasing" the crack will bring with it notoriety in the community if that's what you're after. Personally, I find it more gratifying to know it can be done and have the prowess to do it than to provide the code to every bored 13y/o on the planet via anonymous ftp.
According to my Microsoft insider, "depends what the client is. If it's NT and uses the NTLM hash, it's quite secure. If it's 9x and uses the LM hash, it's easy to crack. Basically the deal is that 9x clients use a shitty old hash method that's really easy to sniff and crack."
The session hijacked was NT<->NT. With 3DES/Blowfish/etc freely available, why does MS feel the need to _attempt_ to write their own encryption?
Supposedly there are patches that close the holes, but PPTP still doesn't appear to have been designed nicely to begin with.
---START PATCH.BAT---
;patch.bat
echo "Please insert Linux Bootable Installation CD in CD drive."
pause "Press <ENTER> when ready."
echo "This process may take several minutes depending on the speed of your computer"
pause "Please press CTRL-ALT-DEL to begin the patch process..."
---END PATCH.BAT---
-------
John Fraizer (root)       |    __   _                | The System Administrator
                          |   / /  (_)__  __ ____ __ | The choice
mailto:root@EnterZone.Net |  / /__/ / _ \/ // /\ \/ / | of a GNU
http://www.EnterZone.Net/ | /____/_/_//_/\_,_/ /_/\_\ | Generation
A 486 is a terrible thing to waste...