
Point-to-Point Tunneling Protocol [PPTP]

Team: Invincibles

Deepak Tripathi

Habibeh Deyhim

Karthikeyan Gopal

Satish Madiraju

Tusshar RakeshNLN

Agenda

• Overview
• PPTP Connections
• PPTP Architecture
• PPTP Underlying Technology
• PPP Architecture
• PPTP Security

PPTP ?

PPTP - enables secure data transfers between a remote client and an enterprise server by creating a VPN across an IP-based internetwork

Success of PPTP

• The use of PSTNs (Public Switched Telephone Networks).
• Support for non-IP protocols.

PPTP Connections

For Remote Access:

• PPTP client connects to the ISP using Dial-Up Networking.
• PPTP then creates a tunnel between the VPN client and the VPN server.

For LAN internetworking:

• It does not require the ISP connection phase, so the tunnel can be created directly.

PPTP Architecture

PPTP employs three processes to secure PPTP-based communication over unsecured media:

• PPP-based connection establishment
• PPTP connection control
• PPTP tunneling and data transfer

PPTP Connection Control

Common PPTP control messages

| Name | Description |
|---|---|
| Start-Control-Connection-Request | Request from the PPTP client to establish the control connection. |
| Start-Control-Connection-Reply | Reply from the PPTP server to the client. |
| Outgoing-Call-Request | Request from the PPTP client to the server to establish a PPTP tunnel. |
| Outgoing-Call-Reply | Response from the PPTP server to the client. |
| Echo-Request | Keep-alive mechanism from either server or client. |
| Echo-Reply | Response to the Echo-Request message. |
| Stop-Control-Connection-Request | Request message from the PPTP client or server notifying the other end of the termination of the control connection. |
| Stop-Control-Connection-Reply | Reply response from the opposite end. |
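As an added example (not part of the original slides), the following Python sketch decodes the 12-byte header that starts each of the control messages in the table, the kind of check a monitoring tool can use to identify PPTP control traffic. The header layout, magic cookie and type numbers are taken from RFC 2637; the function names and the sample message are constructed for illustration.

```python
import struct

# Constants from RFC 2637; the slide gives the message names only.
PPTP_MAGIC_COOKIE = 0x1A2B3C4D
PPTP_CONTROL_MESSAGE = 1
CONTROL_TYPES = {
    1: "Start-Control-Connection-Request",
    2: "Start-Control-Connection-Reply",
    3: "Stop-Control-Connection-Request",
    4: "Stop-Control-Connection-Reply",
    5: "Echo-Request",
    6: "Echo-Reply",
    7: "Outgoing-Call-Request",
    8: "Outgoing-Call-Reply",
}
HEADER = struct.Struct("!HHIHH")  # length, PPTP type, cookie, control type, reserved


def parse_control_header(data: bytes) -> dict:
    """Validate and decode the 12-byte header that starts every control message."""
    if len(data) < HEADER.size:
        raise ValueError("truncated PPTP control header")
    length, pptp_type, cookie, ctrl_type, _reserved = HEADER.unpack_from(data)
    if cookie != PPTP_MAGIC_COOKIE:
        raise ValueError("magic cookie mismatch: not PPTP or stream out of sync")
    if pptp_type != PPTP_CONTROL_MESSAGE:
        raise ValueError(f"unexpected PPTP message type {pptp_type}")
    if length < HEADER.size or length > len(data):
        raise ValueError("length field does not match the captured bytes")
    return {
        "length": length,
        "control_type": ctrl_type,
        "name": CONTROL_TYPES.get(ctrl_type, f"other ({ctrl_type})"),
        "body": data[HEADER.size:length],
    }


def build_echo_request(identifier: int) -> bytes:
    """Constructed sample: an Echo-Request is the header plus a 4-byte identifier."""
    header = HEADER.pack(16, PPTP_CONTROL_MESSAGE, PPTP_MAGIC_COOKIE, 5, 0)
    return header + struct.pack("!I", identifier)


if __name__ == "__main__":
    msg = parse_control_header(build_echo_request(0x01020304))
    print(msg["name"], msg["length"], msg["body"].hex())
```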

PPTP Data Tunneling and Processing

[Figure: packet processing at the sender end and at the recipient end]

Underlying Technology

• PPTP is based on PPP
• Operates at layer 2 of OSI
• Advantages:
  • Can operate any DTE or DCE including EIA/TIA-232-C and ITUV.3
  • Does not restrict transmission rates
• Requirement: Availability of a duplex connection
  • Synchronous
  • Asynchronous

PPP architecture

• PPP is a standards-based protocol.
• PPP's frame format is based on HDLC.
• PPP can negotiate link options dynamically and support multiple Layer 3 protocols, such as IP, IPX, and AppleTalk.

PPP architecture - LCP

• PPP defines the Link Control Protocol (LCP).
• The job of the LCP: establish, configure, and test the data-link connection.
  • Callback
  • Data compression
  • Multilink
  • PAP authentication
  • CHAP authentication

LCP Authentication

PAP vs. CHAP

PAP (Password Authentication Protocol)

• Remote host is in control of login requests (trial-and-error attack).
• Password is sent in clear text.

LCP Authentication

PAP vs. CHAP

CHAP (Challenge Handshake Authentication Protocol)

• Access server is in control of login attempts.
• Password is not transmitted in clear text.

CHAP Operation
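The CHAP exchange as defined in RFC 1994, written out as an added Python example that is not part of the original slides: the access server issues a fresh challenge, the peer answers with MD5 over identifier, secret and challenge, and the server checks the result. The class name, peer name and shared secret are constructed for illustration.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || secret || Challenge value)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class AccessServer:
    """Authenticator side: it decides when to challenge and checks each response."""

    def __init__(self, secrets: dict):
        self.secrets = secrets            # peer name -> shared secret (constructed)
        self.identifier = 0
        self.challenge = None

    def new_challenge(self) -> tuple:
        self.identifier = (self.identifier + 1) % 256
        self.challenge = os.urandom(16)   # fresh and unpredictable for every attempt
        return self.identifier, self.challenge

    def verify(self, name: str, response: bytes) -> bool:
        secret = self.secrets.get(name)
        if secret is None or self.challenge is None:
            return False
        expected = chap_response(self.identifier, secret, self.challenge)
        self.challenge = None             # a challenge is valid for one attempt only
        return hmac.compare_digest(expected, response)


def demo() -> dict:
    secret = b"constructed-shared-secret"
    server = AccessServer({"branch-router": secret})
    ident, chal = server.new_challenge()
    good = chap_response(ident, secret, chal)
    results = {"valid": server.verify("branch-router", good)}
    # A captured response replayed against a later challenge must fail.
    server.new_challenge()
    results["replay"] = server.verify("branch-router", good)
    ident, chal = server.new_challenge()
    wrong = chap_response(ident, b"guess", chal)
    results["wrong_secret"] = server.verify("branch-router", wrong)
    # What crosses the link is a 16-byte digest, never the secret itself.
    results["on_wire_len"] = len(good)
    return results


if __name__ == "__main__":
    print(demo())
```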

PPP architecture - NCP

• Link partners exchange NCP packets to establish and configure different network-layer protocols including IP, IPX, and AppleTalk.
• Each Layer 3 protocol has its own NCP.
• The NCP can build up and tear down multiple Layer 3 protocol sessions over a single data link.

PPTP Security

• Data Encryption
• Data Authentication
• Packet Filtering
• Firewalls & Routers

Encryption

• Microsoft Point to Point Encryption
• RSA RC4 Algorithm with 40 or 128 bit key
• XOR Attack
• Bit Flipping Attack

Authentication Methods

• Clear Text password
• LANMAN Hash
• NT Encryption Hash
• Challenge/Response MSCHAP

LAN Manager Hash

• Password
• 14 Byte String
• Convert to uppercase
• Divide into two 7 character strings
• Encrypt a fixed constant with a string
• Merge both 8 byte strings
• 16 byte hashed string

NT Encryption Hash

• Password
• Unicode
• Hash using MD4
• 16 Byte hash

MSCHAP

• Client requests login challenge
• Server sends 8 byte random challenge
• Client calculates LANMAN hash or NT hash
• Partitions the key into three keys
• Each key encrypts the challenge
• Three keys are merged and sent as response

MSCHAP…

Secret Password: P0 P1 P2 P3 P4 P5 P6 P7 P8 P9 P10 P11 P12 P13

LM hash of the password: H0 H1 H2 H3 H4 H5 H6 H7 H8 H9 H10 H11 H12 H13 H14 H15

3 DES keys derived: K0 K1 K2 K3 K4 K5 K6 | K7 K8 K9 K10 K11 K12 K13 | K14 K15 0 0 0 0 0 (zero bytes in positions 16 to 20)

Challenge response (3 DES encryptions of 8-byte challenge): R0 R1 R2 R3 R4 R5 R6 R7 | R8 R9 R10 R11 R12 R13 R14 R15 | R16 R17 R18 R19 R20 R21 R22 R23
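The byte layout in the LAN Manager Hash and MSCHAP slides, reproduced as an added Python example that is not part of the original deck. It performs the LM preprocessing, the zero-padding and three-way split of the 16-byte hash, and the 7-byte to 8-byte DES key expansion, and counts how many secret bits each key carries; it does not run DES itself. The function names are hypothetical, the password is assumed to be ASCII, and the sample hash is a constructed stand-in.

```python
def lm_halves(password: str) -> tuple:
    """LM preprocessing: uppercase, pad or truncate to 14 bytes, split into 7 + 7."""
    raw = password.upper().encode("ascii")[:14].ljust(14, b"\0")
    return raw[:7], raw[7:]


def des_key_from_7_bytes(k7: bytes) -> bytes:
    """Spread 56 key bits over 8 bytes, 7 bits each, with odd parity in the low bit."""
    if len(k7) != 7:
        raise ValueError("expected a 7-byte string")
    bits = int.from_bytes(k7, "big")
    out = bytearray()
    for i in range(8):
        byte = ((bits >> (49 - 7 * i)) & 0x7F) << 1
        if bin(byte).count("1") % 2 == 0:
            byte |= 1
        out.append(byte)
    return bytes(out)


def mschap_des_keys(hash16: bytes) -> list:
    """Zero-pad the 16-byte LM or NT hash to 21 bytes and cut three 7-byte keys."""
    if len(hash16) != 16:
        raise ValueError("expected a 16-byte hash")
    padded = hash16 + b"\0" * 5
    return [padded[i:i + 7] for i in (0, 7, 14)]


def secret_bits_per_key() -> list:
    """Hash-derived (secret) bits in each key; padding positions 16..20 are public."""
    return [8 * sum(1 for pos in range(s, s + 7) if pos < 16) for s in (0, 7, 14)]


if __name__ == "__main__":
    # A password of 7 characters or fewer leaves the second LM half as pure padding.
    print(lm_halves("Secret1"))
    sample_hash = bytes(range(16))        # constructed stand-in for H0..H15
    for key in mschap_des_keys(sample_hash):
        print(key.hex(), "->", des_key_from_7_bytes(key).hex())
    print(secret_bits_per_key())
```

The third key depends on only two hash bytes (H14, H15), and the LM step discards case and treats each 7-character half independently, which is why the closing slides rate PPTP as the weaker option.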

Packet Filtering & Firewalls

Packet filtering allows a server to route packets to only authenticated clients

Firewalls filter the traffic on the basis of an ACL (Access Control List)

Cakewalk! AsLEAP

No Such Thing As Free Lunch!

PPTP is the weaker option security-wise; IPSec and L2TP are more secure

PPTP is platform dependent

Requires extensive configuration
