THC PPTP Bruter

Brute-force program against PPTP VPN endpoints on TCP port 1723. Supports MSChapV2 authentication and exploits a weakness in Microsoft's anti-brute-force implementation to try 300 passwords per second.

Description

thc-pptp-bruter is a standalone tool designed for brute-forcing PPTP VPN endpoints. It targets the PPTP protocol on TCP port 1723 and has been tested against both Windows and Cisco gateways. The tool fully supports the latest MSChapV2 authentication mechanism commonly used in PPTP VPNs.

It exploits a specific weakness in Microsoft's anti-brute-force protection, allowing it to reuse LCP connections with the same caller-id. This Windows hack is enabled by default and permits extremely high-speed password attempts, up to 300 per second.

Use cases include penetration testing of PPTP VPN services where weak credentials are suspected. The tool is efficient due to its parallel processing capabilities and rate limiting options, making it suitable for targeted brute-force attacks against vulnerable endpoints.

How It Works

The tool establishes PPTP connections to the target host on TCP port 1723 and performs brute-force authentication using MSChapV2. By default, it enables the Windows hack, which reuses the LCP connection with the same caller-id to bypass Microsoft's anti-brute-force protection. This allows multiple password attempts over the same connection without triggering rate limits. It supports parallel tries and can limit the number of passwords tried per second for controlled operation.
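As a defender's counterpart to the behaviour described above, this added example (not part of the tool or the original page) flags sources that send many failed MSChapV2 attempts per second or that repeat failures inside one session. The event schema, field names and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque

# Constructed sample events in a hypothetical schema (not a real product's log format):
# (timestamp_seconds, source_ip, session_id, username, auth_succeeded)
def make_sample_events():
    events = []
    # Source A: 40 failed attempts in 0.4 s, all inside one reused session.
    for i in range(40):
        events.append((100.0 + i * 0.01, "203.0.113.7", "s-1", "administrator", False))
    # Source B: a user who mistypes twice, then logs in, each time on a new session.
    events.append((100.0, "198.51.100.20", "s-2", "alice", False))
    events.append((130.0, "198.51.100.20", "s-3", "alice", False))
    events.append((160.0, "198.51.100.20", "s-4", "alice", True))
    return sorted(events)

def detect_bruteforce(events, window=1.0, max_rate=10, max_per_session=3):
    """Return {source_ip: set of reasons} for sources that look like password guessing.

    "rate"          : more than max_rate failures within `window` seconds.
    "session-reuse" : more than max_per_session failures inside one session,
                      the pattern produced when one connection carries many tries.
    """
    recent = defaultdict(deque)      # source_ip -> failure timestamps inside the window
    per_session = defaultdict(int)   # (source_ip, session_id) -> failure count
    findings = defaultdict(set)
    for ts, src, session, _user, ok in events:
        if ok:
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) > max_rate:
            findings[src].add("rate")
        per_session[(src, session)] += 1
        if per_session[(src, session)] > max_per_session:
            findings[src].add("session-reuse")
    return dict(findings)

if __name__ == "__main__":
    for src, reasons in detect_bruteforce(make_sample_events()).items():
        print(src, sorted(reasons))
```

The per-session counter still fires when the attempts are throttled below the per-second threshold, which a pure rate check would miss.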

Installation

sudo apt install thc-pptp-bruter

Flags

-v          Verbose output / Debug output
-W          Disable windows hack [default: enabled]
-u <user>   User [default: administrator]
-w <file>   Wordlist file [default: stdin]
-p <n>      PPTP port [default: 1723]
-n <n>      Number of parallel tries [default: 5]
-l <n>      Limit to n passwords / sec [default: 100]

Examples

Display help and usage information for the tool:
thc-pptp-bruter -h

Brute force PPTP on target IP using default settings (administrator user, stdin wordlist, port 1723, 5 parallel tries, 100 passwords/sec, Windows hack enabled):
thc-pptp-bruter 192.168.1.1

Brute force with custom user 'admin' and wordlist file passwords.txt:
thc-pptp-bruter -u admin -w passwords.txt 192.168.1.1

Use non-standard PPTP port 1724 with 10 parallel tries:
thc-pptp-bruter -p 1724 -n 10 192.168.1.1

Disable Windows hack and limit to 50 passwords per second:
thc-pptp-bruter -W -l 50 192.168.1.1

Verbose mode with custom user and rockyou wordlist against target:
thc-pptp-bruter -v -u testuser -w /usr/share/wordlists/rockyou.txt 10.0.0.1

Updated 2026-04-16 | kali.org