PPTP VPN Security Risks

Diagram showing PPTP VPN with a red cross through it.

PPTP is Microsoft’s VPN implementation, which has been around since Windows NT. Users tend to like using PPTP as it’s typically configured on Windows Desktops with a shortcut that remembers username and password for quick access.

With proper name resolution (historically WINS, now DNS), users can easily browse the network for shares and printers. On the back end, the system administrator configures PPTP on Windows Server through the Routing and Remote Access Service (RRAS) role.

While the tools used to manage and deploy PPTP systems have changed with each new version of Windows, it is widely agreed that PPTP is insecure compared to modern alternatives, and that it adds indirect support costs even when upgraded to support SSTP.

The PPTP protocol itself is no longer considered secure: cracking the initial MS-CHAPv2 authentication can be reduced to the difficulty of cracking a single 56-bit DES key, which current computers can brute-force in a very short time. This makes a strong password largely irrelevant to the security of PPTP, since the entire 56-bit keyspace can be searched within practical time constraints.

An attacker can capture the handshake (and any PPTP traffic after it), crack the handshake offline, and derive the RC4 key. Once the RC4 key is derived, the attacker can decrypt and analyze the traffic carried in the PPTP VPN. PPTP does not support forward secrecy, so cracking a single PPTP session is sufficient to crack all prior PPTP sessions that used the same credentials.

PPTP provides weak protection for the integrity of the tunneled data. The RC4 cipher provides encryption but does not verify the integrity of the data, since it is not an Authenticated Encryption with Associated Data (AEAD) cipher.

PPTP also performs no additional integrity checks on its traffic and is vulnerable to bit-flipping attacks, i.e. an attacker can modify PPTP packets with little chance of detection. Various published attacks on the RC4 cipher (such as the Royal Holloway attack) make RC4 a poor choice for protecting large volumes of transmitted data, and VPNs are a prime target for such attacks because they typically carry large amounts of sensitive data.
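As an added illustration of the two preceding paragraphs (example code, not from the original article), the Python below implements textbook RC4, applies the same bit flip to a ciphertext with and without a message authentication code, and shows that only the MAC-protected design rejects it. The key, message and byte offsets are constructed demo values; MPPE framing is not reproduced.

```python
import hashlib
import hmac
# Constructed demo values; not real MPPE session keys or PPTP frames.
KEY = b"demo-session-key"
MESSAGE = b"TRANSFER 0010 USD TO ACCOUNT 42"

def rc4(key, data):
    """Textbook RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def tamper(ciphertext, offset, old, new):
    """Model an on-path bit flip: XORing old^new into the ciphertext turns the
    decrypted bytes from `old` into `new` without any knowledge of the key."""
    buf = bytearray(ciphertext)
    for k, (o, n) in enumerate(zip(old, new)):
        buf[offset + k] ^= o ^ n
    return bytes(buf)

def decrypt_unauthenticated(key, ciphertext):
    """PPTP/MPPE style: decrypt and trust whatever comes out; no integrity check."""
    return rc4(key, ciphertext)

def seal(key, plaintext):
    """Hardened form: encrypt-then-MAC. (A real design uses separate encryption
    and MAC keys, or an AEAD such as AES-GCM; one key is used here for brevity.)"""
    ct = rc4(key, plaintext)
    return ct + hmac.new(key, ct, hashlib.sha256).digest()

def open_authenticated(key, sealed):
    """Verify the tag before decrypting; return None (drop the packet) on mismatch."""
    ct, tag = sealed[:-32], sealed[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        return None
    return rc4(key, ct)

def demo():
    """Same modification against both designs: unnoticed by the first, rejected by the second."""
    forged_weak = tamper(rc4(KEY, MESSAGE), 9, b"0010", b"9999")
    forged_strong = tamper(seal(KEY, MESSAGE), 9, b"0010", b"9999")
    return decrypt_unauthenticated(KEY, forged_weak), open_authenticated(KEY, forged_strong)
```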

PPTP Port

Point-to-Point Tunneling Protocol (PPTP) uses TCP port 1723 and IP protocol 47, Generic Routing Encapsulation (GRE). Port 1723 may be blocked by ISPs, and GRE (IP protocol 47) may not be passed by many modern firewalls and routers.
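To find legacy PPTP use on a network from firewall logs, here is an added example (not code from the article) that correlates the TCP/1723 channel with GRE (IP protocol 47) per source/destination pair and flags pairs where GRE is being dropped, which is the connectivity failure the text describes. The log line format and addresses are constructed for the demo and must be adapted to a real device's format.

```python
import re
from collections import defaultdict
# Constructed firewall log lines for this demo (not from any real device).
SAMPLE_LOG = """\
2024-05-01T09:00:01Z ALLOW proto=6 src=10.1.1.5 dst=203.0.113.10 sport=51000 dport=1723
2024-05-01T09:00:02Z ALLOW proto=47 src=10.1.1.5 dst=203.0.113.10
2024-05-01T09:00:05Z ALLOW proto=6 src=10.1.1.7 dst=203.0.113.10 sport=51001 dport=1723
2024-05-01T09:00:06Z DENY proto=47 src=10.1.1.7 dst=203.0.113.10
2024-05-01T09:00:09Z ALLOW proto=6 src=10.1.1.8 dst=203.0.113.10 sport=51002 dport=443
2024-05-01T09:00:11Z ALLOW proto=47 src=10.1.1.9 dst=198.51.100.4
""".splitlines()
PPTP_CONTROL_PORT, PROTO_TCP, PROTO_GRE = 1723, 6, 47  # GRE is IP protocol 47
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) proto=(?P<proto>\d+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+)(?: sport=\d+ dport=(?P<dport>\d+))?$")

def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["proto"] = int(rec["proto"])
    rec["dport"] = int(rec["dport"]) if rec["dport"] else None
    return rec

def classify_pptp(lines):
    """Correlate PPTP's two channels per (src, dst) pair: TCP/1723 + GRE allowed
    is a live tunnel; TCP/1723 allowed but GRE denied means the client cannot
    connect (GRE not passed); GRE with no TCP/1723 is likely some other GRE use."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines rather than abort the sweep
        pair = (rec["src"], rec["dst"])
        if rec["proto"] == PROTO_TCP and rec["dport"] == PPTP_CONTROL_PORT:
            seen[pair].add("ctrl-" + rec["action"].lower())
        elif rec["proto"] == PROTO_GRE:
            seen[pair].add("gre-" + rec["action"].lower())
    verdicts = {}
    for pair, ev in seen.items():
        if "ctrl-allow" in ev and "gre-allow" in ev:
            verdicts[pair] = "pptp-tunnel-active"
        elif "ctrl-allow" in ev and "gre-deny" in ev:
            verdicts[pair] = "pptp-gre-blocked"
        elif any(e.startswith("ctrl") for e in ev):
            verdicts[pair] = "pptp-control-only"
        else:
            verdicts[pair] = "gre-only"
    return verdicts
```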

PPTP VPN Vulnerabilities

Security experts have reviewed PPTP and listed numerous known vulnerabilities including:

MS-CHAP-V1 is Fundamentally Insecure

Tools exist that can easily extract the NT Password hashes from MS-CHAP-V1 authentication traffic. MS-CHAP-V1 is the default setting on older Windows Servers.

MS-CHAP-V2 is Vulnerable

MS-CHAP-V2 is vulnerable to dictionary attacks on captured challenge-response packets. Tools exist to crack these exchanges rapidly.

PPTP VPN Brute Force Attack Possibilities

It has been demonstrated that the complexity of a brute-force attack on an MS-CHAP-v2 key is equivalent to a brute-force attack on a single DES key. Because PPTP has no built-in option for multi-factor (two-factor) authentication, PPTP implementations are left highly vulnerable.

PPTP VPN Additional Support Costs

Beware of the additional support costs commonly associated with PPTP and the Microsoft VPN client.

  • By default, all of an end user’s Windows network traffic is routed through the office VPN. As a result, the internal network is left open to malware from the remote machine, and internet access slows down for all users at the office.
  • PPTP is blocked at many locations because of its known security issues, resulting in help desk calls to resolve connectivity problems.
  • Conflicts between a remote site’s internal subnets and the office subnets can break Microsoft VPN routing, resulting in no connectivity and, again, additional support costs.
  • Minor network fluctuations can disconnect the Microsoft VPN client while it is in use, corrupting files and leading to restores and lost work.
  • The IT department will need to maintain an additional fleet of corporate laptops with the Microsoft VPN client preconfigured for each potential remote user.
  • CryptoLocker-type ransomware is free to encrypt files over the VPN tunnel.

PPTP VPN – MyWorkDrive as a Solution

MyWorkDrive acts as the perfect VPN Alternative solution

In contrast, with MyWorkDrive the security risks of supporting Microsoft PPTP or SSTP VPNs are eliminated:

  • Users get an elegant, easy-to-use Web File Manager client accessible from any browser.
  • IT support costs are eliminated: users simply log on with their existing Windows Active Directory/Entra ID credentials, or through ADFS or any SAML provider, to access company shares and home drives and to edit or view documents online.
  • Mobile clients for Android/iOS and the MyWorkDrive desktop mapped-drive client are available.
  • Unlike a VPN, MyWorkDrive can block file types and raise alerts when file changes exceed set thresholds, to stop ransomware.
  • For security, all MyWorkDrive clients support Duo two-factor authentication.

Daniel, Founder of MyWorkDrive.com, has worked in various technology management roles serving enterprises, government and education in the San Francisco Bay Area since 1992. Daniel is certified in Microsoft technologies, writes about information technology, security and strategy, and has been awarded US Patent #9985930 in remote access networking.