What is THC-PPTP-Bruter?
THC-PPTP-Bruter is a specialized penetration testing tool designed to brute-force PPTP (Point-to-Point Tunneling Protocol) VPN endpoints. Developed by The Hacker’s Choice (THC), this tool is particularly useful for testing the strength of PPTP VPN passwords.
PPTP is an older VPN protocol that has known vulnerabilities, making it a common target for security assessments. THC-PPTP-Bruter allows security professionals to test their own PPTP VPN servers for weak passwords that could be exploited by attackers.
How THC-PPTP-Bruter Works
The tool works by:
- Connecting to a PPTP VPN endpoint
- Attempting authentication with provided credentials (either single password or from a wordlist)
- Monitoring the response to determine if authentication was successful
- Reporting valid credentials when found
PPTP uses MS-CHAPv2 authentication by default, which has known cryptographic weaknesses that tools like this can exploit.
Installation on Kali Linux
THC-PPTP-Bruter is not included by default in Kali Linux, but can be installed easily:
# Install dependencies
sudo apt update
sudo apt install -y build-essential libssl-dev
# Download and extract THC-PPTP-Bruter
wget https://www.thc.org/thc-pptp-bruter-0.1.4.tar.gz
tar xvfz thc-pptp-bruter-0.1.4.tar.gz
cd thc-pptp-bruter-*
# Compile and install
./configure
make
sudo make install
Basic Usage Examples
Basic brute-force attack:
thc-pptp-bruter -h vpn.target.com -u admin -W /usr/share/wordlists/rockyou.txt
Using a username list:
thc-pptp-bruter -h 192.168.1.100 -U users.txt -p Password123
Testing a single credential:
thc-pptp-bruter -h corp-vpn.example.com -u jsmith -p Winter2023
Advanced Usage Examples
Parallel attacks with multiple threads:
thc-pptp-bruter -h vpn.example.org -U users.txt -W passwords.txt -t 10
Using a different port (non-standard PPTP port):
thc-pptp-bruter -h target.com -p 5432 -u admin -W big_wordlist.txt
Saving results to a file:
thc-pptp-bruter -h 10.0.0.1 -U userlist.txt -W passlist.txt -o results.txt
Continuing an interrupted attack:
thc-pptp-bruter -h vpn.target.com -u admin -W big_list.txt -c last_try.txt
Command-Line Options
Options Breakdown
| Option | Description |
|---|---|
| -v | Verbose/Debug output – Shows detailed logs of the brute-force process. Useful for troubleshooting. |
| -W | Disable Windows Hack (enabled by default) – Bypasses Microsoft’s anti-bruteforce protection by reusing the same LCP connection and Caller-ID. Disabling this may trigger lockouts. |
| -u | Username to attack (default: administrator). Can be a single username or a file with -U (if supported). |
| -w | Wordlist file containing passwords (default: reads from stdin). Example: -w /usr/share/wordlists/rockyou.txt. |
| -p | PPTP port (default: 1723). Change if the VPN uses a non-standard port. |
| -n | Number of parallel attempts (default: 5). Increasing this speeds up attacks but may trigger rate-limiting. |
| -l | Limit password attempts per second (default: 100). Helps avoid detection. |
Windows Hack (-W Option)
- By default, THC-PPTP-Bruter bypasses Microsoft’s anti-bruteforce by reusing the same LCP (Link Control Protocol) session and Caller-ID.
- If disabled (-W), the server may detect and block repeated login attempts.
- Why it works: MS-CHAPv2 (PPTP’s auth protocol) is weak and allows session reuse, making brute-forcing easier.
Practical Usage Examples
1. Basic Attack (Single User + Wordlist)
thc-pptp-bruter -u admin -w passwords.txt 192.168.1.100
- Targets 192.168.1.100 with username admin and passwords from passwords.txt.
2. Verbose Mode + Non-Standard Port
thc-pptp-bruter -v -u vpnuser -w rockyou.txt -p 1234 10.0.0.5
- Tests against port 1234 with debug output.
3. Disabling Windows Hack (Slower, Less Detectable)
thc-pptp-bruter -W -u administrator -w dict.txt 203.0.113.10
- Disables the LCP reuse trick (may trigger account lockouts).
4. Rate-Limited Attack (Avoid Detection)
thc-pptp-bruter -u guest -w wordlist.txt -l 30 192.168.1.1
- Limits to 30 passwords per second to evade rate-based detection.
5. Parallel Attacks (Faster Bruteforce)
thc-pptp-bruter -u admin -w biglist.txt -n 10 172.16.0.1
- Uses 10 parallel threads for faster cracking.
Real-World Use Cases
- Penetration Testing: Ethical hackers use THC-PPTP-Bruter to test organizational VPN security during authorized security assessments.
- Security Audits: IT security teams can verify if their PPTP VPN implementations are vulnerable to brute-force attacks.
- Password Policy Validation: Testing whether current password policies are effective against brute-force attempts.
- Incident Response: After a breach, determining if compromised credentials could have been obtained via PPTP brute-forcing.
- Security Research: Studying attack patterns and improving defensive measures against PPTP-based attacks.
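Detection example (added here; not part of THC-PPTP-Bruter or the original article): a defender's view of the -l and -n options described above. A short burst window catches fast guessing, and a long window catches guessing throttled to stay under it. The log format, thresholds and addresses are constructed assumptions, not output from any particular PPTP server.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def sample_events():
    """Constructed events in an assumed normalized format (not real server output)."""
    t0 = datetime(2024, 5, 1, 10, 0, 0)
    ev = []
    for i in range(40):    # fast guessing: 40 failures in about 2 seconds
        ev.append((t0 + timedelta(milliseconds=50 * i), "198.51.100.7", "admin", "fail"))
    for i in range(150):   # throttled guessing: one failure every 20 seconds
        ev.append((t0 + timedelta(seconds=20 * i), "203.0.113.9", "admin", "fail"))
    for s, r in [(5, "fail"), (12, "fail"), (20, "ok")]:  # user mistyping a password
        ev.append((t0 + timedelta(seconds=s), "192.0.2.44", "jsmith", r))
    ev.sort()
    return [f"{ts.isoformat()} src={src} user={u} result={r}" for ts, src, u, r in ev]

def parse(line):
    """Split one 'timestamp key=value ...' line into (time, source IP, result)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kv["src"], kv["result"]

def detect(lines, burst=(timedelta(seconds=10), 20), slow=(timedelta(hours=1), 100)):
    """Return {source IP: {"burst", "slow"}} for sources over either threshold.

    Expects lines in time order. Thresholds are illustrative assumptions."""
    fails = defaultdict(deque)   # per-source timestamps of recent failures
    alerts = defaultdict(set)
    for line in lines:
        ts, src, result = parse(line)
        if result != "fail":
            continue
        q = fails[src]
        q.append(ts)
        while ts - q[0] > slow[0]:          # drop failures older than the long window
            q.popleft()
        if len(q) >= slow[1]:               # many failures spread over a long period
            alerts[src].add("slow")
        if sum(1 for t in q if ts - t <= burst[0]) >= burst[1]:
            alerts[src].add("burst")        # many failures in a few seconds
    return dict(alerts)

if __name__ == "__main__":
    for src, reasons in sorted(detect(sample_events()).items()):
        print(src, sorted(reasons))
```

The throttled source never trips the burst rule, which is why the long window is needed; the user who mistypes twice and then logs in is not flagged by either.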
Troubleshooting Tips
Connection Issues:
- Verify the target PPTP service is running: telnet <target> 1723
- Check firewall rules that might block PPTP traffic (TCP 1723 and GRE protocol 47)
Authentication Problems:
- Ensure the server supports MS-CHAPv2 (required for this tool)
- Try known-good credentials manually first to verify the service works
Performance Issues:
- Reduce thread count (-t) if experiencing network timeouts
- Increase timeout (-T) for high-latency networks
Tool-Specific Problems:
- Recompile if experiencing crashes: make clean && make
- Verify all dependencies are installed (libssl-dev is critical)
- Check Kali’s repository for an updated version if experiencing bugs
Ethical Considerations:
- Always obtain proper authorization before testing
- Use only on systems you own or have permission to test
- Be aware of legal implications – unauthorized use is illegal
Important Notes
Always document your testing activities and obtain written permission before conducting any security assessments.
PPTP is considered insecure and should not be used for sensitive communications. Microsoft has recommended against using PPTP since 2012.
THC-PPTP-Bruter should only be used for legitimate security testing purposes with proper authorization.
Many modern networks have moved away from PPTP to more secure VPN protocols like OpenVPN, IPSec, or WireGuard, against which this tool is ineffective.