Any way to sniff PPP authentication?
Our instructor brought up a question in class, asking whether it is possible to sniff PPP authentication? My answer would be no, as it is only a point-to-point protocol. But that brings up the idea of PPPoE and whether a capture program could "peel" the frames off enough to get to the encrypted username and password?
Anyone have any thoughts?
Re: Any way to sniff PPP authentication?
OK, just so I don't accidentally answer a homework question, I'm going to provide vague hints instead of direct answers. So, you need to look deeper. Have a read of this.
Re: Any way to sniff PPP authentication?
Quote (originally posted by A Student):
Our instructor brought up a question in class, asking whether it is possible to sniff PPP authentication? My answer would be no, as it is only a point-to-point protocol. But that brings up the idea of PPPoE and whether a capture program could "peel" the frames off enough to get to the encrypted username and password?
Anyone have any thoughts?
I seem to recall it being a no, though that may have something to do with how RADIUS works in dial-up situations and such.
PPP as a standard supports CHAP and PAP, so if you can decode those (or MiTM them) then I would say it's possible. I'm not familiar with any tools though, some others may be, and a quick google didn't reveal any while I was thinking about it.
Edit: Or what lupin said :)
Re: Any way to sniff PPP authentication?
No, this is not homework; we are doing layer 2 security in lab. And thanks for the read, but I am aware of the differences of PAP and CHAP, gotta love the BCMSN book. I set up a CHAP DCE/DTE connection between two of my 2610 routers, and I couldn't think of a way to sniff what was happening between the two. Then he mentioned something about PPPoE, and got me thinking that it might be possible, if you could somehow sniff the link between the routers.
Thanks
Re: Any way to sniff PPP authentication?
Quote (originally posted by A Student):
I am aware of the differences of PAP and CHAP, gotta love the BCMSN book
A proper understanding of PAP and CHAP (the authentication protocols used in PPP) should tell you whether it is possible to sniff PPP authentication. Don't think about specific technical means of reading the packets sent over PPP links, because that is always possible given physical access to the media itself and the right tools (the specific method will be media dependent given that PPP links can be established over various types of media). If the software solution you are using to establish the link doesn't support sniffing, you can always physically tap the line.
Instead, think about how the data is transferred over the wire. Is it encrypted or not?
Edit: And if encrypted, can it be easily decrypted (or even replayed if you want to consider other attacks)?
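An added example, not part of any post in this thread: a small decoder for the two PPP authentication protocols named above, showing which fields each one puts on the wire (PAP per RFC 1334, CHAP with MD5 per RFC 1994) and why a captured CHAP response does not verify against a fresh challenge. The frames, the secret "lab-secret", the names "r2610", "R1", "R2" and all function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

PAP, CHAP = 0xC023, 0xC223  # PPP protocol numbers for PAP and CHAP

def pkt(proto, code, ident, data):
    """Build protocol field + code/id/length header + data (sample frames only)."""
    return struct.pack("!HBBH", proto, code, ident, 4 + len(data)) + data

def chap_md5(ident, secret, challenge):
    """RFC 1994 response value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def parse_auth(frame):
    """Decode one PPP frame (starting at the protocol field) carrying PAP or CHAP."""
    proto, code, ident, length = struct.unpack("!HBBH", frame[:6])
    data = frame[6:2 + length]  # length covers code, id, length and data
    if proto == PAP and code == 1:  # Authenticate-Request
        id_len = data[0]
        pw_len = data[1 + id_len]
        return {"proto": "PAP", "secret_on_wire": True,
                "peer_id": data[1:1 + id_len].decode(),
                "password": data[2 + id_len:2 + id_len + pw_len].decode()}
    if proto == CHAP and code in (1, 2):  # Challenge or Response
        vlen = data[0]
        return {"proto": "CHAP", "secret_on_wire": False, "id": ident,
                "kind": "challenge" if code == 1 else "response",
                "value": data[1:1 + vlen], "name": data[1 + vlen:].decode()}
    raise ValueError("not a PAP request or CHAP challenge/response")

def response_accepted(response_value, ident, challenge, secret):
    """Authenticator-side check of a CHAP response against the challenge it issued."""
    return hmac.compare_digest(response_value, chap_md5(ident, secret, challenge))

# Constructed sample traffic (not a real capture).
SECRET = b"lab-secret"
CHALLENGE = bytes(range(16))
PAP_REQ = pkt(PAP, 1, 1, bytes([5]) + b"r2610" + bytes([len(SECRET)]) + SECRET)
CHAP_CHAL = pkt(CHAP, 1, 7, bytes([16]) + CHALLENGE + b"R1")
CHAP_RESP = pkt(CHAP, 2, 7, bytes([16]) + chap_md5(7, SECRET, CHALLENGE) + b"R2")

if __name__ == "__main__":
    for frame in (PAP_REQ, CHAP_CHAL, CHAP_RESP):
        print(parse_auth(frame))
    captured = parse_auth(CHAP_RESP)["value"]
    fresh = bytes(range(16, 32))  # authenticator picks a new challenge each time
    print("same challenge:", response_accepted(captured, 7, CHALLENGE, SECRET))
    print("fresh challenge:", response_accepted(captured, 8, fresh, SECRET))
```
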