Are there any known vulnerabilities in PPTP VPNs when configured properly?

  • PPTP is the only VPN protocol supported by some devices (for example, the Asus RT-AC66U WiFi router). If PPTP is configured to only use the most secure options, does its use present any security vulnerabilities?

    The most secure configuration of PPTP is to exclusively use:

    • MPPE-128 encryption (which uses RC4 encryption with a 128-bit key)
    • MS-CHAPv2 authentication (which uses SHA-1)
    • strong passwords (minimum 128 bits of entropy)

    I realize that RC4 and SHA-1 have weaknesses, but I am interested in practical impact. Are there known attacks or exploits that would succeed against a PPTP VPN with the above configuration?

    This is what I'm looking for... For enterprise use, PPTP is out. But, what about a single user/family wanting to connect to their home network, or get some protection at a hotspot. How broken is PPTP for single, non-enterprise use?

  • Nasrus (correct answer)

    8 years ago

    Yes. The protocol itself is no longer secure, as cracking the initial MS-CHAPv2 authentication can be reduced to the difficulty of cracking a single DES 56-bit key, which with current computers can be brute-forced in a very short time (making a strong password largely irrelevant to the security of PPTP as the entire 56-bit keyspace can be searched within practical time constraints).

    The attacker can do a MITM to capture the handshake (and any PPTP traffic after that), do an offline crack of the handshake and derive the RC4 key. Then, the attacker will be able to decrypt and analyse the traffic carried in the PPTP VPN. PPTP does not provide forward secrecy, so just cracking one PPTP session is sufficient to crack all previous PPTP sessions using the same credentials.

    Additionally, PPTP provides weak protection to the integrity of the data being tunneled. The RC4 cipher, while providing encryption, does not verify the integrity of the data as it is not an Authenticated Encryption with Associated Data (AEAD) cipher. PPTP also doesn't do additional integrity checks on its traffic (such as HMAC), and is hence vulnerable to bit-flipping attacks, i.e. the attacker can modify PPTP packets with little possibility of detection. Various discovered attacks on the RC4 cipher (such as the Royal Holloway attack) make RC4 a bad choice for securing large amounts of transmitted data, and VPNs are a prime candidate for such attacks as they by nature usually transmit sensitive and large amounts of data.

    If you want to, you can actually try cracking a PPTP session yourself. For a Wi-Fi user, it involves ARP poisoning your target such that the target sends the MS-CHAPv2 handshake through you (which you can capture with Wireshark or any other packet capture tool). You can then crack the handshake with tools like Chap2Asleap, or if you have a few hundred dollars to spare submit the captured handshake to online cracking services. The recovered username, hash, password and encryption keys can then be used to impersonate logins to the VPN as that user, or to retroactively decrypt the target's traffic. Obviously, please do not do this without proper authorisation and outside a controlled environment.

    In short, please avoid using PPTP where possible.

    For more information, see and How can I tell if a PPTP tunnel is secure?.

    Issues discovered with RC4 (resulting in real world security issues in protocols like TLS) can be found in and

    For the cracking portion, refer to and
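
The integrity point in the answer above, as an added example that is not part of the original answer: a simplified model (plain RC4 over one constructed message, not real MPPE framing) showing that a ciphertext without a MAC can be altered so it still decrypts cleanly, and that an encrypt-then-MAC check rejects the same change. The keys, the sample packet and the HMAC wrapper are assumptions made for illustration; PPTP itself has no such check.

```python
import hashlib
import hmac

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encrypting and decrypting are the same XOR."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)

def flip(ciphertext: bytes, offset: int, known: bytes, wanted: bytes) -> bytes:
    """Change known plaintext at offset with no key: c' = c XOR known XOR wanted."""
    out = bytearray(ciphertext)
    for n, (k, w) in enumerate(zip(known, wanted)):
        out[offset + n] ^= k ^ w
    return bytes(out)

def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: ciphertext followed by a 32-byte HMAC-SHA256 tag."""
    ct = rc4(enc_key, plaintext)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()

def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes):
    """Return the plaintext, or None if the tag does not match the ciphertext."""
    ct, tag = blob[:-32], blob[-32:]
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    return rc4(enc_key, ct) if hmac.compare_digest(tag, expected) else None

# Constructed sample values, not taken from any real PPTP session.
ENC_KEY = bytes(range(16))
MAC_KEY = bytes(range(16, 48))
PACKET = b"PAY alice amount=0010"

def demo():
    """Apply the same 4-byte change to a bare and to a MAC-protected ciphertext."""
    bare = rc4(ENC_KEY, flip(rc4(ENC_KEY, PACKET), 17, b"0010", b"9910"))
    sealed = seal(ENC_KEY, MAC_KEY, PACKET)
    tampered = open_sealed(ENC_KEY, MAC_KEY, flip(sealed, 17, b"0010", b"9910"))
    return bare, tampered, open_sealed(ENC_KEY, MAC_KEY, sealed)
```

`demo()` returns the altered plaintext accepted by the bare RC4 receiver, `None` for the tampered authenticated message, and the original packet for the untouched one.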

    Thanks for the info! It sounds like it's for this very reason that Apple has removed PPTP VPN support from both their desktop (macOS) and mobile OS (iOS):

License under CC-BY-SA with attribution

Content dated before 7/24/2021 11:53 AM