Look for the MS-CHAPv2 authentication sequence. In Wireshark, you can filter for ppp.protocol == 0xc223 . You are looking for three specific packets: Challenge : The server sends a random nonce to the client.
: MS-CHAPv2 relies on the DES algorithm, which is susceptible to brute-force attacks. vpn-jantit-pptp
: The client sends its username and a hashed response (NT-Response). Success/Failure : Confirms if the credentials were correct. Look for the MS-CHAPv2 authentication sequence
: The entire authentication exchange (challenges and responses) is sent in the clear, allowing an eavesdropper to capture the data needed for offline cracking. vpn-jantit-pptp
: The 16-byte random value from the server.