To crack a PPTP VPN, first grab a copy of Moxie Marlinspike’s chapcrack and follow its directions.

The first thing you’ll need is the network traffic containing the MS-CHAPv2 handshake of the PPTP VPN you’d like to crack. To get it, use a tool such as tcpdump or Wireshark to take a network capture of a client connecting to the PPTP VPN service.

Extracting Handshake
Next, use chapcrack to parse the capture and extract the PPTP VPN MS-CHAPv2 handshake.

# chapcrack.py parse -i /path/to/capture.cap

Then submit the token chapcrack outputs to the Get Cracking page.

Using the Results
Once you have the resulting NTHASH, you can decrypt a PPTP packet capture:

chapcrack.py decrypt -i </path/to/capture.cap> -o output.cap -n NTHASH

In theory, the NTHASH can also be used as a password equivalent to authenticate to the network.
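The defender's counterpart to the procedure above is knowing where PPTP is still in use, since any capture of a client connecting contains the MS-CHAPv2 handshake described here. The following script is an added example, not code from the original page or from chapcrack: it scans flow records for a TCP/1723 control connection followed by GRE between the same two hosts, which is the shape of a PPTP session, so such sessions can be inventoried and moved to a stronger VPN. The flow-record format, addresses and timestamps are constructed for the example.

```python
"""Flag PPTP VPN sessions in flow logs so they can be inventoried and retired.

Added example (not part of the original page): a PPTP session is a TCP/1723
control connection followed by GRE (IP protocol 47) between the same two hosts,
and it is inside that GRE tunnel that the MS-CHAPv2 handshake travels.
"""
import re
from collections import defaultdict

# Constructed sample flow records: "<epoch> <src> <dst> <proto> <dport>".
# The addresses and timestamps are made up for this example.
SAMPLE_FLOWS = """\
1700000001 10.0.0.5 203.0.113.10 tcp 1723
1700000002 10.0.0.5 203.0.113.10 gre -
1700000003 10.0.0.7 203.0.113.10 tcp 443
1700000004 10.0.0.9 198.51.100.2 gre -
1700000005 10.0.0.12 203.0.113.10 tcp 1723
1700001000 10.0.0.12 203.0.113.10 gre -
"""

FLOW_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+([a-z]+)\s+(\d+|-)$")
PPTP_CONTROL_PORT = 1723


def parse_flows(text):
    """Parse flow lines into (ts, src, dst, proto, dport) tuples; skip malformed lines."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, proto, dport = m.groups()
        flows.append((int(ts), src, dst, proto, None if dport == "-" else int(dport)))
    return flows


def find_pptp_sessions(flows, window=300):
    """Classify each (src, dst) pair that opened a PPTP control channel.

    Returns {(src, dst): "pptp_tunnel"} when GRE followed the TCP/1723 connection
    within `window` seconds (a full tunnel, so an MS-CHAPv2 handshake was likely
    exchanged), or {(src, dst): "pptp_control_only"} when only the control channel
    was seen (GRE blocked, or the session never got that far). GRE without a
    preceding control channel is not flagged, since GRE has other legitimate uses.
    """
    control = defaultdict(list)
    gre = defaultdict(list)
    for ts, src, dst, proto, dport in flows:
        if proto == "tcp" and dport == PPTP_CONTROL_PORT:
            control[(src, dst)].append(ts)
        elif proto == "gre":
            gre[(src, dst)].append(ts)

    verdicts = {}
    for pair, ctl_times in control.items():
        tunnel = any(
            0 <= g - c <= window for c in ctl_times for g in gre.get(pair, [])
        )
        verdicts[pair] = "pptp_tunnel" if tunnel else "pptp_control_only"
    return verdicts


if __name__ == "__main__":
    for (src, dst), verdict in sorted(find_pptp_sessions(parse_flows(SAMPLE_FLOWS)).items()):
        print(f"{src} -> {dst}: {verdict}")
```

The time window matters: a GRE flow long after the control connection (the 10.0.0.12 pair in the sample) is reported as control-only rather than as a tunnel, which keeps unrelated GRE traffic from being counted as PPTP.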