Port reference
Port 1723 (TCP) – PPTP VPN
PPTP VPN control channel — a legacy tunneling protocol whose encryption (MS-CHAPv2) is considered broken.
Default state
Open on legacy VPN servers and routers configured for PPTP. Disabled on modern platforms that have dropped PPTP support.
Common attacks
- Offline cracking of MS-CHAPv2 handshakes to recover VPN credentials
- Credential brute force and password spraying against the VPN
- Traffic interception due to weak/broken encryption
- VPN endpoint and user enumeration
Hardening
- Retire PPTP entirely — migrate to WireGuard, IKEv2/IPsec or OpenVPN
- If PPTP must remain temporarily, restrict by source IP and enforce strong, unique passwords
- Add MFA at an upstream gateway since PPTP cannot be trusted alone
- Block 1723 and GRE (protocol 47) at the firewall once migrated
- Monitor for credential brute force against the VPN
nmap snippet
nmap -p1723 --script pptp-version <target>
Replace <target> with the host or range you're authorized to scan.
What runs on port 1723?
Port 1723 is the control channel for PPTP, the Point-to-Point Tunneling Protocol — an early VPN technology. PPTP uses TCP 1723 to negotiate and manage the tunnel, while the actual encapsulated data travels over GRE (IP protocol 47). It was once ubiquitous because Windows shipped a built-in PPTP client, but its security is now considered fundamentally broken.
Why it matters for security
PPTP's authentication relies on MS-CHAPv2, which has known cryptographic weaknesses: captured handshakes can be cracked offline, with the effective key strength collapsing to a single DES key that can be brute-forced. That means an attacker who intercepts a PPTP authentication can recover the user's credentials and potentially decrypt the session. There is no safe configuration that fully fixes this — the protocol itself is the problem.
How it's attacked
Attackers capture the MS-CHAPv2 handshake and crack it offline (e.g. via chapcrack/cloud DES cracking) to recover VPN credentials, then log straight in. PPTP endpoints are also probed and brute-forced directly, and the weak encryption exposes traffic to interception. The nmap pptp-version script fingerprints exposed servers for targeting.
Hardening checklist
The only real fix is to retire PPTP and migrate to WireGuard, IKEv2/IPsec, or OpenVPN. If PPTP must run temporarily, restrict access by source IP, enforce strong unique passwords, and front it with MFA at an upstream gateway — but treat it as untrusted. Once migrated, block both 1723 and GRE (protocol 47) at the firewall and monitor for brute-force attempts. Use the nmap snippet above to find lingering PPTP servers you are authorized to assess.
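An added example (not part of the original page) of checking a firewall connection log for PPTP exposure that remains after migration, based on allowed TCP 1723 and GRE (protocol 47) flows. The CSV column layout, the sample rows and the `probe_fanout` threshold are assumptions made for the illustration.

```python
import csv
import io
from collections import defaultdict

TCP, GRE = 6, 47      # IP protocol numbers
PPTP_PORT = 1723      # PPTP control channel

# Constructed firewall connection log (assumed columns, documentation addresses).
SAMPLE_LOG = """src,dst,proto,dport,action
198.51.100.7,192.0.2.10,6,1723,allow
198.51.100.7,192.0.2.10,47,0,allow
203.0.113.50,192.0.2.10,6,1723,allow
203.0.113.50,192.0.2.11,6,1723,allow
203.0.113.50,192.0.2.12,6,443,allow
198.51.100.9,192.0.2.11,6,1723,deny
"""

def audit_pptp(log_csv, probe_fanout=2):
    """Summarise remaining PPTP exposure from the allowed flows in a firewall log."""
    control = set()   # (client, server) pairs with an allowed TCP/1723 connection
    gre = set()       # unordered host pairs with allowed GRE traffic
    for row in csv.DictReader(io.StringIO(log_csv)):
        if row["action"] != "allow":
            continue  # already blocked by policy
        proto = int(row["proto"])
        if proto == TCP and int(row["dport"]) == PPTP_PORT:
            control.add((row["src"], row["dst"]))
        elif proto == GRE:
            gre.add(frozenset((row["src"], row["dst"])))
    # PPP negotiation and authentication ride inside GRE, so a control
    # connection with no GRE between the same hosts never got that far.
    no_gre = defaultdict(set)
    for src, dst in control:
        if frozenset((src, dst)) not in gre:
            no_gre[src].add(dst)
    return {
        "servers": sorted({dst for _, dst in control}),
        "tunnels": sorted(p for p in control if frozenset(p) in gre),
        "probes": {s: sorted(d) for s, d in no_gre.items() if len(d) >= probe_fanout},
    }

if __name__ == "__main__":
    for key, value in audit_pptp(SAMPLE_LOG).items():
        print(key, value)
```

In the result, `servers` lists hosts whose port 1723 is still reachable, `tunnels` lists client/server pairs still using PPTP, and `probes` lists sources that opened the control channel to several servers without ever starting a tunnel.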
Frequently asked questions
- Is PPTP on port 1723 secure?
- No. PPTP relies on MS-CHAPv2, whose captured handshakes can be cracked offline because the effective key strength collapses to a single DES key. It is considered broken and should be replaced with a modern VPN.
- What should I use instead of PPTP?
- Migrate to WireGuard, IKEv2/IPsec, or OpenVPN. These provide strong, modern cryptography and are actively maintained, unlike PPTP, which is effectively obsolete.