hacktricks/network-services-pentesting/49-pentesting-tacacs+.md

# 49 - Pentesting TACACS+

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}

**Try Hard Security Group**

<figure><img src="/.gitbook/assets/telegram-cloud-document-1-5159108904864449420.jpg" alt=""><figcaption></figcaption></figure>

{% embed url="https://discord.gg/tryhardsecurity" %}

***

## Osnovne informacije

Protokol **Terminal Access Controller Access Control System (TACACS)** se koristi za centralnu validaciju korisnika koji pokušavaju da pristupe ruterima ili mrežnim pristupnim serverima (NAS). Njegova unapređena verzija, **TACACS+**, deli usluge na autentifikaciju, autorizaciju i obračun (AAA).
```
PORT   STATE  SERVICE
49/tcp open   tacacs
```
**Podrazumevani port:** 49

## Presretanje ključa za autentifikaciju

Ako napadač presretne komunikaciju između klijenta i TACACS servera, **kriptovani ključ za autentifikaciju može biti presretnut**. Napadač može pokušati **lokalni napad silom protiv ključa bez da bude otkriven u logovima**. Ako uspe u napadu silom, napadač dobija pristup mrežnoj opremi i može dekriptovati saobraćaj koristeći alate poput Wireshark.

### Izvođenje MitM napada

**ARP spoofing napad se može iskoristiti za izvođenje Man-in-the-Middle (MitM) napada**.

### Napad silom na ključ

[Loki](https://c0decafe.de/svn/codename\_loki/trunk/) se može koristiti za napad silom na ključ:
```
sudo loki_gtk.py
```
Ako je ključ uspešno **bruteforced** (**obično u MD5 enkriptovanom formatu**), **možemo pristupiti opremi i dekriptovati TACACS-enkriptovani saobraćaj.**

### Dekriptovanje Saobraćaja
Kada je ključ uspešno otkriven, sledeći korak je **dekriptovanje TACACS-enkriptovanog saobraćaja**. Wireshark može obraditi enkriptovani TACACS saobraćaj ako je ključ dostupan. Analizom dekriptovanog saobraćaja, informacije kao što su **baner koji se koristi i korisničko ime admin** korisnika mogu se dobiti.

Sticanjem pristupa kontrolnoj tabli mrežne opreme koristeći dobijene akreditive, napadač može ostvariti kontrolu nad mrežom. Važno je napomenuti da su ove akcije isključivo u obrazovne svrhe i ne bi se trebale koristiti bez odgovarajuće autorizacije.

## Reference

* [https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9](https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9)

**Try Hard Security Group**

<figure><img src="/.gitbook/assets/telegram-cloud-document-1-5159108904864449420.jpg" alt=""><figcaption></figcaption></figure>

{% embed url="https://discord.gg/tryhardsecurity" %}

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}
Translated ['forensics/basic-forensic-methodology/partitions-file-system 2024-03-26 15:52:14 +00:00			`# 49 - Pentesting TACACS+`
GitBook: [#3522] No subject 2022-09-30 10:27:15 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:21:53 +00:00			`{% hint style="success" %}`
			`Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Training AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Training GCP Red Team Expert (GRTE)<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`
Translated ['forensics/basic-forensic-methodology/partitions-file-system 2024-03-26 15:52:14 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:21:53 +00:00			`<details>`
Translated ['forensics/basic-forensic-methodology/partitions-file-system 2024-03-26 15:52:14 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:21:53 +00:00			`<summary>Support HackTricks</summary>`
Translated ['forensics/basic-forensic-methodology/partitions-file-system 2024-03-26 15:52:14 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:21:53 +00:00			`* Check the [subscription plans](https://github.com/sponsors/carlospolop)!`
			`* Join the 💬 [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow us on Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
			`* Share hacking tricks by submitting PRs to the [HackTricks](https://github.com/carlospolop/hacktricks) and [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repos.`
Translated ['forensics/basic-forensic-methodology/partitions-file-system 2024-03-26 15:52:14 +00:00
			`</details>`
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:21:53 +00:00			`{% endhint %}`
Translated ['forensics/basic-forensic-methodology/partitions-file-system 2024-03-26 15:52:14 +00:00
			`Try Hard Security Group`

			`<figure><img src="/.gitbook/assets/telegram-cloud-document-1-5159108904864449420.jpg" alt=""><figcaption></figcaption></figure>`

			`{% embed url="https://discord.gg/tryhardsecurity" %}`

			`***`

			`## Osnovne informacije`

Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:21:53 +00:00			`Protokol Terminal Access Controller Access Control System (TACACS) se koristi za centralnu validaciju korisnika koji pokušavaju da pristupe ruterima ili mrežnim pristupnim serverima (NAS). Njegova unapređena verzija, TACACS+, deli usluge na autentifikaciju, autorizaciju i obračun (AAA).`
GitBook: [#3522] No subject 2022-09-30 10:27:15 +00:00			```
			`PORT STATE SERVICE`
			`49/tcp open tacacs`
			```
Translated to Serbian 2024-02-10 13:11:20 +00:00			`Podrazumevani port: 49`
GitBook: [#3522] No subject 2022-09-30 10:27:15 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:21:53 +00:00			`## Presretanje ključa za autentifikaciju`
GitBook: [#3522] No subject 2022-09-30 10:27:15 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:21:53 +00:00			`Ako napadač presretne komunikaciju između klijenta i TACACS servera, kriptovani ključ za autentifikaciju može biti presretnut. Napadač može pokušati lokalni napad silom protiv ključa bez da bude otkriven u logovima. Ako uspe u napadu silom, napadač dobija pristup mrežnoj opremi i može dekriptovati saobraćaj koristeći alate poput Wireshark.`
GitBook: [#3522] No subject 2022-09-30 10:27:15 +00:00
Translated to Serbian 2024-02-10 13:11:20 +00:00			`### Izvođenje MitM napada`
GitBook: [#3522] No subject 2022-09-30 10:27:15 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:21:53 +00:00			`ARP spoofing napad se može iskoristiti za izvođenje Man-in-the-Middle (MitM) napada.`
GitBook: [#3522] No subject 2022-09-30 10:27:15 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:21:53 +00:00			`### Napad silom na ključ`
GitBook: [#3522] No subject 2022-09-30 10:27:15 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:21:53 +00:00			`[Loki](https://c0decafe.de/svn/codename\_loki/trunk/) se može koristiti za napad silom na ključ:`
GitBook: [#3522] No subject 2022-09-30 10:27:15 +00:00			```
			`sudo loki_gtk.py`
			```
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:21:53 +00:00			`Ako je ključ uspešno bruteforced (obično u MD5 enkriptovanom formatu), možemo pristupiti opremi i dekriptovati TACACS-enkriptovani saobraćaj.`

			`### Dekriptovanje Saobraćaja`
			`Kada je ključ uspešno otkriven, sledeći korak je dekriptovanje TACACS-enkriptovanog saobraćaja. Wireshark može obraditi enkriptovani TACACS saobraćaj ako je ključ dostupan. Analizom dekriptovanog saobraćaja, informacije kao što su baner koji se koristi i korisničko ime admin korisnika mogu se dobiti.`
GitBook: [#3522] No subject 2022-09-30 10:27:15 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:21:53 +00:00			`Sticanjem pristupa kontrolnoj tabli mrežne opreme koristeći dobijene akreditive, napadač može ostvariti kontrolu nad mrežom. Važno je napomenuti da su ove akcije isključivo u obrazovne svrhe i ne bi se trebale koristiti bez odgovarajuće autorizacije.`
GitBook: [#3522] No subject 2022-09-30 10:27:15 +00:00
Translated to Serbian 2024-02-10 13:11:20 +00:00			`## Reference`
GitBook: [#3522] No subject 2022-09-30 10:27:15 +00:00
a 2024-02-03 16:02:14 +00:00			`* [https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9](https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9)`

Translated ['README.md', 'forensics/basic-forensic-methodology/partition 2024-03-14 23:38:08 +00:00			`Try Hard Security Group`

Translated ['forensics/basic-forensic-methodology/partitions-file-system 2024-03-26 15:52:14 +00:00			`<figure><img src="/.gitbook/assets/telegram-cloud-document-1-5159108904864449420.jpg" alt=""><figcaption></figcaption></figure>`
Translated ['README.md', 'forensics/basic-forensic-methodology/partition 2024-03-14 23:38:08 +00:00
			`{% embed url="https://discord.gg/tryhardsecurity" %}`
GitBook: [#3522] No subject 2022-09-30 10:27:15 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:21:53 +00:00			`{% hint style="success" %}`
			`Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Training AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Training GCP Red Team Expert (GRTE)<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`
GitBook: [#3522] No subject 2022-09-30 10:27:15 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:21:53 +00:00			`<details>`
GitBook: [#3522] No subject 2022-09-30 10:27:15 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:21:53 +00:00			`<summary>Support HackTricks</summary>`
arte 2024-01-03 10:43:38 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:21:53 +00:00			`* Check the [subscription plans](https://github.com/sponsors/carlospolop)!`
			`* Join the 💬 [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow us on Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
			`* Share hacking tricks by submitting PRs to the [HackTricks](https://github.com/carlospolop/hacktricks) and [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repos.`
GitBook: [#3522] No subject 2022-09-30 10:27:15 +00:00
			`</details>`
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:21:53 +00:00			`{% endhint %}`