# 49 - Pentesting TACACS+
{% hint style="success" %}
Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
Support HackTricks
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** ๐ฌ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** ๐ฆ [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
{% endhint %}
**Try Hard Security Group**
{% embed url="https://discord.gg/tryhardsecurity" %}
***
## ๊ธฐ๋ณธ ์ ๋ณด
**Terminal Access Controller Access Control System (TACACS)** ํ๋กํ ์ฝ์ ๋ผ์ฐํฐ๋ ๋คํธ์ํฌ ์ ๊ทผ ์๋ฒ(NAS)์ ์ ๊ทผํ๋ ค๋ ์ฌ์ฉ์๋ฅผ ์ค์์์ ๊ฒ์ฆํ๋ ๋ฐ ์ฌ์ฉ๋ฉ๋๋ค. ์ ๊ทธ๋ ์ด๋๋ ๋ฒ์ ์ธ **TACACS+**๋ ์๋น์ค๋ฅผ ์ธ์ฆ, ๊ถํ ๋ถ์ฌ ๋ฐ ํ๊ณ(AAA)๋ก ๋ถ๋ฆฌํฉ๋๋ค.
```
PORT STATE SERVICE
49/tcp open tacacs
```
**๊ธฐ๋ณธ ํฌํธ:** 49
## ์ธ์ฆ ํค ๊ฐ๋ก์ฑ๊ธฐ
ํด๋ผ์ด์ธํธ์ TACACS ์๋ฒ ๊ฐ์ ํต์ ์ด ๊ณต๊ฒฉ์์ ์ํด ๊ฐ๋ก์ฑ์ด์ง๋ฉด, **์ํธํ๋ ์ธ์ฆ ํค๋ฅผ ๊ฐ๋ก์ฑ ์ ์์ต๋๋ค**. ๊ณต๊ฒฉ์๋ **๋ก๊ทธ์ ๊ฐ์ง๋์ง ์๊ณ ํค์ ๋ํด ๋ก์ปฌ ๋ฌด์ฐจ๋ณ ๋์ ๊ณต๊ฒฉ์ ์๋ํ ์ ์์ต๋๋ค**. ํค๋ฅผ ๋ฌด์ฐจ๋ณ ๋์ ๊ณต๊ฒฉ์ผ๋ก ์ฑ๊ณต์ ์ผ๋ก ํด๋ ํ๋ฉด, ๊ณต๊ฒฉ์๋ ๋คํธ์ํฌ ์ฅ๋น์ ์ ๊ทผํ ์ ์์ผ๋ฉฐ Wireshark์ ๊ฐ์ ๋๊ตฌ๋ฅผ ์ฌ์ฉํ์ฌ ํธ๋ํฝ์ ๋ณตํธํํ ์ ์์ต๋๋ค.
### MitM ๊ณต๊ฒฉ ์ํ
**ARP ์คํธํ ๊ณต๊ฒฉ์ ์ฌ์ฉํ์ฌ ์ค๊ฐ์(MitM) ๊ณต๊ฒฉ์ ์ํํ ์ ์์ต๋๋ค**.
### ํค ๋ฌด์ฐจ๋ณ ๋์ ๊ณต๊ฒฉ
[Loki](https://c0decafe.de/svn/codename\_loki/trunk/)๋ฅผ ์ฌ์ฉํ์ฌ ํค๋ฅผ ๋ฌด์ฐจ๋ณ ๋์ ๊ณต๊ฒฉํ ์ ์์ต๋๋ค:
```
sudo loki_gtk.py
```
If the key is successfully **bruteforced** (**usually in MD5 encrypted format)**, **we can access the equipment and decrypt the TACACS-encrypted traffic.**
### Decrypting Traffic
Once the key is successfully cracked, the next step is to **decrypt the TACACS-encrypted traffic**. Wireshark can handle encrypted TACACS traffic if the key is provided. By analyzing the decrypted traffic, information such as the **๋ฐฐ๋์ ๊ด๋ฆฌ์ ์ฌ์ฉ์ ์ด๋ฆ**์ ์ป์ ์ ์์ต๋๋ค.
By gaining access to the control panel of network equipment using the obtained credentials, the attacker can exert control over the network. It's important to note that these actions are strictly for educational purposes and should not be used without proper authorization.
## References
* [https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9](https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9)
**Try Hard Security Group**
{% embed url="https://discord.gg/tryhardsecurity" %}
{% hint style="success" %}
Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
Support HackTricks
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** ๐ฌ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** ๐ฆ [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
{% endhint %}
[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)
[**HackTricks Training GCP Red Team Expert (GRTE)**