hacktricks/network-services-pentesting/49-pentesting-tacacs+.md

49 - Pentesting TACACS+

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

• If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
• Get the official PEASS & HackTricks swag
• Discover The PEASS Family, our collection of exclusive NFTs
• Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦 @carlospolopm.
• Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Basic Information

Terminal Access Controller Access Control System (TACACS) is a security protocol that provides centralized validation of users who are attempting to gain access to a router or NAS. TACACS+, a more recent version of the original TACACS protocol, provides separate authentication, authorization, and accounting (AAA) services.

PORT   STATE  SERVICE
49/tcp open   tacacs

Default port: 49

Intercept Authentication Key

If the client and TACACS server communication is intercepted by an attacker, the encrypted authentication key can be intercepted. The attacker can then attempt a local brute-force attack against the key without being detected in the logs. If successful in brute-forcing the key, the attacker gains access to the network equipment and can decrypt the traffic using tools like Wireshark.

Performing a MitM Attack

An ARP spoofing attack can be utilized to perform a Man-in-the-Middle (MitM) attack.

Brute-forcing the Key

Loki can be used to brute force the key:

sudo loki_gtk.py

If the key is successfully bruteforced (usually in MD5 encrypted format), we can access the equipment and decrypt the TACACS-encrypted traffic.

Decrypting Traffic

Once the key is successfully cracked, the next step is to decrypt the TACACS-encrypted traffic. Wireshark can handle encrypted TACACS traffic if the key is provided. By analyzing the decrypted traffic, information such as the banner used and the username of the admin user can be obtaine.

By gaining access to the control panel of network equipment using the obtained credentials, the attacker can exert control over the network. It's important to note that these actions are strictly for educational purposes and should not be used without proper authorization.

References

• https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

• If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
• Get the official PEASS & HackTricks swag
• Discover The PEASS Family, our collection of exclusive NFTs
• Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦 @carlospolopm.
• Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.