hacktricks/network-services-pentesting/49-pentesting-tacacs+.md
Carlos Polop 5d26a0c40a arte
2024-01-03 11:43:38 +01:00

94 lines
5.9 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# 49 - Pentesting TACACS+
<details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Other ways to support HackTricks:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
## Basic Information
**Terminal Access Controller Access Control System (TACACS)** is a security protocol that provides centralized validation of users who are attempting to gain **access to a router or NAS**. TACACS+, a more recent version of the original TACACS protocol, provides separate authentication, authorization, and accounting (AAA) services.
```
PORT STATE SERVICE
49/tcp open tacacs
```
**Default port:** 49
## Intercept Authentication Key
If an attacker manages to get in the middle between the client and the TACACS server, **he can intercept the authentication key** in encrypted form and then do a local bruteforce against it. So you both bruteforce the key and you dont show up in the logs. And if you manage to bruteforce the key, **youll be able to access the network equipment and decrypt the traffic** in **Wireshark**.
### MitM
In order to perform a MitM attack you could use an [**ARP spoofing attack**](../generic-methodologies-and-resources/pentesting-network/#arp-spoofing).
### Brute-force Key
Now you need to run [Loki](https://c0decafe.de/svn/codename\_loki/trunk/). This is a special tool designed to analyze the security of L2/L3 protocols. Its capabilities are just as good as those of the popular **Yersinia** and it is a serious competitor to it. Loki can also bruteforce TACACS keys. If the key is successfully **bruteforced** (**usually in MD5 encrypted format)**, **we can access the equipment and decrypt the TACACS-encrypted traffic.**
```
sudo loki_gtk.py
```
<figure><img src="../.gitbook/assets/image (31) (2).png" alt=""><figcaption></figcaption></figure>
You also need to specify the path to the dictionary in order to bruteforce the encrypted key. Be sure to uncheck the **Use Bruteforce** option, otherwise Loki will bruteforce the password without using the dictionary.
<figure><img src="../.gitbook/assets/image (11) (2).png" alt=""><figcaption></figcaption></figure>
Now we have to wait for an administrator to log into the device through the TACACS server. It is assumed that the network administrator has already logged in, and we, **standing in the middle via ARP spoofing**, intercept the traffic. And in doing so, the legitimate hosts dont realize that someone else has interfered with their connection.
<figure><img src="../.gitbook/assets/image (8) (2) (3).png" alt=""><figcaption></figcaption></figure>
Now click the **CRACK** button and wait for **Loki** to break the password.
<figure><img src="../.gitbook/assets/image (17) (2).png" alt=""><figcaption></figcaption></figure>
### Decrypt Traffic
Great, we managed to unlock the key, now we need to decrypt the TACACS traffic. As I said, Wireshark can handle encrypted TACACS traffic if the key is present.
<figure><img src="../.gitbook/assets/image (28) (1).png" alt=""><figcaption></figcaption></figure>
We see which banner was used.
<figure><img src="../.gitbook/assets/image (24) (1) (2).png" alt=""><figcaption></figcaption></figure>
We find the username of the user `admin`
<figure><img src="../.gitbook/assets/image (7) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
As a result, **we have the `admin:secret1234` credentials,** which can be used to access the hardware itself. **I think Ill check their validity.**
<figure><img src="../.gitbook/assets/image (19) (2).png" alt=""><figcaption></figcaption></figure>
This is how you can attack TACACS+ and **gain access** to the control panel of network equipment.
## References
* The interception key section was copied from [https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9](https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9)
<details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Other ways to support HackTricks:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>