Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-22 12:43:23 +00:00
Code Issues Projects Releases Packages Wiki Activity
hacktricks/network-services-pentesting/49-pentesting-tacacs+.md

66 lines
3.9 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# 49 - Pentesting TACACS+
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## 基本信息
**终端访问控制器访问控制系统 (TACACS)** 协议用于集中验证试图访问路由器或网络接入服务器 (NAS) 的用户。其升级版本 **TACACS+** 将服务分为身份验证、授权和计费 (AAA)。
```
PORT STATE SERVICE
49/tcp open tacacs
```
**默认端口:** 49
## 拦截认证密钥
如果客户端与 TACACS 服务器的通信被攻击者拦截,**加密的认证密钥可以被拦截**。攻击者可以尝试对密钥进行**本地暴力破解攻击,而不会在日志中被检测到**。如果成功破解密钥,攻击者将获得对网络设备的访问权限,并可以使用 Wireshark 等工具解密流量。
### 执行中间人攻击
**可以利用 ARP 欺骗攻击来执行中间人 (MitM) 攻击**
### 暴力破解密钥
[Loki](https://c0decafe.de/svn/codename\_loki/trunk/) 可以用来暴力破解密钥:
```
sudo loki_gtk.py
```
如果密钥成功**暴力破解****通常是MD5加密格式****我们可以访问设备并解密TACACS加密的流量。**
### 解密流量
一旦密钥成功破解,下一步是**解密TACACS加密的流量**。如果提供密钥Wireshark可以处理加密的TACACS流量。通过分析解密后的流量可以获取诸如**使用的横幅和管理员用户的用户名**等信息。
通过使用获得的凭据访问网络设备的控制面板,攻击者可以对网络施加控制。需要注意的是,这些行为仅限于教育目的,未经适当授权不得使用。
## 参考文献
* [https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9](https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9)
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
Reference in a new issue View git blame Copy permalink