49 - Pentesting TACACS+

☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥

Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access to the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!
Discover The PEASS Family, our collection of exclusive NFTs
Get the official PEASS & HackTricks swag
Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦@carlospolopm.
Share your hacking tricks by submitting PRs to the hacktricks repo and hacktricks-cloud repo.

Basic Information

Terminal Access Controller Access Control System (TACACS) is a security protocol that provides centralized validation of users who are attempting to gain access to a router or NAS. TACACS+, a more recent version of the original TACACS protocol, provides separate authentication, authorization, and accounting (AAA) services.

PORT   STATE  SERVICE
49/tcp open   tacacs

Default port: 49

Intercept Authentication Key

If an attacker manages to get in the middle between the client and the TACACS server, he can intercept the authentication key in encrypted form and then do a local bruteforce against it. So you both bruteforce the key and you don’t show up in the logs. And if you manage to bruteforce the key, you’ll be able to access the network equipment and decrypt the traffic in Wireshark.

MitM

In order to perform a MitM attack you could use an ARP spoofing attack.

Brute-force Key

Now you need to run Loki. This is a special tool designed to analyze the security of L2/L3 protocols. Its capabilities are just as good as those of the popular Yersinia and it is a serious competitor to it. Loki can also bruteforce TACACS keys. If the key is successfully bruteforced (usually in MD5 encrypted format), we can access the equipment and decrypt the TACACS-encrypted traffic.

sudo loki_gtk.py

You also need to specify the path to the dictionary in order to bruteforce the encrypted key. Be sure to uncheck the Use Bruteforce option, otherwise Loki will bruteforce the password without using the dictionary.

Now we have to wait for an administrator to log into the device through the TACACS server. It is assumed that the network administrator has already logged in, and we, standing in the middle via ARP spoofing, intercept the traffic. And in doing so, the legitimate hosts don’t realize that someone else has interfered with their connection.

Now click the CRACK button and wait for Loki to break the password.

Decrypt Traffic

Great, we managed to unlock the key, now we need to decrypt the TACACS traffic. As I said, Wireshark can handle encrypted TACACS traffic if the key is present.

We see which banner was used.

We find the username of the user admin

As a result, we have the admin:secret1234 credentials, which can be used to access the hardware itself. I think I’ll check their validity.

This is how you can attack TACACS+ and gain access to the control panel of network equipment.

References

The interception key section was copied from https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9