# TACACS+ - Port 49

<details>

<summary>Support VeryLazyTech 🎉</summary>

* Become VeryLazyTech [**member**](https://buymeacoffee.com/verylazytech/membership)**! 🎁**
* **Follow** us on **Twitter** [**@VeryLazyTech**](https://x.com/verylazytech)**,** **Github** [**@VeryLazyTech**](https://github.com/verylazytech)**, and Medium** [**@VeryLazyTech**](https://medium.com/@verylazytech)**.**
* Visit our [**shop** ](https://buymeacoffee.com/verylazytech/extras)for e-books and courses.  📚
* Support us and [**buy me a coffee**](https://buymeacoffee.com/verylazytech)**. ☕**

</details>

## Basic Information

The **Terminal Access Controller Access Control System** (TACACS) protocol is primarily used to centrally authenticate users attempting to access routers or Network Access Servers (NAS). Its enhanced version, **TACACS+**, takes things further by splitting services into three key functions: **authentication**, **authorization**, and **accounting** (AAA). This separation allows for better control and security when managing network access.

**Default Port:**

```arduino
PORT   STATE  SERVICE  
49/tcp open   tacacs  
```

TACACS+ operates on **TCP port 49** by default, making this port a primary target for attackers trying to exploit weaknesses in the protocol.

***

## Intercepting the Authentication Key

If an attacker intercepts communication between the TACACS client and server, the **encrypted authentication key** used in the process can also be captured. This key is critical because it is used to authenticate users, and gaining access to it means the attacker can potentially decrypt sensitive traffic.

The advantage for an attacker here is that they can attempt to brute-force the key **offline**, which means they won’t appear in any logs and can go undetected. Once successful, they could have unrestricted access to the network equipment.

***

## Performing a Man-in-the-Middle (MitM) Attack

To intercept TACACS+ traffic, a **Man-in-the-Middle (MitM)** attack can be carried out using **ARP spoofing**. Here’s a simple, practical method for setting up an ARP spoofing attack:

1. Install `arpspoof` (if not already installed):

   ```bash
   sudo apt install dsniff
   ```
2. Launch ARP spoofing on the target:

   ```bash
   sudo arpspoof -i <interface> -t <target_ip> <gateway_ip>
   ```

   This will redirect traffic between the target and gateway through the attacker’s machine, allowing interception of TACACS+ packets.
3. Use a network capturing tool like **Wireshark** to capture the encrypted traffic on **TCP port 49**:

   ```bash
   sudo wireshark
   ```
4. Once the encrypted TACACS+ traffic is captured, it's time to attempt to brute-force the authentication key.

***

## Brute-forcing the TACACS+ Key

A key tool for brute-forcing TACACS+ authentication keys is **Loki**. Loki is designed to brute-force various types of encrypted keys, including those used in TACACS+ authentication.

**brute-forcing TACACS+ keys:**

1. **Download and install Loki**: Loki is often packaged with other pen-testing suites, but if you need to install it manually:

   ```bash
   sudo apt install loki
   ```
2. **Run Loki’s GTK interface** to begin brute-forcing the TACACS+ key:

   ```bash
   sudo loki_gtk.py
   ```
3. In the Loki interface, specify the captured encrypted authentication key and choose the type of encryption (commonly MD5 for TACACS+).
4. **Start the brute-force attack**.&#x20;

If the key is successfully cracked, it will typically be in **MD5-encrypted format**. Once you have the key, you’re ready to decrypt the intercepted traffic.

***

## Decrypting TACACS+ Traffic with Wireshark

After obtaining the key, the next step is to decrypt the TACACS-encrypted traffic using **Wireshark**. By analyzing the decrypted traffic, you can gather valuable information such as:

* The banner used by the network
* Admin usernames
* Other sensitive data

With the decrypted credentials in hand, you could log in to the control panel of the network equipment. From there, you can gain control over the network, modify configurations, or escalate the attack. The implications of this are significant, especially if access to critical infrastructure or devices is granted.

**Open Wireshark** and load the previously captured traffic file (the one from the MitM attack).

```bash
sudo wireshark capture.pcap
```

In Wireshark, go to **Edit** -> **Preferences**.

Under **Protocols**, find **TACACS+** and input the cracked key in the “**Decryption Key**” field.

Apply the changes and analyze the decrypted traffic.

Once decrypted, valuable information such as **admin usernames** and **banners** used by network equipment can be viewed.

For example, TACACS+ banners may reveal the type of equipment or even custom messages that could assist further in an attack.