TACACS+ - Port 49
Basic Information
The Terminal Access Controller Access Control System (TACACS) protocol is primarily used to centrally authenticate users attempting to access routers or Network Access Servers (NAS). Its enhanced version, TACACS+, takes things further by splitting services into three key functions: authentication, authorization, and accounting (AAA). This separation allows for better control and security when managing network access.
Default Port:
PORT STATE SERVICE
49/tcp open tacacs TACACS+ operates on TCP port 49 by default, making this port a primary target for attackers trying to exploit weaknesses in the protocol.
Intercepting the Authentication Key
If an attacker intercepts communication between the TACACS client and server, the encrypted authentication key used in the process can also be captured. This key is critical because it is used to authenticate users, and gaining access to it means the attacker can potentially decrypt sensitive traffic.
The advantage for an attacker here is that they can attempt to brute-force the key offline, which means they won’t appear in any logs and can go undetected. Once successful, they could have unrestricted access to the network equipment.
Performing a Man-in-the-Middle (MitM) Attack
To intercept TACACS+ traffic, a Man-in-the-Middle (MitM) attack can be carried out using ARP spoofing. Here’s a simple, practical method for setting up an ARP spoofing attack:
Install
arpspoof(if not already installed):sudo apt install dsniffLaunch ARP spoofing on the target:
sudo arpspoof -i <interface> -t <target_ip> <gateway_ip>This will redirect traffic between the target and gateway through the attacker’s machine, allowing interception of TACACS+ packets.
Use a network capturing tool like Wireshark to capture the encrypted traffic on TCP port 49:
sudo wiresharkOnce the encrypted TACACS+ traffic is captured, it's time to attempt to brute-force the authentication key.
Brute-forcing the TACACS+ Key
A key tool for brute-forcing TACACS+ authentication keys is Loki. Loki is designed to brute-force various types of encrypted keys, including those used in TACACS+ authentication.
brute-forcing TACACS+ keys:
Download and install Loki: Loki is often packaged with other pen-testing suites, but if you need to install it manually:
sudo apt install lokiRun Loki’s GTK interface to begin brute-forcing the TACACS+ key:
sudo loki_gtk.pyIn the Loki interface, specify the captured encrypted authentication key and choose the type of encryption (commonly MD5 for TACACS+).
Start the brute-force attack.
If the key is successfully cracked, it will typically be in MD5-encrypted format. Once you have the key, you’re ready to decrypt the intercepted traffic.
Decrypting TACACS+ Traffic with Wireshark
After obtaining the key, the next step is to decrypt the TACACS-encrypted traffic using Wireshark. By analyzing the decrypted traffic, you can gather valuable information such as:
The banner used by the network
Admin usernames
Other sensitive data
With the decrypted credentials in hand, you could log in to the control panel of the network equipment. From there, you can gain control over the network, modify configurations, or escalate the attack. The implications of this are significant, especially if access to critical infrastructure or devices is granted.
Open Wireshark and load the previously captured traffic file (the one from the MitM attack).
sudo wireshark capture.pcapIn Wireshark, go to Edit -> Preferences.
Under Protocols, find TACACS+ and input the cracked key in the “Decryption Key” field.
Apply the changes and analyze the decrypted traffic.
Once decrypted, valuable information such as admin usernames and banners used by network equipment can be viewed.
For example, TACACS+ banners may reveal the type of equipment or even custom messages that could assist further in an attack.
Last updated
Was this helpful?