TACACS+ - Port 49

Basic Information

The Terminal Access Controller Access Control System (TACACS) protocol is primarily used to centrally authenticate users attempting to access routers or Network Access Servers (NAS). Its enhanced version, TACACS+, takes things further by splitting services into three key functions: authentication, authorization, and accounting (AAA). This separation allows for better control and security when managing network access.

Default Port:

PORT   STATE  SERVICE  
49/tcp open   tacacs  

TACACS+ operates on TCP port 49 by default, making this port a primary target for attackers trying to exploit weaknesses in the protocol.

Intercepting the Authentication Key

If an attacker intercepts communication between the TACACS client and server, the encrypted authentication key used in the process can also be captured. This key is critical because it is used to authenticate users, and gaining access to it means the attacker can potentially decrypt sensitive traffic.

The advantage for an attacker here is that they can attempt to brute-force the key offline, which means they won’t appear in any logs and can go undetected. Once successful, they could have unrestricted access to the network equipment.

Performing a Man-in-the-Middle (MitM) Attack

To intercept TACACS+ traffic, a Man-in-the-Middle (MitM) attack can be carried out using ARP spoofing. Here’s a simple, practical method for setting up an ARP spoofing attack:

1. Install arpspoof (if not already installed):

   Copy

   sudo apt install dsniff

2. Launch ARP spoofing on the target:

   Copy

   sudo arpspoof -i <interface> -t <target_ip> <gateway_ip>

   This will redirect traffic between the target and gateway through the attacker’s machine, allowing interception of TACACS+ packets.

3. Use a network capturing tool like Wireshark to capture the encrypted traffic on TCP port 49:

   Copy

   sudo wireshark

4. Once the encrypted TACACS+ traffic is captured, it's time to attempt to brute-force the authentication key.

Brute-forcing the TACACS+ Key

A key tool for brute-forcing TACACS+ authentication keys is Loki. Loki is designed to brute-force various types of encrypted keys, including those used in TACACS+ authentication.

brute-forcing TACACS+ keys:

1. Download and install Loki: Loki is often packaged with other pen-testing suites, but if you need to install it manually:

   Copy

   sudo apt install loki

2. Run Loki’s GTK interface to begin brute-forcing the TACACS+ key:

   Copy

   sudo loki_gtk.py

3. In the Loki interface, specify the captured encrypted authentication key and choose the type of encryption (commonly MD5 for TACACS+).

4. Start the brute-force attack.

If the key is successfully cracked, it will typically be in MD5-encrypted format. Once you have the key, you’re ready to decrypt the intercepted traffic.

Decrypting TACACS+ Traffic with Wireshark

After obtaining the key, the next step is to decrypt the TACACS-encrypted traffic using Wireshark. By analyzing the decrypted traffic, you can gather valuable information such as:

• The banner used by the network

• Admin usernames

• Other sensitive data

With the decrypted credentials in hand, you could log in to the control panel of the network equipment. From there, you can gain control over the network, modify configurations, or escalate the attack. The implications of this are significant, especially if access to critical infrastructure or devices is granted.

Open Wireshark and load the previously captured traffic file (the one from the MitM attack).

sudo wireshark capture.pcap

In Wireshark, go to Edit -> Preferences.

Under Protocols, find TACACS+ and input the cracked key in the “Decryption Key” field.

Apply the changes and analyze the decrypted traffic.

Once decrypted, valuable information such as admin usernames and banners used by network equipment can be viewed.

For example, TACACS+ banners may reveal the type of equipment or even custom messages that could assist further in an attack.