49 - TACACS+

💡 Study note: This document covers penetration-testing methods for 49 - TACACS+ and is intended as a reference for information-security beginners and practitioners.

⚠️ Legal notice: This document is for learning and authorized testing only. Unauthorized testing of systems may violate laws and regulations.


49 - Pentesting TACACS+

Basic Information

The Terminal Access Controller Access Control System (TACACS) protocol is used to centrally validate users trying to access routers or Network Access Servers (NAS). Its upgraded version, TACACS+, separates the services into authentication, authorization, and accounting (AAA).

PORT   STATE  SERVICE
49/tcp open   tacacs

Default port: 49

Intercept Authentication Key

If the communication between the client and the TACACS server is intercepted by an attacker, the traffic protected with the shared authentication key can be captured. The attacker can then attempt an offline brute-force attack against the key, which leaves no trace in the device logs. If the key is recovered, the attacker gains access to the network equipment and can decrypt the captured traffic using tools like Wireshark.

Performing a MitM Attack

An ARP spoofing attack can be utilized to perform a Man-in-the-Middle (MitM) attack.

Brute-forcing the Key

Loki can be used to brute force the key:

sudo loki_gtk.py

If the key is successfully brute-forced (TACACS+ does not send the key itself; it obfuscates packet bodies with an MD5-derived pad computed from the key), we can access the equipment and decrypt the TACACS-encrypted traffic.

Decrypting Traffic

Once the key is successfully cracked, the next step is to decrypt the TACACS-encrypted traffic. Wireshark can decode encrypted TACACS traffic if the key is provided. By analyzing the decrypted traffic, information such as the banner used and the username of the admin user can be obtained.
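As an added example (not part of the original page, and not Wireshark's or Loki's code), the RFC 8907 body obfuscation that Wireshark applies when given the key, written in Python. It shows why a captured exchange is enough to test the key offline: the body is simply XORed with an MD5 keystream derived from the shared key and the packet header, there is no integrity check, and a packet with the unencrypted flag set carries its body in the clear. The key, session id and body bytes are constructed sample values.

```python
import hashlib
import struct

# TACACS+ fixed header (RFC 8907, section 4.1):
# version, type, seq_no, flags, session_id, length  (12 bytes, network byte order)
HEADER_FMT = "!BBBBII"
HEADER_LEN = struct.calcsize(HEADER_FMT)
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # body is sent without obfuscation (misconfiguration)

def parse_header(packet: bytes) -> dict:
    """Split the 12-byte header into its fields and flag cleartext bodies."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(
        HEADER_FMT, packet[:HEADER_LEN])
    return {"version": version, "type": ptype, "seq_no": seq_no, "flags": flags,
            "session_id": session_id, "length": length,
            "unencrypted": bool(flags & TAC_PLUS_UNENCRYPTED_FLAG)}

def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5 keystream:
    MD5_1 = MD5(session_id + key + version + seq_no)
    MD5_n = MD5(session_id + key + version + seq_no + MD5_{n-1})
    The digests are concatenated and truncated to the body length, so the
    protection is exactly as strong as the shared key."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, last = b"", b""
    while len(pad) < length:
        last = hashlib.md5(prefix + last).digest()
        pad += last
    return pad[:length]

def transform_body(packet: bytes, key: bytes) -> bytes:
    """Obfuscate or de-obfuscate the body; XOR is its own inverse.
    A body flagged as unencrypted is returned as-is (it was never protected)."""
    hdr = parse_header(packet)
    body = packet[HEADER_LEN:HEADER_LEN + hdr["length"]]
    if hdr["unencrypted"]:
        return body
    pad = pseudo_pad(hdr["session_id"], key, hdr["version"], hdr["seq_no"], len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_packet(body: bytes, key: bytes, session_id: int, seq_no: int = 1, flags: int = 0) -> bytes:
    """Wrap a body in a header; version 0xC0 = major 12, minor 0; type 1 = authentication."""
    header = struct.pack(HEADER_FMT, 0xC0, 1, seq_no, flags, session_id, len(body))
    return header + transform_body(header + body, key)

# Constructed sample values; not taken from any real capture or device.
SAMPLE_KEY = b"example-shared-key"
SAMPLE_SESSION_ID = 0x1234ABCD
SAMPLE_BODY = b"constructed TACACS+ body: user=admin"
```

Running `transform_body` over a capture with a candidate key is exactly the check Wireshark performs; `parse_header(...)["unencrypted"]` is a cheap audit for devices that have been configured to send bodies in the clear.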

By gaining access to the control panel of network equipment using the obtained credentials, the attacker can exert control over the network. It’s important to note that these actions are strictly for educational purposes and should not be used without proper authorization.


Search Engine Syntax

FOFA

# FOFA search syntax
port="49"

Shodan

# Shodan search syntax
port:49

ZoomEye

# ZoomEye search syntax
port:49
