Cracking TACACS+ with hashcat - Printable Version +- hashcat Forum (https://hashcat.net/forum) +-- Forum: Misc (https://hashcat.net/forum/forum-15.html) +--- Forum: User Contributions (https://hashcat.net/forum/forum-25.html) +--- Thread: Cracking TACACS+ with hashcat (/thread-7062.html) |
Cracking TACACS+ with hashcat - atom - 11-30-2017 The TACACS+ hash-mode was kind of fun to implement, as it's almost as close as being completely broken. However, I wouldn't use it personally as we only need to crack a single raw MD5 to break it. Additionally there's a good analysis of the protocol security from Solar Designer, you can find it here: http://www.openwall.com/articles/TACACS+-Protocol-Security For the rest of this post I will assume that you have understood the basic algorithm used by TACACS+ explained in the link above or the RFC that you can find here: https://tools.ietf.org/html/draft-ietf-opsawg-tacacs-07. Here's some example hashes from JtR: Code: $tacacs-plus$0$6d0e1631$573908bd8ed2c28efaff1bf00d07578a9a$c001 The third column is a session id. Since we also know the password (1234) I can use it in combination with the the sequence number in the fifth column to manually decrypt that data. It's important to visualize the plaintext data in order to explain how to crack TACACS+ in hashcat. It's not important how I did that exactly, I only need it for demonstration. Here's some keystreams I manually computed for each sequence: Code: 563809bc8ed6c78e8e8b62c06c742ee4f9e2aee3482505cceabc608b90bfaea9f9e2aee3482505cceabc608b90bfaea9 And if I apply these sequences and decrypt them, the output is the following: 1: Code: 00000000: 0101 0101 0004 0500 7474 7930 6173 796e ........tty0asyn 2: Code: 00000000: 0400 0025 0000 0a55 7365 7220 4163 6365 ...%...User Acce 3: Code: 00000000: 0005 0000 0061 646d 696e .....admin 4: Code: 00000000: 0501 000a 0000 5061 7373 776f 7264 3a20 ......Password: 5: Code: 00000000: 0005 0000 0061 646d 696e .....admin 6: Code: 00000000: 0100 0000 0000 ...... Beside all the protocol insecurities described in Solar Designer analysis (the missing padding problem in this example), how can we crack the TACACS+ password? The problem is that we can't easily crack it, because there's not much of known plaintext data. Good thing is: We can attack it even if we only know *some* of the plaintext. But be warned, it's not much. Actually it's only the header (5-8 byte depending on sequence). Since there's multiple variations possible this goes down from 56 bits to 40 bits. We will end up in lots of false positives. However, there's a solution! The sequence number in the MD5 comes to the rescue. Since this effectively changes the key produced by the MD5 we can compare all the passwords with each other. Very important: A password that is a false positive in sequence 2 will (very very likely) not produce a false positive in sequence 4. To make use of that, I recommend putting hashcat into --keep-guessing mode for this hash-mode. In a post-process, we can then compare them and if we find one password that matched in all the sequences we can easily filter out the correct one: Code: $tacacs-plus$0$6d0e1631$f7711e...400d7b915$c002:I[s)|~# Here's a little perl script to automate that process and to use with your potfile: Code: $ perl -ne 'while (<>) { chomp; /(c00\d):(.*)/ or next; $db->{$2}->{$1} = undef; } for $pw (keys %{$db}) { next if scalar keys %{$db->{$pw}} == 1; print "$pw\n" }' < hashcat.potfile And here it is: Code: 1234 Finally let me add that you can convert your .cap files to hashcat compatible hashes using the hcxtools from https://github.com/ZerBea/hcxtools/commits/master RE: Cracking TACACS+ with hashcat - philsmd - 11-30-2017 This is very interesting information and a nice find about how to best filter out "wrong results". Good job. Thanks for the research. I must admit that I didn't have much to do with tacacs+ so far, but it looks interesting (even though as you said pretty broken). |