Cracking TACACS+ with hashcat
The TACACS+ hash-mode was kind of fun to implement, as it's almost as close as being completely broken. However, I wouldn't use it personally as we only need to crack a single raw MD5 to break it.

Additionally there's a good analysis of the protocol security from Solar Designer, you can find it here: 

For the rest of this post I will assume that you have understood the basic algorithm used by TACACS+ explained in the link above or the RFC that you can find here:

Here's some example hashes from JtR:


The third column is a session id. Since we also know the password (1234) I can use it in combination with the the sequence number in the fifth column to manually decrypt that data. It's important to visualize the plaintext data in order to explain how to crack TACACS+ in hashcat. It's not important how I did that exactly, I only need it for demonstration. Here's some keystreams I manually computed for each sequence:


And if I apply these sequences and decrypt them, the output is the following:

00000000: 0101 0101 0004 0500 7474 7930 6173 796e  ........tty0asyn
00000010: 63                                       c

00000000: 0400 0025 0000 0a55 7365 7220 4163 6365  ...%...User Acce
00000010: 7373 2056 6572 6966 6963 6174 696f 6e0a  ss Verification.
00000020: 0a55 7365 726e 616d 653a 20              .Username: 

00000000: 0005 0000 0061 646d 696e                 .....admin

00000000: 0501 000a 0000 5061 7373 776f 7264 3a20  ......Password: 

00000000: 0005 0000 0061 646d 696e                 .....admin

00000000: 0100 0000 0000                           ......

Beside all the protocol insecurities described in Solar Designer analysis (the missing padding problem in this example), how can we crack the TACACS+ password? The problem is that we can't easily crack it, because there's not much of known plaintext data. 

Good thing is: We can attack it even if we only know *some* of the plaintext. But be warned, it's not much. Actually it's only the header (5-8 byte depending on sequence). Since there's multiple variations possible this goes down from 56 bits to 40 bits. We will end up in lots of false positives. However, there's a solution!

The sequence number in the MD5 comes to the rescue. Since this effectively changes the key produced by the MD5 we can compare all the passwords with each other. Very important: A password that is a false positive in sequence 2 will (very very likely) not produce a false positive in sequence 4.

To make use of that, I recommend putting hashcat into --keep-guessing mode for this hash-mode. In a post-process, we can then compare them and if we find one password that matched in all the sequences we can easily filter out the correct one:


Here's a little perl script to automate that process and to use with your potfile:

$ perl -ne 'while (<>) { chomp; /(c00\d):(.*)/ or next; $db->{$2}->{$1} = undef; } for $pw (keys %{$db}) { next if scalar keys %{$db->{$pw}} == 1; print "$pw\n" }' < hashcat.potfile

And here it is:


Finally let me add that you can convert your .cap files to hashcat compatible hashes using the hcxtools from
This is very interesting information and a nice find about how to best filter out "wrong results".

Good job.
Thanks for the research.

I must admit that I didn't have much to do with tacacs+ so far, but it looks interesting (even though as you said pretty broken).