Skip to content

GrrrDog/TacoTaco

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

9 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

TacoTaco

TacoTaco is a project about attacks on TACACS+ protocol.


  1. tac2cat.py - A converter of a TACACS+ packet to a format of the HashCat. The script helps you to extract a MD5_1 hash from a TACACS+ authentication packet. Then you can perform a local brute force attack on the MD5 hash and get a PSK.

Example:

  python tac2cat.py -t 1  -m "Password: " -p c0010200acf4c30b00000010c73c409532a4a80e58ba94391111e300

Where:

  -t 1 – 1 – SSH, 2 - Telnet
  -m "Password: " – a greeting message from a ssh service of a Cisco device
  -p – a hex stream of the second packet (TACACS+ layer) from the Wireshark.

  1. tacoflip.py is a script that you the opportunity to bypass authentication and authorization on a Cisco device that uses a TACACS+ server for AAA. You just need to perform a MitM attack on the Cisco device and the TACACS+ server (arp spoofing, for example)

Example:

  python tacoflip.py –t 192.168.0.100

Where 192.168.0.100 is an IP address of a TACACS+ server.

The video shows whole process of the attack: http://www.youtube.com/watch?v=HdTib8wftHA

Note! Because tacoflip.py works as TCP proxy, if TACACS server is located within different broadcast domain, you may want to use NAT in order to redirect intercepted TACACS communication to script listening on 0.0.0.0:49. Example commands:

iptables -t nat -A PREROUTING -p tcp --dport 49 -d <TACACS_SERVER> -j DNAT --to-destination <YOUR_IP>
iptables -t nat -A POSTROUTING -p tcp --dport 49 -s <YOUR_IP> -j SNAT --to <CISCO_TARGET>

  1. sample dir consists some examples: a router config, a tac_plus config and pcap files of authentication process (telnet, ssh).

About

Some scripts for attacks on Tacacs+ protocol

Topics

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages