Decrypt TACACS+ Packets

Thread: Decrypt TACACS+ Packets

  1. #1
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,914

    Decrypt TACACS+ Packets

    Hey Hey,

    Anyone know of a program for decrypting TACACS+ packets? I'm doing a homework assignment for my Security II class and we have to do an assignment on Authentication Proxy and TACACS+... we basically set up a lab according to specs provided and sniffed the information, now we have to provide a write-up explaining what we sniffed. I know the key that was used, and I have the session IDs... that's not a problem... I'm just wondering if anyone knows the algo or a program that decrypts the data... I'm just aiming to go above and beyond the scope of the assignment. Being home sick for a week has inspired me to put forth a little extra effort, especially since I've procrastinated until now and it's due Wednesday afternoon.

    Regardless of whether or not something is found...I've got a complete write-up detailing the process and outlining everything that happens (including block diagrams... ) and I'll post it here for anyone that's interested in the process but doesn't have the equipment to test it themselves.

    Peace,
    HT
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  2. #2
    Senior Member Maestr0's Avatar
    Join Date
    May 2003
    Posts
    604
    "The body of TACACS+ packets is encrypted by XOR'ing it with a series
    of MD5 hashes (each 16 bytes long). The first two hashes (used to
    encrypt first 32 bytes of the packet body) are as specified in the
    RFC draft:

    MD5_1 = MD5{session_id, key, version, seq_no}
    MD5_2 = MD5{session_id, key, version, seq_no, MD5_1}"


    http://www.openwall.com/advisories/OW-001-tac_plus/


    -Maestr0
    "If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier
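The quoted advisory describes the whole scheme: the TACACS+ header (version, type, seq_no, flags, session_id, length) travels in the clear, and the body is XORed with a keystream of chained MD5 digests seeded from the session_id, the shared key, the version byte and the sequence number. The following is an added example, not code from this thread, from tac_plus or from Ethereal: it builds that keystream, wraps and unwraps a constructed authentication START packet, and honours the unencrypted flag. The key, session ID and login fields are made up for the demonstration.

```python
"""TACACS+ body obfuscation: keystream of chained MD5 digests, XORed over the body.
Added example; the key, session_id and login fields below are constructed."""
import hashlib
import struct

# Header layout from the TACACS+ draft, all big-endian:
# version(1) type(1) seq_no(1) flags(1) session_id(4) length(4)
HEADER = struct.Struct("!BBBBII")
TAC_PLUS_VERSION = 0xC0           # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 0x01            # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # flags bit: body is sent in the clear


def pad_stream(session_id, key, version, seq_no, length):
    """Return `length` bytes of keystream.
    MD5_1 = MD5(session_id | key | version | seq_no)
    MD5_n = MD5(session_id | key | version | seq_no | MD5_{n-1})
    The digests are concatenated and truncated to the body length."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    out, prev = b"", b""
    while len(out) < length:
        prev = hashlib.md5(prefix + prev).digest()
        out += prev
    return out[:length]


def xor_body(session_id, key, version, seq_no, body):
    """Obfuscate or de-obfuscate a body; XOR with the same pad is its own inverse."""
    pad = pad_stream(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(session_id, key, seq_no, body, ptype=TAC_PLUS_AUTHEN, flags=0):
    """Prepend a header; XOR the body unless the unencrypted flag is set."""
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = xor_body(session_id, key, TAC_PLUS_VERSION, seq_no, body)
    return HEADER.pack(TAC_PLUS_VERSION, ptype, seq_no, flags,
                       session_id, len(body)) + body


def parse_packet(pkt, key):
    """Split a captured packet into (header dict, plaintext body).
    Everything the pad needs is in the cleartext header; only the key is secret."""
    if len(pkt) < HEADER.size:
        raise ValueError("short packet")
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(pkt)
    body = pkt[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated body")
    hdr = dict(version=version, type=ptype, seq_no=seq_no, flags=flags,
               session_id=session_id, length=length)
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return hdr, body
    return hdr, xor_body(session_id, key, version, seq_no, body)


def authen_start(user, port, rem_addr, data=b""):
    """Constructed authentication START body: action, priv_lvl, authen_type,
    service, then the four field lengths, then the variable-length fields."""
    action, priv_lvl, authen_type, service = 1, 1, 1, 1  # LOGIN, level 1, ASCII, login
    return (bytes([action, priv_lvl, authen_type, service,
                   len(user), len(port), len(rem_addr), len(data)])
            + user + port + rem_addr + data)


def parse_authen_start(body):
    """Pull the fixed fields and the variable-length strings back out of a START body."""
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = body[:8]
    off = 8
    user = body[off:off + ul]; off += ul
    port = body[off:off + pl]; off += pl
    rem_addr = body[off:off + rl]; off += rl
    data = body[off:off + dl]
    return dict(action=action, priv_lvl=priv_lvl, authen_type=authen_type,
                service=service, user=user, port=port, rem_addr=rem_addr, data=data)


if __name__ == "__main__":
    key = b"labkey"            # constructed shared key
    session_id = 0x1234ABCD    # constructed session ID, as read from a capture
    body = authen_start(b"student", b"tty0", b"10.0.0.5")
    wire = build_packet(session_id, key, 1, body)
    hdr, clear = parse_packet(wire, key)
    print(hdr)
    print(parse_authen_start(clear))
```

Because the pad depends only on header fields plus the key, anyone holding the key can regenerate it from a capture and XOR the body back out, which is exactly what the dissector mentioned later in the thread does. Feeding the wrong key produces a different pad and therefore garbage rather than an error, so a decoder has to sanity-check the recovered body (field lengths that fit inside the packet, printable usernames) rather than trust it.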

  3. #3
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,914
    Hey Hey,


    Maestr0 provided me with a link via PM to a dissector that was written in 2000 for TACACS+ decryption inside ethereal. From that page I found an updated one from 2002... I decided to check ethereal and sure enough in preferences, there's a location to specify the key so that the packets are decoded for you...


    Peace,
    HT

  4. #4
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,914
    Hey Hey,

    I said I'd provide the paper when I was finished with it... Here it is... I can post it on its own later if anyone's interested... but we'll see first if anyone stumbles across it here..

    It's on Authentication Proxy using a Cisco Router against a TACACS+ Server (CSACS).

    Apparently the Original version is too large to post here (1.3MB)... so I've done it again in BW... the images look sort of funky but are still legible. If anyone is seriously interested and wants a printable version, let me know and I'll either put the colour version on my server, or I'll email it over.

    Peace,
    HT

    [Edit]

    PS
    Think this is worth 5% of my final mark?

    [/Edit]
