-
Decrypt TACACS+ Packets
Hey Hey,
Anyone know of a program for decrypting TACACS+ packets? I'm doing a homework assignment for my Security II class and we have to do an assignment on Authentication Proxy and TACACS+... we basically set up a lab according to specs provided and sniffed the information, now we have to provide a write-up explaining what we sniffed. I know the key that was used, and I have the session IDs...that's not a problem... I'm just wondering if anyone knows the algo or a program that decrypts the data... I'm just aiming to go above and beyond the scope of the assignment. Being home sick for a week has inspired me to put forth a little extra effort, especially since I've procrastinated until now and it's due Wednesday afternoon.
Regardless of whether or not something is found...I've got a complete write-up detailing the process and outlining everything that happens (including block diagrams... ) and I'll post it here for anyone that's interested in the process but doesn't have the equipment to test it themselves.
Peace,
HT
-
"The body of TACACS+ packets is encrypted by XOR'ing it with a series
of MD5 hashes (each 16 bytes long). The first two hashes (used to
encrypt first 32 bytes of the packet body) are as specified in the
RFC draft:
MD5_1 = MD5{session_id, key, version, seq_no}
MD5_2 = MD5{session_id, key, version, seq_no, MD5_1}"
http://www.openwall.com/advisories/OW-001-tac_plus/
-Maestr0
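The pad construction quoted above, as an added Python example that is not part of the original thread or the advisory. It assumes the 12-byte TACACS+ header layout from RFC 8907 and continues the MD5 chain past the first two hashes to cover the whole body; the key, session ID and body used by `sample_packet` are constructed values.

```python
import hashlib
import struct

HEADER_LEN = 12
UNENCRYPTED_FLAG = 0x01  # TAC_PLUS_UNENCRYPTED_FLAG: body was sent in the clear


def pseudo_pad(session_id: bytes, key: bytes, version: int, seq_no: int,
               length: int) -> bytes:
    """MD5_1 = MD5{session_id, key, version, seq_no};
    MD5_n = MD5{session_id, key, version, seq_no, MD5_(n-1)}; truncate to length."""
    seed = session_id + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(packet: bytes, key: bytes) -> bytes:
    """Apply the pad to a full packet's body. XOR is its own inverse, so the
    same call obfuscates a clear body and recovers an obfuscated one."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than TACACS+ header")
    # Header: version, type, seq_no, flags, session_id (4 bytes), length (4 bytes)
    version, _ptype, seq_no, flags, session_id, length = struct.unpack(
        "!BBBB4sI", packet[:HEADER_LEN])
    body = packet[HEADER_LEN:]
    if len(body) != length:
        raise ValueError("header length field does not match body size")
    if flags & UNENCRYPTED_FLAG:
        return body
    pad = pseudo_pad(session_id, key, version, seq_no, length)
    return bytes(b ^ p for b, p in zip(body, pad))


def sample_packet(key: bytes, body: bytes) -> bytes:
    """Build a constructed packet (version 0xC0, type 1, seq_no 1) for testing."""
    header = struct.pack("!BBBB4sI", 0xC0, 0x01, 1, 0x00,
                         bytes.fromhex("1a2b3c4d"), len(body))
    return header + xor_body(header + body, key)


if __name__ == "__main__":
    lab_key = b"constructed-lab-key"  # constructed shared secret
    pkt = sample_packet(lab_key, b"constructed body, longer than 32 bytes!!")
    print(xor_body(pkt, lab_key))
```

A wrong key produces garbage rather than an error, because the pad provides no integrity check on the body.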
-
Hey Hey,
Maestr0 provided me with a link via PM to a dissector that was written in 2000 for TACACS+ decryption inside ethereal. From that page I found an updated one from 2002... I decided to check ethereal and sure enough in preferences, there's a location to specify the key so that the packets are decoded for you...
Peace,
HT
-
Hey Hey,
I said I'd provide the paper when I was finished with it... Here it is... I can post it on its own later if anyone's interested... but we'll see first if anyone stumbles across it here..
It's on Authentication Proxy using a Cisco Router against a TACACS+ Server (CSACS).
Apparently the Original version is too large to post here (1.3MB)... so I've done it again in BW... the images look sort of funky but are still legible. If anyone is seriously interested and wants a printable version, let me know and I'll either put the colour version on my server, or I'll email it over.
Peace,
HT
[Edit]
PS
Think this is worth 5% of my final mark?
[/Edit]