49 - Pentesting TACACS+

Support HackTricks and get benefits!

Basic Information

Terminal Access Controller Access Control System (TACACS) is a security protocol that provides centralized validation of users who are attempting to gain access to a router or NAS. TACACS+, a more recent version of the original TACACS protocol, provides separate authentication, authorization, and accounting (AAA) services.
49/tcp open tacacs
Default port: 49

Intercept Authentication Key

If an attacker manages to get in the middle between the client and the TACACS server, he can intercept the authentication key in encrypted form and then do a local bruteforce against it. So you both bruteforce the key and you don’t show up in the logs. And if you manage to bruteforce the key, you’ll be able to access the network equipment and decrypt the traffic in Wireshark.


In order to perform a MitM attack you could use an ARP spoofing attack.

Brute-force Key

Now you need to run Loki. This is a special tool designed to analyze the security of L2/L3 protocols. Its capabilities are just as good as those of the popular Yersinia and it is a serious competitor to it. Loki can also bruteforce TACACS keys. If the key is successfully bruteforced (usually in MD5 encrypted format), we can access the equipment and decrypt the TACACS-encrypted traffic.
sudo loki_gtk.py
You also need to specify the path to the dictionary in order to bruteforce the encrypted key. Be sure to uncheck the Use Bruteforce option, otherwise Loki will bruteforce the password without using the dictionary.
Now we have to wait for an administrator to log into the device through the TACACS server. It is assumed that the network administrator has already logged in, and we, standing in the middle via ARP spoofing, intercept the traffic. And in doing so, the legitimate hosts don’t realize that someone else has interfered with their connection.
Now click the CRACK button and wait for Loki to break the password.

Decrypt Traffic

Great, we managed to unlock the key, now we need to decrypt the TACACS traffic. As I said, Wireshark can handle encrypted TACACS traffic if the key is present.
We see which banner was used.
We find the username of the user admin
As a result, we have the admin:secret1234 credentials, which can be used to access the hardware itself. I think I’ll check their validity.
This is how you can attack TACACS+ and gain access to the control panel of network equipment.


Support HackTricks and get benefits!