Re: Penetration Test: TACACS

[Rob J Meijer <rmeijer () xs4all nl>]

On Thu, 21 Jun 2001, Alan Olsen wrote:

> This is a bad thing.  Passwords should never be kept in clear text.

This is not a correct statement I beleive, it could be completely
valid to choose to 'store' passwords cleartext on a secured server
in order to prevent passwords from being 'send' cleartext.
If for example tacacs is used to authenticate ppp connections using
crypted paswords on the AAA server, this will require the ppp
authentication to be PAP. CHAP will require the AAA server to 'know'
the password in order to create a challenge.
When this option is chosen however the AAA server should be secured
verry carefully and verry tightly.
Unfortunately choosing CHAP over PAP is something that is done with
the false sense that it is more secure by itself without considdering
the implied concequences to aditional the level of security needed by the
AAA server.

Rob

> The tacacs+ install I maintained a while back used the /etc/passwd file as
> a reference.
>
> They need to fix their configuration of tacacs. (Or move to a more current
> implemetation.)
>
> On Thu, 21 Jun 2001 padrino () hushmail com wrote:
>
> > Greetings...
> >
> > Recently while performing a penetration test of a large client 
> > I was able to gain access to the Solaris server that runs the
> > Cisco Tacacs Authentication Server... 
> >
> > After perusing the system for a while I realized that the Java/JDBC 
> > client program for administering the TACACS Database
> > read a config file that had the DB username/password in clear
> > text.   Using a little experience with PERL ODBC I connected to 
> > the Database server and grabbed the data from tables:
> > cs_user_profile, cs_password, cs_privilege.  My client
> > used Clear as the password type.  
> >
> > Is this normal?  Seems to me like one of the core things you
> > try to protect on a WAN are Router passwords... Should Tacacs
> > allow you to store in password inside the database in cleartext?
> >
> > Don't know if this is something big or if I've merely had too much
> > coffee...  Someone please let me know if I've been smoking too much
> > caffeine!
> >
> > Thanks in advance,
> > el padrino
> >
> > ........................................................................................................
> > liquidmatrix.Org [ til i get my own website ]
> > ........................................................................................................
> > Free, encrypted, secure Web-based email at www.hushmail.com
>
> alan () ctrl-alt-del com | Note to AOL users: for a quick shortcut to reply
> Alan Olsen            | to my mail, just hit the ctrl, alt and del keys.
>  "All power is derived from the barrel of a gnu." - Mao Tse Stallman