Penetration Testing mailing list archives
Re: Penetration Test: TACACS
From: Rob J Meijer <rmeijer () xs4all nl>
Date: Sat, 23 Jun 2001 00:08:58 +0200 (CEST)
On Thu, 21 Jun 2001, Alan Olsen wrote:
This is a bad thing. Passwords should never be kept in clear text.
This is not a correct statement I beleive, it could be completely valid to choose to 'store' passwords cleartext on a secured server in order to prevent passwords from being 'send' cleartext. If for example tacacs is used to authenticate ppp connections using crypted paswords on the AAA server, this will require the ppp authentication to be PAP. CHAP will require the AAA server to 'know' the password in order to create a challenge. When this option is chosen however the AAA server should be secured verry carefully and verry tightly. Unfortunately choosing CHAP over PAP is something that is done with the false sense that it is more secure by itself without considdering the implied concequences to aditional the level of security needed by the AAA server. Rob
The tacacs+ install I maintained a while back used the /etc/passwd file as a reference. They need to fix their configuration of tacacs. (Or move to a more current implemetation.) On Thu, 21 Jun 2001 padrino () hushmail com wrote:Greetings... Recently while performing a penetration test of a large client I was able to gain access to the Solaris server that runs the Cisco Tacacs Authentication Server... After perusing the system for a while I realized that the Java/JDBC client program for administering the TACACS Database read a config file that had the DB username/password in clear text. Using a little experience with PERL ODBC I connected to the Database server and grabbed the data from tables: cs_user_profile, cs_password, cs_privilege. My client used Clear as the password type. Is this normal? Seems to me like one of the core things you try to protect on a WAN are Router passwords... Should Tacacs allow you to store in password inside the database in cleartext? Don't know if this is something big or if I've merely had too much coffee... Someone please let me know if I've been smoking too much caffeine! Thanks in advance, el padrino ........................................................................................................ liquidmatrix.Org [ til i get my own website ] ........................................................................................................ Free, encrypted, secure Web-based email at www.hushmail.comalan () ctrl-alt-del com | Note to AOL users: for a quick shortcut to reply Alan Olsen | to my mail, just hit the ctrl, alt and del keys. "All power is derived from the barrel of a gnu." - Mao Tse Stallman
Current thread:
- Penetration Test: TACACS padrino (Jun 21)
- Re: Penetration Test: TACACS Alan Olsen (Jun 22)
- Re: Penetration Test: TACACS Rob J Meijer (Jun 24)
- Re: Penetration Test: TACACS Pawel Krawczyk (Jun 24)
- RE: Penetration Test: TACACS Andrew van der Stock (Jun 22)
- Re: Penetration Test: TACACS Alan Olsen (Jun 22)