Penetration Testing mailing list archives
RE: Penetration Test: TACACS
From: "Andrew van der Stock" <ajv () e-secure com au>
Date: Fri, 22 Jun 2001 23:43:12 +1000
Database password management is one of the all time worst offenders. Often DSN names and sa/password combos are to be found in the clear all over the place. One review I did had them in an .inc file, which was retrievable using a normal browser. So, it's not unusual to find bad password handling in security products. Other places/products to be cautious of like this: * VNC on NT (its in the registry, and can be easily retrieved from NT 4.0 hosts) * VNC in general (it stores the password in 3des with the same salt for all instances) * DSN names in NT/2K are often fully specified, sometimes even in URLs or hidden fields * database connectors in general * global.asa for IIS * database rows (if you know the product's schema) * Checkpoint's Session Authentication agent is a joke And so on... Andrew -----Original Message----- From: padrino () hushmail com [mailto:padrino () hushmail com] Sent: Friday, 22 June 2001 01:07 To: pen-test () securityfocus com Subject: Penetration Test: TACACS Greetings... Recently while performing a penetration test of a large client I was able to gain access to the Solaris server that runs the Cisco Tacacs Authentication Server... After perusing the system for a while I realized that the Java/JDBC client program for administering the TACACS Database read a config file that had the DB username/password in clear text. Using a little experience with PERL ODBC I connected to the Database server and grabbed the data from tables: cs_user_profile, cs_password, cs_privilege. My client used Clear as the password type. Is this normal? Seems to me like one of the core things you try to protect on a WAN are Router passwords... Should Tacacs allow you to store in password inside the database in cleartext? Don't know if this is something big or if I've merely had too much coffee... Someone please let me know if I've been smoking too much caffeine! Thanks in advance, el padrino ............................................................................ ............................ liquidmatrix.Org [ til i get my own website ] ............................................................................ ............................ Free, encrypted, secure Web-based email at www.hushmail.com
Current thread:
- Penetration Test: TACACS padrino (Jun 21)
- Re: Penetration Test: TACACS Alan Olsen (Jun 22)
- Re: Penetration Test: TACACS Rob J Meijer (Jun 24)
- Re: Penetration Test: TACACS Pawel Krawczyk (Jun 24)
- RE: Penetration Test: TACACS Andrew van der Stock (Jun 22)
- Re: Penetration Test: TACACS Alan Olsen (Jun 22)