Cracking TACACS+ hashes with JtR
---------------------------------

* Extract TACACS+ hashes from the .pcap file.

  $ ../run/pcap2john.py target.pcap > hashes


* Attack these hashes using JtR Jumbo.

  $ ../run/john --format:tacacs-plus hashes


* Reducing false positives based on the raw ideas contained in PR #2926. These
  ideas were also discovered by atom from the hashcat project.

  This technique requires having (at least) two TACACS+ packets with the same
  "seq_no" (last field in the hash) value, and using the same password.

  Sample hashes which satisfy both these constraints:

  $ cat hashes
  $tacacs-plus$0$6d0e1631$d623c7692ca7b12f7ecef113bea72845$c004
  $tacacs-plus$0$6d0e1631$f7711e4b904fc4a4753e923e9bf3d2cc33e9febd3d2db74b9aa6d20462c2072013c77345d7112400d7b915$c002

  Cracking these hashes results in the following pot file (each hash is listed
  once per candidate password that john accepted for it):

  $ cat ../run/john.pot
  $tacacs-plus$0$6d0e1631$d623c7692ca7b12f7ecef113bea72845$c004:1234
  $tacacs-plus$0$6d0e1631$d623c7692ca7b12f7ecef113bea72845$c004:2u}0K!^
  $tacacs-plus$0$6d0e1631$d623c7692ca7b12f7ecef113bea72845$c004:ei,}3W#
  $tacacs-plus$0$6d0e1631$d623c7692ca7b12f7ecef113bea72845$c004:1234
  $tacacs-plus$0$6d0e1631$d623c7692ca7b12f7ecef113bea72845$c004:i8}42d$
  $tacacs-plus$0$6d0e1631$f7711e4b904fc4a4753e923e9bf3d2cc33e9febd3d2db74b9aa6d20462c2072013c77345d7112400d7b915$c002:I[s)|~#
  $tacacs-plus$0$6d0e1631$f7711e4b904fc4a4753e923e9bf3d2cc33e9febd3d2db74b9aa6d20462c2072013c77345d7112400d7b915$c002:4XdKNPF
  $tacacs-plus$0$6d0e1631$f7711e4b904fc4a4753e923e9bf3d2cc33e9febd3d2db74b9aa6d20462c2072013c77345d7112400d7b915$c002:9bf_6z+
  $tacacs-plus$0$6d0e1631$f7711e4b904fc4a4753e923e9bf3d2cc33e9febd3d2db74b9aa6d20462c2072013c77345d7112400d7b915$c002:1234
  $tacacs-plus$0$6d0e1631$f7711e4b904fc4a4753e923e9bf3d2cc33e9febd3d2db74b9aa6d20462c2072013c77345d7112400d7b915$c002:1234

  Filtering out the false positives (thanks to atom). The script records, for
  every candidate password, the set of "seq_no" values (last hash field) it
  cracked, and prints only candidates seen with more than one such value. It
  is run with plain -e, because the script carries its own while (<>) loop;
  with -n the implicit outer loop would consume the first pot line before the
  inner loop starts, so that line would be skipped:

  $ perl -e 'while (<>) { chomp; /(c00\d):(.*)/ or next; $db->{$2}->{$1} = undef; } for $pw (keys %{$db}) { next if scalar keys %{$db->{$pw}} == 1; print "$pw\n" }' < ../run/john.pot
  1234

  This reveals the actual password to be "1234".
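  The same cross-check, written out in Python as an added example (it is not
  part of JtR or of the PR referenced above). It parses the pot-line layout
  shown above into its fields, then keeps only candidates that cracked at
  least two packets with distinct "seq_no" fields. It goes one step beyond
  the Perl one-liner by grouping per session_id, so that pot lines from
  several captures are not compared against each other; that per-session
  grouping is a design choice of this example, not something the README
  requires. The sample pot text below is constructed from the lines listed
  above.

```python
"""Cross-check cracked TACACS+ candidates across packets of one session.

Added example, not JtR code: a Python version of the pot-file filter in
README.tacacs-plus, extended to group candidates per session_id.
"""
import re
import sys
from collections import defaultdict

# Constructed input: the pot lines shown in the README.
SAMPLE_POT = """\
$tacacs-plus$0$6d0e1631$d623c7692ca7b12f7ecef113bea72845$c004:1234
$tacacs-plus$0$6d0e1631$d623c7692ca7b12f7ecef113bea72845$c004:2u}0K!^
$tacacs-plus$0$6d0e1631$d623c7692ca7b12f7ecef113bea72845$c004:ei,}3W#
$tacacs-plus$0$6d0e1631$d623c7692ca7b12f7ecef113bea72845$c004:1234
$tacacs-plus$0$6d0e1631$d623c7692ca7b12f7ecef113bea72845$c004:i8}42d$
$tacacs-plus$0$6d0e1631$f7711e4b904fc4a4753e923e9bf3d2cc33e9febd3d2db74b9aa6d20462c2072013c77345d7112400d7b915$c002:I[s)|~#
$tacacs-plus$0$6d0e1631$f7711e4b904fc4a4753e923e9bf3d2cc33e9febd3d2db74b9aa6d20462c2072013c77345d7112400d7b915$c002:4XdKNPF
$tacacs-plus$0$6d0e1631$f7711e4b904fc4a4753e923e9bf3d2cc33e9febd3d2db74b9aa6d20462c2072013c77345d7112400d7b915$c002:9bf_6z+
$tacacs-plus$0$6d0e1631$f7711e4b904fc4a4753e923e9bf3d2cc33e9febd3d2db74b9aa6d20462c2072013c77345d7112400d7b915$c002:1234
$tacacs-plus$0$6d0e1631$f7711e4b904fc4a4753e923e9bf3d2cc33e9febd3d2db74b9aa6d20462c2072013c77345d7112400d7b915$c002:1234
"""

# Pot-line layout as shown in the README:
#   $tacacs-plus$0$<session_id>$<ciphertext>$<seq field>:<candidate password>
POT_LINE = re.compile(
    r"^\$tacacs-plus\$0\$(?P<session_id>[0-9a-fA-F]{8})\$"
    r"(?P<ciphertext>[0-9a-fA-F]+)\$(?P<seq>[0-9a-fA-F]{4}):(?P<password>.*)$"
)


def parse_pot_line(line):
    """Split one pot line into its hash fields and candidate, or None if it
    is not a tacacs-plus entry (pot files usually hold other formats too)."""
    m = POT_LINE.match(line.rstrip("\r\n"))
    return m.groupdict() if m else None


def confirmed_passwords(pot_text, min_packets=2):
    """Return {session_id: [candidates]} where each candidate cracked at least
    `min_packets` packets with distinct seq fields inside that session.

    A candidate that only ever cracks a single packet is treated as a
    false positive, exactly as the Perl filter does.
    """
    seen = defaultdict(lambda: defaultdict(set))  # session -> password -> {seq}
    for line in pot_text.splitlines():
        rec = parse_pot_line(line)
        if rec is None:
            continue
        seen[rec["session_id"].lower()][rec["password"]].add(rec["seq"].lower())
    return {
        sid: sorted(pw for pw, seqs in pws.items() if len(seqs) >= min_packets)
        for sid, pws in seen.items()
    }


if __name__ == "__main__":
    # Usage: python3 tacacs_confirm.py [path/to/john.pot]; with no argument
    # the constructed sample above is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_POT
    for sid, pws in confirmed_passwords(text).items():
        for pw in pws:
            print(f"{sid}:{pw}")
```

  Run against the sample it prints 6d0e1631:1234, the same answer as the
  Perl filter; with min_packets=3 it prints nothing, since the sample only
  contains two packets for that session.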