Cracking TACACS+ hashes with JtR
---------------------------------

* Extract TACACS+ hashes from the .pcap file.

  $ ../run/pcap2john.py target.pcap > hashes


* Attack these hashes using JtR Jumbo.

  $ ../run/john --format:tacacs-plus hashes


* Reducing false positives based on the raw ideas contained in PR #2926. These
  ideas were also discovered by atom from the hashcat project.

  This technique requires having (at least) two TACACS+ packets with the same
  "seq_no" (last field in the hash) value, and using the same password.

  Sample hashes which satisfy both these constraints,

  $ cat hashes
  $tacacs-plus$0$6d0e1631$d623c7692ca7b12f7ecef113bea72845$c004
  $tacacs-plus$0$6d0e1631$f7711e4b904fc4a4753e923e9bf3d2cc33e9febd3d2db74b9aa6d20462c2072013c77345d7112400d7b915$c002

  Cracking these hashes results in the following pot file,

  $ cat ../run/john.pot
  $tacacs-plus$0$6d0e1631$d623c7692ca7b12f7ecef113bea72845$c004:1234
  $tacacs-plus$0$6d0e1631$d623c7692ca7b12f7ecef113bea72845$c004:2u}0K!^
  $tacacs-plus$0$6d0e1631$d623c7692ca7b12f7ecef113bea72845$c004:ei,}3W#
  $tacacs-plus$0$6d0e1631$d623c7692ca7b12f7ecef113bea72845$c004:1234
  $tacacs-plus$0$6d0e1631$d623c7692ca7b12f7ecef113bea72845$c004:i8}42d$
  $tacacs-plus$0$6d0e1631$f7711e4b904fc4a4753e923e9bf3d2cc33e9febd3d2db74b9aa6d20462c2072013c77345d7112400d7b915$c002:I[s)|~#
  $tacacs-plus$0$6d0e1631$f7711e4b904fc4a4753e923e9bf3d2cc33e9febd3d2db74b9aa6d20462c2072013c77345d7112400d7b915$c002:4XdKNPF
  $tacacs-plus$0$6d0e1631$f7711e4b904fc4a4753e923e9bf3d2cc33e9febd3d2db74b9aa6d20462c2072013c77345d7112400d7b915$c002:9bf_6z+
  $tacacs-plus$0$6d0e1631$f7711e4b904fc4a4753e923e9bf3d2cc33e9febd3d2db74b9aa6d20462c2072013c77345d7112400d7b915$c002:1234
  $tacacs-plus$0$6d0e1631$f7711e4b904fc4a4753e923e9bf3d2cc33e9febd3d2db74b9aa6d20462c2072013c77345d7112400d7b915$c002:1234

  Filtering out the false positives (thanks to atom),

  $ perl -ne 'while (<>) { chomp; /(c00\d):(.*)/ or next; $db->{$2}->{$1} = undef; } for $pw (keys %{$db}) { next if scalar keys %{$db->{$pw}} == 1; print "$pw\n" }' < ../run/john.pot
  1234

This reveals the actual password to be "1234".
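The perl one-liner above is compact but opaque; the following Python script is an added example (not part of the JtR documentation or code base) that does the same false-positive filtering in a readable form. It parses each tacacs-plus pot line into its fields, collects the set of distinct last-field (seq_no) values each candidate password cracked, and keeps only candidates seen with more than one. The embedded pot contents are constructed from the page's own listing; the field layout (tag, 0, session_id, ciphertext, seq field) is taken from the hash lines shown above.

```python
"""Filter TACACS+ false positives out of a john.pot file.

Added example; mirrors the page's perl one-liner: a candidate password is
kept only if it cracked packets carrying more than one distinct seq_no
field, since a chance collision on one pad is unlikely to repeat on another.
"""
import sys
from collections import defaultdict

# Constructed sample: the john.pot listing from the page, verbatim.
SAMPLE_POT = """\
$tacacs-plus$0$6d0e1631$d623c7692ca7b12f7ecef113bea72845$c004:1234
$tacacs-plus$0$6d0e1631$d623c7692ca7b12f7ecef113bea72845$c004:2u}0K!^
$tacacs-plus$0$6d0e1631$d623c7692ca7b12f7ecef113bea72845$c004:ei,}3W#
$tacacs-plus$0$6d0e1631$d623c7692ca7b12f7ecef113bea72845$c004:1234
$tacacs-plus$0$6d0e1631$d623c7692ca7b12f7ecef113bea72845$c004:i8}42d$
$tacacs-plus$0$6d0e1631$f7711e4b904fc4a4753e923e9bf3d2cc33e9febd3d2db74b9aa6d20462c2072013c77345d7112400d7b915$c002:I[s)|~#
$tacacs-plus$0$6d0e1631$f7711e4b904fc4a4753e923e9bf3d2cc33e9febd3d2db74b9aa6d20462c2072013c77345d7112400d7b915$c002:4XdKNPF
$tacacs-plus$0$6d0e1631$f7711e4b904fc4a4753e923e9bf3d2cc33e9febd3d2db74b9aa6d20462c2072013c77345d7112400d7b915$c002:9bf_6z+
$tacacs-plus$0$6d0e1631$f7711e4b904fc4a4753e923e9bf3d2cc33e9febd3d2db74b9aa6d20462c2072013c77345d7112400d7b915$c002:1234
$tacacs-plus$0$6d0e1631$f7711e4b904fc4a4753e923e9bf3d2cc33e9febd3d2db74b9aa6d20462c2072013c77345d7112400d7b915$c002:1234
"""

TAG = "$tacacs-plus$"


def parse_pot_line(line):
    """Split one pot line into (session_id, seq_field, password).

    Returns None for lines that are not tacacs-plus entries or are malformed.
    The hash itself never contains ':', so the first ':' ends the hash and
    everything after it (even further colons) is the cracked password.
    """
    line = line.rstrip("\r\n")
    if not line.startswith(TAG):
        return None
    hash_part, sep, password = line.partition(":")
    if not sep:
        return None
    # ['', 'tacacs-plus', '0', session_id, ciphertext, seq_field]
    fields = hash_part.split("$")
    if len(fields) != 6:
        return None
    return fields[3], fields[5], password


def seq_fields_by_password(pot_text):
    """Map each candidate password to the set of seq fields it cracked."""
    seen = defaultdict(set)
    for line in pot_text.splitlines():
        parsed = parse_pot_line(line)
        if parsed is None:
            continue
        _session_id, seq_field, password = parsed
        seen[password].add(seq_field)
    return dict(seen)


def filter_false_positives(pot_text):
    """Return candidates that cracked more than one distinct seq field, sorted."""
    seen = seq_fields_by_password(pot_text)
    return sorted(pw for pw, seqs in seen.items() if len(seqs) > 1)


if __name__ == "__main__":
    # Usage: python filter_tacacs.py [path/to/john.pot]; defaults to the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_POT
    for pw in filter_false_positives(text):
        print(pw)
```

Run against the sample pot contents it prints only `1234`, matching the one-liner: the six other candidates each cracked a single packet and are dropped. Note that, like the one-liner, this groups on the whole last field and ignores the session_id field; a stricter variant could additionally require the two packets to share a session_id, which is available from `parse_pot_line` but not used here.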