Penetration Test: TACACS

From: padrinoat_private
Date: Thu Jun 21 2001 - 08:07:21 PDT

  • Next message: Lance Spitzner: "Re: A kind of Honeypot"

    Greetings...
    
    Recently while performing a penetration test of a large client 
    I was able to gain access to the Solaris server that runs the
    Cisco Tacacs Authentication Server... 
    
    After perusing the system for a while I realized that the Java/JDBC 
    client program for administering the TACACS Database
    read a config file that had the DB username/password in clear
    text.   Using a little experience with PERL ODBC I connected to 
    the Database server and grabbed the data from tables:
    cs_user_profile, cs_password, cs_privilege.  My client
    used Clear as the password type.  
    
    Is this normal?  Seems to me like one of the core things you
    try to protect on a WAN are Router passwords... Should Tacacs
    allow you to store in password inside the database in cleartext?
    
    Don't know if this is something big or if I've merely had too much
    coffee...  Someone please let me know if I've been smoking too much
    caffeine!
    
    Thanks in advance,
    el padrino
    
    ........................................................................................................
    liquidmatrix.Org [ til i get my own website ]
    ........................................................................................................
    Free, encrypted, secure Web-based email at www.hushmail.com
    
    
    IMPORTANT NOTICE:  If you are not using HushMail, this message could have been read easily by the many people who have access to your open personal email messages.
    Get your FREE, totally secure email address at http://www.hushmail.com.
    



    This archive was generated by hypermail 2b30 : Thu Jun 21 2001 - 13:25:09 PDT