RE: Penetration Test: TACACS

From: Andrew van der Stock (ajv@e-secure.com.au)
Date: Fri Jun 22 2001 - 06:43:12 PDT

    Database password management is one of the all time worst offenders. Often
    DSN names and sa/password combos are to be found in the clear all over the
    place. One review I did had them in an .inc file, which was retrievable
    using a normal browser.
    
    So, it's not unusual to find bad password handling in security products.
    Other places/products to be cautious of like this:
    
    * VNC on NT (it's in the registry, and can be easily retrieved from NT 4.0
    hosts)
    * VNC in general (it stores the password in 3des with the same salt for all
    instances)
    * DSN names in NT/2K are often fully specified, sometimes even in URLs or
    hidden fields
    * database connectors in general
    * global.asa for IIS
    * database rows (if you know the product's schema)
    * Checkpoint's Session Authentication agent is a joke
    
    And so on...
    
    Andrew
    
    -----Original Message-----
    From: padrinoat_private [mailto:padrinoat_private]
    Sent: Friday, 22 June 2001 01:07
    To: pen-testat_private
    Subject: Penetration Test: TACACS
    
    
    Greetings...
    
    Recently while performing a penetration test of a large client
    I was able to gain access to the Solaris server that runs the
    Cisco Tacacs Authentication Server...
    
    After perusing the system for a while I realized that the Java/JDBC
    client program for administering the TACACS Database
    read a config file that had the DB username/password in clear
    text.   Using a little experience with PERL ODBC I connected to
    the Database server and grabbed the data from tables:
    cs_user_profile, cs_password, cs_privilege.  My client
    used Clear as the password type.
    
    Is this normal?  Seems to me like one of the core things you
    try to protect on a WAN are Router passwords... Should Tacacs
    allow you to store the password inside the database in cleartext?
    
    Don't know if this is something big or if I've merely had too much
    coffee...  Someone please let me know if I've been smoking too much
    caffeine!
    
    Thanks in advance,
    el padrino
    
    liquidmatrix.Org [ til i get my own website ]
    
    This archive was generated by hypermail 2b30 : Fri Jun 22 2001 - 15:19:10 PDT