TACACS+
aka tacacs+, aaa
Cisco AAA protocol on TCP 49 used to authenticate administrators to network devices. The packet body is obfuscated with a shared key; capture the exchange and crack the key offline to recover device-admin credentials.
Ports
| Port | Proto | Notes |
|---|---|---|
| 49 | tcp | TACACS+ |
Fingerprint
- TACACS+ packets between switches/routers and the AAA server
- nmap detects the service on TCP 49
Exploitation primitives
- MITM/sniff the TACACS+ exchange on the management network
- Crack the shared key offline (loki / tac2cat → hashcat)
- With the key, decrypt the captured packets to read admin usernames/passwords
Overview
TACACS+ on TCP 49 centralises admin logins for Cisco gear. Its body obfuscation is only as strong as the shared key (it is an XOR pad derived from the key and fields visible in the packet header), so a captured exchange plus a weak key hands you network-device admin creds.
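To make the "only as strong as the shared key" point concrete, here is an added example (not code from this page or from any tool it names) that implements the RFC 8907 body obfuscation in Python: the pad is a chain of MD5 digests over session_id, key, version and seq_no, and the body is XORed with it. Every input except the key is readable in the cleartext header. It also includes a header-only check a defender can run over captured packets to spot sessions sent with the unencrypted flag. The key, session id, username and addresses are constructed demo values.

```python
import hashlib
import struct

# TACACS+ header (RFC 8907 section 4.1): 12 bytes, network byte order.
HEADER_FMT = "!BBBBII"            # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)

TAC_PLUS_VERSION = 0xC0           # major 0xC, default minor 0
TAC_PLUS_AUTHEN = 0x01            # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # body sent in clear; legitimate only in a lab


def pseudo_pad(session_id, key, version, seq_no, length):
    """Chained-MD5 pad from RFC 8907 section 4.5.

    pad_1 = MD5(session_id || key || version || seq_no)
    pad_n = MD5(session_id || key || version || seq_no || pad_{n-1})

    session_id, version and seq_no are all readable in the cleartext header,
    so the key is the only secret input: guess the key and the pad follows.
    """
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body, session_id, key, version, seq_no):
    """Obfuscate or de-obfuscate a body; XOR with the pad is its own inverse."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user, port="tty0", rem_addr="192.0.2.10"):
    """Constructed authentication START body (RFC 8907 section 5.1):
    action=LOGIN, priv_lvl=15, authen_type=ASCII, service=LOGIN."""
    user_b, port_b, rem_b, data_b = user.encode(), port.encode(), rem_addr.encode(), b""
    fixed = bytes([0x01, 0x0F, 0x01, 0x01,
                   len(user_b), len(port_b), len(rem_b), len(data_b)])
    return fixed + user_b + port_b + rem_b + data_b


def build_packet(body, key, session_id, seq_no,
                 version=TAC_PLUS_VERSION, ptype=TAC_PLUS_AUTHEN):
    """Wrap a body in a TACACS+ header; an empty key means the unencrypted flag."""
    flags = 0 if key else TAC_PLUS_UNENCRYPTED_FLAG
    payload = xor_body(body, session_id, key, version, seq_no) if key else body
    header = struct.pack(HEADER_FMT, version, ptype, seq_no, flags, session_id, len(body))
    return header + payload


def parse_packet(packet, key):
    """Parse a packet and recover the body with the supplied key."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(
        HEADER_FMT, packet[:HEADER_LEN])
    raw = packet[HEADER_LEN:HEADER_LEN + length]
    cleartext = bool(flags & TAC_PLUS_UNENCRYPTED_FLAG)
    body = raw if cleartext else xor_body(raw, session_id, key, version, seq_no)
    return {"type": ptype, "seq_no": seq_no, "session_id": session_id,
            "cleartext_flag": cleartext, "body": body}


def cleartext_sessions(packets):
    """Defender check: session ids of packets carrying the unencrypted flag.
    Needs no key, since it only reads the header."""
    hits = []
    for pkt in packets:
        _, _, _, flags, session_id, _ = struct.unpack(HEADER_FMT, pkt[:HEADER_LEN])
        if flags & TAC_PLUS_UNENCRYPTED_FLAG:
            hits.append(session_id)
    return hits


if __name__ == "__main__":
    key = b"constructed-demo-key"                   # assumption: demo shared key
    body = authen_start_body("netadmin")
    pkt = build_packet(body, key, 0x1234ABCD, 1)    # constructed session id
    print(parse_packet(pkt, key)["body"] == body)            # True
    print(parse_packet(pkt, b"wrong-key")["body"] == body)   # False
```

The round trip shows why the Hardening advice matters: nothing in the exchange authenticates the pad, and a wrong key simply yields a different XOR stream, which is exactly what an offline guess-and-check against a captured packet exploits.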
Enumeration
Confirm the service:
nmap -p49 -sV <TARGET>
Capture & crack
Sniff the exchange (on the management segment), then crack the shared key:
python2 loki.py
Convert a captured packet to a crackable hash and run hashcat:
tac2cat -f capture.pcap > tacacs.hash && hashcat -m 16100 tacacs.hash /usr/share/wordlists/rockyou.txt
Hardening
Use a long random shared key (per-device), encrypt management traffic, and isolate the AAA segment.
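As an added example for the per-device key advice (not code from this page), this Python snippet generates shared keys from the OS CSPRNG and audits a device-to-key mapping for the three weaknesses the cheat sheet's attack relies on: short keys, dictionary values, and one key reused across many devices (where a single capture compromises all of them). The device names, the weak-value list and the 32-character minimum are constructed assumptions; adjust them to local policy.

```python
import secrets
import string

MIN_KEY_LEN = 32                     # assumption: policy minimum for this audit
ALPHABET = string.ascii_letters + string.digits
# Constructed list of weak values seen in lab configs; extend from your own policy.
WEAK_VALUES = {"cisco", "tacacs", "secret", "password", "admin"}


def generate_shared_key(length=MIN_KEY_LEN):
    """Per-device key from the OS CSPRNG (secrets), never from random."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def audit_shared_keys(device_keys, min_len=MIN_KEY_LEN):
    """Return (device, finding) pairs for short, dictionary-like or reused keys.

    device_keys maps a device name to the TACACS+ key configured on it
    (a constructed mapping in the demo; in practice pulled from config backups).
    """
    findings = []
    devices_by_key = {}
    for device, key in device_keys.items():
        devices_by_key.setdefault(key, []).append(device)
        if len(key) < min_len:
            findings.append((device, "key shorter than %d characters" % min_len))
        if key.lower() in WEAK_VALUES:
            findings.append((device, "key is a common dictionary value"))
    for key, devices in devices_by_key.items():
        if len(devices) > 1:
            findings.append((",".join(sorted(devices)), "same key reused across devices"))
    return sorted(findings)


if __name__ == "__main__":
    demo = {"core-sw1": "cisco", "core-sw2": "cisco",             # constructed
            "edge-rtr1": generate_shared_key(), "edge-rtr2": generate_shared_key()}
    for device, finding in audit_shared_keys(demo):
        print(device, "-", finding)
```

Run it over keys exported from configuration backups; an empty findings list means every device has its own key of at least the policy length, which is the state in which a captured exchange on its own recovers nothing.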