Penetration Testing mailing list archives
Re: Penetration Test: TACACS
From: Alan Olsen <alan () clueserver org>
Date: Thu, 21 Jun 2001 15:01:29 -0700 (PDT)
This is a bad thing. Passwords should never be kept in clear text. The tacacs+ install I maintained a while back used the /etc/passwd file as a reference. They need to fix their configuration of tacacs. (Or move to a more current implemetation.) On Thu, 21 Jun 2001 padrino () hushmail com wrote:
Greetings... Recently while performing a penetration test of a large client I was able to gain access to the Solaris server that runs the Cisco Tacacs Authentication Server... After perusing the system for a while I realized that the Java/JDBC client program for administering the TACACS Database read a config file that had the DB username/password in clear text. Using a little experience with PERL ODBC I connected to the Database server and grabbed the data from tables: cs_user_profile, cs_password, cs_privilege. My client used Clear as the password type. Is this normal? Seems to me like one of the core things you try to protect on a WAN are Router passwords... Should Tacacs allow you to store in password inside the database in cleartext? Don't know if this is something big or if I've merely had too much coffee... Someone please let me know if I've been smoking too much caffeine! Thanks in advance, el padrino ........................................................................................................ liquidmatrix.Org [ til i get my own website ] ........................................................................................................ Free, encrypted, secure Web-based email at www.hushmail.com
alan () ctrl-alt-del com | Note to AOL users: for a quick shortcut to reply Alan Olsen | to my mail, just hit the ctrl, alt and del keys. "All power is derived from the barrel of a gnu." - Mao Tse Stallman
Current thread:
- Penetration Test: TACACS padrino (Jun 21)
- Re: Penetration Test: TACACS Alan Olsen (Jun 22)
- Re: Penetration Test: TACACS Rob J Meijer (Jun 24)
- Re: Penetration Test: TACACS Pawel Krawczyk (Jun 24)
- RE: Penetration Test: TACACS Andrew van der Stock (Jun 22)
- Re: Penetration Test: TACACS Alan Olsen (Jun 22)