PCAP :: TACACS+ .PCAP File

In this post, I would like to share a .PCAP file of a TACACS+ TCP stream. This file was captured in a lab environment and is for educational purposes only.

TACACS+ communication is encrypted by default, so I have included the TACACS+ key so that you can see the decrypted information.

Download link: https://blog.synack.co.uk/download/pcap-tacacs-pcap-file/

Key: Cisco123

Let me explain a little about the capture…

  • We can see the initial TCP 3-way handshake occur from a source of 10.1.1.1 to a destination port of 49 (TACACS+). The device starts by sending a SYN to 10.1.1.10.
  • Device 10.1.1.10 responds from source port 49 to destination 10.1.1.1 with a TCP SYN-ACK.
  • 10.1.1.1 receives the SYN-ACK and responds with an ACK.

 

  • After the TCP 3-way handshake has finished, device 10.1.1.1 sends a TACACS+ authentication request. At this stage, you can use the key to decrypt and analyse the TACACS+ communication. We can see that a user: synack has sent a login authentication request to 10.1.1.10.
  • Device 10.1.1.10 sends an acknowledgement and then sends a TACACS+ packet back to 10.1.1.1. Once this TACACS+ message is decrypted, we can see that the TACACS+ server has now asked for a password for user: synack.
  • Device 10.1.1.1 sends an acknowledgement to say that it has received the request for the password.
  • Device 10.1.1.1 then sends the password: Password1 back to the TACACS+ server.
  • The TACACS+ server responds with an authentication passed. This means that the user: synack has now been authenticated.
  • The TCP session is now torn down, with the device 10.1.1.1 sending a FIN-ACK.

 
