Rating:
**The challenge** :
Using WireShark we can open and explore the file “Chall.pcapng”.
The packets are the result of a TFTP communication using TACACS+ authentication protocol.
This type of protocol is cyphering all messages using a generated shared key.
So to be able to read those messages we need to find a way to recover the shared key.
And the good news is that WireShard is able to do this on is own!
**1- Recover the shared key :**
One of the solutions to achieve this goal, is to extract the router(or switch) configuration within Wireshark :
File > Objects Explorer > TFTP
Alternate method :
Create a filter «udp.stream eq 5», then right click on one of packets and : Follow > UDP stream.
We now have access to the shared key that was generated to communicate with the TACAS server :
tacacs-server host 192.168.1.100 key 7 0325612F2835701E1D5D3F2033
Knowing this, we can easily decipher that key, witch is a type 7 CISCO key, to get the original password on this web site :
https://www.ifm.net.nz/cookbooks/passwordcracker.html
**2- Decipher messages using that key :**
Go to the following menus : Edit > Preferences > Protocols > TACAS+.
Fill in the field «TACAS+ Encryption Key» with the deciphered key and then click “OK” button.
Filter all the packets by selecting "tacplus" filter, and extract all messages in relation with TACAS+ protocol.
And we now have access to the flag, in plain text mode :
**shkCTF{T4c4c5_ch4ll3n63_br0}**
