Cain and Abel
Presentation and notes by: Tharmiga Loganathan, Manavjot Singh, Mili Choksi
Cain & Abel is by far one of the best password recovery utilities out there, it is a very powerful tool that was originally used for password recovery. It is designed to run on Microsoft Windows OS but has methods to recover passwords for other systems. It is able to find passwords in the local cache, decode scrambled passwords, find wireless network keys or use brute-force and dictionary attacks. The program has since been re-purposed for many off-label use cases.
Current List of Features:
| Protected Storage Password Manager | LSA Secrets Dumper | Service Manager |
| Route Table Manager | SID Scanner | Sniffer |
| Credential Manager Password Decoder | Dialup Password Decoder | APR (ARP Poison Routing) |
| Network Enumerator | Remote Registry | Routing Protocol Monitors |
| Full RDP sessions sniffer for APR | Full SSH-1 sessions sniffer for APR | Full HTTPS sessions sniffer for APR |
| Full FTPS sessions sniffer for APR | Full IMAPS sessions sniffer for APR | Certificates Collector |
| Wireless Scanner | PWL Cached Password Decoder | Password Crackers |
| Base64 Password Decoder | Cryptanalysis attacks | Rainbowcrack-online client |
| TCP/UDP/ICMP Traceroute | RSA SecurID Token Calculator | Syskey Decoder |
For recovering passwords on other devices, Cain & Abel has the ability to sniff the local network for passwords transmitted via HTTP/HTTPS, POP3, IMAP, SMTP and much more. Cryptanalysis attacks are performed using rainbow tables. Rainbow tables are generated with a program winrtgen.exe provided by the Cain and Abel package.
The latest version of Cain and Abel is faster and contains a lot of new features like APR (ARP Poison Routing) which enables sniffing on switched LANs and Man-in-the-Middle attacks. The sniffer in this version can also analyze encrypted protocols such as SSH-1 and HTTPS and contains filters to capture credentials from a wide range of authentication mechanisms. The new version also ships routing protocols authentication monitors and routes extractors, dictionary and brute-force crackers for all common hashing algorithms and for several specific authentications, password/hash calculators, cryptanalysis attacks, password decoders and some not so common utilities related to network and system security.
Cain & Abel is a tool that has been quite useful for network administrators, teachers, professional penetration testers, security consultants/professionals, forensic staff and security software vendors.
Dictionary Attack and Rainbow Table Attack
This is a type of brute force attack, in this attack all the words from a dictionary or multiple dictionaries (a list of predefined words) are used to help crack a password. In certain cases even hashes are precomputed of the words in the dictionaries in order to speed up this process. Dictionary attacks are usually successful when the user has a common (popular) password.
Sniffing
Cain has a feature where we can sniff (monitor) and capture the network packets. Attackers can capture the packets and analyze them to extract useful information for them.
Traceroute
This feature allows to trace the route of a packet, details like the number of hops, time taken at each hop, etc. are provided.
ARP Poisoning
Basics of LAN/WAN Communication
It is important to note before we go forward that communication is initiated differently on a WAN in comparison to a LAN. On a WAN, packets are directed to different routers based on IP address. On the other hand, devices on a LAN use MAC addresses to identify the devices on their network. ARP is the protocol that is used to help discover devices and start communication on a LAN. It is important to note that ARP packets do not traverse routers, this is why a strong WiFi password is always encouraged.
Address Resolution Protocol (ARP)
Before diving into the hacking method, let’s first discuss what ARP is in order to better understand how it can be used by a hacker to gather private information. ARP stands for Address Resolution Protocol, it is the protocol that is used on a LAN when a computer wants to find the MAC address of a specific device they want start communicating with. For example, computer A will send out a broadcast message to all computers on the network asking Who has IP 192.168.1.3. Computer B receives the ARP message and realizes that its IP address is 192.168.1.3. Computer B will then respond to computer A with another ARP message containing computer B’s MAC address. Computer A will then associate computer B’s IP address and MAC address and add it to its ARP cache.
What makes this protocol interesting is that there is no security associated with it, any computer can send an ARP message to any other computer claiming they are the device with the IP address 192.168.1.3 and the unsuspecting victim computer will believe it…
Dynamic versus Static ARP Entries
The ARP cache helps the network operate more efficiently. If you want to view your ARP cache, you can do so by issuing the command arp -a. There are two types of ARP entries: dynamic and static. Dynamic entries are not permanent, this prevents the cache from being filled with a bunch of entries that aren’t being used. Static entries are only created manually arp -s [ip-address] [mac-address]. Static entries are ideal if two devices are constantly going to be communicating with each other, there will be no timeout and this will result in fewer ARP broadcast messages over time.
Man in the Middle Attack (MITM)
If you have taken a networking course previously, you will be familiar with this type of attack. You likely have learned how to create protocols that would overcome MITM attacks. But how exactly is an MITM attack carried out? ARP poisoning can easily be used to perform this attack. Here is how:
After computer A has already added computer B to its cache, let’s say computer C comes along and sends an unsolicited message to computer A stating that it actually is the device with IP address 192.168.1.3. Since there is no way to verify this message in ARP, computer A will take this message as fact and update its cache to associate IP address 192.168.1.3 with computer C’s MAC address.
Computer C can then also send a similar message to computer B, claiming that it has computer A’s IP address. Computer B will then update its cache. Now all traffic that is meant to flow between computer A and B will now also travel through computer C. Computer C will be able to read and/or modify all information flowing between the two computers! If computer A and B do not have software installed to detect ARP poisoning, this MITM attack will go completely unnoticed!
Passive versus Active Attacks
A passive attack would consist of computer C simply reading all of the packets transmitted between computer A and B and potentially stealing private information. An active attack on the other hand, would involve computer C modifying some or all of the data transferred between the two computers.
Resources
Learn more about Cain and Abel:
ARP Poisoning: