
Introduction

  • Cain & Abel is a password recovery tool for Microsoft Windows that exploits weaknesses in a system's security mechanisms and can be used to mount damaging attacks on computer networks.
  • It was originally developed for educational purposes, to reveal possible vulnerabilities, and has been used in numerous studies as a test environment to demonstrate cyber security attacks.
  • The tool is normally paired with other tools, which makes it extremely powerful and versatile in its functionality. It works by abusing the ARP protocol.
  • It has several built-in utilities that can initiate a number of intelligent attacks on the target computer.

Who should use the Cain tool, and why?

  • Network administrators
  • Professional penetration testers: these professionals can help an enterprise or business explore vulnerabilities and flaws in its network security with the help of Cain & Abel.
  • Forensic staff
  • Security forensic vendors

Requirements

The system requirements needed to successfully set up Cain & Abel are:

  • At least 10MB hard disk space
  • Microsoft Windows 2000/XP/2003/Vista OS
  • WinPcap Packet Driver (v2.3 or above)
  • AirPcap Packet Driver (for passive wireless sniffer / WEP cracker)

# Installation process

The tool can be installed from http://www.oxid.it/cain.html by clicking the second available download link on that page. While downloading, the system's security may detect the file as hazardous and block it. To overcome this, the security setting in Chrome has to be turned off, which allows the file to download. When running the .exe file, an error may appear saying that Cain cannot be opened; in this case the firewall has to be turned off to run it.

# Technicalities

Barriers encountered in WiFi hacking

Barrier 1: Overcome WiFi encryption

Cain overcomes WiFi encryption using the method called ARP spoofing, which combines AP (Access Point) association with a MITM (Man in the Middle) position.

ARP Spoofing

With the rapid evolution of network systems in today's era, there is a dire need to secure wireless networks to protect data in transit. A vulnerability at the data link layer can put the whole system at stake. The Address Resolution Protocol is an inevitable part of the network protocol architecture and plays a significant role in successful communication within a network. However, it has been observed that ARP is susceptible to spoofing attacks and can thus be shaped into carrying out the most dangerous attacks:

  • Man in the Middle
  • Denial of Service Attacks

ARP is a stateless protocol: it receives and processes ARP replies without having issued ARP requests, and there is no mechanism by which it can authenticate the peer from which a packet originated. This behaviour is the vulnerability that allows ARP spoofing to occur, and it makes manipulation of IP-MAC bindings by an attacker unsophisticated and easy.

The authentication mechanisms used earlier were weak and have often led to numerous credential harvesting attacks. To provide additional security, Transport Layer Security / Secure Sockets Layer (TLS/SSL) were introduced, which authenticate the server to the client and vice versa. SSL security relies on signed digital certificates; however, with the introduction of tools like Cain & Abel, password recovery has become an easy task, rendering the use of SSL digital certificates unfruitful. From this it can be clearly stated that vulnerabilities can be exploited not only in the case of HTTP connections, but that there is a greater risk in the case of HTTPS connections as well. A better idea of how ARP spoofing is carried out using Cain can be gained from https://thecybersecurityman.com/2017/12/06/creating-a-man-in-the-middle-attack-using-cain-abel-tutorial/

Barrier 2: Overcome TLS encryption

We can overcome TLS encryption either through a direct cryptographic attack or through some indirect method (e.g., XSS or another code injection attack). Cain uses a cryptographic attack to overcome TLS encryption.

What can be achieved through Cain & Abel attacks?

In ARP spoofing, a malicious actor sends falsified ARP messages over the LAN. As a result, the attacker's MAC address gets linked to the IP address of a legitimate computer on the network, and whatever data is intended for the legitimate computer is sent to the attacker instead. The attacker can achieve the following things through this interception:

  • Intercept data
  • Modify data
  • Stop data in-transit
  • Steal sensitive information

# Features

Cain & Abel is a well-recognized software cracking tool which is proficient in achieving results through the numerous features it encompasses.

  • It works as a sniffer on the network.
  • It cracks passwords using dictionary attacks, brute force attacks and cryptanalysis attacks; it can also record VoIP chats, reveal password boxes, discover cached passwords, decrypt scrambled passwords and examine routing protocols.
  • Cain & Abel does not make use of viruses to crack the target system; instead it works upon the vulnerabilities that exist in the security of the system in order to achieve the attack.
  • It is a Base64 Password Decoder, Cisco Type-7 Password Decoder, Cisco VPN Client Password Decoder, VNC Password Decoder, Credential Manager Password Decoder, Dialup Password Decoder and Syskey Decoder.
  • It is a MySQL and Oracle Password Extractor.
  • It is a UDP/TCP table viewer and traceroute.
  • It works as a route table manager, box revealer and a hash calculator.

Usage

After launching the application, we have to configure it to use the appropriate network card. If you have multiple network cards, it is better to know the MAC address of the network card that you will use for the sniffer. To get the MAC address of your network interface card, do the following:

1. Open a command prompt.

2. Run the following command: “ipconfig /all”.

3. Determine the MAC address of the desired Ethernet adapter, write it in Notepad, and then use this information to determine which NIC to select in the Cain application.

Now click Configure on the main menu. It will open the configuration dialog box, where you can select the desired network interface card.

# Tabs in Cain and Abel

Sniffer Tab:

This tab allows us to specify which Ethernet interface card we will use for sniffing.

ARP Tab:

This tab allows us to configure ARP poison routing to perform ARP poisoning attack, which tricks the victim’s computer by impersonating other devices to get all traffic that belongs to that device, which is usually the router or an important server.

Filters and Ports Tab:

This tab lists the most standard services with the default port each runs on. You can change a service's port by right-clicking on it, and enable or disable the service in the same way. Cain's sniffer filters on the application protocol's TCP/UDP port.

HTTP Fields Tab:

Some features of Cain, such as the LSA Secrets dumper, the HTTP Sniffer and APR-HTTPS, parse information from web pages viewed by the victim, so the more fields you add to the username and password field lists, the more HTTP usernames and passwords you capture from HTTP and HTTPS requests. Here is an example:

The following cookie uses the fields “logonusername=” and “userpassword=” for authentication purposes. If you do not include these two fields in the list, the sniffer will not extract the corresponding credentials.

Traceroute Tab:

Traceroute is a technique to determine the path between two points by simply counting how many hops the packet will take from the source machine to reach the destination machine. Cain also adds more functionality that allows hostname resolution, Net mask resolution, and Whois information gathering.

Certificate Spoofing Tab:

This tab allows certificate spoofing. From Wikipedia:

“In cryptography, a public key certificate (also known as a digital certificate or identity certificate) is an electronic document that uses a digital signature to bind a public key with an identity — information such as the name of a person or an organization, their address, and so forth. The certificate can be used to verify that a public key belongs to an individual. In a typical public key infrastructure (PKI) scheme, the signature will be of a certificate authority (CA). In a web of trust scheme, the signature is of either the user (a self-signed certificate) or other users (“endorsements”). In either case, the signatures on a certificate are attestations by the certificate signer that the identity information and the public key belong together.”

We can simply think of it as some sort of data (cipher suites, a public key and some other information about the owner of the certificate) that has information about the destination server and is encrypted by trusted companies (CAs) that are authorized to create this type of data. The server sends its own certificate to the client application so that the client can make sure it is talking to the right server.

Certificate Collector Tab:

This tab collects all certificates passed back and forth between servers and clients, by setting the proxy IPs and ports on which it listens for them.

Challenge Spoofing Tab:

Here you can set the custom challenge value to rewrite into NTLM authentications packets. This feature can be enabled quickly from Cain’s toolbar and must be used with APR. A fixed challenge enables cracking of NTLM hashes captured on the network by means of Rainbow Tables.

Password Cracking

Now it is time to speak about the Cracker tab, the most important feature of Cain. When Cain captures LM and NTLM hashes, or any kind of password for any supported protocol, it sends them automatically to the Cracker tab. We will import a local SAM file just for demonstration purposes to illustrate this point. Here is how to import the SAM file:

The 4 NTLM and LM hashes will appear as in the following image:

In the image below you can see the different techniques, which are very effective in password cracking. Depending on the requirements of the password and the time each technique takes to crack it, we can select a particular technique to crack a particular password.

Now let us get a brief idea of the attacks which we saw in the above image.

Dictionary Attack

“A dictionary attack uses a targeted technique of successively trying all the words in an exhaustive list called a dictionary (from a pre-arranged list of values). In contrast with a brute force attack, where a large proportion of the key space is searched systematically, a dictionary attack tries only those possibilities which are most likely to succeed, typically derived from a list of words, for example a dictionary (hence the phrase dictionary attack). Generally, dictionary attacks succeed because many people have a tendency to choose passwords which are short (7 characters or fewer), single words found in dictionaries, or simple, easily predicted variations on words, such as appending a digit. However, these are easy to defeat. Adding a single random character in the middle can make dictionary attacks untenable.”

Brute forcing attack

“In cryptography, a brute-force attack, or exhaustive key search, is a cryptanalytic attack that can, in theory, be used against any encrypted data (except for data encrypted in an information-theoretically secure manner). Such an attack might be utilized when it is not possible to take advantage of other weaknesses in an encryption system (if any exist) that would make the task easier. It consists of systematically checking all possible keys until the correct key is found. In the worst case, this would involve traversing the entire search space.

The key length used in the cipher determines the practical feasibility of performing a brute-force attack, with longer keys exponentially more difficult to crack than shorter ones. A cipher with a key length of N bits can be broken in a worst-case time proportional to 2^N and an average time of half that. Brute-force attacks can be made less effective by obfuscating the data to be encoded, something that makes it more difficult for an attacker to recognize when he/she has cracked the code. One of the measures of the strength of an encryption system is how long it would theoretically take an attacker to mount a successful brute-force attack against it.”

Cryptographic Attack

A cryptographic attack is a method for circumventing the security of a cryptographic system by finding a weakness in a code, cipher, cryptographic protocol or key management scheme. This process is also called “cryptanalysis”. In Cain we use rainbow tables to carry out this attack.

Rainbow table

A rainbow table is a precomputed table for reversing cryptographic hash functions, usually for cracking password hashes. Such tables are usually used to recover a password (or credit card numbers, etc.) up to a certain length and consisting of a limited set of characters. It is a practical example of a space–time tradeoff: it uses less processing time and more storage than a brute-force attack, which calculates a hash on every attempt, but more processing time and less storage than a simple lookup table with one entry per hash. Use of a key derivation function that employs a salt makes this attack infeasible. Such tables can be created with many tools available online, but the advantage of Cain is that it ships with an inbuilt tool called winrtgen, located in the installation folder. We can choose the hash algorithm and give the minimum and maximum length of the passwords.
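As an added example, not part of the original page or of Cain/winrtgen: a minimal rainbow table in Python over a toy 3-character password space, showing the space-time tradeoff described above (only chain endpoints are stored; the chain is recomputed at lookup time) and why a salted hash defeats the table. The hash function, chain length and chain starts are constructed assumptions standing in for winrtgen's algorithm choices.

```python
import hashlib

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
PW_LEN = 3                       # toy password space: 26**3 = 17,576 candidates
SPACE = len(ALPHABET) ** PW_LEN
CHAIN_LEN = 30                   # hash/reduce steps per chain (the "time" side of the tradeoff)

def h(pw):
    """Unsalted hash, standing in for the LM/NTLM hashes stored by the target system."""
    return hashlib.sha256(pw.encode()).digest()

def reduce_(digest, col):
    """Map a digest back into the password space; the column index varies the reduction."""
    n = (int.from_bytes(digest[:8], "big") + col) % SPACE
    return "".join(ALPHABET[n // len(ALPHABET) ** i % len(ALPHABET)] for i in range(PW_LEN))

def build_table(starts):
    """Store only endpoint -> starts; everything in between is recomputed at lookup time."""
    table = {}
    for start in starts:
        pw = start
        for col in range(CHAIN_LEN):
            pw = reduce_(h(pw), col)
        table.setdefault(pw, []).append(start)   # keep every start when chains merge
    return table

def lookup(table, target):
    """For each column the target could occupy, finish that chain; on an endpoint hit,
    replay the chain from its start until a password hashing to target appears."""
    for col in range(CHAIN_LEN - 1, -1, -1):
        pw = reduce_(target, col)
        for c in range(col + 1, CHAIN_LEN):
            pw = reduce_(h(pw), c)
        for start in table.get(pw, ()):
            cand = start
            for c in range(CHAIN_LEN):
                if h(cand) == target:
                    return cand
                cand = reduce_(h(cand), c)
    return None

def salted(pw, salt):  # the table was built for h(), so salted hashes are never in it
    return hashlib.sha256(salt + pw.encode()).digest()

# Constructed chain starts covering a slice of the space; building is the one-off cost.
TABLE = build_table([a + b + c for a in "ab" for b in ALPHABET for c in ALPHABET])
```

With a per-user salt the attacker would need a separate table per salt value, which is why the paragraph calls the attack infeasible against salted key derivation.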

How to create a Rainbow table using Winrtgen

In the image below we can find the path where winrtgen is located in the Cain folder.

Now we can choose the type of hash algorithm, minimum and maximum length of the password and also the charset which the password will use. After filling all the details click on Ok.


How can we defend our system from Cain?

We can defend our system from Cain attacks mainly by stopping ARP spoofing, which can be achieved by the following techniques:

  • Static ARP entries
  • ARP spoofing detection and prevention software
  • OS security

More information on this can be found at https://en.wikipedia.org/wiki/ARP_spoofing
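As an added example (not part of the original page or of Cain), the following Python monitor shows the first two defences above in code, and at the same time the weakness described in the ARP Spoofing section: it parses raw ARP replies, checks them against an operator-supplied static ARP table, and alerts when an IP-to-MAC binding changes or when the ARP sender address disagrees with the Ethernet source. The frames, addresses and static table are constructed test data.

```python
import struct

ETH = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, opcode, sha, spa, tha, tpa
ETHERTYPE_ARP, ARP_REPLY = 0x0806, 2
mac = lambda b: ":".join(f"{x:02x}" for x in b)
ip = lambda b: ".".join(str(x) for x in b)

def arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Build a raw Ethernet+ARP reply frame (constructed test input, not a capture)."""
    return (ETH.pack(target_mac, sender_mac, ETHERTYPE_ARP)
            + ARP.pack(1, 0x0800, 6, 4, ARP_REPLY, sender_mac, sender_ip, target_mac, target_ip))

def parse_arp(frame):  # -> the fields the monitor needs, or None for non-ARP frames
    _dst, src, etype = ETH.unpack_from(frame)
    if etype != ETHERTYPE_ARP:
        return None
    op, sha, spa = ARP.unpack_from(frame, ETH.size)[4:7]
    return {"op": op, "eth_src": mac(src), "sha": mac(sha), "spa": ip(spa)}

class ArpMonitor:
    """Learns IP->MAC bindings from ARP replies and alerts on contradictions."""
    def __init__(self, static_table=None):
        self.static = dict(static_table or {})   # operator's known-good bindings
        self.learned, self.alerts = {}, []

    def observe(self, frame):
        p = parse_arp(frame)
        if p is None or p["op"] != ARP_REPLY:
            return None
        ip_, mac_, alert = p["spa"], p["sha"], None
        if p["eth_src"] != mac_:          # sender MAC inside ARP differs from the frame's
            alert = f"frame source {p['eth_src']} != ARP sender {mac_} for {ip_}"
        elif self.static.get(ip_, mac_) != mac_:   # contradicts a static ARP entry
            alert = f"static entry violated: {ip_} is {self.static[ip_]}, reply claims {mac_}"
        elif self.learned.get(ip_, mac_) != mac_:  # binding flipped since first seen
            alert = f"binding changed: {ip_} was {self.learned[ip_]}, now {mac_}"
        if alert:
            self.alerts.append(alert)
        else:
            self.learned[ip_] = mac_
        return alert

def demo():  # constructed scenario: a genuine gateway reply, then one claiming its address
    gw_ip, host_ip = bytes([192, 168, 1, 1]), bytes([192, 168, 1, 20])
    gw_mac, host_mac = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    mon = ArpMonitor({"192.168.1.1": "00:11:22:33:44:55"})
    mon.observe(arp_reply(gw_mac, gw_ip, host_mac, host_ip))
    mon.observe(arp_reply(bytes.fromhex("ccddeeff0011"), gw_ip, host_mac, host_ip))
    return mon.alerts
```

A real deployment would feed the monitor frames from a capture driver such as WinPcap and pin the gateway in the static table, so that the unsolicited replies ARP poison routing relies on are flagged as soon as they appear.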

Comparison of Cain with similar tools

The table below summarises the comparison of similar tools.

| Tool | Use | Pros/Cons |
| --- | --- | --- |
| Cain & Abel | Capturing and monitoring traffic for passwords, recording voice over IP (VoIP) conversations, cracking encrypted passwords, etc. | Free Windows-based password recovery tool. Various techniques available to crack passwords. Requires rainbow tables that must be downloaded from other sources online. A bit more complicated to use, as some built-in features might be difficult for novice users. |
| Wireshark | Fantastic open source packet analyzer that allows you to examine the data from a live network. | Troubleshoot network problems; debug protocol implementations. Used to learn network protocol internals. Must be able to capture an interface which is not in existence presently. Must have a compressor to compress the data while writing to hard disk. |
| NetworkMiner | Passive forensic analysis tool that works in the background to check the packets coming from the host server to dig out data such as operating system, sessions, open ports, etc. | Does not put any burden on the network and works silently. Parses files for off-line analysis. Host-centric rather than packet-centric. Young tool, with numerous functionality enhancements still pending. |

Conclusion

Cain and Abel is a powerful tool that does a great job in password cracking. It can crack almost all kinds of passwords, and it’s usually just a matter of time before you get it.

References

  1. An Integrated Approach to ARP Poisoning and its Mitigation using Empirical Paradigm by Goldendeep Kaur and Dr. Jyoteesh Malhotra
  2. https://thecybersecurityman.com/2017/12/06/creating-a-man-in-the-middle-attack-using-cain-abel-tutorial/
  3. https://en.wikipedia.org/wiki/ARP_spoofing
  4. https://resources.infosecinstitute.com/password-cracking-using-cain-abel/#gref
  5. https://www.wikipedia.org
  6. https://www.oxid.it