Cain and Abel Logo

Cain and Abel

Presentation and notes by: Tharmiga Loganathan, Manavjot Singh, Mili Choksi

Cain & Abel is by far one of the best password recovery utilities out there, it is a very powerful tool that was originally used for password recovery. It is designed to run on Microsoft Windows OS but has methods to recover passwords for other systems. It is able to find passwords in the local cache, decode scrambled passwords, find wireless network keys or use brute-force and dictionary attacks. The program has since been re-purposed for many off-label use cases.

Current List of Features:

 
 
 

Protected Storage Password Manager
LSA Secrets Dumper
Service Manager

Route Table Manager
SID Scanner
Sniffer

Credential Manager Password Decoder
Dialup Password Decoder
APR (ARP Poison Routing)

Network Enumerator
Remote Registry
Routing Protocol Monitors

Full RDP sessions sniffer for APR
Full SSH-1 sessions sniffer for APR
Full HTTPS sessions sniffer for APR

Full FTPS sessions sniffer for APR
Full IMAPS sessions sniffer for APR
Certificates Collector

Wireless Scanner
PWL Cached Password Decoder
Password Crackers

Base64 Password Decoder
Cryptanalysis attacks
Rainbowcrack-online client

TCP/UDP/ICMP Traceroute
RSA SecurID Token Calculator
Syskey Decoder

 
 
 

For recovering passwords on other devices, Cain & Abel has the ability to sniff the local network for passwords transmitted via HTTP/HTTPS, POP3, IMAP, SMTP and much more. Cryptanalysis attacks are performed using rainbow tables. Rainbow tables are generated with a program winrtgen.exe provided by the Cain and Abel package.

The latest version of Cain and Abel is faster and contains a lot of new features like APR (ARP Poison Routing) which enables sniffing on switched LANs and Man-in-the-Middle attacks. The sniffer in this version can also analyze encrypted protocols such as SSH-1 and HTTPS and contains filters to capture credentials from a wide range of authentication mechanisms. The new version also ships routing protocols authentication monitors and routes extractors, dictionary and brute-force crackers for all common hashing algorithms and for several specific authentications, password/hash calculators, cryptanalysis attacks, password decoders and some not so common utilities related to network and system security.

Cain & Abel is a tool that has been quite useful for network administrators, teachers, professional penetration testers, security consultants/professionals, forensic staff and security software vendors.

Dictionary Attack and Rainbow Table Attack

This is a type of brute force attack, in this attack all the words from a dictionary or multiple dictionaries (a list of predefined words) are used to help crack a password. In certain cases even hashes are precomputed of the words in the dictionaries in order to speed up this process. Dictionary attacks are usually successful when the user has a common (popular) password.

Sniffing

Cain has a feature where we can sniff (monitor) and capture the network packets. Attackers can capture the packets and analyze them to extract useful information for them.

Traceroute

This feature allows to trace the route of a packet, details like the number of hops, time taken at each hop, etc. are provided.

ARP Poisoning

Basics of LAN/WAN Communication

It is important to note before we go forward that communication is initiated differently on a WAN in comparison to a LAN. On a WAN, packets are directed to different routers based on IP address. On the other hand, devices on a LAN use MAC addresses to identify the devices on their network. ARP is the protocol that is used to help discover devices and start communication on a LAN. It is important to note that ARP packets do not traverse routers, this is why a strong WiFi password is always encouraged.

Address Resolution Protocol (ARP)

Before diving into the hacking method, let’s first discuss what ARP is in order to better understand how it can be used by a hacker to gather private information. ARP stands for Address Resolution Protocol, it is the protocol that is used on a LAN when a computer wants to find the MAC address of a specific device they want start communicating with. For example, computer A will send out a broadcast message to all computers on the network asking Who has IP 192.168.1.3. Computer B receives the ARP message and realizes that its IP address is 192.168.1.3. Computer B will then respond to computer A with another ARP message containing computer B’s MAC address. Computer A will then associate computer B’s IP address and MAC address and add it to its ARP cache.

What makes this protocol interesting is that there is no security associated with it, any computer can send an ARP message to any other computer claiming they are the device with the IP address 192.168.1.3 and the unsuspecting victim computer will believe it…

Dynamic versus Static ARP Entries

The ARP cache helps the network operate more efficiently. If you want to view your ARP cache, you can do so by issuing the command arp -a. There are two types of ARP entries: dynamic and static. Dynamic entries are not permanent, this prevents the cache from being filled with a bunch of entries that aren’t being used. Static entries are only created manually arp -s [ip-address] [mac-address]. Static entries are ideal if two devices are constantly going to be communicating with each other, there will be no timeout and this will result in fewer ARP broadcast messages over time.

Man in the Middle Attack (MITM)

If you have taken a networking course previously, you will be familiar with this type of attack. You likely have learned how to create protocols that would overcome MITM attacks. But how exactly is an MITM attack carried out? ARP poisoning can easily be used to perform this attack. Here is how:

After computer A has already added computer B to its cache, let’s say computer C comes along and sends an unsolicited message to computer A stating that it actually is the device with IP address 192.168.1.3. Since there is no way to verify this message in ARP, computer A will take this message as fact and update its cache to associate IP address 192.168.1.3 with computer C’s MAC address.

Computer C can then also send a similar message to computer B, claiming that it has computer A’s IP address. Computer B will then update its cache. Now all traffic that is meant to flow between computer A and B will now also travel through computer C. Computer C will be able to read and/or modify all information flowing between the two computers! If computer A and B do not have software installed to detect ARP poisoning, this MITM attack will go completely unnoticed!

Passive versus Active Attacks

A passive attack would consist of computer C simply reading all of the packets transmitted between computer A and B and potentially stealing private information. An active attack on the other hand, would involve computer C modifying some or all of the data transferred between the two computers.

Resources

Learn more about Cain and Abel:

ARP Poisoning: