
CAIN AND ABEL

An Overview

BY

SYEDA AMBREEN ZAFAR (57337)

PAF Karachi Institute of Economics & Technology
DECEMBER, 2014

ACKNOWLEDGMENT

I found this course quite interesting, informative and knowledgeable. During the
course of study, I enhanced my knowledge and information about the subject through the Internet
and the study material provided as a reference by our course teacher.
I would like to thank our course teacher, Respected Waqar Ahmed, who not only shared his
practical experiences related to the subject with us but also extended his utmost
guidance/support during the course, while at the same time keeping a very close look at our
performances in this whole session. I feel it is his guidance that has enabled me to complete this
study in due course of time. During the study, I considered the Internet to be the best source of
information, and it was very helpful.

ABSTRACT
This study briefly provides an overview of the tool Cain & Abel. It covers its various
techniques and features that would be helpful for a security professional. The Cain & Abel tool
has been developed in the hope that it will be useful for network administrators, teachers,
security consultants/professionals, forensic staff, security software vendors, professional
penetration testers and everyone else who plans to use it for ethical reasons.

CONTENTS
INTRODUCTION
PROGRAM FEATURES
DECODERS
Protected Storage
LSA Secrets
Wireless Password Dumper
Dialup Password
Enterprise Manager Password Decoder
Credential Manager Password Decoder
Window Vault
NETWORK
SNIFFERS
ARP Poison Routing
CRACKER
WIRELESS SCANNERS
TRACEROUTE
QUERY
CCDU
TOOLS
Route & TCP/UDP tables
Base64 Password Decoder
Access Database Password Decoder
Cisco Type-7 Password Decoder
Cisco VPN Client Password Decoder
VNC Password Decoder
Hash Calculator
RSA SecureID Token Calculator
Abel
REFERENCES

CAIN & ABEL


INTRODUCTION
Cain & Abel offers a wide variety of capabilities. It is a password recovery tool for Microsoft
Operating Systems. It allows easy recovery of several kinds of passwords by sniffing the network,
cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording
VoIP conversations, decoding scrambled passwords, recovering wireless network keys, revealing
password boxes, uncovering cached passwords and analyzing routing protocols. Cryptanalysis
attacks are done via rainbow tables, which can be generated with the winrtgen.exe program
provided with Cain & Abel. Another main feature is ARP Poison Routing (APR), a form of
man-in-the-middle attack.
Cain is the first part of the program. Developed with a simple Windows graphical user interface, its
main purpose is to concentrate several hacking techniques and proofs of concept in a
simplified tool focused on the recovery of passwords and authentication credentials from various
sources. Abel is the second part of the program. Designed as a Windows NT service, it is composed
of two files, "Abel.exe" and "Abel.dll"; the first is the main service executable and the
second is a library that contains some required functions.

The program does not exploit any software vulnerabilities or bugs that could not be fixed
with little effort. It covers some security weaknesses intrinsic to protocol standards,
authentication methods and caching mechanisms; its main purpose is the simplified recovery of
passwords and credentials from various sources. However, it also ships some "nonstandard" utilities
for Microsoft Windows users.

PROGRAM FEATURES
DECODERS
A decoder is a device which does the reverse operation of an encoder, undoing the encoding
so that the original information can be retrieved. In simple words, it recovers the original
information from its stored, scrambled form. Cain & Abel provides various ways of decoding cached passwords.
Protected Storage
The Protected Store is a storage facility provided as part of Microsoft CryptoAPI. Its primary
use is to securely store private keys that have been issued to a user. All of the information in the
Protected Store is encrypted using a key that is derived from the user's logon password. Access to
the information is tightly regulated so that only the owner of the material can access it.
Credentials are stored in the registry under the key
HKEY_CURRENT_USER\Software\Microsoft\Protected Storage System Provider\
Many Windows applications use this feature; Internet Explorer, Outlook and Outlook Express, for
example, store user names and passwords using this service. This feature enumerates those entries
and decodes the following types of credentials:
- MS Outlook 2002's passwords (POP3, SMTP, IMAP, HTTP)
- Outlook Express's passwords (POP3, NNTP, SMTP, IMAP, HTTP, LDAP, HTTP-Mail)
- Outlook Express Identities
- MS Outlook's passwords (POP3, NNTP, SMTP, IMAP, LDAP, HTTP-Mail)
- MSN Explorer's Sign In passwords
- MSN Explorer's Auto Complete passwords
- Internet Explorer's protected sites passwords
- Internet Explorer's Auto complete passwords

LSA Secrets
LSA Secrets are used to store information such as the passwords for service accounts used to
start services under an account other than Local System. Dial-Up credentials and other
application-defined passwords also reside here.

Wireless Password Dumper


This feature enables the recovery of wireless keys stored by the Windows Wireless
Configuration Service. WEP keys are automatically decoded. WPA-PSK keys are displayed in their
hexadecimal format because the stored value is derived from the passphrase with the SHA1 one-way
hashing function, so the original passphrase cannot be recovered from it.

Dial-Up Password
The Dial-Up Password Decoder reveals passwords stored by the Windows "Dial-Up Networking" component. RAS credentials
are usually stored in the LSA Secret "L$_RasDefaultCredentials", while all other connection parameters (phone number, IP
address, ...) reside in Phonebook files (.pbk).

Enterprise Manager Password Decoder


Enterprise Manager is a Windows application used to manage Microsoft SQL Server 7.0 and
2000. When configured to use SQL Server authentication, Enterprise Manager stores the connection
credentials in the registry under the following keys:
SQL 2000: HKEY_CURRENT_USER\Software\Microsoft\Microsoft SQL Server\80\Tools\SQLEW\Registered Servers X\
SQL 7.0: HKEY_CURRENT_USER\Software\Microsoft\MSSQLServer\SQLEW\Registered Servers X\

Credential Manager Password Decoder


Credential Manager is a new solution that Microsoft offers in Windows Server 2003 and
Windows XP to provide a secured store for credential information. It allows users to enter user
names and passwords for various network resources and applications once; the system then
automatically supplies that information on subsequent visits to those resources without any
further user involvement.
Credential Manager stores the supplied passwords in the so-called "Enterprise Credential Set"
of the local machine. This set of credentials is stored, encrypted, in the file:
\Documents and Settings\%Username%\Application Data\Microsoft\Credentials\%UserSID%\Credentials
There is also another set used for credentials that should persist on the local machine only
and cannot be used in roaming profiles; this is called the "Local Credential Set" and it refers to the file:
\Documents and Settings\%Username%\Local Settings\Application Data\Microsoft\Credentials\%UserSID%\Credentials
According to the MSDN documentation, Credential Manager can store different types of
credentials in the form of passwords, security or certificate files.
Value                                Description
CRED_TYPE_GENERIC                    The credential is a generic credential. The
                                     credential will not be used by any particular
                                     authentication package. The credential will be
                                     stored securely but has no other significant
                                     characteristics.
CRED_TYPE_DOMAIN_PASSWORD            The credential is a password credential and is
                                     specific to Microsoft's authentication packages.
                                     The NTLM, Kerberos, and Negotiate authentication
                                     packages will automatically use this credential
                                     when connecting to the named target.
CRED_TYPE_DOMAIN_CERTIFICATE         The credential is a certificate credential and is
                                     specific to Microsoft's authentication packages.
CRED_TYPE_DOMAIN_VISIBLE_PASSWORD    The credential is a password credential and is
                                     specific to Microsoft's authentication packages.
                                     The Passport authentication package will
                                     automatically use this credential when connecting
                                     to the named target.

* Non-developer users can interact with Credential Manager using the application "Stored User Names and Passwords",
which can be found under: Start -> Settings -> Control Panel -> User Accounts -> %Account% -> Manage my network
passwords.

Window Vault
This feature lists the stored user names and passwords of resources used on the
particular system.

NETWORK
The Network Enumerator uses the native Windows network management functions (Net*)
to discover what is present on the network. It allows a quick identification of Domain Controllers,
SQL Servers, Printer Servers, Remote Access Dial-In Servers, Novell Servers, Apple File Servers,
Terminal Servers and so on. Where possible, it can also display the version of their operating system.
The left tree is used to browse the entire network and the Quick List to connect to remote
machines; once connected to a server, one can also enumerate the user names, groups, services and
shares present on it. By default the program connects to remote IPC$ shares using the currently
logged-on local user and, if that fails, using NULL sessions (anonymous sessions); however, it is also possible
to specify the credentials to be used for the connection. The Quick List can be used to insert the IP
addresses of hosts that are seen while browsing the network.

SNIFFER
Cain's sniffer is principally focused on the capture of passwords and authentication
information travelling on the network. It has been developed to work on switched networks by
means of APR (ARP Poison Routing).
Protocol Filters
A BPF (Berkeley Packet Filter) is hard-coded into the protocol driver and performs some initial
traffic screening. The filter instructs the protocol driver to process only ARP and IP traffic.
Password Filters
The sniffer includes several password filters that can be enabled/disabled from the main
configuration dialog; they are used to capture credentials from many different protocols (FTP,
HTTP, POP3, MySQL, etc.).
Cain uses different protocol state machines to extract from network packets all the
information needed to recover the plain-text form of a transmitted password. Some authentication
protocols use a challenge-response mechanism, so both directions of the conversation (the server's
challenge and the client's response) must be captured. On switched networks this can be achieved with a
mirror port on the switch or when APR reaches the FULL-Routing state.

When APR (ARP Poison Routing) is enabled, the sniffer must process packets that normally
aren't seen and also re-route them to the correct destination; this can cause performance
bottlenecks on heavy-traffic networks. APR's main advantage is that it enables sniffing on switched
networks and also permits the analysis of encrypted protocols such as HTTPS and SSH-1.
Passwords and hashes are stored in .LST files in the program's directory. These files are
TAB-separated, so they can be viewed or imported with a preferred text editor or spreadsheet (e.g. POP3.LST contains
passwords and hashes sniffed from the POP3 protocol). For the HTTPS, SSH-1 and Telnet protocols,
entire sessions are decrypted and dumped into text files.
Routing Protocols Analysis
Routing protocols like VRRP, HSRP, RIP, OSPF, EIGRP are also analyzed by the program. This
enables a quick identification of the subnet routing and perimeter.

APR (ARP Poison Routing) is a main feature of the program. This type of attack is based on
the manipulation of the hosts' ARP caches. When two hosts want to communicate with each other,
they must know each other's MAC addresses; when the source host's ARP table does not contain the MAC
address of the destination, it broadcasts an ARP request. Although this ARP request reaches every host in the
network, only the host addressed by the request replies. ARP has no authentication, so a host that
accepts forged replies ends up communicating with the wrong MAC address; this is the basis of the
Man in the Middle attack.
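The ARP-cache manipulation described above leaves two footprints that a host or a monitoring sensor can detect: an IP address whose MAC binding suddenly changes, and one MAC address answering for several IP addresses. The following Python is an added example, not code from this report or from Cain & Abel; it replays a constructed list of ARP replies (all addresses made up for the illustration) and raises an alert for each footprint.

```python
"""Detect the ARP-cache manipulation that APR relies on.

Added example, not code from the report or from Cain & Abel: it replays
constructed ARP reply records the way a host (or a monitoring sensor) would
learn IP-to-MAC bindings and flags the two symptoms of poisoning:
  * an IP address that suddenly resolves to a different MAC address, and
  * one MAC address claiming several IP addresses (e.g. gateway and victim).
"""
from collections import defaultdict

# Constructed sample: (seconds, sender IP, sender MAC) taken from ARP replies.
# The last two rows imitate one station claiming both the gateway (.1) and a
# workstation (.10); every address here is made up for this illustration.
SAMPLE_REPLIES = [
    (0.0, "192.168.1.1", "00:11:22:33:44:01"),
    (0.5, "192.168.1.10", "00:11:22:33:44:0a"),
    (1.0, "192.168.1.20", "00:11:22:33:44:14"),
    (2.0, "192.168.1.1", "de:ad:be:ef:00:01"),
    (2.1, "192.168.1.10", "de:ad:be:ef:00:01"),
]


def detect_arp_anomalies(replies):
    """Return a list of alert strings for the replies, in order of detection."""
    bindings = {}                      # ip -> MAC currently believed
    ips_per_mac = defaultdict(set)     # MAC -> every IP it has claimed
    alerts = []
    for seconds, ip, mac in replies:
        previous = bindings.get(ip)
        if previous is not None and previous != mac:
            alerts.append(f"{seconds:.1f}s: {ip} changed {previous} -> {mac}")
        bindings[ip] = mac
        ips_per_mac[mac].add(ip)
        if len(ips_per_mac[mac]) > 1:
            claimed = ", ".join(sorted(ips_per_mac[mac]))
            alerts.append(f"{seconds:.1f}s: {mac} claims {claimed}")
    return alerts


def learned_bindings(replies):
    """Final IP -> MAC table a naive host would hold after the replies."""
    table = {}
    for _, ip, mac in replies:
        table[ip] = mac
    return table


if __name__ == "__main__":
    for alert in detect_arp_anomalies(SAMPLE_REPLIES):
        print(alert)
```

The "changed" alert is the same signal that tools such as arpwatch report; the countermeasures on the network side are static ARP entries for the default gateway on critical hosts and Dynamic ARP Inspection on managed switches, which drops replies that do not match the DHCP snooping table.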

CRACKER
Enables the recovery of clear-text passwords scrambled using several hashing or encryption
algorithms. All crackers support Dictionary and Brute-Force attacks.
Password crackers can be found in the program under the "Cracker" sub-tab. The tree on the
left allows you to select the list containing the encrypted passwords or hashes to crack. The
selected entries are then loaded into the Dictionary / Brute-Force dialog using the corresponding
function in the list's pop-up menu.

In a brute-force attack, the computer tries all the possible combinations in the hope that at
least one will work. This method of breaking passwords is very time consuming and the success
rate remains very low, especially for strong passwords. For example, even if a password length is
known precisely to be 9 characters, the brute-force attack may take up to 8 days to break it.

The dictionary attack could be faster than brute force but it again depends upon the size of
the dictionary. In this case, a dictionary file containing one word per line is provided as an input file
to the Cain & Abel software. The software then tries each word as the password and stops as soon
as the password is matched. This type of attack is used to break computer login passwords.

WIRELESS SCANNER
Cain's wireless scanner scans the wireless networks that are in range of the computer. It
detects Wireless Local Area Networks (WLANs) using 802.11x.
How the Active Scanner works
The active scanner opens the wireless network adapter using the Winpcap protocol driver;
it then uses the "Packet Request" function of the same driver to communicate with the wireless
network card. This API can be used from Windows User Mode to perform a query/set operation
on an internal variable of the network card driver.
Passive Scanner
The passive scanner recognizes wireless Access Points (upper list) and clients (lower list) by
decoding 802.11b/g packets that travel over the air, in a completely passive way. The "Channel
Hopping" feature changes the frequency of the adapter every second and lets you discover wireless
networks on different channels. Cain also supports automatic ARP Request injection (to speed up
the collection of unique WEP IVs) and the capture of WPA-PSK authentication hashes.
Requirements
This feature requires a Windows-compatible wireless network interface and the Winpcap protocol
driver. The Passive Scan feature requires the AirPcap adapter and drivers from CACE Technologies.

QUERY
The query feature allows a user to open Excel files, dBase or MS Access databases and search
the records using commands of the Structured Query Language (SQL).
The scope of SQL includes data insert, query, update and delete, schema creation and
modification, and data access control. Although SQL is often described as, and to a great extent is, a
declarative language (4GL), it also includes procedural elements. The most common operation in
SQL is the query, which is performed with the declarative SELECT statement. SELECT retrieves data
from one or more tables, or expressions. Standard SELECT statements have no persistent effects on
the database. A query includes a list of columns to include in the final result, immediately following
the SELECT keyword. An asterisk ("*") can also be used to specify that the query should return all
columns of the queried tables. SELECT is the most complex statement in SQL, with optional
keywords and clauses that include:

- The FROM clause, which indicates the table(s) to retrieve data from. The FROM clause can
  include optional JOIN sub-clauses to specify the rules for joining tables.
- The WHERE clause, which includes a comparison predicate that restricts the rows returned by the
  query. The WHERE clause eliminates all rows from the result set for which the comparison
  predicate does not evaluate to True.

The following example shows the result of the simple SQL query "SELECT * FROM [Table1]", which
selects and displays all records of the table named Table1. Table1 has two fields, namely "Tools" and
"Projects".

The contents of each of these tables can also be viewed through OXID by right-clicking on Table1 and
clicking on "Return All Rows". An example is shown below:

Queries may be entered either in the Query statement box or run by clicking on the VIEW
drop-down list and selecting the query. For example, to select the "Tools" of the "Electronics"
Project, one may execute the query shown below:
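The two queries described in this section, as an added example that is not part of the original report: it rebuilds a Table1 with the fields "Tools" and "Projects" in an in-memory SQLite database (the rows are constructed, since the report's screenshot is not reproduced here), runs "SELECT * FROM Table1", and then restricts the result with a WHERE clause on Projects. The project name is passed as a bound parameter rather than pasted into the SQL text, which is the habit that keeps a search box from becoming an injection point.

```python
"""SELECT / FROM / WHERE on the report's Table1, as an added example.

Not part of the original report: it rebuilds the Table1 shown in the Query
section (fields "Tools" and "Projects") in an in-memory SQLite database with
constructed rows, then runs the two queries the text describes.
"""
import sqlite3

# Constructed rows for Table1; the report's screenshot is not reproduced here.
SAMPLE_ROWS = [
    ("Oscilloscope", "Electronics"),
    ("Soldering iron", "Electronics"),
    ("Compiler", "Software"),
    ("Debugger", "Software"),
]


def build_sample_db():
    """Create Table1(Tools, Projects) in memory and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Table1 (Tools TEXT NOT NULL, Projects TEXT NOT NULL)")
    conn.executemany("INSERT INTO Table1 (Tools, Projects) VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def select_all():
    """SELECT * FROM Table1: every column of every row, no filtering."""
    conn = build_sample_db()
    try:
        return conn.execute("SELECT * FROM Table1 ORDER BY Tools").fetchall()
    finally:
        conn.close()


def tools_for_project(project):
    """SELECT Tools FROM Table1 WHERE Projects = ?

    The WHERE clause drops every row whose predicate is not True. The value is
    bound as a parameter instead of being spliced into the SQL text, so user
    input cannot alter the statement itself.
    """
    conn = build_sample_db()
    try:
        rows = conn.execute(
            "SELECT Tools FROM Table1 WHERE Projects = ? ORDER BY Tools", (project,)
        ).fetchall()
        return [tools for (tools,) in rows]
    finally:
        conn.close()


if __name__ == "__main__":
    for row in select_all():
        print(row)
    print(tools_for_project("Electronics"))
```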

CCDU
The CISCO Configuration Downloader/Uploader is used to upload and download configuration files
for CISCO devices via SNMP. It is a hardware-related feature.

TOOLS
The tools that are defined in Cain & Abel are:
Route Table & TCP/IP Tables
These tables can be viewed through the Alt+R and Alt+P shortcuts or from the toolbar
in the Tools menu.

Base64 Password Decoder


Base64 is a group of similar binary-to-text encoding schemes that represent binary data in an
ASCII string format by translating it into a radix-64 representation. The term Base64 originates from
a specific MIME content transfer encoding.
Base64 encoding schemes are commonly used when there is a need to encode binary data
that needs to be stored and transferred over media that are designed to deal with textual data. This
is to ensure that the data remains intact without modification during transport. Base64 is commonly
used in a number of applications including email via MIME, and storing complex data in XML. It is an
encoding, not encryption: anyone who obtains a Base64 string can decode it.
The ALT+6 shortcut is used to access the Base64 password decoder. Alternatively, one can click on the
Tools menu and then on the Base64 Password Decoder option. A button to access this feature is also
available on the OXID toolbar. A screenshot of a decoded password (password = XenShi) is shown
below.
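As an added example, not code from the report or from the Cain & Abel project, the following Python carries out the radix-64 translation described above by hand (three bytes become four six-bit symbols, with "=" padding for a short final group), checks the result against Python's own base64 module, and then decodes a constructed HTTP Basic Authentication header. The header value and the user:XenShi credential it carries are made up for this illustration; the point is that a Base64 "protected" password is recovered by anyone who sees the bytes.

```python
"""Radix-64 encoding by hand, plus a Basic-auth header decode.

Added example, not code from the report or from Cain & Abel. It implements the
Base64 translation the text describes (3 bytes -> 4 six-bit symbols, '='
padding), checks the result against Python's base64 module, and decodes a
constructed HTTP "Authorization: Basic ..." header to show why Base64 does not
protect credentials: the user:XenShi pair below is made up for this example.
"""
import base64

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
DECODE_MAP = {ch: i for i, ch in enumerate(ALPHABET)}


def b64encode_manual(data: bytes) -> str:
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        # Right-pad the chunk with zero bytes so it always forms 24 bits.
        n = int.from_bytes(chunk.ljust(3, b"\0"), "big")
        sextets = [(n >> 18) & 63, (n >> 12) & 63, (n >> 6) & 63, n & 63]
        keep = len(chunk) + 1          # 3 bytes -> 4 symbols, 2 -> 3, 1 -> 2
        out.append("".join(ALPHABET[s] for s in sextets[:keep]))
        out.append("=" * (4 - keep))   # '=' marks the missing input bytes
    return "".join(out)


def b64decode_manual(text: str) -> bytes:
    text = text.strip()
    if len(text) % 4 != 0 or any(ch not in DECODE_MAP and ch != "=" for ch in text):
        raise ValueError("not valid Base64")
    out = bytearray()
    for i in range(0, len(text), 4):
        block = text[i:i + 4]
        pad = block.count("=")
        # Padding may only appear at the very end, at most two symbols.
        if pad and (pad > 2 or not block.endswith("=" * pad) or i + 4 != len(text)):
            raise ValueError("bad padding")
        n = 0
        for ch in block:
            n = (n << 6) | (DECODE_MAP[ch] if ch != "=" else 0)
        out += n.to_bytes(3, "big")[:3 - pad]
    return bytes(out)


def matches_stdlib(max_len: int = 64) -> bool:
    """Round-trip every length from 0 to max_len against the base64 module."""
    for length in range(max_len + 1):
        raw = bytes(range(length))
        enc = b64encode_manual(raw)
        if enc != base64.b64encode(raw).decode("ascii") or b64decode_manual(enc) != raw:
            return False
    return True


def decode_basic_auth(header_value: str):
    """Split an 'Authorization: Basic <b64>' value into (user, password)."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic authentication header")
    user, _, password = b64decode_manual(token).decode("utf-8").partition(":")
    return user, password


# Constructed header; it is not data from the report.
SAMPLE_HEADER = "Basic dXNlcjpYZW5TaGk="

if __name__ == "__main__":
    print(decode_basic_auth(SAMPLE_HEADER))
```

Because Basic authentication is nothing more than this encoding, it is only acceptable inside TLS; a sniffer on a plain HTTP path recovers the credential exactly as the function above does.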

ACCESS Database Password Decoder


Introduction
Microsoft Access, also known as Microsoft Office Access, is a database management system
from Microsoft that combines the relational Microsoft Jet Database Engine with a graphical user
interface and software-development tools. It is a member of the Microsoft Office suite of
applications, included in the Professional and higher editions or sold separately.

Microsoft Access stores data in its own format based on the Access Jet Database Engine. It can also
import or link directly to data stored in other applications and databases.
Breaking Into Access Passwords
Due to the fact that OXID is designed for Windows XP or earlier version of Microsoft
operating systems, it can only be used to break passwords of MS Access 2003 or earlier versions
(.mdb format not .accdb format).
In order to break MS Access database passwords, one can either press CTRL+A or choose
Access Database Password Decoder from the Tools menu. In the pop-up form that appears on the
screen, one can choose the MS Access database filename and OXID can instantly provide the
password of that database. A screenshot of the example is shown below, in which the decrypted
password ('sony') can be seen.

CISCO Type 7 Password Decoder


CISCO IOS stands for Cisco Internetworking Operating System. IOS can be thought of as the Cisco
router's operating system. There are three different types of CISCO IOS passwords:
1. Cisco IOS Type 0 Passwords
Type 0 passwords use no encryption. Only the digit 0 is added before the password in this type.
2. Cisco IOS Type 7 Passwords
Cisco IOS Type 7 passwords are encrypted with a reversible algorithm that is much weaker than that
of Type 5 passwords. An example of Cisco Type-7 password decryption is shown below.
The password used was 'Xenshi'; it was encrypted through an online encryption and decryption
tool available at m00nie.com and entered in OXID for decryption.

3. Cisco IOS Type 5 Passwords


Passwords of this type are hashed using the MD5 algorithm and are used by Cisco IOS for
the enable secret password. The MD5 message-digest algorithm is a widely used
cryptographic hash function producing a 128-bit (16-byte) hash value, typically expressed in
text format as a 32-digit hexadecimal number. MD5 has been utilized in a wide variety of
cryptographic applications, and is also commonly used to verify data integrity.
*This feature is not supported in the OXID application.
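The three password types above are what a configuration audit looks for: Type 0 is cleartext, Type 7 is reversible and is undone by tools such as Cain & Abel, and Type 5 is an MD5-based hash. The following Python is an added example, not code from this report or from Cain & Abel. It scans a constructed IOS configuration (every value and hash in it is a placeholder) and reports, per line, which type is in use and how to treat it; it deliberately decodes nothing, since the defender's task is to find the weak types and replace them.

```python
"""Classify password lines in a Cisco IOS configuration by their type.

Added example (not from the report or from Cain & Abel): it scans constructed
IOS configuration text for the three password types the section describes and
reports which ones an auditor should treat as exposed. Type 0 is cleartext,
Type 7 is a reversible obfuscation that tools such as Cain & Abel undo, and
Type 5 is an MD5-based hash. Nothing here decodes a password; the goal is to
find where weak types are still in use so they can be replaced.
"""
import re

# Matches "password 7 <value>", "secret 5 <value>" and "password <value>"
# (implicit type 0) wherever they appear on a line (username, line vty, enable).
PASSWORD_RE = re.compile(r"\b(password|secret)\s+(?:(\d+)\s+)?(\S+)")

RISK = {
    0: "cleartext: must be replaced",
    7: "reversible obfuscation: treat as cleartext and replace",
    5: "MD5 hash: acceptable on legacy IOS, prefer stronger types where available",
}

# Constructed configuration; hashes and values are placeholders, not real data.
SAMPLE_CONFIG = """\
hostname edge-router
enable secret 5 $1$CONSTRUCTED$PLACEHOLDERHASHxxxxxxx
username admin password 7 0123456789ABCDEF0123
username backup password 0 constructed-plain
line con 0
 password plaintext123
line vty 0 4
 password 7 ABCDEF0123456789
 login
"""


def audit_ios_config(config_text):
    """Return (line_no, keyword, type, risk) for every password-bearing line."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        m = PASSWORD_RE.search(line)
        if not m:
            continue
        keyword, type_digits, _value = m.groups()   # value is never echoed
        ptype = int(type_digits) if type_digits is not None else 0
        risk = RISK.get(ptype, "unknown type: review manually")
        findings.append((line_no, keyword, ptype, risk))
    return findings


def weak_password_lines(config_text):
    """Line numbers whose password is stored as type 0 or type 7."""
    return [ln for ln, _kw, ptype, _risk in audit_ios_config(config_text)
            if ptype in (0, 7)]


if __name__ == "__main__":
    for finding in audit_ios_config(SAMPLE_CONFIG):
        print(finding)
```

On the constructed configuration the audit flags four of the five password lines; the remediation the section implies is to move the enable password to an "enable secret" and to stop storing user and line passwords as Type 0 or Type 7.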

CISCO VPN Client Password Decoder


The Cisco Systems VPN Client was a software application for connecting to a virtual private
network. The client makes the remote resources of another network available in a secure way, as if the
user were connected directly to that "private" network. The client uses profile files (.pcf) that store
VPN passwords either obfuscated with the Type 7 algorithm or stored as cleartext. A vulnerability has been identified,
and those passwords can easily be decoded using software or online services. To work around these
issues, network administrators are advised to use the Mutual Group Authentication feature, or to use
unique passwords (that aren't related to other important network passwords).
Example
Say, for example, the password is MySecretpass200. The enc_GroupPwd and enc_UserPassword entries
contain the encrypted passwords. One .pcf file looks like this:
[main]
UserPassword=
enc_UserPassword=
Description=
Host=vpn.mywork.com
AuthType=1
GroupName=Sales
GroupPwd=
enc_GroupPwd=071B15CA6E98F1D339D9B25BE350DAAB9A1C5E0B6499850B610E631FCBFB79A91E4E8FDFF813E064DCECFE6A5233998DC58C9DB8099435DE
EnableISPConnect=0
ISPConnectType=0
ISPConnect=MyWork
.......

When this enc_GroupPwd value is entered in OXID, it reveals the actual password, as shown in the
screenshot below.

VNC Password Decoder


vncpasswd allows one to set the password used to access VNC desktops. Its default behavior is to
prompt for a VNC password and then store an obfuscated version of this password in passwd-file (or
in $HOME/.vnc/passwd if no password file is specified). The vncserver script runs vncpasswd the
first time you start a VNC desktop, and it invokes Xvnc with the appropriate -rfbauth option. vncviewer
can also be given a password file to use via the -passwd option.
The password must be at least six characters long (unless the -f command-line option is
used), and only the first eight characters are significant. Note that the stored password is not
encrypted securely: anyone who has access to this file can trivially find out the plain-text password,
so vncpasswd always sets appropriate permissions (read and write only by the owner). However,
when accessing a VNC desktop, a challenge-response mechanism is used over the wire, making it
hard for anyone to crack the password simply by snooping on the network.
Example: A screenshot of a VNC password decrypted from its hex form is given below. The encrypted password was
obtained from the Hash Calculator provided by OXID and re-entered into the VNC Password Decoder to
verify the results.

Hash Calculator
A cryptographic hash function is a hash function which is considered practically impossible to invert,
that is, to recreate the input data from its hash value alone. These one-way hash functions have
been called "the workhorses of modern cryptography".
One of the applications of cryptographic hash functions is to verify the integrity of files or messages.
Determining whether any changes have been made to a message (or a file), for example, can be
accomplished by comparing message digests calculated before and after transmission (or any other
event). MD5, SHA1 or SHA2 hashes are sometimes posted along with files on websites or forums to
allow verification of integrity.
MD5
The MD5 message-digest algorithm is a widely used cryptographic hash function producing a 128-bit
(16-byte) hash value, typically expressed in text format as a 32-digit hexadecimal number. MD5 has
been utilized in a wide variety of cryptographic applications, and is also commonly used to verify
data integrity.
SHA1
In cryptography, SHA-1 (SHA stands for "secure hash algorithm") is a cryptographic hash function
designed by the United States National Security Agency and is a U.S. Federal Information Processing
Standard published by the United States NIST.
SHA-1 produces a 160-bit (20-byte) hash value. A SHA-1 hash value is typically rendered as a
hexadecimal number, 40 digits long.
Application Example: The Hash Calculator of OXID produces digests in different formats (MD2, MD4, MD5, SHA-2,
etc.). The following table shows the password 'Crypto123' hashed using various
algorithms (described above and more).
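The integrity use of a hash described in this section, as an added example that is not code from the report or from Cain & Abel: the Python below computes the same kinds of digests the Hash Calculator displays (MD5, SHA-1 and SHA-256 of the page's 'Crypto123' sample) and then walks through a publish-and-verify cycle on a constructed file, showing that a single changed byte is caught. MD5 and SHA-1 are no longer collision-resistant, so a publisher should post SHA-256; the digest comparison uses hmac.compare_digest so the check itself does not leak timing information.

```python
"""Digests with hashlib and a file-integrity check, as an added example.

Not code from the report or from Cain & Abel: it computes the same kind of
digests the Hash Calculator shows (MD5, SHA-1, SHA-256) and then demonstrates
the integrity use of a hash the section describes: a constructed file is
hashed, verified, tampered with, and verified again. The comparison uses
hmac.compare_digest so that the check does not leak timing information.
"""
import hashlib
import hmac
import os
import tempfile

ALGORITHMS = ("md5", "sha1", "sha256")


def digests(data: bytes) -> dict:
    """Hex digests of data under each algorithm in ALGORITHMS."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def file_digest(path: str, algorithm: str = "sha256", chunk_size: int = 65536) -> str:
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_file(path: str, expected_hex: str, algorithm: str = "sha256") -> bool:
    """True only if the file's digest equals the published one."""
    return hmac.compare_digest(file_digest(path, algorithm), expected_hex.lower())


def demo_integrity_check():
    """Write a constructed file, verify it, tamper with one byte, re-verify.

    Returns (verified_before, verified_after); the expected result is (True, False).
    """
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(b"constructed download contents\n")
        published = file_digest(path)              # what a site would post
        before = verify_file(path, published)
        with open(path, "r+b") as fh:              # flip one byte in place
            fh.seek(0)
            fh.write(b"C")
        after = verify_file(path, published)
    finally:
        os.remove(path)
    return before, after


if __name__ == "__main__":
    for name, value in digests(b"Crypto123").items():
        print(f"{name:7} {value}")
    print(demo_integrity_check())
```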

RSA SecurID Token Calculator


SecurID, now known as RSA SecurID, is a mechanism developed by Security Dynamics (later RSA
Security and now RSA, The Security Division of EMC) for performing two-factor authentication of a
user to a network resource.
The RSA SecurID authentication mechanism consists of a "token", either hardware (e.g. a USB
dongle) or software (a soft token), which is assigned to a computer user and which generates an
authentication code at fixed intervals (usually 60 seconds) using a built-in clock and the card's
factory-encoded random key (known as the "seed"). The seed is different for each token, and is
loaded into the corresponding RSA SecurID server (RSA Authentication Manager, formerly
ACE/Server) as the tokens are purchased.

Abel
Abel is the second part of the program. Designed as a Windows NT service, it is composed of two
files, "Abel.exe" and "Abel.dll"; the first is the main service executable and the second is a
library that contains some required functions. Although Cain is Abel's main front-end, it does not
need to be installed for Abel to work. The service can be installed locally or remotely (using Cain)
and requires Administrator privileges on the target machine. Once installed, like all other NT
services, it can be managed using the standard Windows tools or Cain's Service Manager.
Abel communicates with Cain using the Windows named pipe "\\computername\pipe\abel" and
it can accept connections from multiple hosts at the same time. All data transmitted over this pipe is
encrypted using the RC4 symmetric encryption algorithm and the fixed key "Cain & Abel". This is
done only to scramble the traffic sent on the network and not to hide the program's intentions.

REFERENCES
http://www.oxid.it
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/dpapiusercredentials.asp (provides more information about credentials)
http://en.wikipedia.org/wiki/SQL
http://en.wikipedia.org/wiki/Base64
http://en.wikipedia.org/wiki/Microsoft_Access
http://pen-testing.sans.org/resources/papers/gcih/cisco-ios-type-7-password-vulnerability-100566
http://en.wikipedia.org/wiki/MD5
https://www.m00nie.com/type-7-password-tool/
http://en.wikipedia.org/wiki/Cisco_Systems_VPN_Client
http://www.base64online.com/Cisco-vpn-client-password-cracker.php
http://linux.die.net/man/1/vncpasswd
http://en.wikipedia.org/wiki/Cryptographic_hash_function
http://en.wikipedia.org/wiki/MD5
http://en.wikipedia.org/wiki/SHA-1
http://en.wikipedia.org/wiki/SecurID
