Hack, sniff or recover various kinds of passwords with the Cain & Abel tool
Posted by Tinymouse | Posted in Hack - Mod | Posted on 9:12 PM
Cain & Abel is a password recovery tool for Microsoft operating systems. It allows easy recovery of various kinds of passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, recovering wireless network keys, revealing password boxes, uncovering cached passwords and analyzing routing protocols. The program does not exploit any software vulnerabilities or bugs that could not be fixed with little effort. It covers some security weaknesses present in protocol standards, authentication methods and caching mechanisms; its main purpose is the simplified recovery of passwords and credentials from various sources, but it also ships some "non standard" utilities for Microsoft Windows users.
Cain & Abel has been developed in the hope that it will be useful for network administrators, teachers, security consultants/professionals, forensic staff, security software vendors, professional penetration testers and everyone else who plans to use it for ethical reasons. The author will not help or support any illegal activity done with this program. Be warned that there is the possibility that you will cause damage and/or loss of data using this software and that in no event shall the author be liable for such damage or loss of data. Please carefully read the License Agreement included in the program before using it.
The latest version is faster and contains a lot of new features, such as APR (Arp Poison Routing), which enables sniffing on switched LANs and Man-in-the-Middle attacks. The sniffer in this version can also analyze encrypted protocols such as SSH-1 and HTTPS, and contains filters to capture credentials from a wide range of authentication mechanisms. The new version also ships routing protocol authentication monitors and route extractors, dictionary and brute-force crackers for all common hashing algorithms and for several specific authentications, password/hash calculators, cryptanalysis attacks, password decoders and some not so common utilities related to network and system security.
Download Cain & Abel v2.0 for Windows 9x (discontinued and not supported anymore)
MD5 - A14185FAFC1A0A433752A75C0B8CE15D
SHA1 - 8F310D3BECC4D18803AF31575E8035B44FE37418
Download Cain & Abel v4.9.14 for Windows NT/2000/XP
MD5 - 5F4B104ABC446D90637F19D5FA5AB5BF
SHA1 - 8CC66CBF263785331F94F1E13299192909B039AD
WARNING !!! The password list file format changed between version 4.9.10 and 4.9.14. Old LST files are no longer compatible, so it is strongly suggested that you back up your files before upgrading to this new release.
Cain & Abel User Manual is included in the installation package and also available on-line so you can view all the program's features without the need to install the program. The on-line version of the manual requires a JavaScript enabled browser.
View Cain & Abel on-line User Manual
Installation
Cain & Abel is a two part program distributed at http://www.oxid.it as a Self-Installing executable package named "ca_setup.exe".
Cain (Cain.exe) is the main GUI application; Abel is a Windows service composed of two files: Abel.exe and Abel.dll.
Requirements
The current version requires the following items:
- 10Mb Hard-Disk space
- Microsoft Windows 2000/XP/2003
- Winpcap Packet Driver (v2.3 or above; AirPcap adapter is supported from Winpcap version 4.0). Please check the documentation on their site.
- Airpcap Packet Driver (for passive wireless sniffer / WEP cracker).
Setup
Just run the Self-Installing executable package and follow the installation instructions.
The package will copy all the files needed by the program into the installation directory.
Installation Files
Cain's setup program will install and/or replace these files in your system:
- Cain.exe [the main executable program]
- Cain.exe.sig [author's PGP signature of the file Cain.exe]
- CA_UserManual.chm [the user manual]
- Abel.exe [the executable of the Windows service named Abel ]
- Abel.exe.sig [author's PGP signature of the file Abel.exe]
- Abel.dll [a DLL file needed by the program]
- Abel.dll.sig [author's PGP signature of the file Abel.dll]
- Uninstal.exe [the uninstallation program]
- Wordlist.txt [a little word list file]
- Install.log [the log file of the installation package, you can check everything modified on your system here]
- Whatsnew.txt [contains differences between versions]
- oui.txt [a list file that contains vendor information about MAC addresses]
All the above files will be installed in the Installation directory and subdirectories.
Abel Installation
Abel is a Windows NT service composed of two files: "Abel.exe" and "Abel.dll". These files are copied by the installation package into the program's directory but the service is NOT automatically installed on the system.
Abel can be installed locally or remotely (using Cain) and requires Administrator's privileges on the target machine.
LOCAL INSTALLATION:
1) Copy the files Abel.exe and Abel.dll into the %WINNT% directory (E.G.: C:\WINNT or C:\Windows)
2) Launch Abel.exe to install the service (it is not automatically started)
3) Start the service using the Windows Service Manager (services.msc)
REMOTE INSTALLATION:
1) Use the "Network TAB" in Cain and choose the target remote computer where you want to install Abel
2) Right click on the computer icon in the left tree and select "Connect As"
3) Provide Administrator's credentials for the remote system
4) Once connected right click on the "Services" icon and select the menu entry "Install Abel"
5) That's it! The two files "Abel.exe" and "Abel.dll" will automatically be copied to the remote machine's system root directory (i.e. C:\winnt or C:\Windows); the service will automatically be installed and started.
Registry Modifications
Like any other setup program, Cain's installer makes changes to your registry. Whenever registry changes are made, it is advisable to back up your registry first.
Cain's settings are all located under the HKEY_CURRENT_USER\Software\Cain registry key.
Dependencies
Cain.exe depends on or requires the following libraries: Abel.dll, Crypt32.dll, Pstorec.dll, Kernel32.dll, Advapi32.dll, Comctl32.dll, Comdlg32.dll, Gdi32.dll, Iphlpapi.dll, Mpr.dll, NetApi32.dll, Odbc32.dll, Ole32.dll, Oleaut32.dll, Packet.dll (Winpcap), Rasapi32.dll, Rpcrt4.dll, Shell32.dll, User32.dll, Wpcap.dll (Winpcap), Airpcap.dll (AirPcap), Ws2_32.dll, Wsnmp32.dll.
Abel.exe depends on or requires the following libraries: Abel.dll, Kernel32.dll, Advapi32.dll, Iphlpapi.dll, User32.dll, Ws2_32.dll.
Abel.dll depends on or requires the following libraries: Lsasrv.dll, Kernel32.dll, Advapi32.dll, User32.dll, samsrv.dll.
Post installation generated files
Cain will create the following files (comma separated list files) in the program's installation directory:
Cracker
- APOP-MD5.LST [contains a list of credentials of type APOP-MD5]
- CRAM-MD5.LST [contains a list of credentials of type CRAM-MD5]
- PIX-MD5.LST [contains a list of credentials of type Cisco PIX]
- IOS-MD5.LST [contains a list of credentials of type Cisco IOS]
- PWLS.LST [contains a list of PWL files and relative credentials]
- NTLMv2.LST [contains a list of credentials of type NTLMv2]
- LMNT.LST [contains a list of credentials of type LM & NTLMv1]
- CACHE.LST [contains a list of credentials of type MS-CACHE]
- OSPF-MD5.LST [contains a list of credentials of type OSPF-MD5]
- RIP-MD5.LST [contains a list of credentials of type RIPv2-MD5]
- VRRP-HMAC.LST [contains a list of credentials of type VRRP-HMAC]
- VNC-3DES.LST [contains a list of credentials of type VNC Triple DES]
- MD2.LST [contains a list of hashes of type MD2]
- MD4.LST [contains a list of hashes of type MD4]
- MD5.LST [contains a list of hashes of type MD5]
- SHA-1.LST [contains a list of hashes of type SHA-1]
- SHA-2.LST [contains a list of hashes of type SHA-2]
- RIPEMD-160.LST [contains a list of hashes of type RIPEMD-160]
- K5.LST [contains a list of credentials of type Ms-Kerberos PreAuth]
- RADIUS_SHARED_HASHES.LST [contains a list of credentials of type RADIUS PreShared Key]
- IKEPSKHashes.LST [contains a list of credentials of type IKE-PSK]
- MSSQLHashes.LST [contains a list of credentials of type Microsoft SQL]
- MySQL.LST [contains a list of credentials of type MySQL]
- ORACLE.LST [contains a list of credentials of type ORACLE]
- 80211.LST [contains a list of 802.11 capture files]
- SIPHASHES.LST [contains a list of hashes used in SIP protocol]
- TOKENS.LST [contains a list of RSA token serial numbers and seeds]
- WPAPSK.LST [contains a list of hashes of type WPA-PSK]
Sniffer
- HOSTS.LST [contains a list of host information such as MAC address, IP address and hostnames]
- APR.LST [contains a list of hosts to be used in APR]
- DRR.LST [contains a list of host names and IP addresses to be used by APR-DNS]
- SSH-1.LST [contains references to files generated by SSH-1 sniffer filter]
- CERT.LST [contains references to certificate files to be used by APR-HTTPS]
- HTTPS.LST [contains references to files generated by APR-HTTPS sniffer filter]
- FTPS.LST [contains references to files generated by APR-FTPS sniffer filter]
- IMAPS.LST [contains references to files generated by APR-IMAPS sniffer filter]
- LDAPS.LST [contains references to files generated by APR-LDAPS sniffer filter]
- POP3S.LST [contains references to files generated by APR-POP3S sniffer filter]
- RDP.LST [contains references to files generated by APR-RDP sniffer filter]
- FTP.LST [contains a list of credentials captured by FTP sniffer filter]
- HTTP.LST [contains a list of credentials captured by HTTP sniffer filter]
- IMAP.LST [contains a list of credentials captured by IMAP sniffer filter]
- POP3.LST [contains a list of credentials captured by POP3 sniffer filter]
- SMB.LST [contains a list of credentials captured by Server Message Block sniffer filter]
- TELNET.LST [contains references to files generated by Telnet sniffer filter]
- VNC.LST [contains a list of credentials captured by VNC sniffer filter]
- TDS.LST [contains a list of credentials captured by TDS (Tabular Data Stream) sniffer filter]
- SMTP.LST [contains a list of credentials captured by SMTP sniffer filter]
- NNTP.LST [contains a list of credentials captured by NNTP sniffer filter]
- KRB5.LST [contains a list of credentials captured by MS-Kerberos5 sniffer filter]
- DCERPC.LST [contains a list of credentials captured by DCE/RPC sniffer filter]
- RADIUS.LST [contains a list of pre shared keys captured by RADIUS sniffer filter]
- RADIUS_USERS.LST [contains a list of user credentials captured by RADIUS sniffer filter]
- ICQ.LST [contains a list of credentials captured by ICQ sniffer filter]
- IKE-PSK.LST [contains a list of pre shared keys captured by IKE sniffer filter]
- MySQL.LST [contains a list of credentials captured by MySQL sniffer filter]
- SNMP.LST [contains a list of community strings captured by SNMP sniffer filter]
- VoIP.LST [contains a list of VoIP conversations captured by SIP/RTP sniffer filter]
- WPAPSKAUTH.LST [contains a list of credentials captured by WPAPSK sniffer filter]
Other files
- RT.LST [contains the list of Rainbow Tables to use during Cryptanalysis attacks]
- QLIST.LST [contains hosts of the quick list in the Network Tab]
- CCDU.LST [contains information about Cisco Config Downloader/Uploader View]
- HTTP_USER_FIELDS.LST [contains a list of user name fields to be used by the HTTP-FORM and HTTP-COOKIE sniffer filter]
- HTTP_PASS_FIELDS.LST [contains a list of password fields to be used by the HTTP-FORM and HTTP-COOKIE sniffer filter]
- DUMP.IVS [contains a list of WEP IVs in aircrack-ng's compatible format]
Subdirectories
Uninstallation
You can uninstall Cain from the Add/Remove Programs tool in the Control Panel or by directly executing the uninstallation program. The uninstall program will not remove the Abel service.
Abel Uninstallation
You can remove the Abel Service using Cain's Service Manager; first stop the service and then remove it.
Configuration
Cain & Abel requires the configuration of some parameters; everything can be set from the main configuration dialog.
Sniffer Tab
Here you can set the network card to be used by Cain's sniffer and APR features. The last two check boxes enable or disable these functions at program startup.
The sniffer is compatible with Winpcap drivers of version 2.3 or later; in this version only Ethernet adapters are supported by the program.

APR Tab
This is where you can configure APR (Arp Poison Routing). Cain uses a separate thread that sends ARP Poison packets to victim hosts every 30 seconds by default. This is necessary because entries in the ARP cache of remote machines can be flushed when there is no traffic. From this dialog you can set the time between each ARP Poison storm: setting this parameter to a few seconds will generate a lot of ARP network traffic, while setting a long delay may not produce the desired traffic hijacking.

The spoofing options define the addresses that Cain writes into the Ethernet and ARP headers of ARP Poison packets and re-routed packets. In this case the ARP Poison attack will be completely anonymous because the attacker's real MAC and IP addresses are never sent on the network.
If you want to enable this option you must consider that:
Ethernet address spoofing can be used only if the attacker's workstation is connected to a hub or to a network switch that does not use the "Port Security" feature. If "Port Security" is enabled on the switch, the source MAC address contained in every Ethernet frame is checked against a list of allowed MAC addresses set on the switch. If the spoofed MAC address is not in this list the switch will disable the port and you will lose connectivity.
The spoofing IP address must be a free address of your subnet. The ARP protocol does not cross routers or VLANs, so if you set a spoofing IP that is outside your subnet the remote host will reply to its default gateway and you will not see its responses. Also, if you use a spoofing IP address that is already in use in your subnet there will be an "IP address conflict" and the attack will be easily noticed. Here are some examples of valid spoofing addresses:
| Real IP address | Subnet Mask | Valid range for the spoofing IP address |
|---|---|---|
| 192.168.0.1 | 255.255.255.0 | Must be an unused address in the range 192.168.0.2 - 192.168.0.254 |
| 10.0.0.1 | 255.255.0.0 | Must be an unused address in the range 10.0.0.2 - 10.0.255.254 |
| 172.16.0.1 | 255.255.255.240 | Must be an unused address in the range 172.16.0.2 - 172.16.0.14 |
| 200.200.200.1 | 255.255.255.252 | Must be an unused address in the range 200.200.200.2 - 200.200.200.3 |
The spoofing IP address is automatically checked by the program when you press the "Apply" button; if the address is already in use in the subnet, a message box will report the problem.
The spoofing MAC address must not be present in your subnet. The presence of two identical MAC addresses on the same Layer-2 LAN can cause switch convergence problems; for this reason I decided not to let you easily set a spoofing MAC of your choice from the configuration dialog. The default value is set to 001122334455, which is an invalid address that is not supposed to exist in your network and that at the same time can be easily identified for troubleshooting. IMPORTANT ! You cannot have, on the same Layer-2 network, two or more Cain machines using APR's MAC spoofing with the same spoofed MAC address. The spoofing MAC address can be changed by modifying the registry value "SpoofMAC" at this location: "HKEY_CURRENT_USER\Software\Cain\Settings".
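From the defender's side, the APR behaviour described above (a fixed default spoofed MAC, a gateway suddenly answering from a different hardware address, one IP claimed by two MACs) is exactly what an ARP monitor should look for. The following is an added example, not code from Cain & Abel or oxid.it; the ArpRecord layout, the KNOWN_HOSTS gateway entry and the sample records are all constructed assumptions.

```python
"""Detect symptoms of ARP Poison Routing (APR) in a list of ARP records.

Added example, not part of Cain & Abel. ArpRecord and the sample
records are constructed; the gateway entry in KNOWN_HOSTS is an
assumption standing in for your own host inventory."""
from collections import defaultdict
from dataclasses import dataclass

# Cain's documented default SpoofMAC value, written as a MAC address.
DEFAULT_SPOOF_MAC = "00:11:22:33:44:55"


@dataclass(frozen=True)
class ArpRecord:
    ts: float       # seconds since capture start
    mac: str        # sender hardware address
    ip: str         # sender protocol address
    is_reply: bool  # True for an ARP reply (opcode 2)


def detect_apr(records, known_hosts):
    """Return (reason, ip, mac) findings for suspicious ARP activity."""
    findings = []
    macs_per_ip = defaultdict(set)
    for r in records:
        mac = r.mac.lower()
        # 1. The tool's default spoofed source address is a direct giveaway.
        if mac == DEFAULT_SPOOF_MAC:
            findings.append(("default_spoof_mac", r.ip, mac))
        # 2. A gateway (or other critical host) answering from an unexpected
        #    MAC is the victim<->gateway poisoning pattern.
        expected = known_hosts.get(r.ip)
        if expected and mac != expected.lower():
            findings.append(("known_host_mismatch", r.ip, mac))
        macs_per_ip[r.ip].add(mac)
    # 3. Any IP claimed by more than one MAC during the capture window.
    for ip, macs in sorted(macs_per_ip.items()):
        if len(macs) > 1:
            findings.append(("ip_mac_conflict", ip, ",".join(sorted(macs))))
    return findings


KNOWN_HOSTS = {"192.168.0.1": "aa:bb:cc:00:00:01"}  # constructed gateway entry
SAMPLE = [  # constructed records: a clean start, then poisoning from t=2s
    ArpRecord(0.0, "aa:bb:cc:00:00:01", "192.168.0.1", True),
    ArpRecord(1.0, "aa:bb:cc:00:00:10", "192.168.0.10", True),
    ArpRecord(2.0, "00:11:22:33:44:55", "192.168.0.1", True),
    ArpRecord(32.0, "00:11:22:33:44:55", "192.168.0.1", True),
    ArpRecord(33.0, "de:ad:be:ef:00:02", "192.168.0.10", True),
]

if __name__ == "__main__":
    for reason, ip, mac in detect_apr(SAMPLE, KNOWN_HOSTS):
        print(f"{reason:20s} {ip:15s} {mac}")
```

The 30-second re-poisoning interval also shows up as periodic replies from the same sender; a real monitor would add that timing check on top of these three.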
Filters and Ports Tab
Here you can enable/disable Cain's sniffer filters and the application protocol TCP/UDP ports. Cain captures only authentication information, not the entire content of each packet; however, you can use the Telnet filter to dump all the data of a TCP session into a file by changing that filter's port.
Cain's sniffer filters are internally designed to survive in an unreliable world such as a network under ARP Poison attack; Cain uses different state machines to extract from network packets all the information needed to recover the plaintext form of a transmitted password. Some authentication protocols use a challenge-response mechanism, so the sniffer needs to collect parameters from both Client->Server and Server->Client traffic. Traffic interception in both directions is always possible if your Layer-2 network consists of hubs only or if you are connected to a mirror port on the switch, but on switched networks in general it can be achieved only using some kind of traffic hijacking technique such as Arp Poison Routing (APR). If you are sniffing with APR enabled, the sniffer will extract challenge-response authentications only if you reach a Full-Routing state between the victim computers.

Under this tab you can also enable/disable the analysis of routing protocols (HSRP, VRRP, EIGRP, OSPF, RIPv1, RIPv2) and the APR-DNS feature that acts as a DNS Reply Rewriter.
HTTP Fields Tab
This tab contains a list of user name and password fields to be used by the HTTP sniffer filter. Cookies and HTML forms that travel in HTTP packets are examined in this way: for each user name field, all the password fields are checked, and if both parameters are found the credentials are captured and displayed on the screen.

The following request uses the cookie fields "logonusername=" and "userpassword=" for authentication purposes; if you don't include these two fields in the above list the sniffer will not extract the corresponding credentials.
GET /mail/Login?domain=xxxxxx.xx&style=default&plain=0 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Referer: http://xxx.xxxxxxx.xx/xxxxx/xxxx
Accept-Language: it
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; (R1 1.3); .NET CLR 1.1.4322)
Host: xxx.xxxxxx.xx
Connection: Keep-Alive
Cookie: ss=1; ss=1; srclng=it; srcdmn=it; srctrg=_blank; srcbld=y; srcauto=on; srcclp=on; srcsct=web; ; video=c1; TEMPLATE=default;
Traceroute Tab
This is used to configure Cain's ICMP/UDP/TCP traceroute. You can set to resolve host names, use ICMP Mask discovery and enable/disable WHOIS information extraction for each hop.
Challenge Spoofing Tab
Here you can set the custom challenge value to rewrite into NTLM authentication packets. This feature can be enabled quickly from Cain's toolbar and must be used with APR. A fixed challenge enables the cracking of NTLM hashes sent on the network via Rainbow Tables.
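The corresponding detection check is simple: an NTLM server must issue a fresh random 8-byte challenge for every authentication, so a challenge value that recurs across sessions means something on the path is rewriting it. The block below is an added example, not code from Cain & Abel; it parses the server challenge out of NTLM Type 2 messages (layout per MS-NLMP: "NTLMSSP\0" signature, message type at offset 8, ServerChallenge at offset 24) and flags repeats. All message blobs are constructed, and the NegotiateFlags value used is arbitrary.

```python
"""Flag NTLM server challenges that repeat across authentications.

Added example, not code from Cain & Abel. The Type 2 (CHALLENGE_MESSAGE)
layout follows MS-NLMP: "NTLMSSP\0" signature, message type at offset 8,
8-byte ServerChallenge at offset 24. All blobs below are constructed."""
import struct
from collections import Counter

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
CHALLENGE_MESSAGE = 2


def parse_server_challenge(blob: bytes) -> bytes:
    """Return the 8-byte ServerChallenge from a Type 2 message, or raise."""
    if len(blob) < 32 or blob[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", blob, 8)
    if msg_type != CHALLENGE_MESSAGE:
        raise ValueError(f"expected Type 2, got Type {msg_type}")
    return blob[24:32]


def build_type2(challenge: bytes, flags: int = 0) -> bytes:
    """Constructed minimal Type 2 message (empty TargetName/TargetInfo)."""
    if len(challenge) != 8:
        raise ValueError("challenge must be 8 bytes")
    return (NTLMSSP_SIGNATURE
            + struct.pack("<I", CHALLENGE_MESSAGE)
            + struct.pack("<HHI", 0, 0, 48)   # TargetNameFields (len, maxlen, offset)
            + struct.pack("<I", flags)        # NegotiateFlags (arbitrary here)
            + challenge                       # ServerChallenge
            + bytes(8)                        # Reserved
            + struct.pack("<HHI", 0, 0, 48))  # TargetInfoFields


def repeated_challenges(blobs, min_repeats=3):
    """Map hex challenge -> count for values seen min_repeats or more times.

    A server generates a fresh random challenge per authentication, so any
    value that recurs points at a constant being injected into the stream."""
    counts = Counter(parse_server_challenge(b).hex() for b in blobs)
    return {c: n for c, n in counts.items() if n >= min_repeats}


# Constructed: five distinct challenges from a healthy server, then four
# identical ones as a rewritten stream would show.
HEALTHY = [build_type2(bytes.fromhex(f"{i:016x}")) for i in range(1, 6)]
FIXED = [build_type2(bytes.fromhex("0123456789abcdef")) for _ in range(4)]

if __name__ == "__main__":
    print("healthy:", repeated_challenges(HEALTHY))
    print("fixed:  ", repeated_challenges(FIXED))
```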

You can see more details at www.oxit.it ^^ FUN
