Cain_and_Abel Tutorial From Chiranjit (slide transcript)
9/29/2006 Network Security Pros 1
Cain and Abel
Network Security Pros
Rob Matthew
Ken Siple
Presentation of Cain & Abel features
- Who uses it and why
  - Cain is used by network admins and security auditors to monitor traffic, see where users go and test the robustness of the network security model.
  - Cain is also used by script kiddies the world over: it reveals passwords hidden behind asterisks, captures common logon passwords, probes the network and intercepts VoIP calls.
Officially, what Cain & Abel is
- Cain & Abel is a password recovery tool for Microsoft operating systems. It allows easy recovery of several kinds of passwords by sniffing the network, cracking encrypted passwords using dictionary, brute-force and cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, revealing password boxes, uncovering cached passwords and analyzing routing protocols.
FOR MORE INFO...
www.oxid.it
Cain's Features
- Protected Storage Password Manager: reveals locally stored passwords of Outlook, Outlook Express, Outlook Express Identities, Outlook 2002, Internet Explorer and MSN Explorer.
- Credential Manager Password Decoder: reveals passwords stored in Enterprise and Local Credential Sets on Windows XP/2003.
- LSA Secrets Dumper: dumps the contents of the Local Security Authority Secrets.
Cain's Features (cont.)
- Dialup Password Decoder: reveals passwords stored by the Windows "Dial-Up Networking" component.
- APR (ARP Poison Routing): enables sniffing on switched networks and Man-in-the-Middle attacks.
- Route Table Manager: provides the same functionality as the Windows tool "route.exe" with a GUI front-end.
Cain's Features (cont.)
- SID Scanner: extracts user names associated with Security Identifiers (SIDs) on a remote system.
- Network Enumerator: retrieves, where possible, the user names, groups, shares and services running on a machine.
- Service Manager: allows you to stop, start, pause/continue or remove a service.
Cain's Features (cont.)
- Sniffer: captures passwords, hashes and authentication information while they are transmitted on the network. Includes several filters for application-specific authentications and routing protocols. The VoIP filter enables the capture of voice conversations transmitted with the SIP/RTP protocols, saved later as WAV files.
- Routing Protocol Monitors: monitor messages from various routing protocols (HSRP, VRRP, RIPv1, RIPv2, EIGRP, OSPF) to capture authentications and shared route tables.
Cain's Features (cont.)
- Full RDP sessions sniffer for APR (APR-RDP): allows you to capture all data sent in a Remote Desktop Protocol (RDP) session on the network, including the client-side keystrokes.
- Full SSH-1 sessions sniffer for APR (APR-SSH-1): allows you to capture all data sent in an SSH-1 session on the network.
- Full HTTPS sessions sniffer for APR (APR-HTTPS): allows you to capture all data sent in an HTTPS session on the network.
- Certificates Collector: grabs certificates from HTTPS web sites and prepares them to be used by APR-HTTPS.
Cain's Features (cont.)
- MAC Address Scanner with OUI fingerprint: using the OUI (vendor prefix) of a MAC address, makes an informed guess about what type of device it belongs to.
- Promiscuous-mode Scanner based on ARP packets: identifies sniffers and network Intrusion Detection Systems present on the LAN.
- Wireless Scanner: scans for wireless network signals within range, giving details on each network's MAC address, when it was last seen, the guessed vendor, signal strength, the network name (SSID), whether it uses WEP or not (note: WPA-encrypted networks show up as WEP), whether it is an Ad-Hoc or Infrastructure network, which channel it operates on and at what speed (e.g. 11 Mbps).
Cain's Features (cont.)
- Access (9x/2000/XP) Database Passwords Decoder: decodes the stored encrypted passwords for Microsoft Access database files.
- Base64 Password Decoder: decodes Base64-encoded strings.
- Cisco Type-7 Password Decoder: decodes Cisco Type-7 passwords used in router and switch configuration files (Type-7 is a reversible obfuscation with a fixed key, so this is decoding, not cracking).
- Cisco VPN Client Password Decoder: decodes Cisco VPN Client passwords stored in connection profiles (*.pcf).
- VNC Password Decoder: decodes encrypted VNC passwords from the registry.
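To show why the Type-7 decoder in the list above is a decoder rather than a cracker, here is the whole algorithm: a fixed key string XORed against the password bytes, with the first two digits giving the key offset. This is an added example, not Cain's code; the sample running-config is constructed for the example and the second encoded value was produced with the encoder below.

```python
"""Cisco Type-7 'encryption' is a fixed-key XOR, so the decoder is the whole
algorithm. Added example, not Cain's code."""
import re

# Constant key stream IOS uses for 'service password-encryption' (type 7).
XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """'0822455D0A16' -> 'cisco'. The first two digits are the key offset;
    each following hex pair is one plaintext byte XORed with the key."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("malformed type-7 string")
    seed = int(encoded[:2])
    out = bytearray()
    for i, pos in enumerate(range(2, len(encoded), 2)):
        out.append(int(encoded[pos:pos + 2], 16) ^ ord(XLAT[(seed + i) % len(XLAT)]))
    return out.decode("latin-1")


def type7_encode(plain: str, seed: int = 8) -> str:
    """Inverse transform, to show it is symmetric (IOS uses seeds 0-15)."""
    body = "".join(f"{b ^ ord(XLAT[(seed + i) % len(XLAT)]):02X}"
                   for i, b in enumerate(plain.encode("latin-1")))
    return f"{seed:02d}{body}"


# 'enable password 7 ...', 'username x password 7 ...', 'tacacs-server key 7 ...'
TYPE7_LINE = re.compile(r"^(?P<prefix>.*?\b(?:password|key) 7) (?P<blob>[0-9A-Fa-f]+)$")


def recover_type7_secrets(config_text: str) -> dict:
    """Scan a running-config for type-7 values and return them decoded."""
    found = {}
    for line in config_text.splitlines():
        m = TYPE7_LINE.match(line.strip())
        if m:
            found[m.group("prefix")] = type7_decode(m.group("blob"))
    return found


SAMPLE_CONFIG = """\
! constructed sample running-config, not from a real device
service password-encryption
enable password 7 0822455D0A16
username admin password 7 104F0D140C19
line vty 0 4
 login local
"""

if __name__ == "__main__":
    for where, secret in recover_type7_secrets(SAMPLE_CONFIG).items():
        print(f"{where}: {secret}")
```

Anything that can be decoded this way is effectively stored in clear; the fix on the device side is `enable secret` (Type-5, a salted MD5 hash) instead of `enable password`, which the cracker slides later in this deck deal with.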
Cain's Features (cont.)
- Enterprise Manager Password Decoder: decodes passwords used by Microsoft SQL Server Enterprise Manager (SQL 7.0 and 2000 supported).
- Remote Desktop Password Decoder: decodes passwords in Remote Desktop profiles (.RDP files).
- PWL Cached Password Decoder: allows you to view all cached resources and their passwords in clear text, from either locked or unlocked password list files.
- Password Crackers: enable the recovery of clear-text passwords scrambled using several hashing or encryption algorithms. All crackers support Dictionary and Brute-Force attacks.
Cain's Features (cont.)
- Cryptanalysis attacks: enable password cracking using the "Faster Cryptanalytic Time-Memory Trade-Off" method introduced by Philippe Oechslin. This technique uses a set of large tables of pre-calculated encrypted passwords, called Rainbow Tables, to improve on earlier trade-off methods and speed up the recovery of clear-text passwords.
- Rainbowcrack-online client: enables password cracking by means of this on-line cracking service based on Rainbow Table technology.
- NT Hash Dumper + Password History Hashes (works with Syskey enabled): retrieves the NT password hashes from the SAM file regardless of whether Syskey is enabled or not.
Cain's Features (cont.)
- Syskey Decoder: retrieves the Boot Key used by the SYSKEY utility from the local registry or from "off-line" SYSTEM files.
- MSCACHE Hashes Dumper: retrieves the MSCACHE password hashes stored in the local registry.
- Wireless Zero Configuration Password Dumper: retrieves the wireless keys stored by the Windows Wireless Configuration Service.
- Microsoft SQL Server 2000 Password Extractor via ODBC: connects to an SQL server via ODBC and extracts all users and passwords from the master database.
- Oracle Password Extractor via ODBC: connects to an Oracle server via ODBC and extracts all users and passwords from the database.
Cain's Features (cont.)
- MySQL Password Extractor via ODBC: connects to a MySQL server via ODBC and extracts all users and passwords from the database.
- Box Revealer: shows passwords hidden behind asterisks in password dialog boxes.
- RSA SecurID Token Calculator: can calculate the RSA key given the token's .ASC file.
- Hash Calculator: produces the hash values of a given text.
- TCP/UDP Table Viewer: shows the state of local ports (like netstat).
Cain's Features (cont.)
- TCP/UDP/ICMP Traceroute with DNS resolver and WHOIS client: an improved traceroute that can use the TCP, UDP and ICMP protocols and provides whois client capabilities.
- Cisco Config Downloader/Uploader (SNMP/TFTP): downloads or uploads the configuration file from/to a specified Cisco device (IP or host name), given the SNMP read/write community string.
Cain: MAC Scanner
- The MAC address scanner is a very fast IP-to-MAC address resolver based on ARP Request/Reply packets. It takes as input a range of IP addresses on the current subnet and resolves the MAC addresses associated with those IPs. The scanner includes an OUI database providing MAC vendor information; this is useful to quickly identify the switches, routers, load balancers and firewalls present in the LAN.
- Why would we need a MAC scanner? Because APR has to know the real MAC address of every host it is going to poison, and the vendor prefix tells you which addresses belong to network infrastructure rather than to end hosts.
Cain: MAC Scanner (cont.) (screenshot slide)
Cain: Password Crackers
- Cain's Password Crackers support the most common hashing algorithms and several encryption methods based on them:
- Hash types: MD2, MD4, MD5, SHA1, SHA2 (256 bit), SHA2 (384 bit), SHA2 (512 bit), RIPEMD160.
- Encryption algorithms: PWL files, Cisco-IOS Type-5 enable passwords, Cisco PIX enable passwords, APOP-MD5, CRAM-MD5, LM, LM + Challenge, NTLM, NTLM + Challenge, NTLM Session Security, NTLMv2, RIPv2-MD5, OSPF-MD5, VRRP-HMAC-96, VNC-3DES, MS-Kerberos5 Pre-Auth, RADIUS Shared Secrets, IKE Pre-Shared Keys, Microsoft SQL Server 2000, Oracle, MySQL323, MySQLSHA1.
Brute Force and Dictionary
- A brute-force attack is a method of breaking a cipher (that is, recovering the secret behind a specific encrypted text or hash) by trying every possible key. The feasibility of a brute-force attack depends on the key length (for passwords: the character set and the length) and on the computational power available to the attacker. Cain's Brute-Force Password Cracker tests all possible combinations of characters in a pre-defined or custom character set against the encrypted passwords loaded in the brute-force dialog.
- A dictionary attack consists of trying "every word in the dictionary" as a possible key for an encrypted password. A dictionary of potential passwords is more accurately known as a wordlist. This kind of attack is generally much more efficient than a brute-force attack, because users typically choose poor passwords.
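The two attacks above, run against one of the formats Cain's cracker list includes, the Cisco IOS Type-5 enable secret (`$1$salt$hash`, the FreeBSD md5crypt scheme). This is an added example and not Cain's code: the md5crypt routine follows the published algorithm, the wordlist is constructed, and the target hash is computed here from a constructed password (only the salt `hrA9` is borrowed from the CCDU slide later in this deck). The try counts returned by each function make the cost difference between the two attacks visible.

```python
"""Dictionary and brute-force attacks on a salted, iterated hash: md5crypt,
the scheme behind Cisco 'enable secret 5 $1$salt$hash' and Linux $1$ shadow
entries. Added example, not Cain's code."""
import hashlib
import itertools

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def md5crypt(password: str, salt: str) -> str:
    """FreeBSD md5crypt: 1000 dependent MD5 rounds keyed by password and salt."""
    pw, sl, magic = password.encode(), salt.encode(), b"$1$"
    ctx = hashlib.md5(pw + magic + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    ctx.update((alt * (len(pw) // 16 + 1))[:len(pw)])   # alt repeated to len(pw) bytes
    i = len(pw)
    while i:                                             # one byte per bit of len(pw)
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                                # the slow, sequential part
        rnd = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            rnd.update(sl)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()
    out = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    out += _to64(final[11], 2)
    return f"$1${salt}${out}"


def salt_of(type5: str) -> str:
    parts = type5.split("$")          # ['', '1', salt, hash]
    if len(parts) != 4 or parts[1] != "1" or len(parts[3]) != 22:
        raise ValueError("not a Cisco Type-5 / md5crypt hash")
    return parts[2]


def dictionary_attack(target: str, wordlist):
    """Try each word. The salt forces re-hashing per target: no precomputed table helps."""
    salt = salt_of(target)
    for tries, word in enumerate(wordlist, 1):
        if md5crypt(word, salt) == target:
            return word, tries
    return None, len(wordlist)


def brute_force(target: str, charset: str, max_len: int):
    """Every combination up to max_len; the work grows as |charset| ** length."""
    salt = salt_of(target)
    tries = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            tries += 1
            candidate = "".join(combo)
            if md5crypt(candidate, salt) == target:
                return candidate, tries
    return None, tries


WORDLIST = ["password", "cisco", "admin", "test", "letmein"]   # constructed

if __name__ == "__main__":
    target = md5crypt("test", "hrA9")          # constructed target, salt from the CCDU slide
    print(target)
    print(dictionary_attack(target, WORDLIST))  # ('test', 4)
    print(brute_force(md5crypt("ba", "hrA9"), "abc", 2))
```

The brute-force run is deliberately tiny (three characters, length two); each candidate costs a thousand MD5 rounds, which is exactly why this format is cracked with wordlists first and why the rainbow tables on the next slide do not apply to it.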
Cryptanalysis and Rainbow tables
- This feature enables password cracking using the "Faster Cryptanalytic Time-Memory Trade-Off" method introduced by Philippe Oechslin. This technique uses a set of large tables of pre-calculated encrypted passwords, called Rainbow Tables, to improve on earlier trade-off methods and speed up the recovery of clear-text passwords.
- It is fully compatible with the well-known software RainbowCrack by Zhu Shuanglei, the first software implementation of the above algorithm, and supports Rainbow Tables for the following hashing/encryption algorithms: LM, FastLM, NTLM, CiscoPIX, MD2, MD4, MD5, SHA-1, SHA-2 (256), SHA-2 (384), SHA-2 (512), MySQL (323), MySQL (SHA1) and RIPEMD160.
- Note that every format in that list is unsalted; a salted scheme such as the Cisco Type-5 ($1$) enable secret cannot be tabled this way, because each salt would need its own table.
http://www.rainbowcrack-online.com/?x=faq#hash_tables
Cain: Network Enumerator
- The Network Enumerator uses the native Windows network management functions (Net*) to discover what is present on the network. It allows quick identification of Domain Controllers, SQL Servers, Print Servers, Remote Access Dial-In Servers, Novell Servers, Apple File Servers, Terminal Servers and so on. It can also display, when possible, the version of their operating system.
- When enumerating users, Cain also extracts their Security Identifier (SID) and can identify the Administrator account even if it was renamed. This is done by looking at the account's RID, which is the last part of the SID: the RID of the built-in Administrator account is always 500.
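The RID trick from the slide above, applied to a constructed enumeration result: split each SID into its domain identifier and RID, and pick out the account whose RID is 500 regardless of what it is called. Added example, not Cain's code; the account names and SIDs are made up for the example. Besides 500, the other well-known RIDs used here (501 Guest, 512 Domain Admins, 513 Domain Users, and 1000 upwards for accounts created after installation) are standard Windows values, not something the slide states.

```python
"""Identify the real built-in Administrator from enumerated SIDs.
Added example, not Cain's code; sample data is constructed."""
import re
from collections import defaultdict

SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")

# Relative IDs Windows assigns to built-in principals in every domain or machine.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins", 513: "Domain Users"}


def is_valid_sid(sid: str) -> bool:
    return SID_RE.match(sid) is not None


def split_sid(sid: str):
    """'S-1-5-21-a-b-c-500' -> ('S-1-5-21-a-b-c', 500). Raises on malformed input."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a SID: {sid!r}")
    authority = m.group(1)
    sub = [int(x) for x in m.group(2)[1:].split("-")]
    if authority != "5" or len(sub) < 2:
        raise ValueError(f"not an NT account SID: {sid!r}")
    return "S-1-5-" + "-".join(map(str, sub[:-1])), sub[-1]


def classify_accounts(accounts: dict) -> dict:
    """accounts: {name: sid} as an enumerator would return them.
    Groups accounts by domain identifier and labels each RID's real role."""
    by_domain = defaultdict(list)
    for name, sid in accounts.items():
        domain, rid = split_sid(sid)
        role = WELL_KNOWN_RIDS.get(rid, "user-created" if rid >= 1000 else "other built-in")
        by_domain[domain].append((name, rid, role))
    return dict(by_domain)


def find_real_administrator(accounts: dict) -> list:
    """Names whose RID is 500, whatever the account was renamed to."""
    return [name for name, sid in accounts.items() if split_sid(sid)[1] == 500]


ENUMERATED = {  # constructed sample: a decoy 'Administrator' and a renamed real one
    "Administrator": "S-1-5-21-1004336348-1177238915-682003330-1105",
    "svc_backup":    "S-1-5-21-1004336348-1177238915-682003330-500",
    "Guest":         "S-1-5-21-1004336348-1177238915-682003330-501",
    "jsmith":        "S-1-5-21-1004336348-1177238915-682003330-1106",
}

if __name__ == "__main__":
    print("real Administrator:", find_real_administrator(ENUMERATED))
    for domain, members in classify_accounts(ENUMERATED).items():
        print(domain)
        for name, rid, role in sorted(members, key=lambda m: m[1]):
            print(f"  {name:15s} RID {rid:<5d} {role}")
```

The decoy account named "Administrator" is exposed as an ordinary user-created account (RID 1105), while "svc_backup" carries RID 500: renaming the built-in account hides nothing from anyone who can enumerate SIDs, which is why the next slide's RestrictAnonymous setting matters.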
Cain: Network Enumerator (cont.)
- Windows NT and later has a security feature that can restrict the ability of anonymous logon users (also known as NULL session connections) to list account names and enumerate share names. This is done by setting the "RestrictAnonymous" value to 1 under the registry key:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA
Cain: Network Enumerator (cont.) (screenshot slide)
Scanning for Promiscuous mode
- It is possible to select the test to perform from the MAC Scanner dialog; positive results are reported in the "Hosts" list with an * in the corresponding column.
- Be warned that not all operating systems respond in the same way; an example of the results from a Windows machine follows:
  - Network card not in promiscuous mode (not sniffing): (screenshot)
  - Network card in promiscuous mode (sniffing): (screenshot)
- As you can see, Windows machines that are not sniffing the network normally respond to ARP Test (Broadcast 16-bit) and ARP Test (Multicast group1) only. On the contrary, when a sniffer is activated and the network card is put into promiscuous mode, they start to respond to ARP Test (Broadcast 31-bit) as well.
- Why is this important? A host that answers an ARP request addressed to a bogus MAC is accepting frames its card should have dropped, which is exactly how a sniffer or an IDS sensor behaves. The scan therefore points you at the machines already listening on the LAN, including the ones that will see your own APR traffic.
Service Manager
- Allows you to start, stop, pause/continue or remove services.
Cain's Sniffer
- Cain's sniffer is principally focused on the capture of passwords and authentication information traveling on the network. It should not be compared to professional tools like Observer, SnifferPro or Ethereal, but unlike those protocol analyzers it has been developed to work on switched networks by means of APR (ARP Poison Routing), another feature included in the program.
- There is a BPF (Berkeley Packet Filter) hard-coded into the protocol driver that performs some initial traffic screening. The filter instructs the protocol driver to process only ARP and IP traffic; other protocols, NetBEUI for example, are not processed.
- The sniffer includes several password filters that can be enabled/disabled from the main configuration dialog.
Cain's APR (ARP Poison Routing)
- APR vs ARP: APR (ARP Poison Routing) is a main feature of the program. It enables sniffing on switched networks and the hijacking of IP traffic between hosts. The name "ARP Poison Routing" derives from the two steps needed to perform this unusual kind of network sniffing: an ARP poison attack, and routing the packets on to their correct destination.
- This kind of attack is based on the manipulation of hosts' ARP caches. On an Ethernet/IP network, when two hosts want to communicate with each other they must know each other's MAC addresses; ARP has no authentication, so a forged reply is accepted and cached like any other.
- Host ARP poisoning
- Switch / router poisoning
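Both steps named above, poison and route, as frames you can inspect, plus the bogus-destination ARP requests behind the promiscuous-mode scanner described two slides earlier. This is an added example, not Cain's code: it builds Ethernet/ARP/IPv4 frames from constructed addresses and models how a naive host updates its cache, but sends nothing. The destination MACs in `PROBES` are my assumption of what the three named ARP tests use; Cain's own probe list is authoritative.

```python
"""Constructed frames for APR's two steps (poison two hosts' ARP caches, then
re-address their traffic to its real destination) and for the promiscuous-mode
scanner's ARP probes. Added example, not Cain's code; no packets are sent."""
import struct

ETH_P_IP, ETH_P_ARP = 0x0800, 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac(s):
    return bytes(int(o, 16) for o in s.split(":"))


def ip(s):
    return bytes(int(o) for o in s.split("."))


def arp_frame(dst_mac, src_mac, op, sha, spa, tha, tpa):
    """14-byte Ethernet II header + 28-byte ARP body (IPv4 over Ethernet)."""
    eth = mac(dst_mac) + mac(src_mac) + struct.pack("!H", ETH_P_ARP)
    body = struct.pack("!HHBBH", 1, ETH_P_IP, 6, 4, op)
    return eth + body + mac(sha) + ip(spa) + mac(tha) + ip(tpa)


def parse_arp(frame):
    op, = struct.unpack("!H", frame[20:22])
    return {"op": op, "sha": frame[22:28], "spa": frame[28:32],
            "tha": frame[32:38], "tpa": frame[38:42]}


# Step 1, poison: each victim is told the *other* victim's IP lives at the
# attacker's MAC. Unsolicited replies are accepted by most stacks.
def poison_frames(attacker_mac, a_ip, a_mac, b_ip, b_mac):
    to_a = arp_frame(a_mac, attacker_mac, ARP_REPLY, attacker_mac, b_ip, a_mac, a_ip)
    to_b = arp_frame(b_mac, attacker_mac, ARP_REPLY, attacker_mac, a_ip, b_mac, b_ip)
    return to_a, to_b


def learn(cache, frame):
    """Minimal model of a host updating its ARP cache from any reply it sees."""
    a = parse_arp(frame)
    if a["op"] == ARP_REPLY:
        cache[a["spa"]] = a["sha"]


def ip_frame(dst_mac, src_mac, src_ip, dst_ip, payload=b""):
    """Constructed IPv4 frame (UDP, checksum left zero since nothing sends it)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                      ip(src_ip), ip(dst_ip))
    return mac(dst_mac) + mac(src_mac) + struct.pack("!H", ETH_P_IP) + hdr + payload


# Step 2, route: traffic now arrives at the attacker's MAC and is re-addressed
# to the real owner of the destination IP, so neither victim sees an outage.
def route(frame, attacker_mac, real_macs):
    if frame[:6] != mac(attacker_mac) or frame[12:14] != struct.pack("!H", ETH_P_IP):
        return None
    dst_ip = frame[30:34]   # IPv4 header bytes 16-19, after the 14-byte Ethernet header
    real = real_macs.get(dst_ip)
    return None if real is None else real + mac(attacker_mac) + frame[12:]


# Promiscuous-mode probes: ARP requests to MACs a correctly filtering card
# drops; a card in promiscuous mode passes them up and the stack answers.
# Byte values assumed here; Cain's own test list is authoritative.
PROBES = {
    "Broadcast 16-bit": "ff:ff:00:00:00:00",
    "Broadcast 31-bit": "ff:ff:ff:ff:ff:fe",
    "Multicast group1": "01:00:5e:00:00:01",
}


def probe_frames(my_mac, my_ip, target_ip):
    return {name: arp_frame(dst, my_mac, ARP_REQUEST, my_mac, my_ip,
                            "00:00:00:00:00:00", target_ip)
            for name, dst in PROBES.items()}


def classify_windows(answered):
    """The slides' rule of thumb: a non-sniffing Windows host answers only the
    16-bit and group1 probes; answering the 31-bit probe means promiscuous."""
    return "promiscuous" if "Broadcast 31-bit" in answered else "normal"
```

Note the asymmetry that makes APR work: the poison needs only two 42-byte frames per victim pair, but keeping the session alive requires the attacker to forward every frame correctly (and to keep re-sending the poison, since caches expire), which is also why the promiscuous-mode scan on the same subnet will find the attacker's own card.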
Cain's APR Poisoning (screenshot slides)
Cain's APR-DNS
- This feature allows you to perform DNS spoofing attacks by modifying DNS-Reply packets on the fly.
Cain's APR-HTTPS
- APR-HTTPS enables the capture and the decryption of HTTPS traffic between hosts. It works in conjunction with Cain's Certificate Collector to inject fake certificates into SSL sessions previously hijacked by means of APR. Using this trick it is possible to decrypt the data before it arrives at the real destination, performing a so-called Man-in-the-Middle attack.
- Be warned that clients can notice this kind of attack: the server certificate injected into the SSL session is a fake one, and although it is very similar to the real one it is not signed by a trusted certification authority. When the victim client starts a new HTTPS session, the browser shows a pop-up dialog warning about the problem, and the attack only succeeds if the user clicks through it.
Cain's APR-HTTPS (cont.) (screenshot slides)
Cain's VoIP Sniffer
- The VoIP (Voice over IP) sniffer captures conversations from the network and records them to your hard disk. If seen by the sniffer, voice data is captured in each direction (caller <-> responder) and then saved accordingly as mono or stereo WAV files.
- Although not required, when used with APR this feature lets you silently intercept VoIP communications between victim hosts.
Cain's VoIP (cont.) (screenshot slide)
Cain's Wireless Scanner
- Cain's Wireless Scanner detects Wireless Local Area Networks (WLANs) using 802.11 (a/b/g, i and n). It does NOT crack WEP or WPA yet!
- Unlike other wireless applications it does not use the Windows NDIS User Mode I/O Protocol (NDISUIO) but the WinPcap packet driver to control the wireless network card. Access points and ad-hoc networks are enumerated using 802.11 OIDs from the Windows DDK at intervals of five seconds, and the WLAN parameters (MAC address, SSID, vendor, WEP encryption, channels, ...) are displayed in the scanner list.
Cain's Wireless Scanner (cont.) (screenshot slide)
Abel's Features:
- Remote Console: provides a system shell on the remote machine.
- Remote Route Table Manager: lets you manage the route table of the remote system.
- Remote TCP/UDP Table Viewer: shows the state of local ports (like netstat) on the remote system.
- Remote NT Hash Dumper + Password History Hashes (works with Syskey enabled): retrieves the NT password hashes from the SAM file regardless of whether Syskey is enabled or not; works on the Abel side.
- Remote LSA Secrets Dumper: dumps the contents of the Local Security Authority Secrets present on the remote system.
What is Abel's main purpose?
Abel provides a remote console on the target machine. It can dump user hashes from the remote SAM database even if it was encrypted using the "Syskey" utility, and ships other features like the LSA Secrets dumper, the Route Table Manager and the TCP/UDP Table Viewer.
All data transmitted across Abel's pipe is encrypted using the RC4 symmetric encryption algorithm and the fixed key "Cain & Abel". The console communication is not encrypted.
*** Hint: a fixed, published key is obfuscation, not protection. An IDS/IPS that knows the key regenerates the same RC4 keystream, decrypts the pipe traffic and matches signatures on the plaintext; the console traffic needs no decryption at all. Try it at home.
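What the hint means in practice: with RC4 the keystream depends only on the key, so a sensor holding the quoted key decrypts the stream as easily as Abel does. Added example, not Abel's or Cain's code. Only the key string comes from the slide; the "command" on the wire is constructed and is not Abel's real pipe format, and the detector is a sketch that assumes the capture starts at keystream offset 0.

```python
"""RC4 under a fixed, published key: everyone who knows the key gets the same
keystream, so the layer hides nothing from a defender. Added example; the key
is the one the slide quotes, the message is constructed."""

FIXED_KEY = b"Cain & Abel"   # key the slide says Abel's pipe traffic uses


def rc4_keystream(key: bytes):
    """Generator yielding RC4 keystream bytes (KSA, then PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same XOR."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


def looks_like_fixed_key_rc4(stream: bytes, key: bytes = FIXED_KEY,
                             min_len: int = 24, threshold: float = 0.95) -> bool:
    """Detector sketch: decrypt with the known key and check whether mostly
    printable text falls out. Assumes the capture starts at keystream offset 0;
    a real sensor tracks the offset per connection."""
    if len(stream) < min_len:
        return False
    plain = rc4(key, stream)
    printable = sum(1 for b in plain if 32 <= b < 127 or b in b"\r\n\t")
    return printable / len(plain) >= threshold


# Constructed stand-in for a console command travelling over the pipe.
SAMPLE_COMMAND = b"whoami && dir C:\\Windows\\System32\\config\r\n"

if __name__ == "__main__":
    wire = rc4(FIXED_KEY, SAMPLE_COMMAND)
    print(wire.hex())
    print(rc4(FIXED_KEY, wire))               # anyone holding the key reads it
    print(looks_like_fixed_key_rc4(wire))     # True: decrypts to printable text
```

The same property cuts the other way for an attacker: a fixed key gives the defender a reliable signature, so treat "encrypted with a fixed key" in any tool as plaintext for detection purposes.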
What is Abel? How can I install it?
Abel is an NT service composed of two files, "Abel.exe" and "Abel.dll". These files are copied by the installation package into the program's directory, but the service is NOT automatically installed. Abel can be installed locally or remotely (using Cain); either way you need Administrator privileges to do that.
- REMOTE INSTALLATION (local installation is not covered here):
  1) Use the "Network" tab in Cain and choose the remote computer where Abel will be installed.
  2) Right-click on the computer icon in the tree and select "Connect As".
  3) Provide Administrator credentials for the remote machine.
  4) Once connected, right-click on the "Services" icon and select "Install Abel".
  5) That's all: the two files "Abel.exe" and "Abel.dll" will be copied onto the remote machine, and the service will be installed and started automatically.
Key Tools: CCDU
- CCDU (Cisco Config Downloader/Uploader) is a feature of Cain. Cain can download/upload configuration files from/to Cisco devices via SNMP/TFTP. This feature provides a simple way to re-configure Cisco devices.
- CCDU works on Cisco routers and switches that support the OLD-CISCO-SYSTEM-MIB or the newer CISCO-CONFIG-COPY-MIB, via the read/write community string. The PIX firewall does not support those MIBs.
- CCDU works by downloading/uploading the "running configuration" of the device.
- The download/upload request is made by Cain via SNMP; the device then requests a TFTP file transfer from Cain.
- Cain handles the file transfer.
Can I reset/modify an enable password using CCDU?
- Yes, you can! Simply download the configuration file, change it as you wish and then upload the file to the device:
  - Download the configuration file from the router.
  - Open the file and go to the line where the password is written: "enable secret 5 $1$hrA9$lvlAzWeHLEQcDxx/OxuWA/" (in this case this password is "test"; you can check it with Cain's Cisco IOS-MD5 Cracker).
  - To set the new password to "mao", change the line to: "enable secret mao" (the device hashes the plaintext when it loads the line, so the stored form becomes a new "enable secret 5" entry).
  - Save the file and then upload it to the device (right-click -> Upload).
  - Check that the new password has been applied by downloading the configuration file again.
Abel's Remote Console
- Abel's remote console provides a system shell on the remote machine. The Abel service runs on the remote machine in the security context of its Local System account; every command sent to the console is executed with the access privileges of that account.
Abel's Remote Console (cont.) (screenshot slide)
Abel's LSA Secrets dumper
- LSA Secrets are used to store information such as the passwords for service accounts used to start services under an account other than Local System. Dial-Up credentials and other application-defined passwords also reside here.
Abel's LSA Secrets dumper (cont.) (screenshot slide)
Abel's NT Hashes Dumper
- An application which dumps the password hashes (OWFs) from NT's SAM (Security Account Manager) database, whether or not SYSKEY is enabled on the system, and allows you to import the password hashes directly into the corresponding "LM & NTLM Hashes" password cracker tab.
- It can also dump password history hashes. Windows can be instructed to remember a number of a user's previous passwords using the Password Security Policy "Enforce Password History".
- Cracked history hashes show how a user varies passwords over time, which makes guessing the next couple of passwords much easier.
Abel's Route Table manager
- Same functionality as offered by "route.exe". Why use it? Because it changes the route table of the remote (Abel) host from Cain's GUI, without an interactive logon on that host.
Supporting Docs, Files, Programs
- Cain How-to guide (Install and Run): http://www.datastronghold.com/content/view/136/29/
- Cain Student Manual: www.nwcet.org/downloads/cainAbel.pdf
FOR MORE INFO...
Cain's User Manual: http://www.oxid.it/ca_um/