Cain_and_Abel Tutorial From Chiranjit


description

This is the complete tutorial of hacking Microsoft and its products through Cain and Abel.

Transcript of Cain_and_Abel Tutorial From Chiranjit

Page 1: Cain_and_Abel Tutorial From Chiranjit

9/29/2006 Network Security Pros 1

Cain and Abel

Network Security Pros

Rob Matthew

Ken Siple

Presentation of Cain & Abel features

• Who uses it and why

– Cain is used by network admins and security auditors to monitor traffic, see where users travel to, and test the robustness of the network security model.

– Cain is used by script kiddies the world over. It allows them to recover hidden passwords (******), capture common logon passwords, probe the network and intercept VoIP calls.

Officially what Cain & Abel is

• Cain & Abel is a password recovery tool for Microsoft Operating Systems. It allows easy recovery of several kinds of passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, revealing password boxes, uncovering cached passwords and analyzing routing protocols.

FOR MORE INFO...

www.oxit.it

Cain’s Features

Protected Storage Password Manager
• Reveals locally stored passwords of Outlook, Outlook Express, Outlook Express Identities, Outlook 2002, Internet Explorer and MSN Explorer.

Credential Manager Password Decoder
• Reveals passwords stored in Enterprise and Local Credential Sets on Windows XP/2003.

LSA Secrets Dumper
• Dumps the contents of the Local Security Authority Secrets.

Cain’s Features Cont:

Dialup Password Decoder
• Reveals passwords stored by Windows "Dial-Up Networking" component.

APR (ARP Poison Routing)
• Enables sniffing on switched networks and Man-in-the-Middle attacks.

Route Table Manager
• Provides the same functionality of the Windows tool "route.exe" with a GUI front-end.

Cain’s Features Cont:

SID Scanner
• Extracts user names associated to Security Identifiers (SIDs) on a remote system.

Network Enumerator
• Retrieves, where possible, the user names, groups, shares, and services running on a machine.

Service Manager
• Allows you to stop, start, pause/continue or remove a service.

Cain’s Features Cont:

Sniffer
• Captures passwords, hashes and authentication information while they are transmitted on the network. Includes several filters for application specific authentications and routing protocols. The VoIP filter enables the capture of voice conversations transmitted with the SIP/RTP protocol saved later as WAV files.

Routing Protocol Monitors
• Monitors messages from various routing protocols (HSRP, VRRP, RIPv1, RIPv2, EIGRP, OSPF) to capture authentications and shared route tables.

Cain’s Features Cont:

Full RDP sessions sniffer for APR (APR-RDP)
• Allows you to capture all data sent in a Remote Desktop Protocol (RDP) session on the network. Provides interception of keystrokes activity client-side.

Full SSH-1 sessions sniffer for APR (APR-SSH-1)
• Allows you to capture all data sent in an SSH-1 session on the network.

Full HTTPS sessions sniffer for APR (APR-HTTPS)
• Allows you to capture all data sent in an HTTPS session on the network.

Certificates Collector
• Grabs certificates from HTTPS web sites and prepares them to be used by APR-HTTPS.

Cain’s Features Cont:

MAC Address Scanner with OUI fingerprint
• Using OUI fingerprint, this makes an informed guess about what type of device the MAC address is from.

Promiscuous-mode Scanner based on ARP packets
• Identifies sniffers and network Intrusion Detection systems present on the LAN.

Wireless Scanner
• Can scan for wireless network signals within range, giving details on its MAC address, when it was last seen, the guessed vendor, signal strength, the name of the network (SSID), whether it has WEP or not (note WPA encrypted networks will show up as WEPed), whether the network is an Ad-Hoc network or Infrastructure, what channel the network is operating at and at what speed the network is operating (e.g. 11Mbps).

Cain’s Features Cont:

Access (9x/2000/XP) Database Passwords Decoder
• Decodes the stored encrypted passwords for Microsoft Access Database files.

Base64 Password Decoder
• Decodes Base64 encoded strings.

Cisco Type-7 Password Decoder
• Decodes Cisco Type-7 passwords used in router and switches configuration files.

Cisco VPN Client Password Decoder
• Decodes Cisco VPN Client passwords stored in connection profiles (*.pcf).

VNC Password Decoder
• Decodes encrypted VNC passwords from the registry.

Cain’s Features Cont:

Enterprise Manager Password Decoder
• Decodes passwords used by Microsoft SQL Server Enterprise Manager (SQL 7.0 and 2000 supported).

Remote Desktop Password Decoder
• Decodes passwords in Remote Desktop Profiles (.RDP files).

PWL Cached Password Decoder
• Allows you to view all cached resources and relative passwords in clear text either from locked or unlocked password list files.

Password Crackers
• Enables the recovery of clear text passwords scrambled using several hashing or encryption algorithms. All crackers support Dictionary and Brute-Force attacks.

Cain’s Features Cont:

Cryptanalysis attacks
• Enables password cracking using the ‘Faster Cryptanalytic time – memory trade off’ method introduced by Philippe Oechslin. This cracking technique uses a set of large tables of pre-calculated encrypted passwords, called Rainbow Tables, to improve the trade-off methods known today and to speed up the recovery of clear text passwords.

Rainbowcrack-online client
• Enables password cracking by means of the outstanding power of this on-line cracking service based on Rainbow Table technology.

NT Hash Dumper + Password History Hashes (works with Syskey enabled)
• Will retrieve the NT password hash from the SAM file regardless of whether Syskey is enabled or not.

Cain’s Features Cont:

Syskey Decoder
• Will retrieve the Boot Key used by the SYSKEY utility from the local registry or "off-line" SYSTEM files.

MSCACHE Hashes Dumper
• Will retrieve the MSCACHE password hashes stored into the local registry.

Wireless Zero Configuration Password Dumper
• Will retrieve the wireless keys stored by Windows Wireless Configuration Service.

Microsoft SQL Server 2000 Password Extractor via ODBC
• Connects to an SQL server via ODBC and extracts all users and passwords from the master database.

Oracle Password Extractor via ODBC
• Connects to an Oracle server via ODBC and extracts all users and passwords from the database.

Cain’s Features Cont:

MySQL Password Extractor via ODBC
• Connects to a MySQL server via ODBC and extracts all users and passwords from the database.

Box Revealer
• Shows passwords hidden behind asterisks in password dialog boxes.

RSA SecurID Token Calculator
• Can calculate the RSA key given the token's .ASC file.

Hash Calculator
• Produces the hash values of a given text.

TCP/UDP Table Viewer
• Shows the state of local ports (like netstat).

Cain’s Features Cont:

TCP/UDP/ICMP Traceroute with DNS resolver and WHOIS client
• An improved traceroute that can use TCP, UDP and ICMP protocols and provides whois client capabilities.

Cisco Config Downloader/Uploader (SNMP/TFTP)
• Downloads or uploads the configuration file from/to a specified Cisco device (IP or host name) given the SNMP read/write community string.

Cain: MAC Scanner

• The MAC address scanner is a very fast IP to MAC address resolver based on ARP Request/Reply packets. It takes as input a range of IP addresses on the current subnet and resolves the MAC addresses associated to those IPs. The scanner includes an OUI database, providing MAC vendor's information; this feature is useful to quickly identify switches, routers, load balancers and firewalls present in the LAN.

• Why would we need a MAC Scanner Hummmmmmm ???


Cain: Password Crackers

• Cain's Password Crackers support the most common hashing algorithms and several encryption methods based on them:

Hash Types:
• MD2, MD4, MD5, SHA1, SHA2 (256 bit), SHA2 (384 bit), SHA2 (512 bit), RIPEMD160.

Encryption algorithms:
• PWL files, Cisco-IOS Type-5 enable passwords, Cisco PIX enable passwords, APOP-MD5, CRAM-MD5, LM, LM + Challenge, NTLM, NTLM + Challenge, NTLM Session Security, NTLMv2, RIPv2-MD5, OSPF-MD5, VRRP-HMAC-96, VNC-3DES, MS-Kerberos5 Pre-Auth, RADIUS Shared Secrets, IKE Pre-Shared Keys, Microsoft SQL Server 2000, Oracle, MySQL323, MySQLSHA1.


Brute Force and Dictionary

A Brute-Force attack is a method of breaking a cipher (that is, to decrypt a specific encrypted text) by trying every possible key. Feasibility of a brute force attack depends on the key length of the cipher, and on the amount of computational power available to the attacker. Cain's Brute-Force Password Cracker tests all the possible combinations of characters in a pre-defined or custom character set against the encrypted passwords loaded in the brute-force dialog.

A dictionary attack consists of trying "every word in the dictionary" as a possible key for an encrypted password. A dictionary of potential passwords is more accurately known as a wordlist. This kind of attack is generally more efficient than a brute-force attack, because users typically choose poor passwords.

Cryptanalysis and Rainbow tables

• This feature enables password cracking using the ‘Faster Cryptanalytic time – memory trade off’ method introduced by Philippe Oechslin. This cracking technique uses a set of large tables of pre-calculated encrypted passwords, called Rainbow Tables, to improve the trade-off methods known today and to speed up the recovery of clear text passwords.

• It is fully compatible with the well known software RainbowCrack by Zhu Shuanglei, the first software implementation of the above algorithm, and supports Rainbow Tables for the following hashing/encryption algorithms: LM, FastLM, NTLM, CiscoPIX, MD2, MD4, MD5, SHA-1, SHA-2 (256), SHA-2 (384), SHA-2 (512), MySQL (323), MySQL (SHA1) and RIPEMD160.

http://www.rainbowcrack-online.com/?x=faq#hash_tables

Cain: Network Enumerator

• The Network Enumerator uses the native Windows network management functions (Net*) to discover what is present on the network. It allows a quick identification of Domain Controllers, SQL Servers, Printer Servers, Remote Access Dial-In Servers, Novell Servers, Apple File Servers, Terminal Servers and so on. It can also display, when possible, the version of their operating system.

• When enumerating users, Cain also extracts their Security Identifier (SID) and has the ability to identify the name of the Administrator account even if it was renamed. This is done by looking at the account RID, which is the last part of a SID. The RID of the Administrator account is always equal to 500.

Cain: Network Enumerator Cont:

• Windows NT and later has a security feature that can restrict the ability for anonymous logon users (also known as NULL session connections) to list account names and enumerate share names. This is done by setting the parameter "RestrictAnonymous" to 1 under the registry key:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA


• It is possible to select the test to perform from the MAC Scanner dialog; positive results are reported into the "Hosts" list with an * in the relative column.

• Be warned that not all operating systems respond in the same way; an example of the results from a Windows machine follows:

Scanning for Promiscuous mode

• Network card not in promiscuous-mode (not sniffing)

• Network card in promiscuous-mode (sniffing)

• As you can see, Windows machines that are not sniffing the network normally respond to ARP Test (Broadcast 16-bit) and ARP Test (Multicast group1) only. On the contrary, when a sniffer is activated and the network card is put into promiscuous-mode, they start to respond to ARP Test (Broadcast 31-bit) as well.

• Why is this important ??

Service Manager

Allows you to start, stop, pause/continue or remove Services.

Cain’s Sniffer

• Cain's sniffer is principally focused on the capture of passwords and authentication information traveling on the network. It should not be compared to professional tools like Observer, SnifferPro or Ethereal, but unlike any other commercial protocol analyzer it has been developed to work on switched networks by means of APR (ARP Poison Routing), another feature included in the program.

• There is a BPF (Berkeley Packet Filter) hard-coded into the protocol driver that performs some initial traffic screening. The filter instructs the protocol driver to process only ARP and IP traffic; other protocols, like NetBEUI for example, are not processed.

• The sniffer includes several password filters that can be enabled/disabled from the main configuration dialog.

Cain’s APR (ARP Poison Routing)

• APR Vs ARP

• APR (ARP Poison Routing) is a main feature of the program. It enables sniffing on switched networks and the hijacking of IP traffic between hosts. The name "ARP Poison Routing" derives from the two steps needed to perform such unusual network sniffing: an ARP Poison Attack and routing packets to the correct destination.

• This kind of attack is based on the manipulation of hosts' ARP caches. On an Ethernet/IP network, when two hosts want to communicate with each other they must know each other's MAC addresses.

• Host ARP Poisoning

• Switch / router Poisoning
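
Because APR works by changing which MAC address a host associates with an IP, a defender can watch for exactly that change. The Python below is an added example, not part of the original slides: the observation format, the sample records and the pinned gateway entry are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: (seconds, sender_ip, sender_mac) taken from ARP replies
# seen by a monitoring host. All addresses are invented for this example.
SAMPLE_ARP = [
    (0.0, "192.168.1.1", "00:11:22:AA:BB:01"),    # default gateway
    (1.0, "192.168.1.10", "00:11:22:aa:bb:10"),
    (2.0, "192.168.1.20", "00:11:22:aa:bb:20"),
    (30.0, "192.168.1.1", "00:de:ad:be:ef:99"),   # gateway IP, different MAC
    (30.1, "192.168.1.10", "00:de:ad:be:ef:99"),  # same MAC now claims .10 too
    (32.0, "192.168.1.1", "00:de:ad:be:ef:99"),   # repeated claim
    (60.0, "192.168.1.20", "00:11:22:aa:bb:20"),
]


def detect_arp_anomalies(observations, trusted=None, max_ips_per_mac=1):
    """Return findings as (time, kind, ip, mac) tuples, oldest first.

    kinds:
      trusted-mismatch  IP answered with a MAC other than its pinned one
      binding-change    IP moved to a MAC different from the one last seen
      mac-claims-many   one MAC answers for more than max_ips_per_mac IPs
    Benign causes exist (DHCP reassignment, NIC swap, HSRP/VRRP failover,
    proxy ARP), so findings are leads to triage, not verdicts.
    """
    trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    last_mac = {}                    # ip -> MAC seen most recently
    ips_by_mac = defaultdict(set)    # mac -> every IP it has claimed
    findings, seen = [], set()

    def report(ts, kind, ip, mac, key):
        # Report each distinct anomaly once, at the time it first appears.
        if key not in seen:
            seen.add(key)
            findings.append((ts, kind, ip, mac))

    for ts, ip, mac in sorted(observations):
        mac = mac.lower()
        if ip in trusted:
            if mac != trusted[ip]:
                report(ts, "trusted-mismatch", ip, mac, ("t", ip, mac))
        elif ip in last_mac and last_mac[ip] != mac:
            report(ts, "binding-change", ip, mac, ("b", ip, mac))
        last_mac[ip] = mac
        ips_by_mac[mac].add(ip)
        if len(ips_by_mac[mac]) > max_ips_per_mac:
            report(ts, "mac-claims-many", ip, mac, ("m", mac))
    return findings


if __name__ == "__main__":
    pinned = {"192.168.1.1": "00:11:22:aa:bb:01"}  # known-good gateway entry
    for finding in detect_arp_anomalies(SAMPLE_ARP, trusted=pinned):
        print(finding)
```

Pinning the gateway's binding (here via `trusted`, on hosts via a static ARP entry) gives the highest-confidence signal, since the gateway is the address a man-in-the-middle most needs to impersonate.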


Cain’s ARP-DNS

• This feature allows you to perform DNS spoofing attacks modifying DNS-Reply packets on the fly.

Cain’s APR-HTTPS

• APR-HTTPS enables the capture and the decryption of HTTPS traffic between hosts. It works in conjunction with Cain's Certificate Collector to inject fake certificates into SSL sessions, previously hijacked by means of APR. Using this trick it is possible to decrypt encrypted data before it arrives at the real destination, performing a so-called Man-in-the-Middle attack.

• Be warned that clients will notice this kind of attack because the server's certificate file injected into the SSL session is a fake one and, although it is very similar to the real one, it is not signed by a trusted certification authority. When the victim client starts a new HTTPS session, his browser shows a pop-up dialog warning about the problem.


Cain’s VOIP Sniffer

• The VoIP (Voice over IP) sniffer captures conversations from the network and records them to your hard disk. If seen by the sniffer, voice data is captured in each direction (caller<->responder) and then saved accordingly as mono or stereo WAV files.

• Although not required, if used with APR, this feature makes it possible to silently intercept VoIP communications between victim hosts.


Cain's Wireless Scanner

• Cain's Wireless Scanner detects Wireless Local Area Networks (WLANs) using 802.11x. (A/B/G, I & N)
– Does Not Crack WEP or WPA YET !!!!!

• Unlike other wireless applications it does not use the Windows NDIS User Mode I/O Protocol (NDISUIO) but the Winpcap Packet Driver to control the wireless network card. Access points and ad-hoc networks are enumerated using 802.11 OIDs from Windows DDK at intervals of five seconds and WLANs parameters (MAC address, SSID, Vendor, WEP Encryption, Channels....) are displayed in the scanner list.


Abel's Features:

Remote Console
• Provides a remote system shell on the remote machine.

Remote Route Table Manager
• Enables managing the route table of the remote system.

Remote TCP/UDP Table Viewer
• Shows the state of local ports (like netstat) on the remote system.

Remote NT Hash Dumper + Password History Hashes (works with Syskey enabled)
• Will retrieve the NT password hash from the SAM file regardless of whether Syskey is enabled or not; works on the Abel-side.

Remote LSA Secrets Dumper
• Dumps the contents of the Local Security Authority Secrets present on the remote system.

What is Abel's main purpose?

Abel provides a remote console on the target machine; it can dump user hashes from the remote SAM database even if it was encrypted using the "Syskey" utility, and ships other features like the LSA Secrets dumper, the Route Table Manager and the TCP/UDP Table Viewer.

All data transmitted across Abel's pipe is encrypted using the RC4 symmetric encryption algorithm and the fixed key "Cain & Abel". The console communication is not encrypted.

*** Hint: On your IDS/IPS, set a rule for encrypted packets with an RC4 hashed key of “Cain & Abel” (“play at home”)

What is Abel? How can I install it?

Abel is an NT service composed of two files: "Abel.exe" and "Abel.dll". These files are copied by the installation package into the program's directory but the service is NOT automatically installed. Abel can be installed locally or remotely (using Cain); either way you need Administrator privileges to do that.

• REMOTE INSTALLATION: (who cares about local Install)

• 1) Use the "Network TAB" in Cain and choose the remote computer where Abel will be installed

• 2) Right click on the computer icon in the tree and select "Connect As"

• 3) Provide Administrator credentials for the remote machine

• 4) Once connected, right click on the "Services" icon and select "Install Abel"

• 5) That's all, the two files "Abel.exe" and "Abel.dll" will be copied into the remote machine, the service will be installed and started automatically.

Key Tools, Abel:

• CCDU (Cisco Config Downloader/Uploader) is a feature of the program. Cain can Download/Upload configuration files from/to Cisco devices via SNMP/TFTP. This feature provides a simple way to re-configure Cisco devices.

• CCDU works on Cisco Routers and Switches that support the OLD-CISCO-SYSTEM-MIB or the new CISCO-CONFIG-COPY-MIB, via the Read/Write community string. PIX Firewall does not support those MIBs.

• CCDU works by downloading/uploading the "running configuration" of the device.

• The download/upload request is made by Cain via SNMP; then the device will request a TFTP file transfer to Cain.

• Cain handles the file transfer.

Can I reset/modify an enable password using CCDU?

• Yes, you can! Simply download the configuration file, change it as you wish and then upload the file to the device.

• - Download the configuration file from the router

• - Open the file and go to the line where the password is written: "enable secret 5 $1$hrA9$lvlAzWeHLEQcDxx/OxuWA/" (in this case this password is "test"; you can check it with Cain's Cisco IOS-MD5 Cracker)

• - To set the new password to "mao" change the line in this way: "enable secret mao"

• - Save the file and then upload it to the device (Right click -> Upload)

• - Check if the new password has been modified by downloading the configuration file again.
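
Everything CCDU does depends on a Read/Write SNMP community string, so that is the setting to audit on your own devices. The following Python is an added example, not from the original slides: it checks an IOS-style configuration for RW communities and whether an access list restricts them. The sample configuration, the finding names and the list of guessable community names are constructed assumptions, and the parser handles only the common `NAME [view V] [RO|RW] [ACL]` form.

```python
import re

# Constructed IOS-style configuration; names, ACL numbers and addresses are
# invented, and the enable secret hash is a placeholder.
SAMPLE_CONFIG = """\
hostname lab-router
enable secret 5 <hash-placeholder>
snmp-server community public RO
snmp-server community private RW
snmp-server community n0c-wr1te RW 10
snmp-server community backup view cfgview RW 99
access-list 10 permit 192.168.50.5
"""

# Assumption for this example: community names treated as trivially guessable.
GUESSABLE = {"public", "private"}


def parse_communities(config_text):
    """Parse 'snmp-server community NAME [view V] [RO|RW] [ACL]' lines."""
    parsed = []
    for line in config_text.splitlines():
        tokens = line.split()
        if len(tokens) < 3 or tokens[:2] != ["snmp-server", "community"]:
            continue
        name, rest = tokens[2], tokens[3:]
        mode, acl = "ro", None      # no RO/RW keyword means read-only
        i = 0
        while i < len(rest):
            word = rest[i].lower()
            if word == "view":      # skip the view name that follows
                i += 2
                continue
            if word in ("ro", "rw"):
                mode = word
            else:
                acl = rest[i]       # anything else is taken as the ACL reference
            i += 1
        parsed.append({"name": name, "mode": mode, "acl": acl})
    return parsed


def audit_config(config_text):
    """Return (kind, community) findings relevant to SNMP-driven config copy."""
    # ACLs defined in this file, numbered ("access-list 10 ...") or named.
    acls = set(re.findall(
        r"^(?:access-list|ip access-list (?:standard|extended)) (\S+)",
        config_text, re.M))
    findings = []
    for c in parse_communities(config_text):
        if c["mode"] == "rw":
            if c["acl"] is None:
                findings.append(("rw-community-no-acl", c["name"]))
            elif c["acl"] not in acls:
                findings.append(("rw-community-acl-undefined", c["name"]))
        if c["name"].lower() in GUESSABLE:
            findings.append(("guessable-community-name", c["name"]))
    return findings


if __name__ == "__main__":
    for kind, community in audit_config(SAMPLE_CONFIG):
        print(f"{kind}: {community}")
```

An RW community with no access list means anyone who learns the string can trigger the SNMP/TFTP configuration copy described above; removing the RW community, or binding it to an ACL that permits only the management station, closes that path.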

Abel's Remote Console

• Abel's remote console provides a system shell on the remote machine. The Abel service runs on the remote machine in the security context of its Local System Account; every command sent to the console is executed with the same access privileges as that account.


Abel’s LSA Secrets dumper

• LSA Secrets are used to store information such as the passwords for service accounts used to start services under an account other than local System. Dial-Up credentials and other application defined passwords also reside here.


Abel’s NT Hashes Dumper

• Is an application which dumps the password hashes (OWFs) from NT's SAM (Security Account Manager) database, whether or not SYSKEY is enabled on the system, and allows you to import password hashes directly into the relative "LM & NTLM Hashes" password cracker tab.

• It also has the ability to dump password history hashes. Windows can be instructed to remember a number of a user's previous passwords using the Password Security Policy "Enforce Password History".

• Guess the Next couple of Passwords Muahahahahaaa !

Abel’s Route Table manager

• Same functionality offered by "route.exe". WHY use it?

Supporting Docs, Files Programs

• Cain How to guide (Install and Run) – http://www.datastronghold.com/content/view/136/29/

• Cain Student Manual – www.nwcet.org/downloads/cainAbel.pdf

FOR MORE INFO...

Cain’s User Manual http://www.oxid.it/ca_um/