Cain and Abel (often abbreviated to Cain) is a password recovery tool for Microsoft Windows. It can recover many kinds of passwords using methods such as network packet sniffing and cracking of various password hashes by dictionary, brute-force and cryptanalysis attacks. Cryptanalysis attacks are done via rainbow tables, which can be generated with the winrtgen.exe program provided with Cain and Abel.
Status with virus scanners
Some virus scanners detect Cain and Abel as 'malware'. Avast! detects it as "Win32:Cain-B [Tool]" and classifies it as "Other potentially dangerous program", while Microsoft Security Essentials detects it as "Win32/Cain!4_9_14" and classifies it as "Tool: This program has potentially unwanted behavior." Even if Cain's install directory, as well as the word "Cain", are added to Avast's exclude list, the real-time scanner has been known to stop Cain from functioning. However, the latest version of Avast no longer blocks Cain.
* WEP cracking
* Speeding up packet capture speed by wireless packet injection
* Ability to record VoIP conversations
* Decoding scrambled passwords
* Calculating hashes
* Revealing password boxes
* Uncovering cached passwords
* Dumping protected storage passwords
* ARP spoofing
* IP to MAC Address resolver
* Network Password Sniffer
* LSA secret dumper
* Ability to crack:
  * LM & NTLM hashes
  * NTLMv2 hashes
  * Microsoft Cache hashes
  * Microsoft Windows PWL files
  * Cisco IOS - MD5 hashes
  * Cisco PIX - MD5 hashes
  * APOP - MD5 hashes
  * CRAM-MD5 MD5 hashes
  * OSPF - MD5 hashes
  * RIPv2 MD5 hashes
  * VRRP - HMAC hashes
  * Virtual Network Computing (VNC) Triple DES
  * Kerberos 5 hashes
  * RADIUS shared key hashes
  * IKE PSK hashes
  * Oracle and SIP hashes
Configure Cain and Abel
Installation
Before you do anything with Cain and Abel, you're going to need to configure it. Be sure to install all the drivers and libraries that come with Cain and Abel.
With the Cain application open, select the Configure menu option on the main menu bar at the top of the application. The Configuration dialog box will appear. From the list, select the device with the MAC address of the Ethernet or wireless network card that you will be using for hacking. Here is a description of each tab and its configuration:
Allows the user to specify the Ethernet interface and the start-up options for the sniffer and ARP features of the application.
Allows the user, in effect, to lie to the network and tell all of the other hosts that your IP is actually that of a more important host on the network, like a server or router. This feature is useful in that you can impersonate the other device and have all traffic for that device "routed" to your workstation. Keep in mind that servers and routers are designed for multiple high-capacity connections. If the device that you are operating from cannot keep up with the traffic generated by this configuration, the target network will slow down and may even come to a halt. This will surely lead to your detection and eventual demise as a hacker, as the event is easily detected and tracked with the right equipment.
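The paragraph above points out that ARP poisoning is "easily detected and tracked with the right equipment". The following script is an added example (not code from Cain and Abel or from this tutorial) showing what that detection looks like on the defender's side: it walks a list of captured ARP replies and raises an alert when an IP address changes MAC against a trusted or first-seen binding, and when one MAC starts answering for several IP addresses, which is the signature of a host sitting between a gateway and a victim. The `ArpReply` records and the sample capture are constructed for the example.

```python
"""Detecting ARP cache poisoning from captured ARP replies.

Added example; not code from Cain and Abel or from the tutorial above.
The replies below are constructed by hand to show the two symptoms ARP
poisoning leaves on the wire: an IP whose MAC suddenly changes, and one
MAC that answers for several IPs (typically the gateway and a victim)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    """The fields a monitor keeps from an ARP reply (constructed records)."""
    timestamp: float
    sender_ip: str
    sender_mac: str


# Constructed capture: the gateway 192.168.1.1 is legitimately at aa:...:01.
# From t=2.0 a host at bb:...:02 starts answering for the gateway's IP and
# then for a second host's IP, which is what a poisoner does to sit in the
# middle of the two.
SAMPLE_REPLIES = [
    ArpReply(0.0, "192.168.1.1", "aa:aa:aa:aa:aa:01"),
    ArpReply(1.0, "192.168.1.20", "cc:cc:cc:cc:cc:20"),
    ArpReply(2.0, "192.168.1.1", "bb:bb:bb:bb:bb:02"),   # gateway IP, new MAC
    ArpReply(2.5, "192.168.1.20", "bb:bb:bb:bb:bb:02"),  # victim IP, same MAC
    ArpReply(3.0, "192.168.1.1", "bb:bb:bb:bb:bb:02"),   # repeated poisoning
]


def detect_arp_spoofing(replies, static_bindings=None, max_ips_per_mac=1):
    """Return a list of alert strings, in capture order.

    static_bindings: optional {ip: mac} of administratively known hosts
    (the gateway, at least). IPs not listed are learned on first sight.
    Check 1: an IP's sender MAC differs from the trusted/learned binding.
    Check 2: a MAC claims more than max_ips_per_mac distinct IPs.
    """
    trusted = {ip: mac.lower() for ip, mac in (static_bindings or {}).items()}
    ips_by_mac = defaultdict(set)
    alerts = []
    for r in replies:
        mac = r.sender_mac.lower()
        known = trusted.get(r.sender_ip)
        if known is None:
            trusted[r.sender_ip] = mac          # first sighting: learn it
        elif known != mac:
            alerts.append(f"t={r.timestamp}: {r.sender_ip} moved from {known} to {mac}")
        if r.sender_ip not in ips_by_mac[mac]:
            ips_by_mac[mac].add(r.sender_ip)
            if len(ips_by_mac[mac]) > max_ips_per_mac:
                alerts.append(f"t={r.timestamp}: {mac} now claims "
                              f"{sorted(ips_by_mac[mac])}")
    return alerts


if __name__ == "__main__":
    gateway = {"192.168.1.1": "aa:aa:aa:aa:aa:01"}   # constructed trusted binding
    for line in detect_arp_spoofing(SAMPLE_REPLIES, gateway):
        print(line)
```

Feeding it the real thing means pulling `sender_ip` and `sender_mac` out of ARP replies from a capture; the learn-on-first-sight fallback is the weak point of any such monitor, so the gateway and other critical hosts should be passed in as `static_bindings` rather than learned.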
Filters and Ports
Most standard services on a network operate on predefined ports. These ports are defined under this tab. If you right-click on one of the services you will be able to change both the TCP and UDP ports. This will not be necessary for this tutorial, but will be useful in future tutorials.
Several features of the application, such as the LSA Secrets dumper, HTTP Sniffer and ARP-HTTPS, will parse the sniffed or stored information from web pages viewed. The more fields that you add to the HTTP and password field lists, the more likely you are to capture a relevant string from an HTTP or HTTPS transaction.
Traceroute, or the ability to determine the path that your data will take from point A to point B. Cain adds some functionality to the GUI by allowing for hostname resolution, netmask resolution and Whois information gathering. This feature is key in determining the proper or available devices to spoof or siphon on your LAN or internetwork.
This is the command prompt on the remote machine. Anything that you can do on your PC from the CMD prompt can be done from here. Examples include mapping a drive back to your PC and copying all the files from the target, or adding local users to the local security groups, or anything really. With Windows, everything is possible from the command prompt.
Allows for the enumeration of user accounts and their associated hashes with further ability to send all harvested information to the cracker.
Windows NT and Windows 2000 support cached logon accounts. The operating system default is to cache (store locally) the last 10 passwords. There are registry settings to turn this feature off or restrict the number of accounts cached. RAS DUN account names and passwords are stored in the registry. Service account passwords are stored in the registry. The password for the computer's secret account used to communicate in domain access is stored in the registry. FTP passwords are stored in the registry. All these secrets are stored in the following registry key: HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets.
From this object, you can determine all of the networks that this device is aware of. This can be powerful if the device is multihomed on two different networks.
A simple listing of all of the processes and ports that are running and their TCP session status.
A simple listing of all of the processes and ports that are running and their UDP session status.
Select all of the hashes and select Dictionary Attack (LM). You could select NTLM, but the process is slower; with few exceptions the LM and NT passwords are the same, and NT cracks (guesses) faster. In the Dictionary window, you will need to populate the File window with each of your dictionary files. You have to download the tables and copy them to the Cain installation directory. Check the following boxes: As Is (Password), Reverse, Lowercase, Uppercase, and Two numbers.
Dictionary Cracking process
Click Start and watch Cain work. The more lists and words that you have, the longer it will take. When Cain is finished, click Exit and then look at the NT Password column. All of the passwords cracked will show up next to the now-owned accounts. Take a second to look carefully at the accounts and passwords in the list. Look for patterns like the use of letters and characters in sequence. Many administrators use recurring patterns to help users remember their passwords. Example: a password reset in November for the account Ramius would be RAMNOV. If you can identify patterns like this you can use word generators to create all possible combinations and shorten the window.
Re-sort your hashes to single out the accounts that you have left to crack. Now select all of the uncracked or unguessed accounts, right-click on the accounts again and select Cryptanalysis (LM). Add the tables that you downloaded from the net to the Cain LM hashes cryptanalysis (sorted rainbow tables) window. Click Start. This should go pretty quickly. Take a second to review your progress and look for additional patterns.
At this point, use a program like sam grab, which can determine which accounts are members of the Domain Administrators group, to see whether you have obtained any admin-level accounts. Once you move to the next step, which is brute forcing, most of what you have left are long passwords that are going to be difficult and time-consuming. Any time-saving applications that you can find will be helpful.
Brute Force attack
Repeat the same process for selecting the accounts. Look closely at all of the passwords that you have cracked and look for patterns. First, do you see any special characters in any of the passwords cracked? How about numbers? A lot of all-uppercase or all-lowercase passwords? Use what you see to help you determine what parameters to include when you are brute forcing. As you will see, the addition of a single character or symbol can take you from hours to days or even years to crack a password. The goal is to use the least number of characters and symbols to get the account that you need. So let's finish it off. Select all of the uncracked accounts, follow the previous steps and select Brute Force (LM). The default for LM is A-Z and 0-9. Based on the other passwords, and on which accounts have an "*" in the "<8" column, decide how many characters to specify in the password length pull-down box. Make your selection and have at it. 123749997 years to completion. If you see this, then you should rethink the need for this account. Working with the application, rainbow tables and password generators can help you narrow down to reasonable time frames to get the job done.
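The dictionary and brute-force sections above rely on two properties of the LM hash without spelling them out: why "LM cracks faster" than NTLM, and what the "*" in the "<8" column tells you. The script below is an added example, not code from Cain and Abel or from this tutorial. It does not compute the DES-based LM hash itself; it reproduces only the preprocessing that makes LM weak (uppercase folding, truncation to 14 bytes, splitting into two independent 7-byte halves) and the keyspace arithmetic behind the "years to completion" figure in the brute-force dialog. The constant `EMPTY_LM_HALF` is the well-known LM hash of an empty half; the guess rate in the demo is an assumed, illustrative number.

```python
"""LM versus NT: the structure that makes LM fast to crack, and the "<8" flag.

Added example; not code from Cain and Abel or the tutorial. Only the
LM preprocessing is shown, not the DES step; the keyspace functions give
the worst-case work for the two hash types under a chosen character set.
"""
import string

# The LM hash of an empty 7-byte half is this well-known constant. An
# account whose second half equals it has a password shorter than 8
# characters, which Cain marks with "*" in the "<8" column.
EMPTY_LM_HALF = "AAD3B435B51404EE"

# Character set used in the demo below (letters and digits).
ALNUM = string.ascii_letters + string.digits


def lm_halves(password: str):
    """LM preprocessing: uppercase, cut at 14 bytes, NUL-pad, split into two
    independent 7-byte halves. Returns (first, second, shorter_than_8)."""
    padded = password.upper().encode("latin-1", "replace")[:14].ljust(14, b"\x00")
    first, second = padded[:7], padded[7:]
    return first, second, second == b"\x00" * 7


def keyspace(charset_size: int, max_len: int) -> int:
    """Candidates of length 1..max_len over a charset of the given size."""
    return sum(charset_size ** n for n in range(1, max_len + 1))


def lm_effective_keyspace(charset: str) -> int:
    """Work bound for LM: two separate 7-character searches over the
    case-folded charset, whatever the real length (up to 14)."""
    folded = {c.upper() for c in charset}
    return 2 * keyspace(len(folded), 7)


def ntlm_keyspace(charset: str, max_len: int) -> int:
    """The NT hash is case-sensitive and unsplit, so work grows with length."""
    return keyspace(len(charset), max_len)


def years_to_exhaust(candidates: int, guesses_per_second: float) -> float:
    """Worst-case time for a brute force at a fixed guess rate."""
    return candidates / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    rate = 1e7  # assumed guess rate, purely illustrative
    for pw in ("secret", "Password1", "CorrectHorseBat"):   # constructed inputs
        first, second, short = lm_halves(pw)
        print(f"{pw!r}: halves {first!r} {second!r}, <8: {'*' if short else ''}")
    print("LM worst case (A-Z0-9, any length <= 14):",
          f"{years_to_exhaust(lm_effective_keyspace(ALNUM), rate):.2f} years")
    print("NT worst case (A-Za-z0-9, length <= 14):",
          f"{years_to_exhaust(ntlm_keyspace(ALNUM, 14), rate):.2e} years")
```

The point for a defender is that LM's cost never exceeds two 7-character, case-insensitive searches no matter how long the password is, and a short password hands the attacker one half for free. Windows can be configured not to store LM hashes at all (the NoLMHash policy), which removes the fast path this tutorial depends on and leaves only the NT hash, whose cost the `ntlm_keyspace` figures show.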
Password cracking using Cain and Abel
- Install Cain and Abel using the default settings
- Start Cain and Abel
- Click on the Cracker tab
- Click somewhere inside the table
- Click on File, Add to list
- Select Import hashes from local system and click next
- Right click on the account you want the password for and select Brute-force attack
- Choose the option you want to use (for Windows passwords, either LM hashes or NTLM hashes)
- Select the character set you want to use, set the minimum and/or maximum password length if you know it to decrease the amount of cracking time needed
- Click on Start and wait