Cain & Abel 4.9.8 ca_setup.exe - 5.97mb
>It Works!<
I had another laptop connected as a peer-to-peer network, and I was able to browse the remote computer via Cain.
Right click on icon "run as administrator"
ignore compulsory Win Defender Warning
It is easy to find local shares on the computer you have physical access to:
I was able to enumerate the other computer on the network:
==================================================================
= Cain's Users Enumerator Local =
==================================================================
User: Administrator
Fullname:
Comment: Built-in account for administering the computer/domain
SID: S-1-5-21-1086135955-1589329085-4061641171-500
Req. Pass. Change: No
Pass Never Expire: Yes
User: Guest
Fullname:
Comment: Built-in account for guest access to the computer/domain
SID: S-1-5-21-1086135955-1589329085-4061641171-501
Req. Pass. Change: Yes
Pass Never Expire: Yes
User: Owner
Fullname: DNR
Comment:
SID: S-1-5-21-1086135955-1589329085-4061641171-1000
Req. Pass. Change: No
Pass Never Expire: Yes
a WinXP 5.1 named "Master"
==================================================================
= Cain's Users Enumerator Remote computer - =
==================================================================
User: Administrator
Fullname:
Comment:
SID: S-1-5-21-1708537768-1035525444-725345543-500
Req. Pass. Change:
Pass Never Expire:
User: Guest
Fullname:
Comment:
SID: S-1-5-21-1708537768-1035525444-725345543-501
Req. Pass. Change:
Pass Never Expire:
User: None
Fullname:
Comment:
SID: S-1-5-21-1708537768-1035525444-725345543-513
Req. Pass. Change:
Pass Never Expire:
User: HelpAssistant
Fullname:
Comment:
SID: S-1-5-21-1708537768-1035525444-725345543-1000
Req. Pass. Change:
Pass Never Expire:
User: HelpServicesGroup
Fullname:
Comment:
SID: S-1-5-21-1708537768-1035525444-725345543-1001
Req. Pass. Change:
Pass Never Expire:
User: SUPPORT_388945a0
Fullname:
Comment:
SID: S-1-5-21-1708537768-1035525444-725345543-1002
Req. Pass. Change:
Pass Never Expire:
User: User
Fullname:
Comment:
SID: S-1-5-21-1708537768-1035525444-725345543-1004
Req. Pass. Change:
Pass Never Expire:
User: ASPNET
Fullname:
Comment:
SID: S-1-5-21-1708537768-1035525444-725345543-1005
Req. Pass. Change:
Pass Never Expire:
It got the MAC of the remote computer, the hostname and ID'ed the wifi card! I did an ARP scan to find out what mode it used.
==================================================================
= Cain's MAC Scanner/Promiscuous-mode Detector =
==================================================================
IP Address: 192.168.0.1
MAC Address: 00904BF1F975
OUI Fingerprint: GemTek Technology Co., Ltd.
Hostname: NOMAD_1.mshome.net
ARP Test (Broadcast 31-bit):
ARP Test (Broadcast 16-bit):
ARP Test (Broadcast 8-bit):
ARP Test (Group bit):
ARP Test (Multicast group 0):
ARP Test (Multicast group 1): *
ARP Test (Multicast group 3):
This is a scan of Local shares:
==================================================================
= Cain's Shares Enumerator Local =
==================================================================
Share: ADMIN$
Desc: Remote Admin
Path: C:\Windows
Current: 0
Max: Unlimited
Share: C$
Desc: Default share
Path: C:\
Current: 0
Max: Unlimited
Share: D$
Desc: Default share
Path: D:\
Current: 0
Max: Unlimited
Share: IPC$
Desc: Remote IPC
Path:
Current: 1
Max: Unlimited
Share: Lexmark 1400 Series
Desc: Lexmark 1400 Series
Path: Lexmark 1400 Series,LocalsplOnly
Current: 0
Max: Unlimited
Share: print$
Desc: Printer Drivers
Path: C:\Windows\system32\spool\drivers
Current: 0
Max: Unlimited
Share: Public
Desc:
Path: C:\Users\Public
Current: 0
Max: Unlimited
It got my Local LM Hash and cracked it!
"1 hashes of type NTLMv2 loaded..
Press the start button to begin dictionary attack"
You can load a list (txt) or try the brute force attack - for fun - I did both. The dictionary list contained my password, and it worked a 1mb list in 50 seconds! Found it. I also changed the login for testing the brute forcer, I got to specify where to start, and it got the five digit password in 2 minutes!
You can right click on the remote computer and select "connect as.." from the menu. Since there was no password set on the remote computer I just left both user and pass blank - it connected me as anonymous to display users, but remote shares enumeration on the local network was denied.
I did have the firewall off on the remote computer, perhaps it might be file and sharing disabled?
The wireless tab was messed up, the graphics leaked out of their boxes. Also since I did not have a promiscuous wifi card, the sniff for IVs didn't work (yet?)
All the other tabs worked. I did not have hashes to try the other decoders.
==================================================================
= Cain's Wireless Scanner =
==================================================================
BSSID: FA0D3B926DD2
Last seen: 13/08/2009 - 22:44:47
Vendor:
Signal: -5 dBm
SSID: digital_nomad
Enc: Yes
Mode: Peer
Channel: 11 (2462000 Hz)
Rates (Mbps): 1, 2, 5, 11,
Packets:
Unique WEP IVs:
BSSID: 001B11725678
Last seen: 13/08/2009 - 22:44:47
Vendor:
Signal: -96 dBm
SSID: dlink
Enc: Yes
Mode: Infrastructure
Channel: 11 (2462000 Hz)
Rates (Mbps): 1, 2, 5, 11, 6, 12, 24, 36,
Packets:
Unique WEP IVs:
BSSID: 0018F8348AD4
Last seen: 13/08/2009 - 23:09:58
Vendor: Cisco-Linksys LLC
Signal: -100 dBm
SSID: home
Enc: Yes
Mode: Infrastructure
Channel: 6 (2437000 Hz)
Rates (Mbps): 1, 2, 5, 11, 6, 9, 12, 18,
Packets:
Unique WEP IVs:
But it provided a Syskey decode for the local system boot key
e6a7a23c71cf883c38928d25431a1763
I will try this on a wardrive and let you know how it goes..
DNR
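Added example, not part of the post above: a small Python parser for the text format of Cain's Users Enumerator dumps shown in the post, with an audit pass that flags what a defender reviews first. It identifies built-in principals by the relative identifier (the last SID component: 500 Administrator, 501 Guest, 513 the local "None" group that the post's remote listing shows among users) rather than by display name, and flags accounts whose password never expires. The SAMPLE text is constructed in the dump's format; the SID values in it are made up.

```python
# Constructed sample in the format of Cain's "Users Enumerator" dump (not the post's real data).
SAMPLE = """\
User: Administrator
Fullname:
Comment: Built-in account for administering the computer/domain
SID: S-1-5-21-1111111111-2222222222-3333333333-500
Req. Pass. Change: No
Pass Never Expire: Yes
User: Owner
Fullname: DNR
Comment:
SID: S-1-5-21-1111111111-2222222222-3333333333-1000
Req. Pass. Change: No
Pass Never Expire: Yes
"""

# Well-known relative identifiers (last SID component); they identify built-in
# principals even when the account has been renamed.
WELL_KNOWN_RIDS = {500: "built-in Administrator", 501: "built-in Guest", 513: "local 'None' group"}

def rid_of(sid):
    """Return the relative identifier: the last dash-separated component of a SID."""
    return int(sid.rsplit("-", 1)[1])

def parse_users(text):
    """Split the dump into one dict per record; each 'User:' line starts a new record."""
    users, current = [], None
    for line in text.splitlines():
        key, _, value = line.partition(":")   # split on the first colon only
        key, value = key.strip(), value.strip()
        if key == "User":
            current = {"User": value}
            users.append(current)
        elif current is not None:
            current[key] = value            # e.g. "Req. Pass. Change" -> "No"
    return users

def audit(users):
    """Return (account, finding) pairs: built-in principals and non-expiring passwords."""
    findings = []
    for u in users:
        rid = rid_of(u["SID"])
        if rid in WELL_KNOWN_RIDS:
            findings.append((u["User"], f"well-known RID {rid}: {WELL_KNOWN_RIDS[rid]}"))
        if u.get("Pass Never Expire") == "Yes":
            findings.append((u["User"], "password never expires"))
    return findings

if __name__ == "__main__":
    for account, finding in audit(parse_users(SAMPLE)):
        print(f"{account}: {finding}")
```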