CAIN AND ABEL

An Overview

BY

SYEDA AMBREEN ZAFAR (57337)

PAF Karachi Institute of Economics & Technology

DECEMBER, 2014

ACKNOWLEDGMENT

I found out this course quite interesting, informative and knowledgeable. During the

course of study, I enhanced knowledge and information about the subject through internet

and the study material provided as a reference from our course teacher.

I would like to thank our course teacher Respected Waqar Ahmed who not only shared his

practical experiences related to the subject with us but also extended his utmost

guidance/support during the course and at the same time keeping a very close look at our

performances in this whole session. I feel it is his guidance that i am able to complete this

study in due course of time. During the study of, i consider Internet to be the best source of

information and were very helpful.

ABSTRACT

This study briefly provides an overview of the tool CAIN & ABEL. It covers its various

techniques and features that would be helpful for a security professional. Cain & Abel tool

has been developed in the hope that it will be useful for network administrators, teachers,

security consultants/professionals, forensic staff, security software vendors, professional

penetration testers and everyone else that plans to use it for ethical reasons.

CONTENTS

INTRODUCTION PROGRAM FEATURES

DECODERS Protected Storage LSA Secrets Wireless Password Dumper Dialup Password Enterprise Manager Password Decoder Credential Manager Password Decoder Window Vault NETWORK SNIFFERS ARP Poison Routing CRACKER WIRELESS SCANNERS TRACEROUTE QUERY CCDU TOOLS Route & TCP/UDP tables Base64 Password Decoder Access Database Password Decoder Cisco Type -7 Password Decoder Cisco VPN Client Password Decoder VNC Password Decoder Hash Calculator RSA SecureID Token Calculator Abel REFERENCES

CAIN & ABEL

INTRODUCTION

Cain & Abel offers wide variety of capabilities. It is a password recovery tool for Microsoft

Operating Systems. It allows easy recovery of several kind of passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, recovering wireless network keys, revealing password boxes, uncovering cached passwords and analyzing routing protocols. Cryptanalysis attacks are done via rainbow tables which can be generated with the winrtgen.exe program provided with Cain and Abel. It another main feature is ARP poisoning also known as man in middle attack.

Cain is the first part of the program. Developed with a simple Windows graphical user interface, its main purpose is to concentrate several hacking techniques and proof of concepts providing a simplified tool focused on the recovery of passwords and authentication credentials from various sources. Abel is the second part of the program. Designed as a Windows NT service it is composed by two files "Abel.exe" and "Abel.dll"; the first is the main service executable program and the second is a library that contains some required functions.

The program does not exploit any software vulnerabilities or bugs that could not be fixed with little effort. It covers some security aspects/weakness intrinsic of protocol's standards, authentication methods and caching mechanisms; its main purpose is the simplified the recovery of passwords and credentials from various sources, however it also ships some "nonstandard" utilities for Microsoft Windows users.

PROGRAM FEATURES

DECODERS

A decoder is a device which does the reverse operation of an encoder, undoing the encoding

so that the original information can be retrieved. In simple words, it is used to simple decrypt the

information. Cain and Abel provide various ways of decoding cached passwords.

Protected Storage

The Protected Store is a storage facility provided as part of Microsoft CryptoAPI. It's primarily use is to securely store private keys that have been issued to a user. All of the information in the Protected Store is encrypted, using a key that is derived from the user's logon password. Access to the information is tightly regulated so that only the owner of the material can access it.

Credentials are stored in the registry under the key HKEY_CURRENT_USER\Software\Microsoft\Protected Storage System Provider\ Many Windows applications use this feature; Internet Explorer, Outlook and Outlook Express for example store user names and passwords using this service. This feature enumerates those entries and decodes the following type of credentials: - MS Outlook 2002's passwords (POP3, SMTP, IMAP, HTTP)

- Outlook Express's passwords (POP3, NNTP, SMTP, IMAP, HTTP, LDAP, HTTP-Mail) - Outlook Express Identities - MS Outlook's passwords (POP3, NNTP, SMTP, IMAP, LDAP, HTTP-Mail) - MSN Explorer's Sign In passwords - MSN Explorer's Auto Complete passwords - Internet Explorer's protected sites passwords - Internet Explorer's Auto complete passwords

LSA Secrets

LSA Secrets are used to store information such as the passwords for service accounts used to start services under an account other than local System. Dial-Up credentials and other application defined passwords also reside here:-

Wireless Password Dumper

This feature enables the recovery of wireless keys stored by Windows's Wireless Configuration Service. WEP keys are automatically decoded. WPA-PSK keys are displayed in their hexadecimal format because of the usage of the SHA1 one-way hashing function.

Dial-Up Password

The Dial-Up Password Decoder reveals passwords stored by Windows "Dial-Up Networking" component. RAS credentials are usually stored in LSA Secrets "L$_RasDefaultCredentials" while all other connection parameters (phone number, ip

address....) reside into Phonebook files (.pbk).

Enterprise Manager Password Decoder Enterprise Manager is a Windows application used to manage Microsoft SQL Server 7.0 and 2000. When configured to use SQL Server authentication, Enterprise Manager stores the connection credentials in the registry under the key QL2000: HKEY_CURRENT_USER\\Software\\Microsoft\\MicrosoftSQLServer\\80\\Tools\\SQLEW\\RegisteredServers X\\

and SQL 7.0: HKEY_CURRENT_USER\\Software\\Microsoft\\MSSQLServer\\SQLEW\\Registered Servers X\\

Credential Manager Password Decoder

Credential Manager is a new solution that Microsoft offers in Windows Server 2003 and Windows XP to provide a secured store for credential information. It allows user names and passwords as inputs for various network resources and applications once, and then the system automatically supply that information for subsequent visits to those resources without any involvement.

Credential Manager stores the supplied password in the so called "Enterprise Credential Set" of the local machine. This set of credentials is stored in the file and is encrypted. \DocumentsandSettings\%Username%\ApplicationData\Microsoft\Credentials\%UserSID%\ Credentials

There is also another set used for credentials that should persist on the local machine only and cannot be used in roaming profiles, this is called "Local Credential Set" and it refers to the file: \DocumentsandSettings\%Username%\Localsettings\ApplicationData\Microsoft\Credentials\ %UserSID % \Credentials

Accordingly with the MSDN documentation, Credential Manager can store different types of credentials under the form of passwords, security or certificate files.

Value Description

CRED_TYPE_GENERIC The credential is a generic credential. The credential will not be used by any particular authentication package. The credential will be stored securely but has no other significant characteristics.

CRED_TYPE_DOMAIN_PASSWORD

The credential is a password credential and is specific to Microsoft's authentication packages. The NTLM, Kerberos, and Negotiate authentication packages will automatically use this credential when connecting to the named target.

CRED_TYPE_DOMAIN_CERTIFICATE The credential is a certificate credential and is specific to Microsoft's authentication packages.

CRED_TYPE_DOMAIN_VISIBLE_PASSWORD The credential is a password credential and is specific to Microsoft's authentication packages. The Passport authentication package will automatically use this credential when connecting to the named target.

* Non-developer users can interact with Credential Manager using the application "Stored User Names and Passwords" that can be found under: Start-> Settings-> Control Panel-> User Accounts-> %Account% -> Manage my network passwords.

Window Vault

This feature provides the stored user name and password of resources that is used on the particular system:-

NETWORK

The Network Enumerator uses the native Windows network management functions (Net*) to discover what is present on the network. It allows a quick identification of Domain Controllers, SQL Servers, Printer Servers, Remote Access Dial-In Servers, Novell Servers, Apple File Servers, Terminal Servers and so on. It can also display when possible the version of their operating system.

The left tree is used to browse the entire network and quick list to connect to remote machines; once connected to a server one can also enumerate user names, groups, services and shares present on it. By default the program connects to remote IPC$ shares using the current local logged on user and if it fails using NULL sessions (Anonymous sessions); however it is also possible to specify the credentials to be used for the connection. The Quick List can be used to insert IP addresses of hosts that are seen browsing the network.

SNIFFER

Cain's sniffer is principally focused on the capture of passwords and authentication

information travelling on the network. It has been developed to work on switched networks by

mean of APR (Arp Poison Routing).

Protocol Filters There is a BPF (Berkeley Packet Filter) hard-coded into the protocol driver that performs some initial traffic screening. The filter instructs the protocol driver to process only ARP and IP traffic; Password Filters The sniffer includes several password filters that can be enabled/ disabled from the main configuration dialog; they are used to capture credentials from the following protocols many different types of protocols like FTP, HTTP, POP3, MySQL, etc). Cain uses different protocol state machines to extract from network packets all the information needed to recover the plain text form of a transmitted password. Some authentication protocols use a challenge-response mechanism. On switched networks this can be achieved with a mirror port on the switch or if APR reaches the FULL-Routing state.

When APR (Arp Poison Routing) is enabled, the sniffer must process packets that normally aren't seen and also re-route them to the correct destination; this can cause performance bottlenecks on heavy traffic networks. APR's main advantage is that it enables sniffing on switched networks and also permits the analysis of encrypted protocols such as HTTPS and SSH-1.

Passwords and hashes are stored in .LST files in the program's directory. These files are TAB separated files so can be viewed or import with preferred word processor (e.g.: POP3.LST contains passwords and hashes sniffed from the POP3 protocol). For HTTPS, SSH-1 and Telnet protocols entire sessions are decrypted and dumped into text files. Routing Protocols Analysis Routing protocols like VRRP, HSRP, RIP, OSPF, EIGRP are also analyzed by the program. This enables a quick identification of the subnet routing and perimeter.

ARP (ARP Poison Routing) is a main feature of the program, this type of attack is based on

the manipulation of the hosts ARP cache. When two host want to communicate with each other,

they must know their MAC addresses, here the ARP table of source host look for MAC address of

destination to broadcast an ARP request. Although this ARP request reach to every host in the

network but the host, whose MAC is specified in the request will reply. In this way it can also be the

victim of communicating with the in correct MAC address also known as Man in the Middle Attack.

CRACKER

Enables the recovery of clear text passwords scrambled using several hashing or encryption algorithms. All crackers support Dictionary and Brute-Force attacks.

Password Crackers can be found in the program under the "Cracker" sub tab. The tree on the left allows you to select the list containing desired encrypted passwords or hashes to crack. Those selected are then loaded into the Dictionary / Brute-Force dialog using the relative function within the list pop up menu.

In a brute force attack, the computer tries all the possible combinations in a hope that at least one will work. This method of breaking password is very time consuming and the success factor remains very low, especially for strong passwords. For example, even if a password length is known precisely to be 9 characters, the brute force attack may take up to 8 days to break.

The dictionary attack could be faster than brute force but it again depends upon the size of the dictionary. In this case, a dictionary file containing one word per line is provided as an input file to the Cain & Abel software. The software then tries each word as the password and stops as soon as the password is matched. This type of attack is used to break computer login passwords.

WIRELESS SCANNER

Cain's wireless scanner scans the wireless networks that are in range of the computer. Cain's Wireless Scanner detects Wireless Local Area Networks (WLANs) using 802.11x.

How Active Scanner works

The active scanner opens the wireless network adapter using the Winpcap protocol driver then it uses the "Packet Request" function of the same driver to communicate with the wireless network card. This API can be used from the Windows User Mode to perform a query/set operation on an internal variable of the network card driver.

Passive Scanner

The passive scanner recognize wireless Access Points (upper list) and clients (lower list) decoding 802.11b/g packets that travels on the air in a completely passive way. The "Channel Hopping" feature changes the frequency of the adapter every second and let you discover wireless networks on different channels. Cain also supports automatic ARP Requests injection (to speed up the collection of unique WEP IVs) and the capture of WPA-PSK authentication hashes.

Requirements

This feature requires a Windows compatible wireless network interface and the Winpcap protocol driver. The Passive Scan feature requires the AirPcap adapter and drivers from CACE Technologies.

QUERY

The query feature allows a user to open Excel files, dBase or MS Access database and search the records using commands of Structured Query Language.

The scope of SQL includes data insert, query, update and delete, schema creation and modification, and data access control. Although SQL is often described as, and to a great extent is, a declarative language (4GL), it also includes procedural elements. The most common operation in SQL is the query, which is performed with the declarative SELECT statement. SELECT retrieves data from one or more tables, or expressions. Standard SELECT statements have no persistent effects on the database. A query includes a list of columns to include in the final result, immediately following the SELECT keyword. An asterisk ("*") can also be used to specify that the query should return all columns of the queried tables. SELECT is the most complex statement in SQL, with optional keywords and clauses that include:

The FROM clause, which indicates the table(s) to retrieve data from. The FROM clause can include optional JOIN sub clauses to specify the rules for joining tables.

The WHERE clause includes a comparison predicate, which restricts the rows returned by the query. The WHERE clause eliminates all rows from the result set where the comparison predicate does not evaluate to True.

The following example shows a result of simple SQL query "SELECT * FROM [Table1]" which is used to select and display all records of table named Table1. Table1 has two fields, namely "Tools" and "Projects".

The contents of each these tables can also be viewed through OXID by right clicking on Table1 and clicking on "Return All Rows". An example is shown below:

Queries may be entered either in the Query statement box or run by clicking on the VIEW

drop down list and selecting the query. For example, if we want to select "Tools" of Electronics

"Project", i may execute the query shown below:

CCDU

CISCO Configuration Downloader/Uploader use to upload and download configuration files

for the CISCO devices via SNMP. Its a hardware feature.

TOOLS The tools that are defined in Cain and Abel are:-

Route Table & TCP/IP Tables:-

These tables can be viewed through Alt+R and Alt+P commands or from the tool bar

in tools Manu.

Base64 Password Decoder

Base64 is a group of similar binary-to-text encoding schemes that represent binary data in an ASCII string format by translating it into a radix-64 representation. The term Base64 originates from a specific MIME content transfer encoding.

Base64 encoding schemes are commonly used when there is a need to encode binary data that needs to be stored and transferred over media that are designed to deal with textual data. This is to ensure that the data remains intact without modification during transport. Base64 is commonly used in a number of applications including email via MIME, and storing complex data in XML.

ALT+6 shortcut is used to access Base64 password decoder. Alternatively, one can click on

Tools menu and then on Base64 Password Decoder option. A button to access this feature is also

available on the OXID toolbar. A screenshot of decrypted password (password = XenShi) is shown

below:-

ACCESS Database Password Decoder

Introduction

Microsoft Access, also known as Microsoft Office Access, is a database management system from Microsoft that combines the relational Microsoft Jet Database Engine with a graphical user interface and software-development tools. It is a member of the Microsoft Office suite of applications, included in the Professional and higher editions or sold separately.

Microsoft Access stores data in its own format based on the Access Jet Database Engine. It can also import or link directly to data stored in other applications and databases.

Breaking Into Access Passwords

Due to the fact that OXID is designed for Windows XP or earlier version of Microsoft

operating systems, it can only be used to break passwords of MS Access 2003 or earlier versions

(.mdb format not .accdb format).

In order to break MS Access database passwords, one can either press CTRL+A or choose

Access Database Password Decoder from the Tools menu. In the popup form that appears on the

screen, one can choose the MS Access database filename and OXID can instantly provide the

password of that database. A screen shot of the example is shown below in which the decrypted

password ('sony') can be seen.

CISCO Type 7 Password Decoder

CISCO IOS stands for Cisco Internetworking Operating System. IOS can be thought of as Cisco

router's operating system. There are three different types of CISCO IOS passwords:

1. Cisco IOS Type 0 Passwords

Type 0 passwords use no encryption. Only digit 0 is added before the passwords in this type.

2. Cisco IOS Type 7 Passwords

Cisco IOS Type 7 passwords are encrypted. The encryption algorithm is weaker than that of

Type 5 passwords. An example of Cisco Type-7 password decryption is shown below.

Password used was 'Xenshi' and was encrypted through an online encryption and decryption

tool available at m00nie.com and entered in OXID for decryption.

3. Cisco IOS Type 5 Passwords

This type of passwords are encrypted using MD5 hashing algorithm and is used by the Cisco

IOS to encrypt enable secret password. The MD5 message-digest algorithm is a widely used

cryptographic hash function producing a 128-bit (16-byte) hash value, typically expressed in

text format as a 32 digit hexadecimal number. MD5 has been utilized in a wide variety of

cryptographic applications, and is also commonly used to verify data integrity.

*This feature is not supported in OXID application.

CISCO VPN Client Password Decoder

The Cisco Systems VPN Client was a software application for connecting to a virtual private network. The client makes remote resources of another network available in a secure way as if the user was connected directly to that "private" network. The client uses profile files (.pcf) that store VPN passwords either hashed with type 7, or stored as cleartext. A vulnerability has been identified, and those passwords can easily be decoded using software or online services. To work around these issues, network administrators are advised to use the Mutual Group Authentication feature, or use unique passwords (that aren't related to other important network passwords). Example Say for example, the password is MySecretpass200. enc_GroupPwd en enc_User Password

contains encrypted passwords. One .pcf file looks like this:

[main] UserPassword= enc_UserPassword= Description= Host=vpn.mywork.com AuthType=1 GroupName=Sales GroupPwd= enc_GroupPwd=071B15CA6E98F1D339D9B25BE350DAAB9A1C5E0B6499850B610E631FCBFB79A91E4E8FDFF813E064DCECFE6A5233998DC58C9DB8099435DE EnableISPConnect=0 ISPConnectType=0 ISPConnect=MyWork .......

When this enc_GroupPwd is entered in OXID, it will reveal the actual password as shown below

pictorially.

VNC Password Decoder

vncpasswd allows to set the password used to access VNC desktops. Its default behavior is to prompt for a VNC password and then store an obfuscated version of this password to passwd-file (or to $HOME/.vnc/passwd if no password file is specified.) The vncserver script runs vncpasswd the first time start a VNC desktop, and it invokes Xvnc with the appropriate -rfbauth option. vncviewer can also be given a password file to use via the -passwd option.

The password must be at least six characters long (unless the -f command-line option is used), and only the first eight characters are significant. Note that the stored password is not encrypted securely - anyone who has access to this file can trivially find out the plain-text password, so vncpasswd always sets appropriate permissions (read and write only by the owner.) However, when accessing a VNC desktop, a challenge-response mechanism is used over the wire making it hard for anyone to crack the password simply by snooping on the network.

Example:-

A screen shot of VNC decrypted password in hex is given below. The encrypted password was obtained from Hash Calculator provided by OXID and re-entered into VNC Password decoder to verify the results.

Hash Calculator

A cryptographic hash function is a hash function which is considered practically impossible to invert, that is, to recreate the input data from its hash value alone. These one-way hash functions have been called "the workhorses of modern cryptography". One of the applications of Cryptographic Hash Function is to verify the integrity of files or messages. Determining whether any changes have been made to a message (or a file), for example, can be accomplished by comparing message digests calculated before, and after, transmission (or any other event). MD5, SHA1, or SHA2 hashes are sometimes posted along with files on websites or forums to allow verification of integrity.

MDF5

The MD5 message-digest algorithm is a widely used cryptographic hash function producing a 128-bit (16-byte) hash value, typically expressed in text format as a 32 digit hexadecimal number. MD5 has been utilized in a wide variety of cryptographic applications, and is also commonly used to verify data integrity.

SHA1 In cryptography, SHA-1 (SHA stands for "secure hash algorithm") is a cryptographic hash function designed by the United States National Security Agency and is a U.S. Federal Information Processing Standard published by the United States NIST. SHA-1 produces a 160-bit (20-byte) hash value. A SHA-1 hash value is typically rendered as a hexadecimal number, 40 digits long. Application Example:- The Hash calculator of OXID provides encrypted data in different formats (MD2, MD4, MD5, SHA-2, etc). The following table shows the encrypted password 'Crypto123' encrypted using various algorithms (described above and more).

RSA SecurID Token Calculator

SecurID, now known as RSA SecurID, is a mechanism developed by Security Dynamics (later RSA Security and now RSA, The Security Division of EMC) for performing two-factor authentication for a user to a network resource. The RSA SecurID authentication mechanism consists of a "token" either hardware (e.g. a USB dongle) or software (a soft token) which is assigned to a computer user and which generates an authentication code at fixed intervals (usually 60 seconds) using a built-in clock and the card's factory-encoded random key (known as the "seed"). The seed is different for each token, and is loaded into the corresponding RSA SecurID server (RSA Authentication Manager, formerly ACE/Server) as the tokens are purchased.

Abel

Abel is the second part of the program. Designed as a Windows NT service it is composed by two files "Abel.exe" and "Abel.dll"; the first is the main service executable program and the second is a library that contains some required functions. Although Cain is the main Abel's front-end, it is not needed to be installed for Abel to work. The service can be installed locally or remotely (using Cain) and requires Administrator's privileges on the target machine. Once installed, as all other NT services, it can be managed using the standard Windows tools or the Cain's Service Manager.

Abel communicates with Cain using a the Windows named pipe "\\computername\pipe\abel" and it can accept connections from multiple hosts at the same time. All data transmitted over this pipe is encrypted using the RC4 symmetric encryption algorithm and the fixed key "Cain & Abel". This is done only to scramble the traffic sent on the network and not to hide program's intentions.

References:- http://www.oxid.it

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/dpapiusercredentials.asp

(Provide more information about credentials)

http://en.wikipedia.org/wiki/SQL

http://en.wikipedia.org/wiki/Base64

http://en.wikipedia.org/wiki/Microsoft_Access

http://pen-testing.sans.org/resources/papers/gcih/cisco-ios-type-7-password-vulnerability-100566 http://en.wikipedia.org/wiki/MD5 https://www.m00nie.com/type-7-password-tool/ http://en.wikipedia.org/wiki/Cisco_Systems_VPN_Client http://www.base64online.com/Cisco-vpn-client-password-cracker.php http://linux.die.net/man/1/vncpasswd http://en.wikipedia.org/wiki/Cryptographic_hash_function http://en.wikipedia.org/wiki/MD5 http://en.wikipedia.org/wiki/SHA-1 http://en.wikipedia.org/wiki/SecurID

http://www.oxid.it/http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/dpapiusercredentials.asphttp://en.wikipedia.org/wiki/SQLhttp://en.wikipedia.org/wiki/Base64http://en.wikipedia.org/wiki/Microsoft_Accesshttp://pen-testing.sans.org/resources/papers/gcih/cisco-ios-type-7-password-vulnerability-100566http://en.wikipedia.org/wiki/MD5https://www.m00nie.com/type-7-password-tool/http://en.wikipedia.org/wiki/Cisco_Systems_VPN_Clienthttp://www.base64online.com/Cisco-vpn-client-password-cracker.phphttp://linux.die.net/man/1/vncpasswdhttp://en.wikipedia.org/wiki/Cryptographic_hash_functionhttp://en.wikipedia.org/wiki/MD5http://en.wikipedia.org/wiki/SHA-1http://en.wikipedia.org/wiki/SecurID