CAIN and ABEL Tutorial 3

This part of the tutorial covers:

- Certificates Collector

- Cisco Config Downloader/Uploader

- MAC Scanner

Certificates Collector

Cain’s Certificates Collector grabs server certificates from HTTPS web sites and prepares them for APR-HTTPS. The feature is used automatically by the HTTPS sniffer filter, but you can also use it manually to create a list of pre-calculated fake certificate files. Why fake? Because the program replaces the asymmetric encryption keys in these files with new ones generated locally. This lets APR-HTTPS encrypt and decrypt HTTPS traffic in a Man-in-the-Middle condition between the APR victim hosts.

A fake certificate is self-signed by Cain, so the client’s browser is supposed to pop up a dialog warning that it comes from an untrusted certification authority; however, because all other parameters within the certificate remain the same as the real ones, a lot of users simply do not care about this warning.

Fake certificates are stored in the “Certs” subdirectory of the program’s installation path, and the list of those currently available to APR-HTTPS is maintained in the file CERT.LST in the program’s directory. You can manually modify this list file to instruct Cain’s APR-HTTPS to inject the certificate of your choice into connections from the APR victim computers to a given HTTPS server address.

Usage

The feature is used automatically by the HTTPS sniffer filter. You can use the + button on the toolbar to manually grab and prepare a list of fake certificates; non-standard ports can be specified using the syntax “hostname:port” or “ip address:port”.

Cisco Config Downloader/Uploader

This feature allows you to download or upload the configuration file of Cisco devices via SNMP/TFTP. It supports routers and switches that use the OLD-CISCO-SYSTEM-MIB or the new CISCO-CONFIG-COPY-MIB; for more information about those MIBs, please refer to the Cisco web site.

How it works

1) Cain requests the configuration file transfer from the Cisco device using the SNMP protocol. Request packets are constructed using some proprietary Cisco OIDs that the vendor provides for this functionality; they also contain other parameters, like the protocol type, the server IP address and filenames, to instruct the device where to send its configuration file or where to take it from.

2) At this point the device starts the file transfer using the protocol specified in the request (set to TFTP for simplicity).

3) Cain opens a TFTP socket in listening mode and handles the file transfer. A TFTP server is NOT required: when uploading, the program sends the configuration file to the device; when downloading, it receives it.

Usage

To download a configuration from a device, press the “Insert” button on the keyboard or click the icon with the blue + on the toolbar, then provide the IP address of the SNMP-enabled device and the right Read/Write community string. To upload a configuration, use the corresponding function in the list pop-up menu.

Limitations

This feature will not work if network restrictions, like ACLs or firewall rules, are set for the protocols involved (SNMP/TFTP). The TFTP file transfer is initiated by the device itself, so dynamic NAT between you and the device is a problem as well.

Requirements

- CCDU works on Cisco routers and switches that support the OLD-CISCO-SYSTEM-MIB or the new CISCO-CONFIG-COPY-MIB. PIX Firewalls do not support those MIBs.

- You also need the right Read/Write SNMP community string (e.g. “private”); the Read-Only one is not enough.
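The three steps under “How it works” leave a recognisable trace on the wire: an SNMP SET into one of the two config-copy MIBs, followed by a TFTP session opened by the device itself. The following detection sketch is an added example, not part of Cain or of the original tutorial; the record format, the management subnet and the 30-second window are assumptions, and the sample events are constructed.

```python
from ipaddress import ip_address, ip_network

# Config-copy subtrees: CISCO-CONFIG-COPY-MIB root; OLD-CISCO-SYSTEM-MIB writeNet/hostConfigSet.
CONFIG_COPY_OIDS = {
    "1.3.6.1.4.1.9.9.96": "CISCO-CONFIG-COPY-MIB",
    "1.3.6.1.4.1.9.2.1.55": "OLD-CISCO-SYSTEM-MIB writeNet",
    "1.3.6.1.4.1.9.2.1.53": "OLD-CISCO-SYSTEM-MIB hostConfigSet",
}
MGMT_NETS = [ip_network("10.0.99.0/24")]  # assumption: approved management subnet
WINDOW = 30  # assumption: seconds allowed between the SET and the TFTP transfer
# Constructed sensor records (not real traffic).
EVENTS = [
    {"ts": 100, "kind": "snmp_set", "src": "10.0.99.5", "dst": "10.0.0.1",
     "oid": "1.3.6.1.4.1.9.9.96.1.1.1.1.2.111"},
    {"ts": 101, "kind": "udp", "src": "10.0.0.1", "dst": "10.0.99.5", "dport": 69},
    {"ts": 200, "kind": "snmp_set", "src": "10.0.20.37", "dst": "10.0.0.1",
     "oid": "1.3.6.1.4.1.9.2.1.55.10.0.20.37"},
    {"ts": 202, "kind": "udp", "src": "10.0.0.1", "dst": "10.0.20.37", "dport": 69},
    {"ts": 300, "kind": "snmp_set", "src": "10.0.20.40", "dst": "10.0.0.2",
     "oid": "1.3.6.1.2.1.1.5.0"},  # sysName write, unrelated to config copy
    {"ts": 400, "kind": "snmp_set", "src": "10.0.20.41", "dst": "10.0.0.3",
     "oid": "1.3.6.1.4.1.9.9.96.1.1.1.1.14.7"},  # no TFTP follows
]

def in_mgmt(ip):
    return any(ip_address(ip) in net for net in MGMT_NETS)

def match_mib(oid):
    for root, name in CONFIG_COPY_OIDS.items():
        if oid == root or oid.startswith(root + "."):
            return name
    return None

def detect(events):
    findings = []
    for ev in events:
        mib = match_mib(ev["oid"]) if ev["kind"] == "snmp_set" else None
        if mib is None:
            continue
        # The device, not the requester, opens the TFTP session (step 2).
        peers = sorted({e["dst"] for e in events
                        if e["kind"] == "udp" and e["dport"] == 69
                        and e["src"] == ev["dst"]
                        and 0 <= e["ts"] - ev["ts"] <= WINDOW})
        rogue = not in_mgmt(ev["src"]) or any(not in_mgmt(p) for p in peers)
        severity = ("high" if peers else "medium") if rogue else "info"
        findings.append({"device": ev["dst"], "requester": ev["src"], "mib": mib,
                         "tftp_peers": peers, "severity": severity})
    return findings
```

A “medium” finding (SET seen, no TFTP afterwards) usually means an ACL or firewall rule stopped the transfer, which matches the limitations listed above.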

MAC Scanner

The MAC address scanner is a very fast IP to MAC address resolver based on ARP Request/Reply packets. It takes as input a range of IP addresses on the current subnet and resolves the MAC addresses associated with those IPs. The scanner includes an OUI database that provides MAC vendor information; this feature is useful to quickly identify switches, routers, load balancers and firewalls present in the LAN.

Because of the use of ARP packets that cannot cross routers or VLANs, this feature can resolve MAC addresses in the local broadcast domain only. The OUI database is a normalized version of the IEEE OUI list available at this link: http://standards.ieee.org/regauth/oui/index.shtml.
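Because the scanner resolves a whole range with ARP Requests, it shows up on the local segment as one sender asking for many different addresses in a short time. The following sliding-window detector is an added example, not part of Cain or of the original tutorial; the record layout, the 2-second window and the threshold of 20 targets are assumptions, and the sample requests are constructed.

```python
from collections import defaultdict, deque

WINDOW = 2.0     # assumption: seconds of history kept per sender
THRESHOLD = 20   # assumption: distinct target IPs that count as a sweep

def make_sample():
    """Constructed ARP who-has records: (ts, sender_mac, sender_ip, target_ip)."""
    # One host walking 10.0.0.1-10.0.0.60 at 50 requests per second.
    reqs = [(10.0 + i * 0.02, "00:11:22:aa:bb:cc", "10.0.0.77", f"10.0.0.{i + 1}")
            for i in range(60)]
    # A normal host refreshing its gateway entry and resolving one peer.
    reqs += [(10.0 + i * 5, "00:11:22:dd:ee:ff", "10.0.0.20", "10.0.0.1")
             for i in range(5)]
    reqs.append((11.0, "00:11:22:dd:ee:ff", "10.0.0.20", "10.0.0.9"))
    return sorted(reqs)

def detect_sweeps(requests, window=WINDOW, threshold=THRESHOLD):
    """Return {sender_mac: details} for senders that sweep the subnet.

    Keyed on the sender MAC because the sender IP in an ARP request can be
    spoofed; all sender IPs seen for that MAC are collected for the analyst.
    """
    recent = defaultdict(deque)   # sender MAC -> (ts, target) inside the window
    alerts = {}
    for ts, mac, sender_ip, target in requests:
        q = recent[mac]
        q.append((ts, target))
        while q and ts - q[0][0] > window:
            q.popleft()           # drop requests older than the window
        distinct = {t for _, t in q}
        if len(distinct) >= threshold:
            a = alerts.setdefault(mac, {"first_seen": ts, "sender_ips": set(),
                                        "max_targets": 0})
            a["sender_ips"].add(sender_ip)
            a["max_targets"] = max(a["max_targets"], len(distinct))
    return alerts

if __name__ == "__main__":
    for mac, info in detect_sweeps(make_sample()).items():
        print(mac, info)
```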

Once active hosts are found, you can also resolve their host names with the “Resolve Host Name” function within the list pop up menu.

Tip

The scanner cannot resolve MAC addresses if the network card is not correctly configured. You also have to check the APR’s spoofing options in the configuration dialog before initiating a scan.

Prerequisites

The sniffer must be activated.

Usage

The scanner’s configuration dialog is opened by pressing the “Insert” button on the keyboard or clicking the icon with the blue + on the toolbar; you then select the range of IP addresses to resolve.

CREDITS-CAIN and ABEL ITSELF


Comments

4 Responses to “CAIN and ABEL Tutorial 3”
  1. I am starting to get highly unhappy. I can’t find a way to find a very good shared web hosting service for my websites. I am using ixwebhosting, however they are generally down almost daily! Could somebody assist me?

  2. ryan@lan says:

    Does my MAC address change if I upgrade my computer with some other hardware? For example, if I change the graphics card?

  3. downup33 says:

    I'm a subscriber of yours..

    plz help me..

    Why is it that no host appears when I scan for MAC addresses in CAIN and ABEL? I already configured it to the one that has #. Can someone help me fix it? plz help.. It scans but no one appears after it scans.. I don't know what's the problem..

    tnx..
