CAIN and ABEL Tutorial 4
This part covers:
- Network Enumerator
- Promiscuous-mode Scanner
- Sniffer
- SQL Server 2000 Password Extractor
- Traceroute
Network Enumerator
The Network Enumerator uses the native Windows network management functions (Net*) to discover what is present on the network. It allows quick identification of Domain Controllers, SQL Servers, Print Servers, Remote Access Dial-In Servers, Novell Servers, Apple File Servers, Terminal Servers and so on. When the information is available it also displays the version of their operating system.
The left tree is used to browse the network and to connect to remote machines; once connected to a server you can also enumerate the user names, groups, services and shares present on it. By default the program connects to the remote IPC$ share using the currently logged-on local user and, if that fails, using a NULL session (anonymous session); it is also possible to specify the credentials to be used for the connection. The Quick List can be used to insert IP addresses of hosts that are not visible when browsing the network.
When enumerating users, Cain also extracts their Security Identifier (SID) and has the ability to identify the name of the Administrator account even if it was renamed. This is done by looking at the account RID which is the last part of a SID. The RID of the Administrator account is always equal to 500.
Windows NT and later have a security feature that can restrict the ability of anonymous logon users (also known as NULL session connections) to list account names and enumerate share names. This is done by setting the “RestrictAnonymous” value to 1 under the registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA
If the program cannot enumerate users because of this restriction, it automatically starts the SID Scanner and extracts them using the same methodology as the well-known tool sid2user by Evgenii B. Rudnyi.
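The RID check described above is just as useful from the auditing side: a defender reviewing an account dump can tell whether a built-in account was renamed by looking at the last subauthority of its SID. The following Python is an added example written for this tutorial, not code from Cain; the account names and SIDs in it are constructed sample data.

```python
import re

# Relative identifiers (RIDs) that keep their meaning regardless of the account's
# display name. 500 and 501 are the built-in local accounts; 512-519 are domain groups.
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    512: "Domain Admins",
    513: "Domain Users",
    519: "Enterprise Admins",
}

# S-<revision>-<identifier authority>-<subauthority>[-<subauthority>...]
_SID_RE = re.compile(r"^S-1-(\d+)(?:-\d+)+$")


def parse_sid(sid):
    """Split a textual SID into (revision, identifier authority, [subauthorities])."""
    if not _SID_RE.match(sid):
        raise ValueError(f"not a valid SID string: {sid!r}")
    parts = sid.split("-")
    return int(parts[1]), int(parts[2]), [int(p) for p in parts[3:]]


def rid_of(sid):
    """The RID is the last subauthority of the SID."""
    return parse_sid(sid)[2][-1]


def audit_accounts(accounts):
    """accounts: iterable of (name, sid) pairs as an enumerator would return them.

    Returns (name, rid, true_role) for every account whose RID is well known but
    whose name no longer matches it, i.e. a renamed built-in account or group.
    """
    findings = []
    for name, sid in accounts:
        rid = rid_of(sid)
        role = WELL_KNOWN_RIDS.get(rid)
        if role and name.lower() != role.lower():
            findings.append((name, rid, role))
    return findings


# Constructed sample: "helpdesk" is really the built-in Administrator (RID 500).
SAMPLE_ACCOUNTS = [
    ("helpdesk", "S-1-5-21-1004336348-1177238915-682003330-500"),
    ("alice", "S-1-5-21-1004336348-1177238915-682003330-1001"),
    ("Guest", "S-1-5-21-1004336348-1177238915-682003330-501"),
]

if __name__ == "__main__":
    for name, rid, role in audit_accounts(SAMPLE_ACCOUNTS):
        print(f"{name!r} has RID {rid}: this is the built-in {role} account")
```

Renaming the Administrator account is therefore only a speed bump; the meaningful control against this enumeration is the RestrictAnonymous setting discussed above, together with monitoring for NULL session logons.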
Tip
To perform an Anonymous connection (NULL Session) to the target host, leave the user name and password fields empty in the credentials dialog.

Usage
Enumerations are launched browsing the tree on the left into the Network tab. To specify credentials for a network connection you can right click on the target machine and use the “Connect As” function within the pop up menu.
Promiscuous-mode Scanner
The Promiscuous-mode scanner allows you to identify sniffers and network Intrusion Detection Systems present on the LAN. This feature is included in the MAC Scanner and relies on the responses received from various tests based on ARP packets.

It is possible to select the tests to perform from the MAC Scanner dialog; positive results are reported in the “Hosts” list with an * in the corresponding column.
Be warned that not all operating systems respond in the same way; an example of the results from a Windows machine follows:
[Figure: Network card not in promiscuous-mode (not sniffing)]
[Figure: Network card in promiscuous-mode (sniffing)]
As you can see, Windows machines that are not sniffing the network normally respond only to ARP Test (Broadcast 16-bit) and ARP Test (Multicast group 1). When a sniffer is activated and the network card is put into promiscuous mode, they start to respond to ARP Test (Broadcast 31-bit) as well.
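Why a host in promiscuous mode answers an ARP request sent to a bogus destination MAC is the whole basis of the test, so here is a small Python model of it. This is an added example, not Cain's code: it assumes a simplified NIC that passes only its own unicast address, the broadcast address and joined multicast groups, and an ARP layer that checks the target IP but never the Ethernet destination. Real operating systems add their own software filtering on top, which is why the tutorial says results differ per OS. The probe destination addresses are the ones commonly cited for these tests (after Daiji Sanai's work on ARP-based promiscuous-node detection) and are treated here as an assumption.

```python
# Destination MAC of each ARP probe (assumed values, see lead-in).
PROBES = {
    "Broadcast 31-bit":  "ff:ff:ff:ff:ff:fe",
    "Broadcast 16-bit":  "ff:ff:00:00:00:00",
    "Broadcast 8-bit":   "ff:00:00:00:00:00",
    "Group bit":         "01:00:00:00:00:00",
    "Multicast group 0": "01:00:5e:00:00:00",
    "Multicast group 1": "01:00:5e:00:00:01",
    "Multicast group 3": "01:00:5e:00:00:03",
}
BROADCAST = "ff:ff:ff:ff:ff:ff"
ALL_HOSTS_MCAST = "01:00:5e:00:00:01"   # 224.0.0.1, joined by every IP host
LEGITIMATE = {BROADCAST, ALL_HOSTS_MCAST}


def hardware_filter_accepts(dst_mac, own_mac):
    """Simplified NIC filter: own unicast, exact broadcast, or a joined multicast group."""
    return dst_mac == own_mac or dst_mac in LEGITIMATE


def arp_layer_answers(target_ip, own_ip):
    """The ARP stack checks only 'is this request for my IP?'; the frame header is gone."""
    return target_ip == own_ip


def host_responds(dst_mac, target_ip, own_mac, own_ip, promiscuous):
    """Does a host answer one probe? In promiscuous mode every frame reaches the stack."""
    if not promiscuous and not hardware_filter_accepts(dst_mac, own_mac):
        return False   # dropped by the NIC; the ARP layer never sees the request
    return arp_layer_answers(target_ip, own_ip)


def run_probes(own_mac, own_ip, promiscuous):
    """Send every probe asking for the host's own IP; return {test name: answered?}."""
    return {
        name: host_responds(dst_mac, own_ip, own_mac, own_ip, promiscuous)
        for name, dst_mac in PROBES.items()
    }


def looks_promiscuous(results):
    """A host that answered a probe no properly filtering NIC should pass is suspect."""
    return any(answered and PROBES[name] not in LEGITIMATE
               for name, answered in results.items())


if __name__ == "__main__":
    for mode in (False, True):
        results = run_probes("00:11:22:33:44:55", "10.0.0.5", mode)
        answered = [n for n, ok in results.items() if ok]
        print(f"promiscuous={mode}: answered {answered} -> flagged={looks_promiscuous(results)}")
```

Under this model a non-sniffing host answers only the Multicast group 1 probe, while a promiscuous one answers all seven. The Windows results shown above deviate from the model (the 16-bit broadcast is also answered normally), which is exactly why Cain lets you pick the test and why the 31-bit broadcast is the discriminating one for Windows.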
Prerequisites
The sniffer must be activated.
Limitations
Because it relies on ARP packets, which cannot cross routers or VLANs, this feature works only inside your own broadcast domain.
Usage
The promiscuous-mode scanner is activated using the MAC Scanner dialog.
Sniffer
Cain’s sniffer is principally focused on the capture of passwords and authentication information travelling on the network. It should not be compared to professional tools like Observer, SnifferPro or Ethereal, but unlike any commercial protocol analyzer it has been developed to work on switched networks by means of APR (ARP Poison Routing), another feature included in the program.
Protocol Filters
There is a BPF (Berkeley Packet Filter) hard-coded into the protocol driver that performs some initial traffic screening. The filter instructs the protocol driver to process only ARP and IP traffic; other protocols, like NetBEUI for example, are not processed.
Password Filters
The sniffer includes several password filters that can be enabled/disabled from the main configuration dialog; they are used to capture credentials from the following protocols:

(*) = requires APR (Arp Poison Routing) to be enabled
Cain’s sniffer filters are internally designed to survive in an unreliable environment such as a network under ARP poisoning; Cain uses a separate protocol state machine for each protocol to extract from the packets all the information needed to recover the plaintext form of a transmitted password. Some authentication protocols use a challenge-response mechanism, so for these the sniffer needs parameters from both the Client->Server and the Server->Client traffic. On switched networks this can be achieved with a mirror port on the switch, or when APR reaches the FULL-Routing state.
When APR (ARP Poison Routing) is enabled the sniffer must process packets that it would normally never see and also re-route them to their correct destination; on heavy-traffic networks this can cause performance bottlenecks, so be careful. APR’s main advantage is that it enables sniffing on switched networks and also permits the analysis of encrypted protocols such as HTTPS and SSH-1.
Passwords and hashes are stored in .LST files in the program’s directory. These are comma-separated files, so you can view or import them with your preferred editor (e.g. POP3.LST contains passwords and hashes sniffed from the POP3 protocol).
For the HTTPS, SSH-1 and Telnet protocols, entire sessions are decrypted and dumped into text files using this naming convention:
<Protocol name>-<Year><Month><Day><Hour><Minute><Second><Milliseconds>-<client port>.txt
(e.g.: Telnet-20041116135246796-1141.txt)
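These session dumps are among the first artifacts an incident responder looks for when Cain is found on a machine, and the naming convention above carries the protocol, the capture time and the victim's client port. The Python below, an added example and not part of Cain, parses that convention and summarises a directory listing by protocol. It anchors on the 17-digit timestamp so that a protocol name containing a hyphen (SSH-1) is handled; the file names it runs on are constructed.

```python
import re
from datetime import datetime

# <Protocol name>-<YYYYMMDDHHMMSSmmm>-<client port>.txt
# The protocol part is matched lazily so "SSH-1" survives the hyphen.
_SESSION_RE = re.compile(r"^(?P<proto>.+?)-(?P<ts>\d{17})-(?P<port>\d{1,5})\.txt$")


def parse_session_filename(name):
    """Return {'protocol', 'started', 'client_port'} for a session dump, else None."""
    m = _SESSION_RE.match(name)
    if not m:
        return None
    ts = m.group("ts")
    started = datetime.strptime(ts[:14], "%Y%m%d%H%M%S")
    started = started.replace(microsecond=int(ts[14:]) * 1000)   # last 3 digits are ms
    port = int(m.group("port"))
    if not 0 < port < 65536:
        return None
    return {"protocol": m.group("proto"), "started": started, "client_port": port}


def triage_sessions(filenames):
    """Group session dumps by protocol: how many, earliest capture, client ports seen."""
    summary = {}
    for name in filenames:
        info = parse_session_filename(name)
        if info is None:
            continue   # .LST files and anything else are not session dumps
        entry = summary.setdefault(
            info["protocol"], {"count": 0, "first": info["started"], "ports": []}
        )
        entry["count"] += 1
        entry["first"] = min(entry["first"], info["started"])
        entry["ports"].append(info["client_port"])
    return summary


# Constructed directory listing; only the first name is the tutorial's own example.
SAMPLE_FILES = [
    "Telnet-20041116135246796-1141.txt",
    "Telnet-20041116140102003-1150.txt",
    "SSH-1-20041116135959120-3022.txt",
    "HTTPS-20041116131500000-1099.txt",
    "POP3.LST",
]

if __name__ == "__main__":
    for proto, entry in triage_sessions(SAMPLE_FILES).items():
        print(f"{proto}: {entry['count']} session(s), first at {entry['first']}, ports {entry['ports']}")
```

The earliest timestamp per protocol gives a lower bound for how long credentials have been exposed, and the client ports can be matched against the victims' connection logs to identify which hosts were poisoned.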
Off-line capture file processing
The sniffer can also process capture files (from Ethereal, Tcpdump and Winpcap) in off-line mode. Captures are imported using the “open file” button on the sniffer’s toolbar; when processing network traffic off-line all of APR’s functions are automatically disabled.
Routing Protocols Analysis
Routing protocols such as VRRP, HSRP, RIP, OSPF and EIGRP are also analyzed by the program. This enables quick identification of the subnet’s routing and perimeter.

For the EIGRP and RIP protocols, the “Routes Extractor” feature will also dump the actual routing table shared between routers. This is only supported when these protocols are not using authentication.
Usage
The sniffer is activated and deactivated using the corresponding toolbar button, and its parameters can be configured from the main configuration dialog.
Requirements
- Supported Ethernet network adapter
- Winpcap Packet Driver (v2.3 or above) from Politecnico di Torino.
SQL Server 2000 Password Extractor
Microsoft SQL Server 2000 stores the credentials of its accounts in the “master” database. User passwords are stored as salted SHA-1 hashes in the table “sysxlogins”. This feature connects to the server using ODBC and dumps all SQL users’ hashes into the MSSQL Hashes Cracker list.

How it works
It connects to the server via ODBC and runs the following SQL command:
select name, password from master..sysxlogins
Usage
To dump the hashes go to the MSSQL Hashes Cracker and press the “Insert” button on the keyboard or click the icon with the blue + on the toolbar. Choose the Data Source Name (DSN) for the target server and provide system administrator (SA) credentials.

Requirements
This feature requires SQL administrator privileges on the target database server.
Traceroute
Cain’s traceroute is an improved version of the Windows tool “tracert.exe”.
The widespread use of perimeter defences on the modern Internet sometimes makes it impossible to reach the desired destination with that utility: firewalls can drop ICMP packets without sending back any ICMP response, so the path to the target host cannot always be completely traced. UDP or TCP probes can be used to bypass common firewall restrictions, so Cain’s traceroute supports all three protocols.
Consider for example the following ICMP trace to www.somesite.com:

The ICMP traceroute stops at hop 18; probably there is something there that drops ICMP packets. The same trace, this time using TCP packets, crosses that firewall and enters their network.

As you can see, the TCP traceroute reached the destination host (www.somesite.com), discovering some routers inside their organisation along the way.
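The reason the TCP trace gets further is that the ICMP Time Exceeded replies come from the routers whose TTL budget the probe exhausts, regardless of what the probe itself is; the firewall only decides which probes it forwards. The following Python is an added simulation of that mechanism written for this tutorial (it sends no packets and is not Cain's code): a constructed path of hops, one of which silently drops ICMP probes but forwards TCP.

```python
from dataclasses import dataclass, field


@dataclass
class Hop:
    address: str
    drops: set = field(default_factory=set)   # probe protocols this hop refuses to forward


def trace(path, protocol, max_ttl=30):
    """Simulate traceroute over `path` with the given probe protocol.

    Probe n is sent with TTL = n. The n-th hop decrements TTL to zero and answers
    with ICMP Time Exceeded (the last hop answers the probe itself instead). A hop
    that drops the probe protocol swallows any probe that must travel beyond it,
    so every later hop stays silent. Returns one entry per TTL: the responding
    address, or None for a silent hop.
    """
    discovered = []
    for ttl in range(1, max_ttl + 1):
        reply = None
        for index, hop in enumerate(path):
            if index == ttl - 1:
                reply = hop.address       # TTL expired here, or this is the destination
                break
            if protocol in hop.drops:
                break                     # firewall dropped the probe in transit
        discovered.append(reply)
        if reply == path[-1].address:
            break                         # destination reached, stop early
    return discovered


def reached_destination(path, discovered):
    return bool(discovered) and discovered[-1] == path[-1].address


# Constructed path using documentation address ranges; hop 4 is the perimeter
# firewall that drops ICMP but lets TCP through to a published service.
PATH = [
    Hop("198.51.100.1"),
    Hop("198.51.100.2"),
    Hop("203.0.113.1"),
    Hop("203.0.113.254", drops={"icmp"}),
    Hop("192.0.2.1"),
    Hop("192.0.2.10"),
]

if __name__ == "__main__":
    for proto in ("icmp", "tcp"):
        hops = trace(PATH, proto, max_ttl=8)
        print(proto, hops, "reached" if reached_destination(PATH, hops) else "not reached")
```

From the defender's side the lesson is the mirror image: filtering only ICMP echo at the perimeter does not hide the internal routers, because their Time Exceeded replies are triggered by any probe the firewall forwards. Rate-limiting or dropping outbound Time Exceeded from internal routers, or terminating TTL at the edge, is what actually keeps the inside topology from being mapped this way.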
Usage
Choose the protocol type, select the target and press start.
Credits: Cain and Abel itself

Good post!!
Where can I buy this kit?
Haha, strange looking.
lol, r tard thinks you pay for C&A. Just google Cain & Abel and download it from oxid.it.
I have a problem.
Even after ensuring the Administrator password is correct and "Connect As" connects, I get the error "couldn't open Service Control Manager: access denied".
Please help me.
Why is it that no host appears when I scan for MAC addresses in Cain and Abel? I already configured it to the adapter that has the #. Can someone help me fix it? Please help. It scans, but nothing appears after the scan. I don't know what the problem is.
Thanks.