Friday, November 23, 2012

Actively sniffing and spoofing using Cain and Abel

In Part 1 (link) active sniffing and performing a man-in-the-middle attack were introduced. It allows you to intercept between the communication of two clients and thus able to read all their conversation. In this part tools will be demonstrated with which such an attack can be performed.

We will begin with one of the most easy to use and robust tools called Cain and Abel. It is composed of two components, first being Cain which is can perform a host of features such as:

a) Sniffing
b) Man-in-the-middle attack
c) Bruteforce and dictionary based hash cracking
d)Windows logon password cracking

The lesser known component, Abel can be also be pretty useful. The two utilities compliment each other in the sense that Cain is used to remotely execute attacks whereas Abel has to be installed on the victim machine as a service after which Cain's frontend can be used to remotely control the machine.

Brief Overview:


This post will cover the first two aspects of Cain only. Please note that this tool is available for Windows only. It uses the Winpcap (a port of libpcap) library to inject and monitor packets at link layer.

1. Install Cain (link)and run a quick Arp scan to find out all the local machines within your network.

2. Now start a man in the middle attack between two victim nodes. Obviously the best strategy is to attack a victim PC and your gateway router. This will allow you to read or sniff all the data between your victim PC and the outside world which is the requirement in most of the cases.

Options and Basic Configuration:


To configure which protocols/ports to sniff and route through your machine, go to configure->filter and ports and then tick all the protocols. Nowadays modern browser display a warning when the connection is under MitM. I would suggest that you uncheck port 443 which denotes ssl/https traffic. There are other interesting ways to decipher ssl traffic.

The other important tab to go is the HTTP Fields tab. It defines which keywords to grab and display the corresponding values. So if you are not able to capture username and/or password of a particular webpage, chances are that they use different value and name pair variables.

Finally the option which makes Cain and Abel worth using is the "Spoofed ip and mac option". It basically allows you to do all the above using some other IP from your subnet. So even if there is a MitM or sniffing detector, it will catch that imaginary IP that you have chosen. Simply go to ARP tab and choose a spoofed IP and MAC address. Make sure it is not in use by any other machine in your subnet.

Initiating the Attack:


Now that we are all set, click on the sniffer button as illustrated below. Click on the + button to ennumerate all the devices. Click on the button next to it and you will start poisoning the victims ARP table and thus perform the MitM attack. Once the whole process has started, the tabs at the bottom come in handy. According to me, the most important ones to look at is the APR tab and Passwords tab. They will in all likelihood contain all the details that you wanted to know, for which you started this whole process! Passwords found in all the major protocols- HTTP,HTTPS, FTP,RADIUS,SMB,SSH-1,Telnet to name a few!

Cain can process protocol specific traffic





Cain And Abel is one of the best sniffing tools around for several years now. It is easy to configure and quite stable. The only drawback is that it is Windows based tool.

Here is a short video exhibiting how powerful yet easy this tool is to use.




In the next part of this tutorial I will be describing how we can use open source tools to achieve the same. I will also explain how we can thwart such techniques. Till then, happy packet sniffing!

Important Links:


1.Cain and Abel homepage
2. Uses of Abel
3. Promiscuous mode