Cain and Abel

Contents

  1. Introduction
  2. Features
     2.1 Main Features
     2.2 Other Features
  3. Local Passwords
     3.1 LSA Secret
     3.2 Wireless password
     3.3 IE 7-9 Auto Forms Passwords
     3.4 LM (LAN Manager hash) and NTLM
  4. Cracking with Cain
     4.1 Bruteforce
     4.2 Dictionary
     4.3 Rainbow tables
  5. Address Resolution Protocol
  6. ARP Poisoning Routing
     6.1 Overview
     6.2 Sniffing the network
     6.3 Bypassing HTTPS
     6.4 Result
  7. Defenses
     7.1 Against Cracker
     7.2 Against ARP poisoning
  8. Disadvantages of Cain
  9. Demo
     9.1 Decoder
     9.2 Cracker
     9.3 ARP
  10. Sources

1. Introduction

Cain and Abel is a password recovery tool. It is very broad: rather than recovering passwords in only one way, it combines many possible attacks to obtain the passwords of a system. It is exclusive to Windows and cannot be run on Linux or OS X. It is typically used by attackers who wish to gain unauthorized access to a system, but it can also be used by a defender who has been locked out of their own system by an attacker, or to test the strength of their defenses.

2. Features

2.1 Main Features

These are the features we chose to cover in the presentation; they are also the features Cain and Abel is typically used for.

2.2 Other Features

There are many other features in Cain and Abel, some of which are outdated (like the Dialup password cracker) and others that are not as widely used as the main features. For the full list of features it offers, see: http://resources.infosecinstitute.com/password-cracking-using-cain-abel/

3. Local Passwords

3.1 LSA Secret

3.2 Wireless password

3.3 IE 7-9 Auto Forms Passwords

3.4 LM (LAN Manager hash) and NTLM

4. Cracking with Cain

4.1 Bruteforce

4.2 Dictionary Attack

4.3 Rainbow Table Attack

5. Address Resolution Protocol (ARP)

6. ARP Poisoning Routing

6.1 Overview

6.2 Sniffing the network

6.3 Bypassing HTTPS

7. Defenses

7.1 Password Protection

  1. Not be a dictionary word, or a combination of dictionary words, which protects it against dictionary attacks.
  2. Be long, so that a bruteforce attack would take many years to crack it. A good length is generally 10+ characters, but it depends on the character set you are using. A 10-digit numeric PIN can be cracked in around 2 seconds by a standard PC, while a 10-character alphanumeric password with capitals and special symbols will take around 60 years to crack on a standard PC.
  3. Use a large character set. As shown above, the characters comprising your password matter. However, avoid the common number and special-symbol insertions. Most people increase the character set by capitalizing the first letter, replacing letters with similar-looking numbers (like s with 5) and putting an exclamation mark at the end. Avoid doing this, as most attackers account for it (by adding the corresponding mangling rules to their dictionary attack).
  4. Make the password memorable. If you make your password an impossible-to-remember 20-character assortment of gibberish, it is likely you will forget it or store it in an insecure way. Some people write their password down, or store it in a text file or e-mail, which defeats the purpose of having a strong password.
  5. Don’t reuse passwords. If it turns out a website was storing your password in plaintext and was hacked, it shouldn’t mean that all your other passwords, like your e-mail password, are compromised. Make sure to have a different password for every service that needs one.

This seems like a lot to keep track of. One recommendation is to use a password manager app like KeePass. It automatically generates and securely stores passwords for all the services that you use. This can be dangerous, however: if an attacker can break into KeePass they will have every single one of your passwords. So make sure to do the research that determines whether your password manager is secure.
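To make the rules above concrete, here is an added example (not part of the original page) that checks a candidate password the way the text describes: it undoes the common manglings (capitalized first letter, leet substitutions, trailing digits and symbols) before comparing against a dictionary, and it computes the keyspace a bruteforce must exhaust for the password's length and character set. The wordlist and the guesses-per-second rate are constructed assumptions; real attacker dictionaries and hardware rates are far larger and vary with the hash being attacked.

```python
import math
import string

# Constructed mini wordlist standing in for an attacker's dictionary; a real
# one has millions of entries (assumption for the example).
WORDLIST = {"password", "summer", "letmein", "dragon", "welcome"}

# Leet substitutions that the text says attackers already account for.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})


def normalize(password: str) -> str:
    """Undo the usual manglings: trailing digits/symbols, leet-speak, capitals."""
    stripped = password.rstrip(string.digits + string.punctuation)
    return stripped.translate(LEET).lower()


def is_dictionary_based(password: str, wordlist=WORDLIST) -> bool:
    """True if the password is a (mangled) dictionary word or two words glued together."""
    base = normalize(password)
    if base in wordlist:
        return True
    return any(base.startswith(w) and base[len(w):] in wordlist for w in wordlist)


def charset_size(password: str) -> int:
    """Size of the union of standard character classes the password draws from."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 ASCII symbols
    return size


def keyspace(password: str) -> int:
    """Number of candidates a bruteforce must try to exhaust this length and charset."""
    return charset_size(password) ** len(password)


def bruteforce_seconds(password: str, guesses_per_second: float = 1e9) -> float:
    """Worst-case time to exhaust the keyspace. The default rate is a constructed
    figure; real rates depend on the hash algorithm and the attacker's hardware."""
    return keyspace(password) / guesses_per_second


def assess(password: str, guesses_per_second: float = 1e9) -> dict:
    """Apply the page's rules and report what is wrong with the password."""
    problems = []
    if len(password) < 10:
        problems.append("shorter than 10 characters")
    if charset_size(password) < 62:
        problems.append("small character set (fewer than 62 symbols)")
    if is_dictionary_based(password):
        problems.append("dictionary word with common mangling")
    seconds = bruteforce_seconds(password, guesses_per_second)
    return {
        "keyspace_bits": round(math.log2(keyspace(password)), 1),
        "bruteforce_years": seconds / (365 * 24 * 3600),
        "problems": problems,
    }


if __name__ == "__main__":
    for pw in ["1234567890", "P@55w0rd!", "Summer2019!", "xq7Lm#9vTz"]:
        print(pw, assess(pw))
```

Note that "P@55w0rd!" and "Summer2019!" both draw from a large character set yet are flagged, because normalizing them yields a plain dictionary word; the keyspace figure alone would have overrated them.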

  1. Hash your passwords with a strong hashing algorithm. That way, if the database of user credentials is stolen, the attackers won’t necessarily be able to access the accounts. Since weak hashes like MD5 are very easy to crack, use a strong algorithm like SHA-512.
  2. Salt your passwords. Salting is essentially appending some sequence of characters to the password sent by the user before hashing it. By salting your passwords you make bruteforcing harder and also defeat rainbow tables. Rainbow tables are defeated because even if the table yields a collision for the stored hash, that value cannot be submitted as the password, because of the salt.
  3. Don’t use obvious names for fields. Avoid names like “password”, “id”, or “pass”. By making it difficult to discern which field contains the relevant information you slow down the attacker, as Cain and Abel will not be able to catch passwords from your website by default. This is, however, security through obscurity, so make sure it is not the only defense that you employ.
  4. Use and force HTTPS. As we saw earlier, HTTPS helps warn victims that they may be being ARP poisoned. If your website provides HTTPS, make sure to force it: do not allow an HTTP connection even if one is requested, and instead only allow HTTPS connections.
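The salting point is easiest to see with a leaked hash in hand. The following is an added example (not code from the page or from Cain and Abel) that hashes a password with SHA-512 both unsalted and with a random salt appended, as the text describes, and then runs a table lookup against a constructed stand-in for a rainbow table. The `hash_salted_slow` helper is an addition beyond the text: it uses PBKDF2-HMAC-SHA512 from the standard library, the deliberately slow construction current guidance prefers over a single fast hash, so that each bruteforce guess costs the attacker many SHA-512 calls instead of one. The candidate list and iteration count are constructed values.

```python
import hashlib
import hmac
import secrets
from typing import Optional


def hash_unsalted(password: str) -> str:
    """What a table-lookup attack relies on: same password, same digest everywhere."""
    return hashlib.sha512(password.encode()).hexdigest()


def hash_salted(password: str, salt: Optional[bytes] = None) -> str:
    """Append a random per-user salt, as the text describes, then hash.
    Returns 'salthex$digest' so the salt can be stored beside the hash."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.sha512(password.encode() + salt).hexdigest()
    return f"{salt.hex()}${digest}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest = stored.split("$", 1)
    candidate = hashlib.sha512(password.encode() + bytes.fromhex(salt_hex)).hexdigest()
    return hmac.compare_digest(candidate, digest)


def hash_salted_slow(password: str, salt: bytes, iterations: int = 200_000) -> str:
    """Same idea with a deliberately slow KDF (PBKDF2-HMAC-SHA512): every guess
    now costs the attacker `iterations` HMAC calls instead of one SHA-512."""
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations).hex()
    return f"{salt.hex()}${digest}"


# Constructed stand-in for a rainbow table: precomputed unsalted digests of a few
# common passwords. A real table covers billions of candidates.
CANDIDATES = ["password", "letmein", "summer2019", "hunter2"]
PRECOMPUTED = {hash_unsalted(p): p for p in CANDIDATES}


def table_lookup(stored: str, table=PRECOMPUTED) -> Optional[str]:
    """Look a leaked hash up in the precomputed table; None means no hit."""
    digest = stored.split("$")[-1]
    return table.get(digest)


if __name__ == "__main__":
    leaked_unsalted = hash_unsalted("hunter2")
    leaked_salted = hash_salted("hunter2")
    print("unsalted lookup:", table_lookup(leaked_unsalted))          # hunter2
    print("salted lookup:  ", table_lookup(leaked_salted))            # None
    print("login check:    ", verify_salted("hunter2", leaked_salted))  # True
```

Two details worth keeping in a real implementation: the salt is generated with `secrets` rather than `random`, and verification uses `hmac.compare_digest` so that a mismatch does not leak timing information about how many leading bytes matched.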

7.2 Protection against ARP spoofing

  1. Use HTTPS whenever possible. It is not safe to pass sensitive information over plain HTTP. Do not trust sensitive information to websites that do not use HTTPS. Also, make sure that their certificate is valid and don’t ignore the warnings that come up.
  2. Protect your network. ARP Spoofing does not work unless the attacker is connected to the network. So make sure that your network is not easily accessible, and don’t connect to networks with weak encryption. For example, don’t connect to networks secured with WEP. In a similar vein, don’t connect to open networks, as that would make ARP Poisoning easy for the attacker.
  3. Use ARP Spoofing detection tools. One example of such a tool is XArp. It detects when it is likely that you are under an ARP spoofing attack and notifies you.
  4. Use a VPN. A VPN encrypts your connection and makes ARP Spoofing much harder, as the attacker then has to decrypt your connection. Be warned, however, that this introduces the problem of which VPN to trust, as some have weak encryption and some can even sniff your connection maliciously.
  1. Use static ARP entries. The way this works is that every computer on the network has a table of ARP entries it uses which cannot be updated by a simple ARP request, as the computers simply ignore such requests. This means that ARP Spoofing is mitigated, as there is no signal the attacker can send that could update the tables. The big problem with this is that it is completely unscalable. It does not work on any but the tiniest networks, and even then allowing a new user to connect is a hassle, because every time there is a change (like a new computer connecting to the network) all the ARP tables have to be changed manually.
  2. Custom monitoring software. This is slightly similar to static ARP entries, but more scalable. A central server maintains a list of important ARP entries, like the file server, the authentication server and so on. Otherwise ARP works exactly as it normally does. However, on a regular basis each computer’s ARP table is compared against the one maintained by the central server. If it does not match, the system warns of an ARP spoofing attack and disregards the computer’s ARP table. This means that while ARP Poisoning can still happen between some hosts, the most important connections are maintained and monitored.
  3. Detection and blocking of ARP Spoofing attacks. Software like ARPWALL or even Wireshark can analyze packets to check for signs of an ARP Poisoning attack. If it detects one, it notifies the user and blocks the offending connection.
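The monitoring and detection approaches in the last three items can be sketched in a few dozen lines. The following is an added example, not a tool the page describes, that implements both checks: it parses the output of Windows `arp -a` on a client and compares the cached MACs of pinned hosts against a central list (the "custom monitoring software" idea), and it scans a sequence of observed ARP replies for the two classic signs that packet analyzers such as Wireshark flag, an IP whose MAC suddenly changes and a single MAC claiming more than one IP. The pinned list, the `arp -a` text and the reply sequence are all constructed sample data; the `PINNED` dictionary and the function names are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed list of pinned entries a central server would distribute
# (assumption): only the hosts that matter most, as the text describes.
PINNED = {
    "192.168.1.1": "00-11-22-33-44-01",   # gateway
    "192.168.1.10": "00-11-22-33-44-0a",  # file server
}

# Constructed sample of Windows `arp -a` output on a client, where the file
# server's entry has already been overwritten by a poisoned reply.
SAMPLE_ARP_A = """\
Interface: 192.168.1.23 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-01     dynamic
  192.168.1.10          de-ad-be-ef-00-01     dynamic
  192.168.1.42          00-11-22-33-44-2a     dynamic
  224.0.0.22            01-00-5e-00-00-16     static
"""

ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5})\s+(\w+)")


def parse_arp_a(text: str) -> dict:
    """Map IP -> MAC (lower-cased) from `arp -a` style output; header lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table


def check_against_pinned(table: dict, pinned: dict = PINNED) -> list:
    """Return (ip, expected_mac, seen_mac) for every pinned host whose cached
    MAC differs from the central list: the 'custom monitoring' comparison."""
    return [(ip, mac, table[ip]) for ip, mac in pinned.items()
            if ip in table and table[ip] != mac.lower()]


# Constructed sequence of ARP replies as seen on the wire: (sender IP, sender MAC).
SAMPLE_REPLIES = [
    ("192.168.1.1", "00-11-22-33-44-01"),
    ("192.168.1.42", "00-11-22-33-44-2a"),
    ("192.168.1.1", "de-ad-be-ef-00-01"),   # gateway suddenly 'moves'
    ("192.168.1.10", "de-ad-be-ef-00-01"),  # same MAC now also claims the file server
]


def detect_mac_changes(replies) -> list:
    """Flag an IP whose announced MAC differs from the one first seen for it."""
    first_seen, alerts = {}, []
    for ip, mac in replies:
        mac = mac.lower()
        if ip in first_seen and first_seen[ip] != mac:
            alerts.append((ip, first_seen[ip], mac))
        first_seen.setdefault(ip, mac)
    return alerts


def detect_shared_mac(replies) -> dict:
    """Return MACs that claim more than one IP. Legitimate in a few setups (a router
    with several addresses), so treat it as a signal to investigate, not proof."""
    ips_by_mac = defaultdict(set)
    for ip, mac in replies:
        ips_by_mac[mac.lower()].add(ip)
    return {mac: sorted(ips) for mac, ips in ips_by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    table = parse_arp_a(SAMPLE_ARP_A)
    print("pinned mismatches:", check_against_pinned(table))
    print("MAC changes:      ", detect_mac_changes(SAMPLE_REPLIES))
    print("shared MACs:      ", detect_shared_mac(SAMPLE_REPLIES))
```

Run against the sample data, the pinned check reports the file server entry, the change detector reports the gateway, and the shared-MAC check ties both to the same address, which is exactly the pattern a man-in-the-middle between a client and its gateway produces. On a real network the `arp -a` text would come from running the command periodically and the reply sequence from a capture, and the pinned list would be fetched from the central server the text describes.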

8. Disadvantages of Cain and Abel

9. Demo

9.1 Decoder

9.2 Cracker

9.3 ARP

10. Sources

Password Algorithms: Internet Explorer 10 (Windows Vault)

http://en.wikipedia.org/wiki/Rainbow_table

Address Resolution Protocol (arp)

ARP Cache Poisoning

http://resources.infosecinstitute.com/password-cracking-using-cain-abel/

Introduction to ARP Poisoning Routing