Use Cain and Abel for unsecured password sniffing [Published]

RemadE Global Moderator
edited April 2011 in Tech & Games
A guide to using Cain & Abel to sniff unsecured passwords on a network. For script kiddies and people who can't use Linux or Ethereal, basically.
Slightly incomplete. Need to add a couple more pictures.

Before you download Cain and Abel, however, please disable your Anti Spyware and Antivirus. Rightly so, this program is detected as a threat, as more advanced users can use it to root someone's box. We won't be discussing it in this guide, but bear in mind, this program can be used in really nasty ways. There is no threat to your machine, but don't freak out about your AV or AS going spastic. It's supposed to, so turn it off. Don't believe this program is legit? Then Google it for yourself.

You will need:-

0) Definitions:
What's a MAC address?

Contrary to what most twats in the UK think, a MAC address is the following, not the home of Steve Jobs or whatever you may have been imagining:
MAC addresses are most often assigned by the manufacturer of a network interface card (NIC) and are stored in its hardware, the card's read-only memory, or some other firmware mechanism. If assigned by the manufacturer, a MAC address usually encodes the manufacturer's registered identification number and may be referred to as the burned-in address. It may also be known as an Ethernet hardware address (EHA), hardware address or physical address.
What's ARP and ARP Poisoning?
The Address Resolution Protocol (ARP) is a computer networking protocol for determining a network host's Link Layer or hardware address when only its Internet Layer (IP) or Network Layer address is known. This function is critical in local area networking as well as for routing internetworking traffic across gateways (routers) based on IP addresses when the next-hop router must be determined. ARP was defined by RFC 826 in 1982. It is Internet Standard STD 37.

Consider a LAN where machines using IPv4 over Ethernet wish to communicate. In order for communication to succeed, the sending machine first needs to discover the Ethernet MAC address of the intended recipient network interface. Before sending an IPv4 packet, the sender sends a broadcast message onto the LAN using ARP in order to discover the Ethernet MAC address of an interface that is listening for that desired target IPv4 address. If operational, an appropriate unit will reply that it has a network interface with a certain MAC address that is associated with the IPv4 address in question. The original sender now has the information needed and can send its IPv4 packet to the destination, inserting it into an Ethernet frame with the correct destination MAC address for the appropriate recipient.

The sender's operating system also stores the newly discovered MAC address in a table (it caches the result). This table of mappings from IPv4 addresses to MAC addresses is retained and consulted so that the ARP process may be avoided for future communication. A timer is set when an entry is added to the ARP cache. When the timer expires, the entry is discarded as it may no longer be applicable; before sending another IPv4 packet to the destination, a new ARP request would be sent.
Address Resolution Protocol (ARP) spoofing, also known as ARP flooding, ARP poisoning or ARP Poison Routing (APR), is a technique used to attack an Ethernet wired or wireless network. ARP Spoofing may allow an attacker to sniff data frames on a local area network (LAN), modify the traffic, or stop the traffic altogether. The attack can only be used on networks that actually make use of ARP and not another method of address resolution.

The principle of ARP spoofing is to send fake, or "spoofed", ARP messages to an Ethernet LAN. Generally, the aim is to associate the attacker's MAC address with the IP address of another node (such as the default gateway). Any traffic meant for that IP address would be mistakenly sent to the attacker instead. The attacker could then choose to forward the traffic to the actual default gateway (passive sniffing) or modify the data before forwarding it (man-in-the-middle attack). The attacker could also launch a denial-of-service attack against a victim by associating a nonexistent MAC address to the IP address of the victim's default gateway.

I see you've said 'MITM' in this guide. The fuck is that?
Abbreviated as MITM, a man-in-the-middle attack is an active Internet attack where the person attacking attempts to intercept, read or alter information moving between two computers. MITM attacks are associated with 802.11 security, as well as with wired communication systems.

Once you have installed both SMac and Cain & Abel, you will see these screens. We will get working on SMac first as this program spoofs your PC's MAC address (the physical address that defines it on the network) meaning you will have less chance of being caught and punished.


[Image: smacfrontpage.gif] The main screen of Smac 2.7

In order to spoof your MAC address, click on your Network Interface Card (wired or wireless). It is the one with your internal IP address on. To check yours if you aren't sure, go into Command Prompt and type this
ipconfig /all

then press enter. This is your internal IP:
[Image: whatismyip.gif]
So now you know which one your Network Interface Card (NIC from now on) is, select it and then select a MAC address from the drop-down box as can be seen on the annotated picture above. After that, click "Update MAC" and give it a few seconds. It will log out of the network, close your Network connections for a second, spoof your MAC address to that of the selected one and return you (if possible) to the network as you were. You now look like another machine to the server/router. Your IP is still the same for now but can be changed in Cain and Abel.
Oh, and disable your firewall or make an exception for Cain and Abel. No point trying to intercept traffic then, is there?

Fire up Cain and Abel!
Upon starting this program you will be greeted with this screen. I have annotated it for ease of use and reference later on.
[Image: programfrontpageannotat.gif]

Right, so click on "Configure" on the top bar and you will be greeted with this screen:-
[Image: networkcardconfig.gif]

Select your NIC (check the IP, remember?) your MAC address will be spoofed anyway. If you wish to spoof your IP, then click on the ARP tab and adjust accordingly. Note that to spoof your IP, you must enter in one on the same subnet as you. E.g. if you are actually PC 192.168.1.2 and you wanted to pretend to be another one to spoof the router into thinking you're another person, you can't choose an IP like 172.29.1.1 as it's a different start of numbers altogether. Ya get me?
[Image: spoofin.gif]

Once all that is taken care of, go onto the main screen and exit the dialogue box with the ARP spoofing you just did in. Press OK basically. Sorry, baked.
Click the "Sniffer" tab. After that, click the "Sniffer" button and then the little "+" button alongside from it (it's blue..can't miss it along the top row). When you do that, you will see a screen with a list of Computers (I can't get mine to work as I have fucked up my IP spoofing, but I will put a pic up later).

Click on "All hosts in my subnet" if you want to scan for all the PCs (this WILL slow down your system and you will more than likely get found out), or go for a particular target(s) by setting the IP range(s) in the appropriate boxes there. Then click "All ARP tests" to check for suitability for sniffing.

Once that is done, they are added to the list of hosts. Always remember to add the IP ending in 1, as it is more than likely the Router, and you need that to intercept data to/from. It won't work otherwise.

Once that has been taken care of, you will see some hosts appear in the Hosts area. These are available computers/targets/fun times. Click on the bottom tab labelled "ARP", as seen here:-
[Image: bottombar.gif]

If there are no hosts already in there, then click the blue "+" button to add some. On the left are the computers and on the right you select the Router (usually something like 192.168.1.1 or 172.29.30.1 - but it almost always ends in 1. There are ways to find out, like using "ipconfig /all" ;)).
So, select the hosts you want to sniff, just click and hold select to select a small group or however many. After that, click "Ok" and they will be added to the "Hosts" list.
I WILL PUT A PIC UP WHEN I CAN

Now look back at your top toolbar and click the Nuclear symbol (Yellow and Black, derp) I have pointed out anyway. The hosts will turn red, and ARP poisoning will start.
Select your "Passwords" tab and select HTTP as it is almost always the fastest to fill up. Some POP3 ones may come through, or even FTP!
I WILL PUT A PIC IN WHEN I CAN

Tadaa! You L337haxX0r!
Go get laid..

I have taken the liberty of uploading the updated password forms for you to update Cain and Abel with. Just put them into the Program Files folder of Cain and Abel. Simple. More help, updates and guides can be found on the oxid.it forums (linked at the bottom under 'Further reading').


Further reading:
Official Cain and Abel website (discontinued)
Official Cain and Abel forums
SMAC official site and help
Video: info on MITM/ARP attacks
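A defender-side check to go with the ARP and ARP poisoning definitions above, and with the question further down about whether you can tell you are being sniffed. This is an added example, not part of the original guide or of Cain & Abel; the gateway address, the 'arp -a' dump and the reply stream are constructed sample data.

```python
# Added defender-side example, not from the original post: spot the ARP
# poisoning symptoms the guide describes, from an 'arp -a' style dump and
# from a stream of observed ARP replies (both constructed sample data).
import re
from collections import defaultdict

GATEWAY_IP = "192.168.1.1"  # assumed: the router on the guide's example subnet
ARP_LINE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:[-:][0-9a-f]{2}){5})", re.I)

# Constructed Windows 'arp -a' dump: the gateway and .5 share one MAC (poisoned).
ARP_DUMP = """
Interface: 192.168.1.2 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-05     dynamic
  192.168.1.5           00-11-22-33-44-05     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""
# Constructed ARP replies seen on the wire: (seconds, sender IP, sender MAC).
REPLIES = [(0, "192.168.1.1", "00:11:22:33:44:01"), (1, "192.168.1.5", "00:11:22:33:44:05"),
           (30, "192.168.1.1", "00:11:22:33:44:05")]  # gateway IP suddenly served by .5's MAC

def parse_arp_table(text):
    """Map IP -> MAC (lowercase, colon form) from an 'arp -a' dump; skip broadcast."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            mac = m.group(2).lower().replace("-", ":")
            if mac != "ff:ff:ff:ff:ff:ff":  # the broadcast entry is never a host
                table[m.group(1)] = mac
    return table

def shared_mac_alerts(table, gateway_ip=GATEWAY_IP):
    """One MAC answering for the gateway and for other hosts is the poisoning signature."""
    mac_to_ips = defaultdict(set)
    for ip, mac in table.items():
        mac_to_ips[mac].add(ip)
    gw_mac = table.get(gateway_ip)
    if gw_mac is None or len(mac_to_ips[gw_mac]) == 1:
        return []
    others = sorted(mac_to_ips[gw_mac] - {gateway_ip})
    return [f"[HIGH] {gw_mac} answers for gateway {gateway_ip} and {others}"]

def mac_change_alerts(replies, gateway_ip=GATEWAY_IP):
    """Alert when an IP's advertised MAC flips; a flip on the gateway is the loudest sign."""
    seen, alerts = {}, []
    for ts, ip, mac in replies:
        mac = mac.lower()
        if ip in seen and seen[ip] != mac:
            sev = "HIGH" if ip == gateway_ip else "MEDIUM"
            alerts.append(f"[{sev}] t={ts}s {ip}: {seen[ip]} -> {mac}")
        seen[ip] = mac
    return alerts
```

On a real machine, feed the output of `arp -a` into parse_arp_table and compare the gateway's MAC against the one printed on the router's label; a static ARP entry for the gateway and switch-side Dynamic ARP Inspection are the usual mitigations.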

Comments

  • edited February 2011
    God damn! Amazing guide, I was going to write something similar if I remember rightly. Brilliant job, I'll update the links in my guide suggestion thread too.

    Really good job on this one :thumbsup:
  • duuude Regular
    edited February 2011
    Nice guide RemadE. This is awesome. Even if you aren't trying to steal passwords, you can watch someone's browsing habits.

    One thing that confused me (hope this helps for others using this guide) is when you click the 'ARP' tab to add and poison a host, the blue plus sign button isn't active and colored UNTIL you click inside the top white space where the host will go. Once you do that you can add your hosts.

    I'm a complete noob to all of this and I was wondering, would SSL keep packets from being sniffed or just encrypt the packets?? I poisoned my laptop's IP last night to try this out and checked my email on it to see if it could sniff my email addy and password but it wouldn't even show that I was visiting the site. (gmail)

    Also, It's sniffing my desktop and showing my visited links as well. Is that just because I'm on the same network??
  • edited February 2011
    duuude wrote: »
    Nice guide RemadE. This is awesome. Even if you aren't trying to steal passwords, you can watch someone's browsing habits.

    One thing that confused me (hope this helps for others using this guide) is when you click the 'ARP' tab to add and poison a host, the blue plus sign button isn't active and colored UNTIL you click inside the top white space where the host will go. Once you do that you can add your hosts.

    I'm a complete noob to all of this and I was wondering, would SSL keep packets from being sniffed or just encrypt the packets?? I poisoned my laptop's IP last night to try this out and checked my email on it to see if it could sniff my email addy and password but it wouldn't even show that I was visiting the site.

    Also, It's sniffing my desktop and showing my visited links as well. Is that just because I'm on the same network??

    SSL requires a little more effort. Funnily enough, I'm writing a guide on sniffing HTTPS traffic right now :D Try logging into a plain HTTP site if you want a result, such as your router's login page.
  • duuude Regular
    edited February 2011
    ^ Sweet thx.

    Sorry for the stupid questions.. is there any way to tell if you or your network is being sniffed?
  • edited February 2011
    duuude wrote: »
    ^ Sweet thx.

    Sorry for the stupid questions.. is there any way to tell if you or your network is being sniffed?

    I don't think there is, but a tell-tale sign might be your connection slowing down to shit after all the traffic is being routed through another machine before being sent along its way. Keep an eye on who's using your network, use SSL wherever possible.
  • skunk Regular
    edited February 2011
    Now you need a guide on how to secure your passwords :)
  • Dfg Admin
    edited April 2011
    Taken from: Network (in)Security
  • edited April 2011
    Now you need a guide on how to secure your passwords :)

    Using SSL encryption wherever you can will help you secure your passwords. Install the HTTPS anywhere addon for a good level of SSL protection, as it forces the use of HTTPS on a large number of websites.
  • Krane Regular
    edited April 2011
    Nice guide, thanks for posting!

    +4 Stars