
Use Cain and Abel for Unsecured Password Sniffing

A guide to using Cain & Abel to sniff unsecured passwords on a network. For scriptkiddies and people who can’t use Linux or Ethereal, basically.
Slightly incomplete. Need to add a couple more pictures.

Before you download Cain and Abel, however, please disable your Anti Spyware and Antivirus. Rightly so, this program is detected as a threat, as more advanced users can use it to root someone’s box. We won’t be discussing it in this guide, but bear in mind, this program can be used in really nasty ways. There is no threat to your machine, but don’t freak out about your AV or AS going spastic. It’s supposed to, so turn it off. Don’t believe this program is legit? Then Google it for yourself.

You will need:-

0) Definitions:

What’s a MAC address?

Contrary to what most twats in the UK think, a MAC address is the following, not the home of Steve Jobs or whatever you may have been imagining:

Originally Posted by https://secure.wikimedia.org/wikipedia/en/wiki/MAC_address
MAC addresses are most often assigned by the manufacturer of a network interface card (NIC) and are stored in its hardware, the card’s read-only memory, or some other firmware mechanism. If assigned by the manufacturer, a MAC address usually encodes the manufacturer’s registered identification number and may be referred to as the burned-in address. It may also be known as an Ethernet hardware address (EHA), hardware address or physical address.

What’s ARP and ARP Poisoning?

Originally Posted by https://secure.wikimedia.org/wikipedia/en/wiki/Address_Resolution_Protocol
The Address Resolution Protocol (ARP) is a computer networking protocol for determining a network host’s Link Layer or hardware address when only its Internet Layer (IP) or Network Layer address is known. This function is critical in local area networking as well as for routing internetworking traffic across gateways (routers) based on IP addresses when the next-hop router must be determined. ARP was defined by RFC 826 in 1982. It is Internet Standard STD 37.

Consider a LAN where machines using IPv4 over Ethernet wish to communicate. In order for communication to succeed, the sending machine first needs to discover the Ethernet MAC address of the intended recipient network interface. Before sending an IPv4 packet, the sender sends a broadcast message onto the LAN using ARP in order to discover the Ethernet MAC address of an interface that is listening for that desired target IPv4 address. If operational, an appropriate unit will reply that it has a network interface with a certain MAC address that is associated with the IPv4 address in question. The original sender now has the information needed and can send its IPv4 packet to the destination, inserting it into an Ethernet frame with the correct destination MAC address for the appropriate recipient.

The sender’s operating system also stores the newly discovered MAC address in a table (it caches the result). This table of mappings from IPv4 addresses to MAC addresses is retained and consulted so that the ARP process may be avoided for future communication. A timer is set when an entry is added to the ARP cache. When the timer expires, the entry is discarded as it may no longer be applicable; before sending another IPv4 packet to the destination, a new ARP request would be sent.

Originally Posted by https://secure.wikimedia.org/wikipedia/en/wiki/ARP_spoofing
Address Resolution Protocol (ARP) spoofing, also known as ARP flooding, ARP poisoning or ARP Poison Routing (APR), is a technique used to attack an Ethernet wired or wireless network. ARP Spoofing may allow an attacker to sniff data frames on a local area network (LAN), modify the traffic, or stop the traffic altogether. The attack can only be used on networks that actually make use of ARP and not another method of address resolution.

The principle of ARP spoofing is to send fake, or “spoofed”, ARP messages to an Ethernet LAN. Generally, the aim is to associate the attacker’s MAC address with the IP address of another node (such as the default gateway). Any traffic meant for that IP address would be mistakenly sent to the attacker instead. The attacker could then choose to forward the traffic to the actual default gateway (passive sniffing) or modify the data before forwarding it (man-in-the-middle attack). The attacker could also launch a denial-of-service attack against a victim by associating a nonexistent MAC address to the IP address of the victim’s default gateway.
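A defender's view of the ARP behaviour quoted above, as an added example (not part of the original guide or of the quoted Wikipedia text): it parses RFC 826 ARP payloads and flags an IP address whose claimed MAC changes, or one MAC answering for several IPs. The function names and every address in the sample are constructed for illustration.

```python
import socket
import struct
from collections import defaultdict

ARP_FMT = "!HHBBH6s4s6s4s"  # RFC 826 body for Ethernet/IPv4: 28 bytes

def parse_arp(payload):
    """Return (opcode, sender_mac, sender_ip), or None if not Ethernet/IPv4 ARP."""
    if len(payload) < 28:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _tha, _tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, sha.hex(":"), socket.inet_ntoa(spa)

def detect_conflicts(payloads, gateway_ip=None):
    """Track sender IP -> MAC bindings; alerts are (frame_index, kind, ip, mac)."""
    ip_to_mac, mac_to_ips, alerts = {}, defaultdict(set), []
    for n, payload in enumerate(payloads):
        parsed = parse_arp(payload)
        if parsed is None or parsed[2] == "0.0.0.0":  # skip junk and ARP probes
            continue
        _op, mac, ip = parsed
        if ip_to_mac.get(ip, mac) != mac:  # this IP was bound to a different MAC before
            alerts.append((n, "gateway-rebind" if ip == gateway_ip else "rebind", ip, mac))
        ip_to_mac[ip] = mac
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:  # one NIC answering for several IPs
                alerts.append((n, "multi-ip", ip, mac))
    return alerts

def _arp(op, sha, spa, tha, tpa):
    """Build one constructed ARP payload for the sample below."""
    mac, ip = (lambda s: bytes.fromhex(s.replace(":", ""))), socket.inet_aton
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, mac(sha), ip(spa), mac(tha), ip(tpa))

# Constructed sample: all addresses are made up for illustration.
GW, GW_MAC = "192.168.1.1", "00:11:22:33:44:55"
PC, PC_MAC, ODD_MAC = "192.168.1.20", "00:aa:bb:cc:dd:01", "00:de:ad:be:ef:99"
SAMPLE = [
    _arp(2, GW_MAC, GW, PC_MAC, PC),               # normal reply from the router
    _arp(1, PC_MAC, PC, "00:00:00:00:00:00", GW),  # normal request from the PC
    _arp(2, ODD_MAC, GW, PC_MAC, PC),              # router IP now claimed by another MAC
    _arp(2, ODD_MAC, PC, GW_MAC, GW),              # same MAC also claims the PC's IP
]

if __name__ == "__main__":
    print(*detect_conflicts(SAMPLE, gateway_ip=GW), sep="\n")
```

A rebind can also come from a DHCP reassignment or a replaced NIC, so an alert is something to check rather than proof; a changed binding for the gateway IP is the one to look at first.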

I see you’ve said ‘MITM’ in this guide. The fuck is that?

Originally Posted by http://www.webopedia.com/TERM/M/man_in_the_middle_attack.html
Abbreviated as MITM, a man-in-the-middle attack is an active Internet attack where the person attacking attempts to intercept, read or alter information moving between two computers. MITM attacks are associated with 802.11 security, as well as with wired communication systems.

Once you have installed both SMac and Cain & Abel, you will see these screens. We will get working on SMac first as this program spoofs your PC’s MAC address (the physical address that defines it on the network) meaning you will have less chance of being caught and punished.


SMAC 2.7 Screenshot
The main screen of Smac 2.7

In order to spoof your MAC address, click on your Network Interface Card (wired or wireless). It is the one with your internal IP address on. To check yours if you aren’t sure, go into Command Prompt and type this

ipconfig /all

then press enter. This is your internal IP:


ipconfig all - Internal IP address

So now you know which one your Network Interface Card (NIC from now on) is, select it and then select a MAC address from the drop-down box as can be seen on the annotated picture above. After that, click “Update MAC” and give it a few seconds. It will log out of the network, close your Network connections for a second, spoof your MAC address to that of the selected one and return you (if possible) to the network as you were. You now look like another machine to the server/router. Your IP is still the same for now but can be changed in Cain and Abel.
Oh, and disable your firewall or make an exception for Cain and Abel. No point trying to intercept traffic then, is there?

Fire up Cain and Abel!
Upon starting this program you will be greeted with this screen. I have annotated it for ease of use and reference later on.


Cain and Abel With Annotations

Right, so click on “Configure” on the top bar and you will be greeted with this screen:-

Cain And Abel Config Screenshot

Select your NIC (check the IP, remember?); your MAC address will be spoofed anyway. If you wish to spoof your IP, then click on the ARP tab and adjust accordingly. Note that to spoof your IP, you must enter in one on the same subnet as you. Eg if you are actually PC and you wanted to pretend to be another one to spoof the router into thinking you’re another person, you can’t choose an IP like as it’s a different start of numbers altogether. Ya get me?

Once all that is taken care of, go onto the main screen and exit the dialogue box with the ARP spoofing you just did in. Press OK basically. Sorry, baked.
Click the “Sniffer” tab. After that, click the “Sniffer” button and then the little “+” button alongside from it (it’s blue..can’t miss it along the top row). When you do that, you will see a screen with a list of Computers (I can’t get mine to work as I have fucked up my IP spoofing, but I will put a pic up later).

Click on “All hosts in my subnet” if you want to scan for all the PCs (this WILL slow down your system and you will more than likely get found out), or go for a particular target(s) by setting the IP range(s) in the appropriate boxes there. Then click “All ARP tests” to check for suitability for sniffing.

Once that is done, they are added to the list of hosts. Always remember to add the IP ending in 1, as it is more than likely the Router, and you need that to intercept data to/from. It won’t work otherwise.

Once that has been taken care of, you will see some hosts appear in the Hosts area. These are available computers/targets/fun times. Click on the bottom tab labelled “ARP”, as seen here:-

Cain and Abel Toolbar

If there are no hosts already in there, then click the blue “+” button to add some. On the left are the computers and on the right you select the Router (usually something like or – but it almost always ends in 1. There are ways to find out, like using “ipconfig /all” )
So, select the hosts you want to sniff, just click and hold select to select a small group or however many. After that, click “Ok” and they will be added to the “Hosts” list.


Now look back at your top toolbar and click the Nuclear symbol (Yellow and Black, derp) I have pointed out anyway. The hosts will turn red, and ARP poisoning will start.
Select your “Passwords” tab and select HTTP as it is almost always the fastest to fill up. Some POP3 ones may come through, or even FTP!


Tadaa! You L337haxX0r!
Go get laid..

I have taken the liberty of uploading the updated password forms for you to update Cain and Abel with. Just put them into the Program Files folder of Cain and Abel. Simple. More help, updates and guides can be found on the oxid.it forums (linked at the bottom under ‘Further reading’).

Further reading:
Official Cain and Abel website (discontinued)
Official Cain and Abel forums
SMAC official site and help
More info on MITM/ARP attacks

Discuss http://www.totse.info/bbs/showthread.php?t=10990
