1 / 16

Cain Abel

celerina
Download Presentation

Cain Abel

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

    1. Cain & Abel www.oxid.it Athough Cain & Abel is widely considered to be a tool used for hacking. However, it has some remarkable capabilities are worth being aware of both for understanding potential risks on a network, and for uncovering possible problems and as an educational tool. How many people have used Cain?Athough Cain & Abel is widely considered to be a tool used for hacking. However, it has some remarkable capabilities are worth being aware of both for understanding potential risks on a network, and for uncovering possible problems and as an educational tool. How many people have used Cain?

    2. What is Cain & Abel? Windows-based One-stop shopping for numerous security analysis tools MAC address scanner ARP poisoning DNS spoofing Password cracking Wireless scanning Remote component (Abel) Note from OXID website. Cain & Abel has been developed in the hope that it will be useful for network administrators, teachers, security consultants/professionals, forensic staff, security software vendors, professional penetration tester and everyone else that plans to use it for ethical reasons. The author will not help or support any illegal activity done with this program. Be warned that there is the possibility that you will cause damages and/or loss of data using this software and that in no events shall the author be liable for such damages or loss of data. with that in mind.....Note from OXID website. Cain & Abel has been developed in the hope that it will be useful for network administrators, teachers, security consultants/professionals, forensic staff, security software vendors, professional penetration tester and everyone else that plans to use it for ethical reasons. The author will not help or support any illegal activity done with this program. Be warned that there is the possibility that you will cause damages and/or loss of data using this software and that in no events shall the author be liable for such damages or loss of data. with that in mind.....

    3. MITM Example - Normal Traffic The core of working with Cain is the Man-in-the-middle concept. Quick overview of this concept. This slide shows what normal traffic should look like on the LAN. The victim is represented on the left with Bad Guy on the right on the same subnet. Traffic from the Victim to the destination server should flow as shown in Blue. All systems on the network including both clients and the router have a table called an ARP table that lists MAC addresses paired with their corresponding IP addresses. ARP stands for Address Resolution Protocol, and is one of the basic protocols that makes the internet function. Its duty is to translate from IP addresses to MAC addresses in order for network communication to occur. Normally you cant see most of the traffic passing between computers on a switched network because a router or switch continually updates a table of MAC addresses and associated physical ports where they appear to be located.The core of working with Cain is the Man-in-the-middle concept. Quick overview of this concept. This slide shows what normal traffic should look like on the LAN. The victim is represented on the left with Bad Guy on the right on the same subnet. Traffic from the Victim to the destination server should flow as shown in Blue. All systems on the network including both clients and the router have a table called an ARP table that lists MAC addresses paired with their corresponding IP addresses. ARP stands for Address Resolution Protocol, and is one of the basic protocols that makes the internet function. Its duty is to translate from IP addresses to MAC addresses in order for network communication to occur. Normally you cant see most of the traffic passing between computers on a switched network because a router or switch continually updates a table of MAC addresses and associated physical ports where they appear to be located.

    4. MITM Example ARP Poisoning Cain allows us to manipulate existing entries in ARP tables on target systems. We can fool systems into redirecting their traffic through a middle man so that traffic can be viewed before it goes out through the router. This is called ARP poisoning. Here we see the Bad Guy using ARP poisoning to hijack the session between the victim and the router. The Bad Guy tells the victim computer that it has the MAC address of the router, and tells the router that it has the MAC address of the victim. But the IP addresses in the ARP table remain the same. Were now poisoning the ARP tables of both the router and the victim, and were able to monitor what goes across the network between the victim and the router.Cain allows us to manipulate existing entries in ARP tables on target systems. We can fool systems into redirecting their traffic through a middle man so that traffic can be viewed before it goes out through the router. This is called ARP poisoning. Here we see the Bad Guy using ARP poisoning to hijack the session between the victim and the router. The Bad Guy tells the victim computer that it has the MAC address of the router, and tells the router that it has the MAC address of the victim. But the IP addresses in the ARP table remain the same. Were now poisoning the ARP tables of both the router and the victim, and were able to monitor what goes across the network between the victim and the router.

    5. MITM Example Session Monitoring While ARP poisoning is taking place, the Bad Guy can monitor the victim and engage in various nefarious activities. While ARP poisoning is taking place, the Bad Guy can monitor the victim and engage in various nefarious activities.

    6. MAC Address Scanning Now well look at actually using Cain in a few scenarios. The MAC address scanner is a fast IP to MAC address resolver based on ARP which allows one to input a range of IP addresses on the current subnet and resolve the MAC addresses associated to those IPs. An OUI (organizationally Unique Identifier) database provides MAC vendor's information which is helpful for identifying nodes on the LAN. Now well look at actually using Cain in a few scenarios. The MAC address scanner is a fast IP to MAC address resolver based on ARP which allows one to input a range of IP addresses on the current subnet and resolve the MAC addresses associated to those IPs. An OUI (organizationally Unique Identifier) database provides MAC vendor's information which is helpful for identifying nodes on the LAN.

    7. Configuring for ARP Poisoning Remind people not to choose entire subnet will DoS network.Remind people not to choose entire subnet will DoS network.

    8. Monitoring a Session Here is what the attacker sees using CAIN. Traffic is monitored showing traffic to and from the victim with destination IPs and MAC addresses. At this point the victim is attempting to connect to uportal.cornell.edu. Here is what the attacker sees using CAIN. Traffic is monitored showing traffic to and from the victim with destination IPs and MAC addresses. At this point the victim is attempting to connect to uportal.cornell.edu.

    9. Faking SSL Certificates Cain's Certificates Collector grabs server certificates from HTTPS web sites. The feature is automatically used by the HTTPS sniffer filter but you can also use it manually to create a list of pre-calculated fake certificate files. Fake - because the program will replace asymmetric encryption keys in these files with new ones generated locally. In this way the APR-HTTPS will be able to encrypt/decrypt HTTPS traffic in a Man-in-the-Middle condition between victim APR's hosts. Cain Injects these fake certificates into SSL sessions. Using this trick it is possible to decrypt encrypted data before it arrives to the real destination.Cain's Certificates Collector grabs server certificates from HTTPS web sites. The feature is automatically used by the HTTPS sniffer filter but you can also use it manually to create a list of pre-calculated fake certificate files. Fake - because the program will replace asymmetric encryption keys in these files with new ones generated locally. In this way the APR-HTTPS will be able to encrypt/decrypt HTTPS traffic in a Man-in-the-Middle condition between victim APR's hosts. Cain Injects these fake certificates into SSL sessions. Using this trick it is possible to decrypt encrypted data before it arrives to the real destination.

    10. Faking SSL Certificates Scenario= MITM attack / Social Engingeering on a victim attempting to access Uportal.cornell.edu. The victim would see this screen in their browser when connecting. At this point the certificate has been cached on the attacking computer and cannot be verified as being authentic. If the user chooses to accept the certificate and continue the session, their password will be obtained in the clear. **good slide for user education**Scenario= MITM attack / Social Engingeering on a victim attempting to access Uportal.cornell.edu. The victim would see this screen in their browser when connecting. At this point the certificate has been cached on the attacking computer and cannot be verified as being authentic. If the user chooses to accept the certificate and continue the session, their password will be obtained in the clear. **good slide for user education**

    11. Password Obtained After this quickly point out cracker brute force dictionary - rainbow crack rainbow table generator Winrtgen After this quickly point out cracker brute force dictionary - rainbow crack rainbow table generator Winrtgen

    12. The Cracker Winrtgen can be used to create rainbow tables.Winrtgen can be used to create rainbow tables.

    13. DNS Spoofing Attacker DNS spoofing using CAIN allows an Attacker to feed erroneous DNS information to victim. It allows an attacker to router traffic from any given URL or IP to a different address of the attackers choice. In this case we are setting up to router www.cornell.edu somewhere else. Note that we are only poisoning ONE host at this point. The rest of the subnet is unaffected. But an entire subnet COULD be affected.DNS spoofing using CAIN allows an Attacker to feed erroneous DNS information to victim. It allows an attacker to router traffic from any given URL or IP to a different address of the attackers choice. In this case we are setting up to router www.cornell.edu somewhere else. Note that we are only poisoning ONE host at this point. The rest of the subnet is unaffected. But an entire subnet COULD be affected.

    14. DNS Spoofing - Victim Client thinks they are going to www.cornell.edu when they are actually going to www.yale.edu. One potential use for this could be for a hacker to create a page that is identical to an SSL page, but which is NOT SSL. Password is collected and then user is sent back to SSL page. Asks for password again. Maybe user is suspicious that they get asked for a password twice and maybe not.Client thinks they are going to www.cornell.edu when they are actually going to www.yale.edu. One potential use for this could be for a hacker to create a page that is identical to an SSL page, but which is NOT SSL. Password is collected and then user is sent back to SSL page. Asks for password again. Maybe user is suspicious that they get asked for a password twice and maybe not.

    15. Remote Desktop Decryption Another thing that Cain can do is capture and decrypt Remote Desktop sessions. This can be a somewhat lengthy process and in my experience is a bit flaky, but it can work. Here you see the session password has been sniffed, sent to CAINs cracker and decrypted.Another thing that Cain can do is capture and decrypt Remote Desktop sessions. This can be a somewhat lengthy process and in my experience is a bit flaky, but it can work. Here you see the session password has been sniffed, sent to CAINs cracker and decrypted.

    16. Wireless Scanning Enumerates access points and ah-hoc networks using 802.11x in intervals of five seconds. WLANs parameters (MAC address, SSID, Vendor, WEP Encryption, Channels....etc ) are displayed in the scanner list.Enumerates access points and ah-hoc networks using 802.11x in intervals of five seconds. WLANs parameters (MAC address, SSID, Vendor, WEP Encryption, Channels....etc ) are displayed in the scanner list.

    17. Abel Remote component Allows Cain to operate on a remote system

More Related