CAIN and ABEL Part-2

This part of the tutorial will Continue with below mentioned topics

Certificates Collector

Cisco Config Downloader/Uploader

Mac Scanner

Network Enumerator

Promiscuous-mode scanner

Sniffer

SQL Server 2000 Password Extractor

Traceroute

Certificates Collector

Cain’s Certificates Collector grabs server certificates from HTTPS web sites and prepares them for APR-HTTPS. The feature is automatically used by the HTTPS sniffer filter but you can also use it manually to create a list of pre-calculated fake certificate files. Why fake ? because the program will replace asymmetric encryption keys in these files with new ones generated locally. In this way theAPR-HTTPS will be able to encrypt/decrypt HTTPS traffic in a Man-in-the-Middle condition between victim APR’s hosts.

A fake certificate is self-signed by Cain so the client’s browser is supposed to pop up a dialog to notify that it comes from an untrusted certification authority; however because all other parameters within the certificate remain the same as the real ones a lot of users simply does not care about this warning.

Fake certificates are stored in the “Certs” subdirectory of the program’s installation path and the list of those currently available to APR-HTTPS is maintained in the file CERT.LST in the program’s directory. You can manually modify this list file to instruct Cain’s APR-HTTPS to inject the certificate of your choice into connections from APR’s victims computers to a given HTTPS server address.

Usage

The feature is used automatically by the HTTPS sniffer filter. You can use the + button on the toolbar to manually grab and prepare a list of fake certificates; non standard ports can be specified using the syntax “hostname:port” or “ip address:port”.

Cisco Config Downloader/Uploader

This feature allows you to download or upload the configuration file of Cisco devices via SNMP/TFTP. It supports routers and switches that uses the OLD-CISCO-SYSTEM-MIB or the new CISCO-CONFIG-COPY-MIB; for more information about those MIBs please refer to Cisco web site.

How it works

1) Cain requests the configuration file transfer to the Cisco device using the SNMP protocol. Request packets are constructed using some proprietary Cisco OIDs that the vendor provides for this functionality; they also contains other parameters like the protocol type, the server IP address and filenames to instruct the device on where to send or to take its configuration file.

2) At this point the device starts the file transfer using the protocol specified in the request (set to TFTP for simplicity).

3) Cain opens a TFTP socket in listening mode and handles the file transfer. A TFTP server is NOT required, when uploading the program sends the configuration file to the device, when downloading it receives it.

Usage

To download a configuration from a device press the “Insert” button on the keyboard or click the icon with the blue + on the toolbar, provide the IP address of the SNMP enabled device and the right Read/Write Community string. To upload a configuration use the relative function within the list pop up menu.

Limitations

This feature will not work if network restrictions, like ACLs or firewall rules, for interested protocols (SNMP/TFTP) are set. The TFTP file transfer is initiated by the device itself so dynamic NAT between you and the device is a problem as well.

Requirements

- CCDU works on Cisco Routers and Switches that supports the OLD-CISCO-SYSTEM-MIB or the new CISCO-CONFIG-COPY-MIB. PIX Firewalls does not support those MIBs.

- You also need the right Read/Write SNMP community string (e.g.: “private”), the Read-Only one is not enough.

MAC Scanner

The MAC address scanner is a very fast IP to MAC address resolver based on ARP Request/Reply packets. It takes as input a range of IP addresses on the current subnet and resolves the MAC addresses associated to those IP’s. The scanner includes an OUI database, providing MAC vendor’s information, this feature is useful to quickly identify switches, routers, load balancers and firewalls present in the LAN.

Because of the use of ARP packets that cannot cross routers or VLANs, this feature can resolve MAC addresses in the local broadcast domain only. The OUI database is a normalized version of the IEEE OUI list available at this link: http://standards.ieee.org/regauth/oui/index.shtml.

Once active hosts are found, you can also resolve their host names with the “Resolve Host Name” function within the list pop up menu.

Tip

The scanner cannot resolve MAC addresses if the network card is not correctly configured. You also have to check the APR’s spoofing options in the configuration dialog before initiating a scan.

Prerequisites

The sniffer must be activated.

Usage

The scanner’s configuration dialog is activated pressing the “Insert” button on the keyboard or click the icon with the blue + on the toolbar; then you have to select the range of IP addresses to resolve.

Network Enumerator

The Network Enumerator uses the native Windows network management functions (Net*) to discover what is present on the network. It allows a quick identification of Domain Controllers, SQL Servers, Printer Servers, Remote Access Dial-In Servers, Novell Servers, Apple File Servers, Terminal Servers and so on. It can also display when possible the version of their operating system.

The left tree is used to browse the network and to connect to remote machines; once connected to a server you can also enumerate user names, groups, services and shares present on it. By default the program connects to remote IPC$ shares using the current local logged on user and if it fails using NULL sessions (Anonymous sessions); however it is also possible to specify the credentials to be used for the connection. The Quick List can be used to insert IP addresses of hosts that aren’t seen browsing the network.

When enumerating users, Cain also extracts their Security Identifier (SID) and has the ability to identify the name of the Administrator account even if it was renamed. This is done by looking at the account RID which is the last part of a SID. The RID of the Administrator account is always equal to 500.

Windows NT and later has a security feature that can restrict the ability for anonymous logon users (also known as NULL session connections) to list account names and enumerate share names. This is done setting to 1 the parameter “RestrictAnonymous” under the registry key:

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlLSA

If the program cannot enumerate users, because of this restriction, it will start automatically theSID Scanner and will proceed with an extraction of them using the same methodology used by the well known tool sid2user by Evgenii B. Rudnyi.

Tip

To perform an Anonymous connection (NULL Session) to the target host, leave the user name and password fields empty in the credentials dialog.

Usage

Enumerations are launched browsing the tree on the left into the Network tab. To specify credentials for a network connection you can right click on the target machine and use the “Connect As” function within the pop up menu.

Promiscuous-mode Scanner

The Promiscuous-mode scanner allows you to identify sniffers and network Intrusion Detection systems present on the LAN.This feature is included in the MAC Scanner and relies on responses received from various tests based on ARP packets.

It is possible to select the test to perform from the MAC Scanner dialog; positive results are reported into the “Hosts” list with an * in the relative column.

Be warned that not all operating systems respond in the same way; an example of the results from a Windows machine follows:

Network card not in promiscuous-mode (not sniffing)

Network card into promiscuous-mode (sniffing)

As you can see Windows machines, that are not sniffing the network, normally respond to ARP Test (Broadcast 16-bit) and ARP Test (Multicast group1) only. On the contrary when a sniffer is activated, and the network card is put into promiscuous-mode, they start to respond at ARP Test (Broadcast 31-bit) as well.

Prerequisites

The sniffer must be activated.

Limitations

Because of the use of ARP packets, that cannot cross routers or VLANs, this feature works only inside your broadcast domain.

Usage

The promiscuous-mode scanner is activated using the MAC Scanner dialog.

Sniffer

Cain’s sniffer is principally focused on the capture of passwords and authentication information travelling on the network. It should not be compared to professional tools like Observer, SnifferPro or Ethereal but unlike any other commercial protocol analyzer it has been developed to work on switched networks by mean of APR (Arp Poison Routing), another feature included in the program.

Protocol Filters

There is a BPF (Berkeley Packet Filter) hard-coded into the protocol driver that performs some initial traffic screening. The filter instructs the protocol driver to process only ARP and IP traffic; other protocols, like NetBEUI for example, are not processed.

Password Filters

The sniffer includes several password filters that can be enabled/disabled from the mainconfiguration dialog; they are used to capture credentials from the following protocols:

(*) = requires APR (Arp Poison Routing) to be enabled

Cain’s sniffer filters are internally designed to survive into an unreliable world such as a network under ARP Poison attack; Cain uses different protocol state machines to extract from network packets all the information needed to recover the plain text form of a transmitted password. Some authentication protocols use a challenge-response mechanism, for this reason the sniffer needs parameters from each Client->Server and Server->Client traffic. On switched networks this can be achieved with a mirror port on the switch or if APR reaches the FULL-Routing state.

When APR (Arp Poison Routing) is enabled, the sniffer must process packets that normally aren’t seen and also re-route them to the correct destination; this can cause performance bottlenecks on heavy traffic networks so be careful. APR’s main advantage is that it enables sniffing on switched networks and also permits the analysis of encrypted protocols such as HTTPS and SSH-1.

Passwords and hashes are stored in .LST files in the program’s directory. These files are comma separated files so you can view or import them with your preferred word processor (e.g.: POP3.LST contains passwords and hashes sniffed from the POP3 protocol).

For HTTPS, SSH-1 and Telnet protocols entire sessions are decrypted and dumped into text files using this naming convention:

--.txt

(e.g.: Telnet-20041116135246796-1141.txt)

Off-line capture file processing

The sniffer can also process file captures (from Ethereal, Tcpdump and Winpcap) in off-line mode. The captures can be imported using the “open file” button of the sniffer’s toolbar; when processing network traffic off-line all APR’s functions are automatically disabled.

Routing Protocols Analysis

Routing protocols like VRRP, HSRP, RIP, OSPF, EIGRP are also analyzed by the program. This enables a quick identification of the subnet routing and perimeter.

For EIGRP and RIP protocols, the “Routes Extractor” feature will also dump the actual routing table shared between routers. The feature is only supported if these protocols don’t require authentication.

Usage

The sniffer is activated/deactivated using the relative toolbar button and its parameters can be configured from the main configuration dialog.

Requirements

- Supported Ethernet network adapter

- Winpcap Packet Driver (v2.3 or above) from Politecnico di Torino.

SQL Server 2000 Password Extractor

Microsoft SQL Server 2000 stores the credentials of its accounts in the “master” database. User’s passwords are encrypted under the form of salted SHA-1 hashes into the table “sysxlogins”. This feature connects to the server using ODBC and dumps all SQL user’s hashes into the MSSQL Hashes Cracker list.

How it works

It connects to the server via ODBC and performs the following SQL command:

select name, password from master..sysxlogins

Usage

To dump the hashes go to the MSSQL Hashes Cracker and press the “Insert” button on the keyboard or click the icon with the blue + on the toolbar. Choose the Data Source Name (DSN) for the target server and provide system administrator (SA) credentials.

Requirements

This feature requires SQL Administrator’s privileges on the target database server

Traceroute

Cain’s traceroute is an improved version of the Windows tool “tracert.exe”.

The widespread usage of perimeter defences on the modern Internet makes sometimes impossible to reach the desired destination using the above utility; firewalls can drop ICMP packets without sending back ICMP responses, for this reason the entire path to the target host could not be completely traced. UDP or TCP protocol can be used to bypass common firewall restrictions so Cain’s traceroute supports all of them.

Consider for example the following ICMP trace to www.somesite.com:

The ICMP traceroute stops at hop 18; probably there is something over there that drops ICMP packets. The same trace but this time using TCP packets will cross that firewall entering in their Network.

As you can see the TCP traceroute reached the destination host (www.somesite.com) discovering some routers inside their organisation.

Usage

Choose the protocol type, select the target and press start.

CAIN and ABEL Part-1

INTRODUCTION

Cain is an easy application to install and configure. However, there are several powerful tools that should only be configured after you fully understand both the capabilities and consequences to the application and the target network. After all, you can’t very well hack a network if you take it down. Proceed with caution.

We need to accomplish the following steps to get the admin account:

1. Enumerate the computers on the network

2. connect to a computer and install the Abel remote app

3. Harvest user account information

4. Crack user account information passwords to get the admin account

5. Login to the target machine with the admin account

6. Install the Abel service on the target server

7. Harvest all of the hashes from a server and sent to the cracker

Once we have the admin account on the server, the rest is up to you.

First things first, after you launch the application you will need configure the Sniffer to use the appropriate network card. If you have multiple network cards, it might be useful to know what your MAC address is for your primary connection or the one that you will be using for Cain network access. You can determine your MAC address by performing the following steps:

1. Go to “Start”

2. Run

3. enter the “CMD”

4. A black window will appear

5. Enter the following information into the window without the quotes

“Ipconfig /all” and then Enter

6. Determine which one of the Ethernet adapters you are using and copy the MAC address to notepad. You use this to help determine which NIC to select in the Cain application

With the Cain application open, select the Configure menu option on the main menu bar at the top of the application. The Configuration Dialog box will appear. From the list select the device with the MAC Address of Ethernet or Wireless network card that you will be using for hacking. While we are here, let’s review some of the other tabs and information in the Configuration Dialog Box. Here is a brief description of each tab and its configuration:

Sniffer Tab: allows the user to specify the Ethernet interface and the start up options for the sniffer and ARP features of the application.

ARP Tab: Allows the user to in effect to lie to the network and tell all of the other hosts that your IP is actually that of a more important host on the network like a server or router. This feature is useful in that you can impersonate the other device and have all traffic for that device “routed” to you workstation. Keep in mind that servers and routers and designed for multiple high capacity connections. If the device that you are operating from can not keep up with traffic generated by this configuration, the target network will slow down and even come to a halt. This will surly lead to your detection and eventual demise as a hacker as the event is easily detected and tracked with the right equipment.

Filters and Ports: Most standard services on a network operate on predefined ports. These ports are defined under this tab. If you right click on one of the services you will be able to change both the TCP and UDP ports. But this will not be necessary for this tutorial, but will be useful future tutorials.

HTTP Fields: Several features of the application such as the LSA Secrets dumper, HTTP Sniffer and ARP-HTTPS will parse the sniffed or stored information from web pages viewed. Simply put, the more fields that you add to the HTTP and passwords field, the more likely you are to capture a relevant string from an HTTP or HTTPS transaction.

Traceroute: trace route or the ability to determine the path that your data will take from point A to point B. Cain adds some functionality to the GUI by allowing for hostname resolution, Net mask resolution, and Whois information gathering. This feature is key in determining the proper or available devices to spoof or siphon on your LAN or internetwork.

Console: This is the command prompt on the remote machine. Anything that you can do on your pc from the CMD prompt can be done from here. Examples include mapping a drive back to your pc and copying all the files from the target or adding local users to the local security groups or anything really. With windows, everything is possible from the command prompt.

Hashes: Allows for the enumeration of user accounts and their associated hashes with further ability to send all harvested information to the cracker.

LSA Secrets: Windows NT and Windows 2000 support cached logon accounts. The operating system default is to cache (store locally), the last 10 passwords. There are registry settings to turn this feature off or restrict the number of accounts cached. RAS DUN account names and passwords are stored in the registry. Service account passwords are stored in the registry. The password for the computers secret account used to communicate in domain access is stored in the registry. FTP passwords are stored in the registry. All these secrets are stored in the following registry key: HKEY_LOCAL_MACHINE SECURITYPolicySecrets

Routes: From this object, you can determine all of the networks that this device is aware of. This can be powerful if the device is multihommed on two different networks.

TCP Table: A simple listing of all of the processes and ports that are running and their TCP session status.

UDP Table: A simple listing of all of the processes and ports that are running and their UDP session status.

Dictionary Cracking – Select all of the hashes and select Dictionary Attack (LM). You could select the NTLM but the process is slower and with few exceptions the NTLM and NT passwords are the same and NT cracks (Guesses) faster. In the Dictionary window, you will need to populate the File window with each of you dictionary files.you have to download the tables.and copy them to cain installation directory, Check the following boxes: As is Password, Reverse, Lowercase, uppercase, and two numbers.)

Dictionary Cracking process

Click start and watch Cain work. The more lists and words that you have, the longer it will take. When Cain is finished, click exit and then look at the NT password column. All of the passwords cracked will show up next to the now owned accounts.
Take a second to look carefully at the accounts and passwords in the list. Look for patterns like the use of letters and characters in sequence. Many administrators use reoccurring patterns to help users remember their passwords. Example: Ramius password reset in November would have a user account of RAMNOV. If you can identify patterns like this you can use word generators to create all possible combinations and shorten the window.

Cryptanalysis attacking

Alright then… Resort your hashes so single out the accounts that you have left to crack. Now select all of the un-cracked or guessed accounts and right click on the accounts again and select Cryptanalysis (LM). Add the tables that you downloaded from the net to the Cain LM hashes Cryptanalysis Sorted rainbow tables window. Click start. This should go pretty quick. Take a second to review your progress and look for additional patterns.

At this point, use program like sam grab that has the ability to determine which accounts are members of the domain administrators group to see if you have gotten any admin level accounts. Once you move to the next step, which is bruting, most of what you have left are long passwords that are going to be difficult and time consuming. Any time saver applications that you can find will be helpful.

Bruting

Repeat the same process for selecting the accounts. Here is the first time that you will actually have to use your brain Bruting can be extremely time consuming. Look closely at all of the passwords that you have cracked and look for patterns. First do you see any special characters in any of the passwords cracked. How about numbers? A lot of all upper case of all lower case? Use what you see to help you determine what parameters to include when you are bruting. As you will see, the addition of a single character or symbol can take you from hours to days or even years to crack a password. The goal is to use the least amount of characters and symbols to get the account that you need. So lets finish it off. Select all of the un cracked accounts and follow the previous steps and select Brute Force (LM). The default for LM is A-Z and 0-9. This is because that is due nature of LM hashes and the way that they are stored. Another note is that sometimes you will see a “?” or several “????” and then some numbers or letters. This is also due to the nature of NT versus NTLM and the method that NT used to store passwords. If not see if you can find a repeating structure that is based on the number 7. Anyway, based on the other passwords and those accounts with an “*” in the <8 field on how many characters to specify in the password length pull down box. Make your selection and have at it. 123749997 years to completion. If you see this, then you should rethink the need for this account. However, working with the application, rainbow tables and password generators can help your narrow down to reasonable time frames to get the job done.

Some definition

MAC: Media Access Control – In computer networking a media access control address (MAC address) is a code on most forms of networking equipment that allows for that device to be uniquely identified. Each manufacturer for Network Cards has been assigned a predefined range or block of numbers.

Sniffing: Sniffing is the act or process of “Listening” to some or all of the information that is being transmitted on the same network segment that a device is on. On an OSI Model Layer 1 network, even the most basic Sniffers are capable of “hearing” all of the traffic that is sent across a LAN. Moving to a Layer 2 network complicates the process somewhat, however tools like Cain allow for the spanning of all ports to allow the exploitation of layer 2 switched networks.

ARP: Address Resolution Protocol – Address Resolution Protocol; a TCP/IP function for associating an IP address with a link-level address. Understanding ARP and its functions and capabilities are key skills for hackers and security professionals alike. A basic understanding of ARP is necessary to properly utilize all of the functions that Cain is capable of.

ARP Poison Routing
APR-HTTPS

APR

APR (ARP Poison Routing) is a main feature of the program. It enables sniffing on switched networks and the hijacking of IP traffic between hosts. The name “ARP Poison Routing” derives from the two steps needed to perform such unusual network sniffing: an ARP Poison Attack and routing packets to the correct destination.

ARP Poison Attack
This kind of attack is based on the manipulation of host’s ARP caches. On an Ethernet/IP network when two hosts want to communicate to each other they must know each others MAC addresses. The source host looks at its ARP table to see if there is a MAC address corresponding to the destination host IP address. If not, it broadcasts an ARP Request to the entire network asking the MAC of the destination host. Because this packet is sent in broadcast it will reach every host in a subnet however only the host with the IP address specified in the request will reply its MAC to the source host. On the contrary if the ARP-IP entry for the destination host is already present in the ARP cache of the source host, that entry will be used without generating ARP traffic.
Manipulating ARP caches of two hosts, it is possible to change the normal direction of traffic between them. This kind of traffic hijacking is the result of an ARP Poison attack and also a prerequisite to achieve a “Man-in-the-Middle” condition between victim hosts. The term Main-in-the-Middle refers to the fact that the traffic between hosts follows an obligated path through something before reaching the desired destination.

Re-Routing Packets
Now suppose that you successfully setup an ARP Poison attack between two hosts to intercept their network traffic. To do so you had specified the sniffer MAC address in ARP Poison packets and now you are forcing the two hosts to communicate through your computer.

In this situation the sniffer receives packets that are directed to its MAC address but not to its IP address so the protocol stack discards these packets causing a Denial of Service between the hosts. To avoid such problems the sniffer must be able to re-route poisoned packets to the correct destination. (You can’t capture any password if hosts cannot communicate)

Prerequisites
In order to re-route poisoned packets to the correct destination, the program must know each IP-MAC association of victim hosts. This is why the user is asked to scan for MAC addresses first.

Configuration
This feature needs the configuration of some parameters that can be set from the configuration dialog. It is possible to specify a spoofed MAC and IP addresses to be used in ARP Poison packets; this makes it very difficult to trace back to the origin of the attack because attacker’s real addresses are never sent across the network. On switched networks, the attack is also a stealth one from a central point of view because Cain’s APR uses Unicast Ethernet destination addresses in ARP Poison packets; these packets will be routed by switches accordingly to their CAM tables and never sent in broadcast.

Victim hosts can be selected from the APR Tab using the + button in the toolbar:

The meaning of this selection is: “I want to hijack all IP traffic that flows from host 192.168.0.1 and host 192.168.0.10 in each direction so that my workstation will be in a Man-in-the-Middle condition between them”. In this way the program is configured to perform an ARP Poison attack directed to the selected hosts and at the same time the association needed to re-route poisoned packets is created. Cain’s APR has been developed to handle attacks on multiple hosts at the same time so you can choose in the right list a pool of addresses.

The attack can now be enabled/disabled using the relative toolbar button;

APR Views
You can monitor the traffic activity from the two views under the APR sub TAB. The upper view (LAN View) shows the number of re-routed packets between poisoned hosts and also the routing direction of the packets. It can happen that for some reason (static ARP entries for example) the attack is successful for one host only; in this case you will see the number of re-routed packets rising for one direction only meaning that the sniffer is processing half of the traffic expected.

The lower view (WAN View) shows the number of re-routed packets directed to or coming from an IP address which is external to the current subnet. If one of the two hosts is a router it is possible that Cain’s APR will process WAN traffic too; in this case the lower list will be automatically populated with associations for WAN traffic.

When poisoning a router the following considerations arise:

- If you setup APR to hijack IP traffic between an internal host and its default gateway you will automatically intercept traffic from that host and all other hosts present in external networks connected by that gateway.

- When APR receives a packet originated from an internal host and directed to an IP address which is external to the current subnet it must re-route that packet to the correct gateway which is unknown.
The destination IP address present in the packet is the one of an external host and the destination Ethernet address is our sniffer MAC address….. the question arises as to where to re-route this packet if there are multiple exit point (gateways) in our LAN ? The packet could be sent in broadcast but this works only with routers, I checked that Checkpoint Firewalls for example discards packets directed to Unicast IP addresses encapsulated in frames with broadcast MAC addresses. when APR does not know where to re-route packets it will use the best route found in the local operating system’s route table.
If your LAN uses asymmetric routing you can modify the local route table using the Route Table Manager to avoid the above problem.

- Poisoning the subnet’s default gateway with all other hosts in the LAN can cause traffic bottlenecks because APR does not have the same performance of an high speed router.

- Default gateways addresses are usually virtual addresses generated by HSRP or VRRP routing protocols. Consider if you are poisoning a normal host and the default gateway virtual address…
In this case a packet originated outside the local network and directed to an internal host will reach the sniffer but this packet could contain the real MAC address of the active HSRP / VRRP host as Ethernet source address. Because this source MAC address is not the one you setup in the APR list, the packet will not be re-routed by APR causing DoS. When you want to poison HSRP / VRRP virtual addresses you have to poison also real addresses of HSRP/ VRRP members.
APR WAN Status

Each entry present in the WAN list can reach the following status:

- Broadcasting: This state means that APR received a packet from a host that resides on a different network and directed to an IP address of your broadcast domain. That packet must be routed by APR but the correct destination MAC address is not present in the host list. In this situation APR will broadcast that packet to all hosts in your LAN.

- Half-Routing: This state means that APR is routing the traffic correctly but only in one direction (ex: Client->Server or Server->Client). This can happen if one of the two hosts cannot be poisoned or if asymmetric routing is used on the LAN. In this state the sniffer looses all packets in an entire direction so it cannot grab authentications that use a challenge-response mechanism.

- Full-Routing: This state means that the IP traffic between two hosts has been completely hijacked and APR is working in FULL-DUPLEX. (e.g.: ServerClient). The sniffer will grab authentication information accordingly to the filters set.

APR-HTTPS enables the capture and the decryption of HTTPS traffic between hosts. It works in conjunction with Cain’s Certificate Collector to inject fake certificates into SSL sessions, previously hijacked by mean of APR. Using this trick it is possible to decrypt encrypted data before it arrives to the real destination performing a what so called Man-in-the-Middle attack.

Be warned that clients will notice this kind of attack because the server’s certificate file injected into the SSL session is a fake one and although it is very similar to the real one it is not signed by a trusted certification authority. When the victim client starts a new HTTPS session, his browser shows a pop-up dialog warning about the problem

APR-HTTPS uses the certificate files manipulated by the Certificate Collector. They contains the same parameters of the real ones except for asymmetric encryption keys; this deceives a lot of users to accept the server certificate and continue with the session.

The lower list in the APR-HTTPS tab contains all the session files that have been captured during the Man-in-the-Middle attack; decrypted data is saved in these text files located under the “HTTPS” subdirectory of the main installation folder

How it works
Cain’s HTTPS sniffer works in FULL-DUPLEX CLIENT-SIDE STEALTH mode; both server and client traffic is decrypted and if spoofing is enabled the attacker’s IP and MAC addresses are never exposed to the victim client. Connections are accepted by a local “acceptor” socket listening on HTTPS port defined in the configuration dialog; this socket handle hijacked client connections but only when APR is enabled. OpenSSL libraries are used to manage SSL communications over two more sockets, one used for the traffic between the client Cain and the other used for the traffic between Cain server.

This is how all works step by step:

1) The HTTPS filter is enabled by the user in the configuration dialog
2) APR is enabled by the user using the button on the toolbar -> the Man-in-the-Middle attack is ready
3) The victim client starts a new session to an HTTPS enabled server (e.g. https://xyz.com)
4) Packets from the client are hijacked by APR and captured by Cain’s sniffer by mean of Winpcap driver
5) APR-HTTPS search for a fake certificate associated to the requested server in the Certificate Collector; if present the certificate will be used if not it will be automatically downloaded, properly modified and stored locally for future usage .
6) Packets from the victim are modified so that they are re-directed to the local acceptor socket; modifications are made on MAC addresses, IP addresses and TCP source ports (Port Address Translation “PAT” is used to handle multiple connections). The data captured is then sent again into the network using Winpcap but it is this time addressed to the local socket that will accept the Client-side connection.
7) The Server-side socket is created and connected to the real server requested by the victim.
 OpenSSL libraries are used to manage encryption on both sockets using the fake certificate victim-side and the real certificate sever-side.
9) Packets sent by the Client-side socket are modified again to reach the victim’s host.
10) Data coming from the server is decrypted, saved to session files, re-encrypted and sent to the victim host by mean of the Client-side socket.
11) Data coming from the client is decrypted, saved to session files, re-encrypted and sent to the server by mean of the Server-side socket.

Although it can be noticed from the fake certificate file used, this kind of attack is STEALTH from a client point of view because the victim thinks to be connected to the real server; try a “netstat -an” on the client to check yourself.

Once decrypted, traffic from the client is also sent to the HTTP sniffer filter for a further analysis on credentials. You can take a look at the data saved in session files by APR-HTTPS here.
Prerequisites
This feature needs APR to be enabled and a Man-in-the-Middle condition between the HTTPS server and the victim host.

Limitations
This feature does not work like a PROXY server; because of the usage of the Winpcap driver it cannot decrypt HTTPS sessions initiated from the local host.

Usage
After you successfully set up APR and enabled the HTTPS sniffer filter, sessions are automatically saved in the HTTPS subdirectory and can be viewed using the relative function within the list pop up menu.