Cain and Abel: The Black Art of ARP Poisoning

Overview
Cain and Abel is windows based password recovery tool available as a freeware and maintained by Massimiliano Montoro. It supports wide features to recover passwords varying from Local Area Network to various routing protocols as well as provides intelligent capability to recover cached passwords and encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks.

It is a two part program where Cain is the GUI of the program, and Abel is windows service that provides a remote console on the target machine.

An interesting feature of Cain & Abel is APR (ARP Poison Routing) which allows sniffing packets of various protocols on switched LAN’s by hijacking IP traffic of multiple hosts concurrently. It can also analyze encrypted protocols such as SSH-1and HTTPS.

Basics of Address Resolution Protocol
Assume two computers, Computer A and Computer B are in a local area network connected by Ethernet cables and network switches. Computer A wants to send a packet to Computer B. Computer A determines that Computer B's IP address is 192.168.0.5.

In order to send the message, it also needs to know Computer B's MAC address. First, Computer A uses a cached ARP table to look up 192.168.0.5 for any existing records of Computer B's MAC address (00:24:56:e2:ac:05). If the MAC address is found, it sends the IP packet on the link layer to address (00:24:56:e2:ac:05).If the cache did not produce a result for 192.168.0.5, Computer A has to send a broadcast ARP message (destination FF:FF:FF:FF:FF:FF) requesting an answer for 192.168.0.5. Computer B responds with its MAC address (00:24:56:e2:ac:05).Computer B may insert an entry for Computer A into its own ARP table for future use. The response information is cached in Computer A's ARP table and the message can now be sent.

How ARP Poisoning Works
The attacker machine makes use of the stored ARP cache table to re-route or re-direct packets from a target, to an attacker machine, and then forward to the host, thus the attacker machine “sees” all traffic between target and host. First the target MAC address is established, and then the ARP Poison Routing feature “poisons” the cache of the target by forcing a cache update with the path re-routed so that the attacker machine forwards traffic to and from host and target. The attacker machine can also observe packets with a sniffer such as Wireshark.

Now, I will discuss the steps to sniff password of remote computers in a Local Area Network.

Requirements:

  1. Download and install Cain & Abel from http://www.oxid.it/cain.html
  2. Make sure WinPcap packet capture driver is installed properly.
  3. Download and install Wireshark from http://www.wireshark.org/download.html.
  4. At least 3 hosts must be present in a network to place an attack.

Working Steps:

1. To start ARP Spoofing, you need to activate the sniffing daemon and the APR daemon. You can do this by clicking on both the "Sniff" and "APR" buttons at the top of the window.

2. Next go to the sniffer tab and right click anywhere inside the tab. You should see a "Scan MAC addresses" option. Click it.

 

3. Select the IP range accordingly to your local area network and click on “OK”.

4. The Progress bar scans and list all the MAC address present on the subnet.

 

5. After the scan, click on the APR sub-tab at the bottom of the window. Then click on the  + icon on the top of the window to add host to attack.

 

6. A following dialog box appears on the screen. Select the host you wish to attack.
 

7.    Wait for the victim host to enter his credentials. Click on the passwords sub-tab at the bottom of the window. There you can see all the captured passwords arranged in the group.

This was a basic tutorial on how you can use Cain and Abel for ARP Poisoning.

Happy Hacking :-)
 

 
Himanshu Kumar Das
[email protected]

Himanshu Kumar Das is a passionate security admirer. Himanshu, a do-it-yourself guy, is an electronic freak and imagines open source.