What you will need:
1. current version of Cain from www.oxid.it
2. A Windows 2000 or Windows XP SP1 workstation configured for the network
Cain is an easy application to install and configure. However, there are
several powerful tools that should only be configured after you fully
understand both the capabilities and consequences to the application and
the target network. After all, you can’t very well hack a network if you
take it down. Proceed with caution.
Referring back to chapter two, you will need to know what you are trying
to hack. This appendix assumes that you are trying to get the
administrator’s username and password for the network. The focus of this
appendix is on obtaining that information. The other appendices in this
chapter deal with other capabilities of the application to gain access to
a network. To this end we need to accomplish the following steps to get
the admin account:
1. Enumerate the computers on the network
2. connect to a computer and install the Abel remote app
3. Harvest user account information
4. Crack user account information passwords to get the admin account
5. Login to the target machine with the admin account
6. Install the Abel service on the target server
7. Harvest all of the hashes from the server and send them to the cracker
Once we have the admin account on the server, the rest is up to you.
First things first: after you launch the application you will need to
configure the Sniffer to use the appropriate network card. If you have
multiple network cards, it helps to know the MAC address of your primary
connection, or of the one that Cain will be using for network access.
You can determine your MAC address by performing the following steps:
1. Go to “Start”
2. Select “Run”
3. Enter “CMD” and press Enter
4. A black window (the command prompt) will appear
5. Enter the following into the window without the quotes:
“ipconfig /all” and then press Enter
6. Determine which of the Ethernet adapters you are using and copy its
“Physical Address” (the MAC address) to Notepad. You will use this to
determine which NIC to select in the Cain application.
With the Cain application open, select the Configure option on the main
menu bar at the top of the application. The Configuration Dialog box will
appear. From the list, select the device whose MAC address matches the
Ethernet or wireless card that you will be using for hacking.
While we are here, let’s review the other tabs in the Configuration
Dialog Box. Here is a brief description of each tab and what it does:
1. Sniffer Tab: allows the user to specify the Ethernet interface and the
start-up options for the sniffer and ARP features of the application.
2. ARP Tab: allows the user, in effect, to lie to the network and tell
all of the other hosts that your MAC address belongs to the IP of a more
important host on the network, like a server or router. This feature is
useful in that you can impersonate the other device and have all traffic
for that device “routed” through your workstation. Keep in mind that
servers and routers are designed for multiple high-capacity connections.
If the device that you are operating from cannot keep up with the traffic
generated by this configuration, the target network will slow down and
may even come to a halt. This will surely lead to your detection and
eventual demise as a hacker, as the event is easily detected and tracked
with the right equipment.
3. Filters and Ports: most standard services on a network operate on
predefined ports, and those ports are defined under this tab. If you
right-click on one of the services you can change both the TCP and UDP
ports. This will not be necessary for this tutorial, but it will be
useful in future tutorials.
4. HTTP Fields: several features of the application, such as the HTTP
Sniffer and the ARP-HTTPS man-in-the-middle, parse the sniffed or stored
information from web pages viewed for username and password fields.
Simply put, the more field names you add to the username and password
lists, the more likely you are to capture a relevant string from an HTTP
or HTTPS transaction.
5. Traceroute: It is what it is, trace route or the ability to determine
the path that your data will take from point A to point B. Cain adds some
functionality to the GUI by allowing for hostname resolution, Net mask
resolution, and Whois information gathering. This feature is key in
determining the proper or available devices to spoof or siphon on your
LAN or internetwork.
OK, so now you have everything set and you are ready to rumble, as it
were. After I select the adapter on the Sniffer tab, I generally set the
sniffer to start on start-up and then select Apply. Do not enable ARP
poisoning at this point; you will not need it, and if this is your first
exposure to Cain or to hacking, you will just get yourself caught with
the ARP stuff. I generally stop and restart the application at this point
to get a clean start and reload the application with my intended
configuration.
So, launch the app and make sure that the first icon on the Left that
looks like a miniature Ethernet card appears depressed. This indicates
that the sniffer is activated. At this point, it is time to get a cup of
coffee and let the app just sit. Yep, that is right, just leave it
running and don’t touch anything. The reason for this is that not every
device is talking all of the time and some protocols only talk on
specific intervals. You will need to wait at least 300 seconds to ensure
that the Cain sniffer has heard from each protocol at least once. This is
most germane to routing protocols, but I have seen it take this long or
longer to see all of the hosts on a LAN.
NOTE: The next section makes the assumption that you have properly
configured your Ethernet interface with an IP address that is correct for
your network and that you have logical connectivity to the target hosts.
At this point you are asking yourself, “Are we ever going to start?”
Let’s hack, then. Go to the Network tab and double-click on Microsoft
windows network under the Entire Network navigation tree. After a few
moments, the tree will expand and show each of the workgroups and domains
that are accessible to your network card. From here select your target
network and click the “+” symbol to the Left to open the tree.
Understanding that servers generally have (or are supposed to have) more
security than the other devices on the network, it is generally better to
go for a workstation over a server out of the gate. Also, some servers
will have monitoring agents on them that could detect what is going on.
Double-click on the All Computers object in the tree under the target
network section. Now look at the names of all of the devices listed.
Many times the administrator will have named the servers with a naming
convention that singles them out in no time flat. Try to
use the naming convention to your advantage and look for a pc that
potentially is used by multiple persons. Key giveaways are names like
scanner1, or receptionist, or lab. These machines will have several
accounts on them and one of them is likely to have an admin account on
it. These machines are key targets for two reasons. One, they are
generally set up in a hurry when the company first sets up the network
during a time when security is an afterthought, and as such they are
likely to have default configurations for the local admin. Secondly, they
generally have several apps on them and lots of people use them. With
multiple applications, excessive rights are often granted to all users to
ensure that everyone can use the app that they need. Anyway, back to the
hack.
When you click on your target, you will see 4 new objects in the tree
under your target. These will be Groups, Services, Shares, and Users.
“Users” is what you want first. Double click on the users object icon and
select yes to start the user enumeration. Caution! – Do not go for the
history information at this time, we will get to that later. After all of
the user accounts are enumerated they will be listed in alphabetical
order and the local administrator will have a large red A in front of it.
Ok, here we go. Go back to the computer object of the computer that you
just enumerated and right click on the object. Select the connect as
option. Just for fun, if the administrator account has not been renamed,
it is likely that it will have a blank password or something fairly
simple. Try to log in with the user account Administrator and a blank
password. In about 70% of my experience at this point, the hack is over
for the local machine: you are in and can start playing. If it did
work, then right click on the “Services” object for the device that you
have just logged into and select Install Abel. Cain will install Abel.exe
and Abel.dll into the %systemroot% on the local machine. Collapse the
computer object and then re-expand it by double clicking on the computer
object icon and you should see a Black square with a Blue A in the middle
directly under the computer object in the tree. (I get excited just
thinking about it). At this point you have the keys to the castle; you
just need to see which key goes where. First let’s get the hashes and get
them ready to crack. Double-click on the Users object in the tree. Say no
to the history pop-up for now. Select all of your users by right-clicking
on an account and selecting “Send all to cracker.” Leave them for now; we
will come back to them. What you have just done is load a portion of the
application with the LM and NT hashes for every account on the machine.
Now, if you have been following the book, you will remember the endless
posts on hackerthreads that talked about using the command line to get at
certain directories on a target machine, well here is where they will
come into play. (If you are not too familiar with the command line,
please refer to the Glossary of this book and review the command line
hacking section. There are many useful tools there, such as adding users
and computers to domain security groups.)
Let’s go over our options:
Console: This is the command prompt on the remote machine. Anything that
you can do on your pc from the CMD prompt can be done from here. Examples
include mapping a drive back to your pc and copying all the files from
the target or its mapped drives to your machine for later data mining,
adding local users to the local security groups or anything really. With
windows, everything is possible from the command prompt.
Hashes: allows for the enumeration of user accounts and their associated
hashes, with the further ability to send all harvested information to the
cracker.
LSA Secrets: Windows NT and Windows 2000 support cached domain logons.
The operating system default is to cache (store locally) credentials for
the last 10 domain logons so users can still log on when no domain
controller is reachable. There are registry settings to turn this feature
off or to restrict the number of logons cached. RAS/DUN account names and
passwords are stored in the registry. Service account passwords are
stored in the registry. The password for the computer’s secret account,
used to authenticate to the domain, is stored in the registry. FTP
passwords are stored in the registry. All these secrets are stored under
the following registry key: HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets
(the cached domain logons themselves live under
HKEY_LOCAL_MACHINE\SECURITY\Cache).
Routes: from this object you can determine all of the networks that this
device is aware of. This can be powerful if the device is multihomed on
two different networks, but you read about all of that in chapter 5,
Heard but Not Seen, right?
TCP Table: A simple listing of all of the processes and ports that are
running and their TCP session status.
UDP Table: A simple listing of all of the processes and ports that are
running and their UDP session status.
OK, back to the hack. For those of you that did not get in with the admin
account with no password, another trick is to try to log in to each
account in the list with the same password as the username. For example,
right-click on the computer object in the tree and try to log in with one
of the user account names, using the username as the password. If that
does not work, then try each one with no password. I have only run into
one network where these two things did not work. Also, the LSA Secrets
tree object will dump the following accounts in plain text for you if
they are present:
L$******************** (the currently logged on user)
L$******************** (one entry for every user that has logged in, up to
the total number of cached logons)
RasDialParams (present if RAS dial-up is configured and has been used)
Backup user accounts
Misc. other accounts
Note: when you see the account in plain text it will have separators.
Windows stores these secrets as UTF-16, so each character is followed by
a zero byte that the dump displays as “.”. When you type the password
into a logon, omit the extra “.”s: the password Ramius!@# will show up as
R.a.m.i.u.s.!.@.#.... and all that you will type is Ramius!@#.
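The separator behaviour above comes from the encoding Windows uses for LSA secrets. The following is an added example written for this edition, not code from Cain or from the original appendix; the rendering rule (a printable byte shown as itself, anything else as “.”) is an assumption about how Cain’s dump displays the bytes:

```python
# Added example (not Cain's code, not from the original appendix): why an LSA
# secret shows up as "R.a.m.i.u.s.!.@.#" and how to read it back.
#
# Windows stores most LSA secrets as UTF-16LE strings.  A byte-level dump shows
# "." for every byte that is not printable ASCII, so each ASCII character is
# followed by the "." of its zero high byte.  That rendering rule is assumed.


def render_secret_bytes(raw: bytes) -> str:
    """Render raw secret bytes the way a hex-dump style viewer shows them."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in raw)


def decode_rendered_secret(shown: str) -> str:
    """Recover the password from the dotted display of a UTF-16LE secret.

    Every other character (the low byte) carries the text; the dots in the
    odd positions are the zero high bytes.  Trailing dots are terminator or
    padding bytes.  Caveat: a password that really ends in "." is ambiguous
    in this display and would lose that final character here.
    """
    return shown[0::2].rstrip(".")


def decode_secret_bytes(raw: bytes) -> str:
    """The exact decode, for when you have the bytes rather than the display."""
    return raw.decode("utf-16-le").rstrip("\x00")


if __name__ == "__main__":
    # Constructed sample: the password from the text, as Windows would store it,
    # plus a terminating wide NUL.
    stored = "Ramius!@#".encode("utf-16-le") + b"\x00\x00"
    shown = render_secret_bytes(stored)
    print(shown)                          # R.a.m.i.u.s.!.@.#...
    print(decode_rendered_secret(shown))  # Ramius!@#
    print(decode_secret_bytes(stored))    # Ramius!@#
```

If the secret contains non-ASCII characters (an accented letter, for instance), the display shows more than one “.” per character and only the byte-level decode will recover it correctly.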
OK, so far we have accomplished the following goals:
1. Enumerate the computers on the network
2. connect to a computer and install the Abel remote app
3. Harvest user account information
We still need to finish the hack by performing the following steps and
then move the hack to a server or more valuable target.
1. Crack user account information passwords to get the admin account
2. Login to the target machine with the admin account
3. Install the Abel service on the target server
4. Harvest all of the hashes from a server and send to the cracker
5. Crack all of the accounts
Well, we learned in chapter 2 that staying focused is the key to hacking,
so let’s get back to it. In the Cain application, let’s go to the Cracker
tab and have a look.
The cracker tab has two basic parts. On the left are all of the hash
types that Cain will crack for you. On the right are all of the
associated hashes with their usernames. What we need to do is determine
the password from the hash.
Note: Now would be a good time to copy the rainbow tables and password
lists from the CD’s found in the back of the book to a directory on your
local machine. The use of the rainbow tables will greatly increase the
speed and efficiency of the cracking process as will the dictionary files
included on the CDs.
Cain provides three options for determining the password from a harvested
hash; these are Dictionary guessing, Bruting and Cryptanalysis. The
preferred method is Cryptanalysis as it is by far the fastest if you have
the tables generated. As stated in chapter 1, it would be a good idea to
have tables generated for all of the possible variants for passwords from
1-7 with all possible combinations of letters and numbers and symbols.
Dictionary cracking is by far the easiest of all configurations and every
hacker should have extensive lists available to use.
In this appendix we are going to explore all three options.
First, let’s look at what we can tell so far from the hashes and the Cain
application. One of the column headings looks like this: <8. An “*” in
that column means the password is less than 8 characters long. Cain can
tell this without cracking anything: an LM hash is made of two
independent halves of up to 7 characters each, and the second half of a
password shorter than 8 characters is the hash of an empty string, which
is always AAD3B435B51404EE. These accounts are the easiest to brute, as
they can be bruted in about 5.5 hours with a marginal processor and
memory. You can sort all of the hashes by this column by clicking on the
header bar at the top of the column. On the PC that I am hacking for this
tutorial, I have 13 hashes and 7 of them appear to be less than 8
characters, so we will start with cracking those first.
Dictionary Cracking: select all of the hashes and select Dictionary
Attack (LM). You could select the NTLM attack, but the process is slower.
The LM and NT hashes are two encodings of the same password, and LM
cracks (guesses) faster because it is case-insensitive and split into
two 7-character halves, so crack LM first and use the result against the
NT hash. In the Dictionary window, you will need to populate the File
window with each of your dictionary files. (Move the files from the CDs
to your hard drive or it will take significantly longer than necessary.)
Check the following boxes: As Is Password, Reverse, Lowercase, Uppercase,
and Two numbers.
Click start and watch Cain work. The more lists and words that you have,
the longer it will take. When Cain is finished, click exit and then look
at the NT password column. All of the passwords cracked will show up next
to the now <insert your name here> owned accounts. Voila!
Take a second to look carefully at the accounts and passwords in the
list. Look for patterns like the use of letters and characters in
sequence. Many administrators use recurring patterns to help users
remember their passwords. One time I found a network where the passwords
were the first three letters of the first name and the three letter month
abbreviation of the month that the password was set. Example: Ramius
password reset in November would have a user account of RAMNOV. If you
can identify patterns like this you can use word generators to create all
possible combinations and shorten the window.
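To turn a pattern like RAMNOV into a list Cain can load, and to fold in the username-as-password and blank-password guesses tried by hand earlier in this appendix, here is an added example (not Cain’s own code and not from the original appendix). The mutation set follows the dictionary options ticked above; the order and the exact rules Cain applies internally are an assumption:

```python
# Added example: build a targeted wordlist from the patterns in the text.
# Not Cain's code; the mutation rules mirror the dictionary-attack options
# named in the text, and how Cain applies them internally is an assumption.
from typing import Iterable, Iterator, List

MONTHS = ["JAN", "FEB", "MAR", "APR", "MAY", "JUN",
          "JUL", "AUG", "SEP", "OCT", "NOV", "DEC"]


def cain_mutations(word: str) -> Iterator[str]:
    """Unique variants of one word: as-is, reversed, lowercase, uppercase, two digits appended."""
    seen = set()
    variants = [word, word[::-1], word.lower(), word.upper()]
    variants += [word + f"{n:02d}" for n in range(100)]
    for candidate in variants:
        if candidate not in seen:
            seen.add(candidate)
            yield candidate


def name_month_candidates(first_names: Iterable[str]) -> List[str]:
    """The RAMNOV pattern: first three letters of the first name plus the month of the reset."""
    return [name[:3].upper() + month for name in first_names for month in MONTHS]


def per_user_candidates(username: str) -> List[str]:
    """The by-hand guesses from earlier in the appendix: blank, and the username itself."""
    return list(dict.fromkeys(["", username, username.lower(), username.upper()]))


def build_wordlist(first_names: Iterable[str], usernames: Iterable[str],
                   extra_words: Iterable[str] = ()) -> List[str]:
    """Combine the pattern guesses, per-user guesses and any extra words, deduplicated."""
    seeds = list(extra_words) + name_month_candidates(first_names)
    for user in usernames:
        seeds += per_user_candidates(user)
    out = {}
    for seed in seeds:
        variants = cain_mutations(seed) if seed else [seed]  # keep the blank guess as one entry
        for candidate in variants:
            out.setdefault(candidate, None)
    return list(out)


if __name__ == "__main__":
    # Constructed input: the first name from the text and a few account names seen above.
    words = build_wordlist(["Ramius"], ["Administrator", "receptionist", "lab"])
    print(len(words), "candidates; first few:", words[:6])
    # Write the list to a file and add it to Cain's dictionary File window:
    # with open("targeted.txt", "w") as f: f.write("\n".join(words))
```

Because LM uppercases the password before hashing, the lowercase and uppercase variants are redundant for an LM attack and only matter once you move to the NT hashes.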
Alright then… Re-sort your hashes to single out the accounts that you
have left to crack. Now select all of the uncracked accounts, right-click
on them again and select Cryptanalysis (LM). Add the tables that you
copied from the CD to the Cain “LM hashes Cryptanalysis Sorted rainbow
tables” window. Click start. This should go pretty quickly. Voila! Take a
second to review your progress and look for additional patterns.
At this point, I would grab a program like sam grab that has the ability
to determine which accounts are members of the domain administrators
group to see if you have gotten any admin level accounts. Once you move
to the next step, which is bruting, most of what you have left are long
passwords that are going to be difficult and time consuming. Any time
saver applications that you can find will be helpful.
Repeat the same process for selecting the accounts. Here is the first
time that you will actually have to use your brain in this appendix.
Bruting can be extremely time consuming. Look closely at all of the
passwords that you have cracked and look for patterns. First, do you see
any special characters in any of the passwords cracked? How about
numbers? A lot of all upper case or all lower case? Use what you see to
help you determine what parameters to include when you are bruting. As
you will see, the addition of a single character or symbol can take you
from hours to days or even years to crack a password. The goal is to use
the least amount of characters and symbols to get the account that you
need. So let’s finish it off. Select all of the uncracked accounts and
follow the previous steps, selecting Brute Force (LM). The default
character set for LM is A-Z and 0-9. This is due to the nature of LM
hashes: the password is converted to upper case before it is hashed, so
there is no point in trying lowercase letters. Another note is that
sometimes you will see a “?” or several “???????” and then some numbers
or letters. This is also due to the way LM stores passwords: the two
7-character halves are cracked independently, and Cain shows “?” for the
characters of a half it has not recovered yet while displaying the half
it has. If you read chapter 2, you already know why this is. If not, see
if you can find a repeating structure that is based on the number 7.
Anyway, based on the other passwords, and on which accounts have an “*”
in the <8 field, decide how many characters to specify in the password
length pull-down box. Make your selection and have at it. Holy crap,
Batman … 123749997 years to completion. If you see this, then you should
rethink the need for this account. However, working with the application,
rainbow tables and password generators can help you narrow down to
reasonable time frames to get the job done.
OK, so now we have our admin account and are ready to finish the hack. Go
back to the Network tab in the Cain application and select the Domain
Controllers object under the same domain as the PC from which you
harvested the hashes. Double-click. Now look through the servers in the
domain and select your target. If you find one with PDC or BDC in the
list, pick that one. Right-click on the server, select Connect As and
enter the “hacked credentials.” Now go to the Services object, right-click
again and install the Abel service. Voila! You have admin and likely every
other type of access to the target host!
Now you can repeat the steps above to finish the hack.
And this concludes our hack, as we have accomplished each of our goals.
Some things to consider:
When you exit the Cain application, all of the password hashes and
cracked accounts are saved and can be cracked later from a remote
location. They can also be used against you in court as evidence.
Also you can export all of the hashes to an .lc or text file and open up
the file in Excel to perform some additional sorting and the like.
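As an added example (not part of Cain or of the original appendix), the following script does that sorting without Excel and also shows where the <8 column and the blank-password trick come from. It assumes the exported lines are in the L0phtCrack/pwdump layout user:RID:LM hash:NT hash:::, so check one line of your own export first; the hash values in the sample are constructed for illustration:

```python
# Added example: triage a Cain hash export.  Not Cain's own code.
# Assumed line layout (L0phtCrack / pwdump style):  user:RID:LMhash:NThash:::
from typing import Dict, List, Optional

# The LM hash of a 7-character half that is empty; an LM hash is two such halves.
LM_EMPTY_HALF = "AAD3B435B51404EE"
LM_EMPTY = LM_EMPTY_HALF * 2                    # no LM hash stored, or blank password
NT_EMPTY = "31D6CFE0D16AE931B73C59D7E0C089C0"   # NT hash of the empty password
PWDUMP_NO_PASSWORD = "NO PASSWORD" + "*" * 21   # sentinel some dump tools emit instead


def parse_lc_line(line: str) -> Optional[Dict[str, str]]:
    """Return user/rid/lm/nt for one export line, or None for blank, comment or malformed lines."""
    parts = line.strip().split(":")
    if len(parts) < 4 or not parts[0] or parts[0].startswith("#"):
        return None
    lm, nt = parts[2].upper(), parts[3].upper()
    if lm == PWDUMP_NO_PASSWORD:
        lm = LM_EMPTY
    if nt == PWDUMP_NO_PASSWORD:
        nt = NT_EMPTY
    if len(lm) != 32 or len(nt) != 32:
        return None
    return {"user": parts[0], "rid": parts[1], "lm": lm, "nt": nt}


def classify(rec: Dict[str, str]) -> List[str]:
    """Flags that tell you what to try first, derived from hash structure alone."""
    flags = []
    if rec["nt"] == NT_EMPTY:
        flags.append("blank-password")    # log in straight away, no cracking needed
    elif rec["lm"] == LM_EMPTY:
        flags.append("no-lm-hash")        # password >14 chars or LM storage disabled: NT-only
    elif rec["lm"][16:] == LM_EMPTY_HALF:
        flags.append("<8")                # what Cain marks with "*" in the <8 column
    if rec["rid"] == "500":
        flags.append("builtin-admin")     # RID 500 is the built-in Administrator, even if renamed
    return flags


PRIORITY = {"blank-password": 0, "<8": 1, "no-lm-hash": 3}   # anything else ranks 2


def triage(lines: List[str]) -> List[Dict[str, object]]:
    """Parse, classify and order the accounts so the quickest wins come first."""
    records = []
    for line in lines:
        rec = parse_lc_line(line)
        if rec is None:
            continue
        flags = classify(rec)
        rank = min((PRIORITY.get(f, 2) for f in flags), default=2)
        records.append({**rec, "flags": flags, "rank": rank})
    records.sort(key=lambda r: (r["rank"], str(r["user"]).lower()))
    return records


# Constructed sample export: the hash values are illustrative, not from any real host.
SAMPLE_EXPORT = """\
Administrator:500:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:::
receptionist:1001:E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C:::
lab:1002:01FC5A6BE7BC6929AAD3B435B51404EE:0CB6948805F797BF2A82807973B89537:::
svc_backup:1003:AAD3B435B51404EEAAD3B435B51404EE:5835048CE94AD0564E29A924A03510EF:::
# a comment line and a blank line that the parser must skip

"""

if __name__ == "__main__":
    for row in triage(SAMPLE_EXPORT.splitlines()):
        print(f"{row['user']:<14} rid={row['rid']:<5} {', '.join(row['flags']) or '-'}")
```

The “no-lm-hash” case is the one to notice before you start bruting: an account whose LM hash is the double empty half but whose NT hash is not the empty one has no LM hash to attack at all, so the LM rainbow tables and LM brute force will never return anything for it and only the NT attacks apply.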
All of the devices that you infected with Abel.exe and Abel.dll will
have the Abel service running, and because the service list is
alphabetical it will always be at the top of the list. Any admin, even a
poor one, will question the presence of a new service. And there are ways
to trace the install time and the originating IP and MAC address of the
installing machine back to YOU. Read Chapter 5 – Heard but not seen!
Covering your tracks… it is everything. Here is a hint. Enable the telnet
service, connect to the hacked host and, from the command prompt, run the
following:
Net stop abel.exe
Once this is complete, you will have to reinstall the Abel client app to
reconnect through Cain. Oh, and there is that bit about the event and
security logs…. But that is another tutorial……
( I will update this portion later, it is getting late, but check back
cause there will be a ton of references and additional links)
MAC: Media Access Control. In computer networking, a media access control
address (MAC address) is a code on most forms of networking equipment
that allows that device to be uniquely identified. Each network card
manufacturer has been assigned a predefined range or block of numbers.
The structure and other uses of MAC addressing are defined in the Intro
to Networking appendix at the end of this book. Information about
manufacturer assignments for MAC address blocks can also be found at the
following site.
Sniffing: sniffing is the act or process of “listening” to some or all of
the information that is being transmitted on the same network segment
that a device is on. On a shared-medium (hub-based) network, even the most
basic sniffers are capable of “hearing” all of the traffic that is sent
across the LAN. A switched (Layer 2) network only delivers each frame to
the port of its destination, which complicates the process; tools like
Cain get around this with ARP poisoning, which redirects other hosts’
traffic through the sniffing machine.
ARP: Address Resolution Protocol; a TCP/IP function for associating an IP
address with a link-level (MAC) address. Understanding ARP and its
functions and capabilities is a key skill for hackers and security
professionals alike. A basic understanding of ARP is necessary to
properly utilize all of the functions that Cain is capable of.