Cain & Abel Tutorial Man In the Middle MITM Attack [Spoken Video with Transcription]

As most of our loyal readers know, we launched a Cyber Security Pentesting, Hacker Tools Directory last January 2015, and we regularly post updates, new tools, and we’ve started to add more tutorials when possible. We scour the Internet on your behalf finding awesome content for you to learn from. This post is an extension of Cain & Abel, a tool we added under our ‘Packet Sniffers’ category.

In this Cain & Abel tutorial, which we discovered on YouTube (full credit to: somerandomITguy) the presenter shows how to use this useful and popular password cracker.

As far as password crackers go, Cain & Abel (often abbreviated to just ‘Cain’) is one of the more popular password cracking tools out there, and it has been around forever.



Here’s the transcription of the video

Hello and welcome to the first and what I hope will be a large series of videos I’m making to document some of the more interesting things I’ve learnt in IT and IT security over the years. I’m gonna start this video with a simple disclaimer. This video is provided for educational purposes only. Misuse of the information provided within this video could result in some jail time, so please use your common sense with regards to this information. Basically don’t do anything you’re about to see on any network or system that is not your own personal private property. Now then, today I’m gonna be looking at a simple example of an MITM or, as it is more commonly known, a “Man in The Middle Attack”.

Before we begin though we have to talk a little bit about the set up I’ve created here to perform this attack in. I’ll be using a couple of different virtualization products starting with the one on screen right now which is VMware Workstation 7.1.3. Within VMware Workstation right now I’m hosting a Windows XP Professional Virtual Machine and within my Windows XP VM I am running Cain and Abel from oxid.it.

Cain is a freeware hacking application that’s been around for a long time; certainly one of the better Windows hacking applications out there. Next, my victim machine is going to be hosted in Citrix XenServer 5.6 and it is a Windows Server 2003 R2 client system that is a member of a domain; that will be relevant a little later on.

Now then let’s talk about the mechanics and the specifics of a MITM attack. [MITM Is the abbreviation of Man In The Middle Attack]. In this particular attack I’m going to be configuring Cain and Abel in what we call ARP poisoning, which will allow us to get in the middle of connections between desired IP addresses on our network. Let’s talk a bit more about how this works….

The address resolution protocol, better known as ARP, allows computers to map MAC addresses to IP addresses. We have to remember computers only care about the MAC address, which is the actual hardware address of the network adapter; the IP address is just there for human benefit. This system allows the computer to know who it’s supposed to be sending packets to when an IP address is specified. The man in the middle attack works by tricking ARP or just abusing ARP into updating its mappings and adding our attacker machine’s MAC address as the corresponding MAC address for any communication task we wish to be in the middle of. Now that we understand what we’re gonna be doing, let’s go ahead and do it.

Here we can see that I’m on the sniffers tab within Cain and Abel, I’m gonna go ahead and start sniffing and I’m gonna go ahead and do the Add To List feature here and run a scan for hosts on my network. Here in the scan box we can see we’ve got a couple of options. I’m gonna simply use the hosts in my sub-net range, you can also do ranges or some promiscuous mode scans which realistically respond to machines that might otherwise seem unavailable. Let’s go ahead and fire this off… Now the IP addresses we’re going to need to be concerned with today; we have one here which is my router and my connection to the internet. We’re gonna be getting in between the communications on that; 190 which is my domain controller that my victim machine talks to and 191 which is my victim machine.

Now that we have these in our list, we can go ahead and switch to the ARP tab and we can use some Add To List spot here to create some man in the middle roles. So I’m gonna go ahead and say any traffic going from 191 (my victim machine) to 1 (which is my default gateway), I want to get in the middle of and I’m gonna go ahead and say any traffic going from 191 to 190 (my domain controller) I wanna be in the middle of. I can now click the Start/Stop ARP button to go ahead and begin the ARP spoofing process.

I can see now my status is changing from idle to poisoning and a number has populated itself into my packets to and from fields here. Now then, let’s go ahead and hop over to our victim machine and generate some packets. I’m gonna go ahead and just start by logging in just as you normally would to any domain on any computer. I’m gonna be logging in as Bob-the-admin and Bob-the-admin you’ll see frequently within my videos, I’ve used him a lot. Bob has a simple password here that will be seen in a moment. Go ahead and type in password there and we’re in. Bob’s machine is Windows Server 2003 R2, it’s fully patched or at least pretty fully patched. We’re gonna do a little bit of browsing the internet as Bob here.

As we can see we just pop right up to google.com and we’re going to pretend to check our email here with Bob. What I’m going to type in here, these are fake credentials for our purposes they’ll work, I don’t need to actually log in to a Gmail account to demonstrate what I’m trying to demonstrate here so I’m going to go ahead and type in Bob the Admin which I have pre-populated there and I have a password saved for him to which we’ll be able to take a look at here. Obviously this is a fake Gmail account, there might be a real Bob the Admin but it’s certainly not me, I’m going to go ahead and sign in.

Now we can see here, I’ve gotten an error here from Internet Explorer and this might be Bob’s first, last and only clue that something nefarious is going on. It says here, to help protect your security, Internet Explorer has blocked this website from displaying content with security certificate errors. Click here for more options. Now if we’d actually been trying to log in it would’ve simply prevented us from logging in altogether which if we’re like most users, we’re just simply going to go ahead and click through this to get to our webpage that we want. It pretty much still doesn’t go anywhere but we’ve accomplished our purpose now and I’m gonna go ahead and log out of our victim machine here and we’re gonna go back to our attacker machine and look at some of the stuff that’s happened.

Now we can see here on our attacker machine, we’ve got a whole bunch of packets going from 191 to 190, we’ve even got some packets going from 191 to 1 so we have captured some data. We can see we’ve served some fake certificates which are self-signed certificates that Cain generates here and we can see we’ve captured some HTTPS sessions as well. We can see that some were closed by the client, some were reset by the client; these session states might be relevant to us for certain things. We didn’t capture any RDP or any of the other stuff that we can actually capture through here. We’ll look at some of this stuff in maybe later videos but not tonight.

Now if we switch over from our ARP tab to our passwords tab down here at the bottom we can see we’ve captured a couple of things. The first thing we’ve captured here is an MS Kerb5 pre-authentication hash which is basically the hash of Bob’s password here; this big, long string of numbers would basically allow us to get Bob’s password. We can do a lot of different things with this string, we can try to crack it manually, we can try to use a brute force attack to crack it, we can try to use rainbow tables to crack it, by the way that’s another video I’m going to look to do here in the near future but tonight we’re just going to do something very, very simple.

I’m going to go ahead and click here and I’m going to go to send to cracker which will send it to Cain and Abel’s built-in cracker tab up here at the top and we can see here I’ve now got my MCZlab.local Bob and its hash and I can now start either a dictionary or brute force attack or I can simply test passwords. Since I happen to know exactly what Bob’s password is I’ll share it with you guys tonight. Bob’s password is PAfivefive0, hit enter and we can see here, oh that was the correct password so we now know Bob’s hash matches to that particular password. This would allow us to do things like password guessing attacks, a number of simple things there or even just to get a hold of that hash to attempt to break it using a brute force method or something else.

If I go ahead, I’m just going to remove this one and re-add it here so that my password isn’t populated in there. We can see we have options to perform dictionary attacks in which we can load dictionary files that we want, we can also do a brute force attack which will simply allow us to try everything until we eventually get to Bob’s password. Lots and lots of characters means this attack would take lots and lots of time.

Let’s switch back to our sniffers tab. Bob’s domain credentials aren’t the only thing we captured in this attack what Bob sent to his Google login which is Bob the Admin with a password, password, again that’s not a real Gmail account, somebody could go out and register it if they wanted to probably have. That just simply shows that we can intercept Bob’s credentials as he attempts to authenticate the sites through this type of attack as well. So pretty cool, pretty simple attack, definitely demonstrates the flexibility of what we can do with ARP Poisoning but now that we’ve seen the attack, what can we do as network admins, as the good guys on our network, what can we do to maybe prevent this attack from occurring on our own networks? Well I’m going to go ahead and grab our client machine here we’re gonna look at one such method.

One thing we can do to go ahead and make this system not vulnerable to this particular attack anymore is we’re going to open a command prompt and we’re going to add some static ARP entries. So if for example I wanted to make sure that any time Bob was trying to query the default gateway or my router on this network, he got to the right place, I could do a command like this: arp -s 192.168.0.1 and then the MAC address that corresponds to that particular connection which is 001FBC00E996 in this particular case and doing that will create a static ARP entry in my ARP cache that says okay, I’m not going to accept dynamic entries for this anymore. Accepted reality here is that this IP address maps to this MAC address, this will prevent ARP Poisoning from working very, very effectively, however it can be a bit time consuming to go around and do this on a lot of systems. It may be effective on your network to create some sort of simple script to configure very, very important IP address and MAC combinations such as your domain controllers, DNS servers, things like that. That will definitely increase your network security by a little bit, certainly something that will help.

Now another thing that we can do here which unfortunately I can’t show you because I don’t have the equipment to do it or even the simulated equipment to do it is a lot of switches will allow you to set up what’s called port security which will look for if there are multiple MAC addresses mapped to a single IP address on that particular switch; so if that particular port is trying to respond to queries for multiple IP addresses, multiple MAC addresses you can probably assume that that’s probably not legitimate, most networks you can shut that feature off by enabling port security so again, something to look into.

That’s the end of this video. Hopefully you guys will join me for more later, I’ll be trying to add more, at least one video a week from now on and I hope to certainly hear whatever comments, questions, concerns, thoughts you guys have in the comments section. I’ll even take suggestions for videos, if there’s a type of attack or type of technology that you would like to see demonstrated I would be happy to look into it so feel free to throw those out there.
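
The static-ARP countermeasure from the transcript, as an added example that is not part of the video or the original post: a script that audits a Windows client's `arp -a` output against pinned IP/MAC pairs and emits the matching `arp -s` commands. The gateway pair is the one quoted in the video; the 192.168.0.190 address for the domain controller, its MAC, the third host and the sample output are constructed assumptions.

```python
import re

# Pinned IP -> MAC pairs for critical hosts. The gateway pair is the one quoted
# in the video; the domain controller address and MAC are assumed placeholders.
PINNED = {
    "192.168.0.1": "00-1f-bc-00-e9-96",
    "192.168.0.190": "00-0c-29-11-22-33",
}

# Constructed sample of Windows `arp -a` output from a poisoned client.
SAMPLE_POISONED = """\
Interface: 192.168.0.191 --- 0x10003
  Internet Address      Physical Address      Type
  192.168.0.1           00-0c-29-de-ad-01     dynamic
  192.168.0.190         00-0c-29-de-ad-01     dynamic
  192.168.0.50          00-0c-29-de-ad-01     dynamic
"""

ROW = re.compile(
    r"^\s*(\d+(?:\.\d+){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)", re.I | re.M)

def parse_arp(text):
    """Return {ip: (mac, entry_type)} parsed from `arp -a` text."""
    return {ip: (mac.lower(), kind.lower()) for ip, mac, kind in ROW.findall(text)}

def audit(text, pinned=PINNED):
    """Compare the ARP cache with the pinned pairs and list what looks wrong."""
    table, findings, by_mac = parse_arp(text), [], {}
    for ip, want in pinned.items():
        mac, kind = table.get(ip, (None, None))
        if mac is None:
            continue                      # host not in cache yet, nothing to judge
        if mac != want.lower():
            findings.append(("MISMATCH", ip, mac))
        elif kind != "static":
            findings.append(("NOT_STATIC", ip, mac))   # correct now, still spoofable
    for ip, (mac, _) in table.items():
        # Broadcast and IPv4 multicast MACs legitimately serve several addresses.
        if not mac.startswith(("ff-ff", "01-00-5e")):
            by_mac.setdefault(mac, []).append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:                  # one adapter answering for many IPs
            findings.append(("SHARED_MAC", tuple(sorted(ips)), mac))
    return findings

def static_commands(pinned=PINNED):
    """Emit the `arp -s` lines that pin each critical host."""
    return [f"arp -s {ip} {mac}" for ip, mac in pinned.items()]

if __name__ == "__main__":
    for finding in audit(SAMPLE_POISONED):
        print(finding)
```

A `SHARED_MAC` finding can also come from a legitimately multihomed host, so treat it as a prompt to check the pinned pairs rather than as proof of poisoning.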