Sniffing confidential information with Cain

Cain & Abel is an extremely useful tool for password recovery, Man-in-the-Middle attacks and ARP Poison Routing. This way, you can easily perform a security assessment of your network, as we did in this example.

In addition, it's really easy to set up and use, and it will show hidden vulnerabilities in your network within seconds!

1. Setting up Cain

We installed Cain & Abel in a Windows PC following this tutorial.

Once you open it, go to the Sniffer tab, Hosts section (bottom part in the picture below) and click on Start Sniffer (upper part in the picture):

Once you have the list of hosts in your network, you can configure the ARP Poison Routing by selecting the IP of your router and adding the hosts to your list of hosts to spoof (select them all with the mouse pointer and click 'OK').

Once the spoofing starts, you can see, in the left panel, some of the protocols (Certificates, HTTPS and IMAP) start populating…
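As an added illustration (not part of the original post or of Cain & Abel), the script below shows what the ARP Poison Routing configured above looks like from a victim's side and how a defender can spot it: it parses two constructed snapshots of Windows `arp -a` output and flags a gateway whose MAC address changed, and a single MAC that now answers for several IPs. All addresses and MACs are made-up sample values.

```python
import re
from collections import defaultdict

# Constructed sample: two snapshots of `arp -a` on a victim host.
# Snapshot 1 is the normal state; in snapshot 2 the gateway 192.168.1.1
# suddenly resolves to the same MAC as 192.168.1.50 (the sniffing host),
# which is what ARP Poison Routing looks like from the victim's side.
ARP_BEFORE = """\
Interface: 192.168.1.23 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           aa-bb-cc-00-00-01     dynamic
  192.168.1.50          aa-bb-cc-00-00-50     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""
ARP_AFTER = """\
Interface: 192.168.1.23 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           aa-bb-cc-00-00-50     dynamic
  192.168.1.50          aa-bb-cc-00-00-50     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""
# One entry line: IPv4 address, dash-separated MAC, entry type.
ARP_LINE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)", re.I)

def parse_arp_table(text):
    """Return {ip: mac} from `arp -a` output, skipping headers and the broadcast entry."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m and m.group(2).lower() != "ff-ff-ff-ff-ff-ff":
            table[m.group(1)] = m.group(2).lower()
    return table

def find_poisoning(before, after, gateway_ip):
    """Compare two snapshots and return a list of ARP-poisoning indicators."""
    old, new = parse_arp_table(before), parse_arp_table(after)
    alerts = []
    # Indicator 1: the gateway's MAC changed between snapshots.
    if gateway_ip in old and gateway_ip in new and old[gateway_ip] != new[gateway_ip]:
        alerts.append(f"gateway {gateway_ip} MAC changed {old[gateway_ip]} -> {new[gateway_ip]}")
    # Indicator 2: one MAC now answers for several IPs (gateway plus hosts).
    by_mac = defaultdict(list)
    for ip, mac in new.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            alerts.append(f"MAC {mac} claims multiple IPs: {sorted(ips)}")
    return alerts

if __name__ == "__main__":
    for a in find_poisoning(ARP_BEFORE, ARP_AFTER, "192.168.1.1"):
        print("ALERT:", a)
```

A static ARP entry for the gateway, or a switch with Dynamic ARP Inspection, removes the condition this script detects.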


2. Analyzing the information found by Cain & Abel

Maybe one of the most interesting tabs is "Passwords" (bottom section of the GUI), where you can probably get some clear text credentials:

Actually, that's what we found in the IMAP (email) protocol!! We found the complete credentials to log in to Gmail for one of the vulnerable hosts in our lab network:

Actually, if we go back to the ARP tab and click on the ARP-IMAPS results (on the left panel), you can then select one of the transactions (right click and select "open file") and find something incredible:

In the image above, we have a full Gmail conversation of our vulnerable host which includes:

  • Clear text credentials
  • Folders
  • Content of the emails

In addition, we can see that the compromised platform is Microsoft Outlook, version 16.0.10228.20134 (which is probably the issue, because today the latest Microsoft Outlook version is 16.0.4483.1000).

Here is an example of a full clear text email conversation that has a link to Google Drive:

We can even access the file using the Google Drive link:

We also explored the ARP-HTTPS files for other users and found a Gmail account:

We searched for that Gmail account in Google and found this person's tweets!

We could also find websites visited by the hosts:

All the logs are stored on your PC in the following folders:

For instance, these are the HTTPS logs:

Conclusion

In this demo you have seen how easy it is to find private information in a network. This can be extremely useful if you want to assess the security of your network. For example, in our demo, we saw that one of the hosts needed an upgrade of Microsoft Outlook. Actually, some lessons learnt from this experiment are:

  • Keep your software updated
  • When you browse, make sure you see the https, especially when entering your credentials
  • Watch which ports are open on your local system (your PC)
  • Don't save your passwords in the browser
  • Use different passwords for different applications
  • You can also use a firewall and an antivirus, and use rules to deny/allow specific services and apps

As you may already know, we will be glad to read your comments below or through email 🙂