Cain & Abel requires the configuration of some parameters; everything can be set from the main configuration dialog.

Sniffer Tab

Here you can set the network card to be used by Cain's sniffer and APR features. The last two check boxes enable/disable these functions at the program's startup.

The sniffer is compatible with WinPcap drivers version 2.3 or later; in this version only Ethernet adapters are supported by the program.

If enabled, the option "Don't use Promiscuous mode" allows APR Poisoning on wireless networks, but note that in this situation you cannot use the MAC spoofing feature described below.

APR Tab

This is where you can configure APR (ARP Poison Routing). Cain uses a separate thread that sends ARP Poison packets to victim hosts every 30 seconds by default. This is necessary because entries in the ARP cache of remote machines can be flushed out when there is no traffic. From this dialog you can set the time between each ARP Poison storm: setting this parameter to a few seconds will cause a lot of ARP network traffic, while setting it to a long delay may not produce the desired traffic hijacking.
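The behaviour described above has two observable side effects on the wire: one IP address is advertised with more than one MAC address, and unsolicited ARP replies for that IP recur at a fixed interval (30 seconds by default). The following is an added example of a monitor that looks for both; it is not Cain's own code or part of its documentation. The ArpReply record type and the capture records are constructed sample data, and the interval tolerance and repeat threshold are assumed defaults.

```python
"""Added example (not Cain's code): flag the two symptoms of ARP Poison
Routing in a list of captured ARP replies:
  (1) the same IP advertised with more than one MAC address, and
  (2) replies for one (IP, MAC) pair recurring at a regular interval,
      30 s by default, matching the poison storm period described above.
Record layout and sample data are constructed for this example."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    ts: float         # capture time in seconds (assumed field)
    sender_ip: str    # IP the reply claims to speak for
    sender_mac: str   # MAC it maps that IP to


def find_mac_conflicts(replies):
    """Return {ip: sorted list of MACs} for every IP seen with more than one MAC."""
    seen = defaultdict(set)
    for r in replies:
        seen[r.sender_ip].add(r.sender_mac)
    return {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}


def find_periodic_replies(replies, period=30.0, tolerance=2.0, min_repeats=3):
    """Return sorted (ip, mac) pairs whose replies recur every `period`
    seconds (within `tolerance`) at least `min_repeats` times in a row."""
    by_pair = defaultdict(list)
    for r in replies:
        by_pair[(r.sender_ip, r.sender_mac)].append(r.ts)
    flagged = []
    for pair, times in by_pair.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        run = best = 0
        for gap in gaps:
            run = run + 1 if abs(gap - period) <= tolerance else 0
            best = max(best, run)
        # `best` regular gaps means best + 1 regularly spaced replies
        if best + 1 >= min_repeats:
            flagged.append(pair)
    return sorted(flagged)


# Constructed sample capture: the gateway 192.168.0.1 is legitimately at
# aa:..:01, while a second station keeps claiming it every ~30 s from cc:..:77.
SAMPLE = [
    ArpReply(0.0, "192.168.0.1", "aa:aa:aa:aa:aa:01"),
    ArpReply(1.0, "192.168.0.1", "cc:cc:cc:cc:cc:77"),
    ArpReply(31.2, "192.168.0.1", "cc:cc:cc:cc:cc:77"),
    ArpReply(60.9, "192.168.0.1", "cc:cc:cc:cc:cc:77"),
    ArpReply(91.0, "192.168.0.1", "cc:cc:cc:cc:cc:77"),
    ArpReply(5.0, "192.168.0.10", "aa:aa:aa:aa:aa:10"),
    ArpReply(400.0, "192.168.0.10", "aa:aa:aa:aa:aa:10"),
]

if __name__ == "__main__":
    print("IP->MAC conflicts:", find_mac_conflicts(SAMPLE))
    print("periodic claimants:", find_periodic_replies(SAMPLE))
```

The conflict check alone catches a poisoner that announces its real MAC; the periodicity check still fires when the MAC is spoofed, because the re-sent storm keeps the same interval whatever address it carries. On a real network the records would come from a capture tool rather than the constructed list.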


The spoofing options define the addresses that Cain writes into the Ethernet and ARP headers of ARP Poison packets and re-routed packets. In this case the ARP Poison attack is completely anonymous, because the attacker's real MAC and IP addresses are never sent on the network.


If you want to enable this option you must consider that:


Real IP address    Subnet Mask        Valid range for the spoofing IP address
192.168.0.1        255.255.255.0      Must be an unused address in the range 192.168.0.2 - 192.168.0.254
10.0.0.1           255.255.0.0        Must be an unused address in the range 10.0.0.2 - 10.0.255.254
172.16.0.1         255.255.255.240    Must be an unused address in the range 172.16.0.2 - 172.16.0.14
200.200.200.1      255.255.255.252    Must be an unused address in the range 200.200.200.2 - 200.200.200.3

The spoofing IP address is automatically checked by the program when you press the "Apply" button; if the address is already in use in the subnet, a message box will report the problem.
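The table above tabulates one rule: a candidate address is any host address of the same subnet other than the network address, the broadcast address and the host's own real address. The following added example derives that range from an address and mask with Python's ipaddress module; it is not Cain's own code, and the function names are assumptions. It only performs the static part of the check; whether an address is actually unused still has to be verified on the wire, which is what Cain does when "Apply" is pressed. Note that for the last table row the standard rule yields only 200.200.200.2, because 200.200.200.3 is the broadcast address of 200.200.200.0/30.

```python
"""Added example (not Cain's code): derive the candidate spoofing range from
a host's real IP address and subnet mask, i.e. the rule behind the table:
same subnet, excluding the network address, the broadcast address and the
host's own address. No liveness probing is done here."""
import ipaddress


def candidate_range(real_ip: str, netmask: str):
    """Return (first, last) candidate addresses as strings, or None when the
    subnet has no host address other than real_ip."""
    iface = ipaddress.IPv4Interface(f"{real_ip}/{netmask}")
    # hosts() already skips the network and broadcast addresses
    candidates = [h for h in iface.network.hosts() if h != iface.ip]
    if not candidates:
        return None
    return str(candidates[0]), str(candidates[-1])


def is_candidate(real_ip: str, netmask: str, spoof_ip: str) -> bool:
    """Static check of a chosen address: same subnet and not the network,
    broadcast or real address. Does not check whether it is in use."""
    iface = ipaddress.IPv4Interface(f"{real_ip}/{netmask}")
    addr = ipaddress.IPv4Address(spoof_ip)
    net = iface.network
    return (addr in net
            and addr != net.network_address
            and addr != net.broadcast_address
            and addr != iface.ip)


if __name__ == "__main__":
    # The four rows of the table above
    for ip, mask in [("192.168.0.1", "255.255.255.0"),
                     ("10.0.0.1", "255.255.0.0"),
                     ("172.16.0.1", "255.255.255.240"),
                     ("200.200.200.1", "255.255.255.252")]:
        print(ip, mask, candidate_range(ip, mask))
```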


Filters and Ports Tab

Here you can enable/disable Cain's sniffer filters and the application protocol TCP/UDP ports. Cain captures only authentication information, not the entire content of each packet; however, you can use the Telnet filter to dump all the data of a TCP session into a file by changing that filter's port.


Cain's sniffer filters are internally designed to survive in an unreliable world such as a network under ARP Poison attack; Cain uses different state machines to extract from network packets all the information needed to recover the plaintext form of a transmitted password. Some authentication protocols use a challenge-response mechanism, so the sniffer needs to collect parameters from both Client->Server and Server->Client traffic. Traffic interception in both directions is always possible if your Layer-2 network is made of hubs only, or if you are connected to a mirror port on the switch; on switched networks in general it can be achieved only by using some kind of traffic hijacking technique such as ARP Poison Routing (APR). If you are sniffing with APR enabled, the sniffer will extract challenge-response authentications only if you reach a Full-Routing state between the victim computers.


Under this tab you can also enable/disable the analysis of routing protocols (HSRP, VRRP, EIGRP, OSPF, RIPv1, RIPv2) and the APR-DNS feature that acts as a DNS Reply Rewriter.

HTTP Fields Tab

This tab contains a list of user name and password fields to be used by the HTTP sniffer filter. Cookies and HTML forms that travel in HTTP packets are examined as follows: for each user name field, all the password fields are checked, and if both parameters are found the credentials are captured and displayed on the screen.


The following cookie uses the fields "logonusername=" and "userpassword=" for authentication purposes; if you don't include these two fields in the above list, the sniffer will not extract the corresponding credentials.


GET /mail/Login?domain=xxxxxx.xx&style=default&plain=0 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Referer: http://xxx.xxxxxxx.xx/xxxxx/xxxx
Accept-Language: it
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; (R1 1.3); .NET CLR 1.1.4322)
Host: xxx.xxxxxx.xx
Connection: Keep-Alive
Cookie: ss=1; logonusername=user@xxxxxx.xx; ss=1; srclng=it; srcdmn=it; srctrg=_blank; srcbld=y; srcauto=on; srcclp=on; srcsct=web; userpassword=password; video=c1; TEMPLATE=default;
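The request above is the kind of thing a site owner should be able to test for: does a given request carry a user name field and a password field in a cleartext cookie, so that the pair would be visible to anyone sniffing the path? The following added example applies the matching rule described in this section (a credential is reported only when both a configured user field and a configured password field are present) to the sample request; it is not Cain's own code, the function names are assumptions, and the field list is the one the page names.

```python
"""Added example (not Cain's code): audit an HTTP request for credential
fields travelling in its Cookie header, using the rule described above:
report only when a configured user name field AND a configured password
field are both present. The request is the page's sample with its
placeholder values; the field lists are the ones the page names."""

USER_FIELDS = ["logonusername"]
PASSWORD_FIELDS = ["userpassword"]


def parse_request(raw: str):
    """Return (request_line, headers) with header names lower-cased."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def parse_cookie(value: str):
    """Parse 'a=1; b=2' into a dict; the first occurrence of a repeated
    name wins, and items without '=' are ignored."""
    cookies = {}
    for part in value.split(";"):
        part = part.strip()
        if "=" in part:
            name, _, val = part.partition("=")
            cookies.setdefault(name.strip(), val.strip())
    return cookies


def exposed_credentials(raw_request: str):
    """Return {'user': ..., 'password': ...} when a configured user field and
    a configured password field both appear in the Cookie header, else {}."""
    _, headers = parse_request(raw_request)
    cookies = parse_cookie(headers.get("cookie", ""))
    user = next((cookies[f] for f in USER_FIELDS if f in cookies), None)
    password = next((cookies[f] for f in PASSWORD_FIELDS if f in cookies), None)
    if user is None or password is None:
        return {}
    return {"user": user, "password": password}


# The page's sample request (placeholder values as given there)
SAMPLE_REQUEST = """GET /mail/Login?domain=xxxxxx.xx&style=default&plain=0 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Referer: http://xxx.xxxxxxx.xx/xxxxx/xxxx
Accept-Language: it
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; (R1 1.3); .NET CLR 1.1.4322)
Host: xxx.xxxxxx.xx
Connection: Keep-Alive
Cookie: ss=1; logonusername=user@xxxxxx.xx; ss=1; srclng=it; srcdmn=it; srctrg=_blank; srcbld=y; srcauto=on; srcclp=on; srcsct=web; userpassword=password; video=c1; TEMPLATE=default;
"""

if __name__ == "__main__":
    print(exposed_credentials(SAMPLE_REQUEST))
```

Removing either field from the cookie makes the function return an empty result, mirroring the page's statement that the sniffer needs both fields configured to extract anything. The fix on the application side is not to carry credentials in cookies at all, and to serve the login over TLS.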

Traceroute Tab

This is used to configure Cain's ICMP/UDP/TCP traceroute. You can choose whether to resolve host names, use ICMP mask discovery, and enable/disable WHOIS information extraction for each hop.

Challenge Spoofing Tab

Here you can set the custom challenge value to rewrite into NTLM authentication packets. This feature can be enabled quickly from Cain's toolbar and must be used together with APR. A fixed challenge enables cracking of NTLM hashes captured on the network by means of rainbow tables.
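A legitimate NTLM server picks a fresh random 8-byte challenge for every authentication, so the rewriting described above leaves a clear trace: the same challenge value appears in session after session. The following added example extracts the ServerChallenge field from NTLM CHALLENGE_MESSAGE (Type 2) blobs, where it sits at byte offset 24 after the "NTLMSSP\0" signature, message type and TargetName fields, and reports any value that repeats. It is not Cain's own code; the sample messages and the challenge values in them are constructed for this example, and the placeholder constant is not a value used by any tool.

```python
"""Added example (not Cain's code): detect a fixed NTLM server challenge by
extracting the 8-byte ServerChallenge (offset 24) from CHALLENGE_MESSAGE
(Type 2) blobs and counting repeats. All messages below are constructed."""
import struct
from collections import Counter

NTLM_SIGNATURE = b"NTLMSSP\x00"


def server_challenge(msg: bytes) -> bytes:
    """Return the ServerChallenge of an NTLM CHALLENGE_MESSAGE (Type 2)."""
    if len(msg) < 32 or msg[:8] != NTLM_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type != 2:
        raise ValueError(f"expected CHALLENGE_MESSAGE (type 2), got type {msg_type}")
    return msg[24:32]


def repeated_challenges(messages, min_count=2):
    """Map each challenge (hex) seen at least `min_count` times to its count.
    A non-empty result means challenges are not fresh per authentication."""
    counts = Counter(server_challenge(m) for m in messages)
    return {c.hex(): n for c, n in counts.items() if n >= min_count}


def build_type2(challenge: bytes, flags: int = 0x00008201) -> bytes:
    """Construct a minimal 48-byte CHALLENGE_MESSAGE with empty TargetName
    and TargetInfo (constructed test data, not a captured server message).
    Layout: signature(8) type(4) TargetName(8) flags(4) challenge(8)
    reserved(8) TargetInfo(8)."""
    if len(challenge) != 8:
        raise ValueError("challenge must be 8 bytes")
    header = NTLM_SIGNATURE + struct.pack("<I", 2)
    target_name = struct.pack("<HHI", 0, 0, 48)   # len, maxlen, offset
    body = struct.pack("<I", flags) + challenge + b"\x00" * 8
    target_info = struct.pack("<HHI", 0, 0, 48)
    return header + target_name + body + target_info


# Constructed sessions: three distinct challenges and three sharing one
# value, as a rewriting man-in-the-middle would produce.
FIXED = bytes.fromhex("0011223344556677")  # placeholder constant for this example
SAMPLE = [
    build_type2(bytes.fromhex("9f3c5a1e7b2d4c60")),
    build_type2(FIXED),
    build_type2(bytes.fromhex("13e7a9c0556fd2b8")),
    build_type2(FIXED),
    build_type2(bytes.fromhex("c4b1e20d8a7f6613")),
    build_type2(FIXED),
]

if __name__ == "__main__":
    print("repeated challenges:", repeated_challenges(SAMPLE))
```

On a real network the Type 2 blob is carried inside SMB or, base64-encoded, in an HTTP WWW-Authenticate header; a capture tool extracts the blob and this function does the rest. Any challenge that recurs across sessions should be treated as a sign of tampering or of a broken server.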