The Network Enumerator uses the native Windows network management functions (Net*) to discover what is present on the network. It allows a quick identification of Domain Controllers, SQL Servers, Printer Servers, Remote Access Dial-In Servers, Novell Servers, Apple File Servers, Terminal Servers and so on. It can also display when possible the version of their operating system.

 

The left tree is used to browse the network and to connect to remote machines; once connected to a server you can also enumerate user names, groups, services and shares present on it. By default the program connects to remote IPC$ shares using the current local logged on user and if it fails using NULL sessions (Anonymous sessions); however it is also possible to specify the credentials to be used for the connection. The Quick List can be used to insert IP addresses of hosts that aren't seen browsing the network.

 

When enumerating users, Cain also extracts their Security Identifier (SID) and has the ability to identify the name of the Administrator account even if it was renamed. This is done by looking at the account RID which is the last part of a SID. The RID of the Administrator account is always equal to 500.

 

Windows NT and later has a security feature that can restrict the ability for anonymous logon users (also known as NULL session connections) to list account names and enumerate share names. This is done setting to 1 the parameter "RestrictAnonymous" under the registry key:

 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA

 

If the program cannot enumerate users, because of this restriction,  it will start automatically the SID Scanner and will proceed with an extraction of them using the same methodology used by the well known tool sid2user by Evgenii B. Rudnyi.

 

Tip

To perform an Anonymous connection (NULL Session) to the target host, leave the user name and password fields empty in the credentials dialog.

 

Usage

Enumerations are launched browsing the tree on the left into the Network tab. To specify credentials for a network connection you can right click on the target machine and use the "Connect As" function within the pop up menu.