Cain's sniffer is principally focused on capturing passwords and authentication information travelling on the network. It should not be compared to professional tools like Observer, SnifferPro or Ethereal, but unlike commercial protocol analyzers it has been developed to work on switched networks by means of APR (ARP Poison Routing), another feature included in the program.

Protocol Filters

There is a BPF (Berkeley Packet Filter) hard-coded into the protocol driver that performs some initial traffic screening. The filter instructs the protocol driver to process only ARP and IP traffic; other protocols, like NetBEUI for example, are not processed.  
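The screening described above is the same decision the BPF expression "arp or ip" makes: keep frames whose EtherType is ARP (0x0806) or IPv4 (0x0800) and drop everything else. The example below is added here to show that decision in code; it is not Cain's driver code and it does not use a real capture. The frames are constructed inline. Note the one subtlety worth knowing: NetBEUI is carried in 802.3/LLC frames, where bytes 12-13 hold a length (<= 1500) instead of an EtherType, so such frames never match and are dropped, as the text says.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV6 = 0x86DD
MAX_8023_LENGTH = 1500   # a value <= 1500 in bytes 12-13 is an 802.3 length, not an EtherType


def ethertype(frame: bytes):
    """EtherType of an Ethernet II frame, or None for an 802.3/LLC frame (NetBEUI, STP, ...)."""
    if len(frame) < 14:
        return None
    type_or_len = struct.unpack("!H", frame[12:14])[0]
    if type_or_len <= MAX_8023_LENGTH:
        return None
    return type_or_len


def accept(frame: bytes) -> bool:
    """Same decision as the BPF expression 'arp or ip': keep ARP and IPv4, drop everything else."""
    return ethertype(frame) in (ETHERTYPE_IPV4, ETHERTYPE_ARP)


def screen(frames):
    """Return the subset of frames the protocol driver would hand on to the password filters."""
    return [f for f in frames if accept(f)]


# --- constructed sample frames (not real captures) ---
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("0011223344ff")


def eth_ii(etype: int, payload: bytes) -> bytes:
    """Ethernet II header followed by an arbitrary payload."""
    return DST + SRC + struct.pack("!H", etype) + payload


ARP_REQUEST = eth_ii(ETHERTYPE_ARP, bytes(28))                  # zeroed ARP body; enough for the type check
IPV4_PACKET = eth_ii(ETHERTYPE_IPV4, bytes([0x45]) + bytes(19))  # minimal IPv4 header
IPV6_PACKET = eth_ii(ETHERTYPE_IPV6, bytes(40))                  # 'ip' in BPF means IPv4 only
# NetBEUI rides on 802.3 + LLC: bytes 12-13 carry a length, LLC DSAP/SSAP 0xF0 is the NetBIOS SAP
NETBEUI_FRAME = DST + SRC + struct.pack("!H", 0x0040) + bytes([0xF0, 0xF0, 0x03]) + bytes(61)
```

screen([...]) applied to the four constructed frames keeps only ARP_REQUEST and IPV4_PACKET.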

Password Filters

The sniffer includes several password filters that can be enabled/disabled from the main configuration dialog; they are used to capture credentials from the following protocols:

Protocol                 Authentication Types

FTP                      Plaintext
HTTP / HTTP Proxy        Basic, Form, Cookie, LM, NTLMv1, NTLMv2, NTLM Session Security, NTLMSSP
IMAP                     Plaintext, LOGIN, CRAM-MD5, LM, NTLMv1, NTLMv2, NTLM Session Security, NTLMSSP
POP3                     Plaintext, APOP-MD5, CRAM-MD5, LM, NTLMv1, NTLMv2, NTLM Session Security, NTLMSSP
SMTP                     Plaintext, LOGIN, CRAM-MD5, LM, NTLMv1, NTLMv2, NTLM Session Security, NTLMSSP
LDAP                     Plaintext
NNTP                     Plaintext, LM, NTLMv1, NTLMv2, NTLM Session Security, NTLMSSP
ICQ                      v.7
VNC                      3DES
TDS (Sybase / MSSQL)     v4.x, v5.0, v7.0 XOR, v7.0 NTLMv1, NTLMv2, NTLM Session Security, NTLMSSP
MySQL                    v3.23, SHA-1
DCE/RPC                  LM, NTLMv1, NTLMv2, NTLM Session Security, NTLMSSP
SMB                      Plaintext, LM, NTLMv1, NTLMv2, NTLM Session Security, NTLMSSP
MS Kerberos5             PreAuth encrypted timestamps
Radius                   PreShared Keys, User's passwords
IKE                      Aggressive Mode PreShared Keys (MD5 and SHA-1)
SNMP                     Community strings
RIP                      Plaintext, hash, RIPv2-MD5
HSRP                     Plaintext
EIGRP                    MD5
OSPF                     Simple, MD5
VRRP                     Simple, IP-AH, HMAC_MD5_96
SIP                      Authorization and Proxy-Authorization (MD5)
GRE/PPP                  PAP, CHAP-MD5, MS-CHAPv1, MS-CHAPv2
PPPoE                    PAP, CHAP-MD5, MS-CHAPv1, MS-CHAPv2
Oracle TNS               DES, 3DES, AES-128, AES-192

Telnet                   Entire session is dumped to file, starting from the first packet carrying data up to the FIN packet
*HTTPS                   Entire session is dumped to file, plus the same types as HTTP
*LDAPS                   Entire session is dumped to file, plus the same types as LDAP
*IMAPS                   Entire session is dumped to file, plus the same types as IMAP
*POP3S                   Entire session is dumped to file, plus the same types as POP3
*FTPS                    Entire session is dumped to file, plus the same types as FTP
*SSH-1                   Entire session is dumped to file (full-duplex, stealth; supports the DES, 3DES and Blowfish symmetric ciphers; auto-downgrade to SSH-1 if the server version is 1.99)
MGCP/RTP                 Captures and decodes VoIP conversations carried over RTP and saves them as WAV files
SIP/RTP                  Captures and decodes VoIP conversations carried over RTP and saves them as WAV files

(*) = requires APR (ARP Poison Routing) to be enabled


Cain's sniffer filters are designed to survive in an unreliable environment such as a network under ARP poisoning; Cain uses a separate protocol state machine per protocol to extract from network packets all the information needed to recover the plaintext form of a transmitted password. Some authentication protocols use a challenge-response mechanism, so for those the sniffer needs parameters from both the Client->Server and the Server->Client traffic: the challenge travels in one direction and the response in the other, and neither alone is enough to test candidate passwords. On switched networks this can be achieved with a mirror port on the switch, or when APR reaches the FULL-Routing state.
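To make the two-direction requirement concrete, the following added example (written for this page, not taken from Cain) implements a small POP3 state machine for two of the challenge-response types listed in the table, APOP-MD5 and CRAM-MD5. The server direction supplies the APOP timestamp or the CRAM-MD5 challenge, the client direction supplies the user name and the digest, and a dictionary attack is only possible once both halves are present. The exchanges, host names, user names and wordlist are constructed for the example; the digests in them are computed from known passwords so the result is deterministic.

```python
import base64
import hashlib
import hmac
import re

WORDLIST = ["letmein", "password1", "hunter2", "secret"]   # constructed dictionary


def apop_digest(timestamp: str, password: str) -> str:
    """RFC 1939 APOP: MD5(timestamp || password); the timestamp keeps its angle brackets."""
    return hashlib.md5((timestamp + password).encode()).hexdigest()


def cram_md5_digest(challenge: bytes, password: str) -> str:
    """RFC 2195 CRAM-MD5: hex(HMAC-MD5(key=password, msg=challenge))."""
    return hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()


class Pop3AuthTracker:
    """Tiny POP3 state machine. The server direction supplies the APOP timestamp and the
    CRAM-MD5 challenge; the client direction supplies the user name and the response."""

    def __init__(self):
        self.timestamp = None
        self.challenge = None
        self.expect_cram = False
        self.captured = []          # (mechanism, user, challenge, digest)

    def server(self, line: str):
        if self.timestamp is None and line.startswith("+OK"):
            m = re.search(r"<[^>]+>", line)          # APOP timestamp in the greeting
            if m:
                self.timestamp = m.group(0)
        elif self.expect_cram and line.startswith("+ "):
            self.challenge = base64.b64decode(line[2:])

    def client(self, line: str):
        upper = line.upper()
        if upper.startswith("APOP "):
            _, user, digest = line.split()
            self.captured.append(("APOP", user, self.timestamp, digest))
        elif upper == "AUTH CRAM-MD5":
            self.expect_cram = True
        elif self.expect_cram and self.challenge is not None:
            user, digest = base64.b64decode(line).decode().split(" ", 1)
            self.captured.append(("CRAM-MD5", user, self.challenge, digest))
            self.expect_cram, self.challenge = False, None


def crack(entry, wordlist=WORDLIST):
    """Dictionary attack on one captured entry; impossible without the server's challenge."""
    mechanism, _, challenge, digest = entry
    if challenge is None:
        return None
    for candidate in wordlist:
        if mechanism == "APOP":
            guess = apop_digest(challenge, candidate)
        else:
            guess = cram_md5_digest(challenge, candidate)
        if hmac.compare_digest(guess, digest):
            return candidate
    return None


def recover(session):
    """session: list of (direction, line), direction 'S' or 'C'. Returns [(mechanism, user, password)]."""
    tracker = Pop3AuthTracker()
    for direction, line in session:
        (tracker.server if direction == "S" else tracker.client)(line)
    return [(m, u, crack((m, u, c, d))) for m, u, c, d in tracker.captured]


# --- constructed exchanges (not real captures); responses computed from known passwords ---
TIMESTAMP = "<1896.697170952@pop.example.test>"
APOP_SESSION = [
    ("S", "+OK POP3 server ready " + TIMESTAMP),
    ("C", "APOP alice " + apop_digest(TIMESTAMP, "hunter2")),
    ("S", "+OK maildrop locked and ready"),
]
CHALLENGE = b"<12345.1700000000@pop.example.test>"
CRAM_SESSION = [
    ("S", "+OK POP3 server ready"),
    ("C", "AUTH CRAM-MD5"),
    ("S", "+ " + base64.b64encode(CHALLENGE).decode()),
    ("C", base64.b64encode(b"bob " + cram_md5_digest(CHALLENGE, "secret").encode()).decode()),
    ("S", "+OK Authentication successful"),
]
```

Feeding recover() only the client half of either session (as a port mirror that sees one direction, or APR in half-routing state, would) yields no password: the APOP entry is captured without its timestamp and cannot be tested, and the CRAM-MD5 response is never even recognised because the challenge that precedes it was not seen.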


When APR (ARP Poison Routing) is enabled, the sniffer must process packets that it would normally never see and also re-route them to their correct destination; on heavy-traffic networks this can cause performance bottlenecks, so be careful. APR's main advantage is that it enables sniffing on switched networks and also permits the interception of encrypted protocols such as HTTPS and SSH-1, because Cain sits in the middle of the connection rather than merely observing it. Bear in mind that an intercepted HTTPS session presents the client with a certificate that is not the real server's, so the interception is visible to a user who inspects the resulting certificate warning.
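The defender's view of the same mechanism: ARP poisoning works by making a host accept a sender-MAC claim for an IP address that differs from the genuine one, and the FULL-Routing state the text mentions requires poisoning both ends (the victim's view of the gateway and the gateway's view of the victim). The added detector below (written for this page, not part of Cain) parses raw Ethernet/ARP frames and flags every IP whose advertised MAC changes from the binding first learned. The MAC and IP addresses and the frame sequence are constructed for the example.

```python
import struct

ETHERTYPE_ARP = 0x0806


def arp_frame(sender_mac, sender_ip, target_mac, target_ip, op=2):
    """Constructed Ethernet + ARP frame (op 2 = reply, op 1 = request), 42 bytes."""
    eth = target_mac + sender_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + sender_mac + sender_ip + target_mac + target_ip
    return eth + arp


def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_mac, target_ip) or None if not Ethernet/IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, frame[22:28], frame[28:32], frame[32:38], frame[38:42]


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def detect_poisoning(frames):
    """Keep the first MAC seen for each sender IP; report every later frame that claims a different one.
    Requests and replies are both considered, since hosts learn the sender mapping from either."""
    learned = {}
    alerts = []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        _, sender_mac, sender_ip, _, _ = parsed
        ip = ip_str(sender_ip)
        if ip in learned and learned[ip] != sender_mac:
            alert = (ip, mac_str(learned[ip]), mac_str(sender_mac))
            if alert not in alerts:
                alerts.append(alert)
        learned.setdefault(ip, sender_mac)
    return alerts


# --- constructed traffic: a gateway, a victim, and a third host poisoning both sides ---
GATEWAY_MAC, GATEWAY_IP = bytes.fromhex("00aa00aa00aa"), bytes([192, 168, 1, 1])
VICTIM_MAC, VICTIM_IP = bytes.fromhex("00bb00bb00bb"), bytes([192, 168, 1, 10])
ATTACKER_MAC = bytes.fromhex("00cc00cc00cc")

SAMPLE = [
    arp_frame(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),     # genuine reply from the gateway
    arp_frame(VICTIM_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP),     # genuine reply from the victim
    arp_frame(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),    # "gateway is at attacker" -> victim
    arp_frame(ATTACKER_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP),   # "victim is at attacker"  -> gateway
    arp_frame(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),    # poison is re-sent periodically
]
```

On SAMPLE the detector reports two conflicts, one per poisoned IP, which is exactly the two-sided pattern needed for full routing; the first two genuine frames alone produce no alert.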


Passwords and hashes are stored in .LST files in the program's directory. These are TAB-separated text files, so you can view or import them with a text editor or spreadsheet (e.g.: POP3.LST contains passwords and hashes sniffed from the POP3 protocol).


For the HTTPS, SSH-1 and Telnet protocols entire sessions are decrypted and dumped into text files using this naming convention:

<Protocol name>-<Year><Month><Day><Hour><Minute><Second><Milliseconds>-<client port>.txt

(e.g.: Telnet-20041116135246796-1141.txt)


For more information on .LST files please refer to the Installation page.

Off-line capture file processing

The sniffer can also process capture files (from Ethereal, Tcpdump and Winpcap) in off-line mode. Captures are imported using the "open file" button of the sniffer's toolbar; when processing network traffic off-line all of APR's functions are automatically disabled.

Routing Protocols Analysis

Routing protocols like VRRP, HSRP, RIP, OSPF and EIGRP are also analyzed by the program. This enables quick identification of the subnet's routing and perimeter.

For the EIGRP and RIP protocols, the "Routes Extractor" feature will also dump the actual routing table exchanged between routers. The feature is only supported when these protocols are running without authentication.
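What route extraction from a RIP update looks like, and why the authentication caveat exists, is shown by the added example below (written for this page; it is not Cain's Routes Extractor). It parses a RIPv2 response datagram (RFC 2453 layout: a 4-byte header followed by 20-byte entries) and returns the advertised prefixes, but only when the update carries no authentication entry (address family 0xFFFF). When a simple-password entry (type 2) is present the password is in the clear in the packet, which is why the table above lists RIP "Plaintext" among the captured credentials; the MD5 type (3) is reported but not cracked here. The two sample datagrams are constructed inline.

```python
import ipaddress
import struct

RIP_RESPONSE = 2
AFI_IP = 2
AFI_AUTH = 0xFFFF
AUTH_TYPES = {2: "simple", 3: "md5"}
RIP_INFINITY = 16                 # metric 16 means unreachable


def rip_entry(ip, mask, metric, nexthop="0.0.0.0", tag=0):
    """Constructed RIPv2 route entry (20 bytes): AFI, route tag, prefix, mask, next hop, metric."""
    return struct.pack("!HH4s4s4sI", AFI_IP, tag,
                       ipaddress.IPv4Address(ip).packed, ipaddress.IPv4Address(mask).packed,
                       ipaddress.IPv4Address(nexthop).packed, metric)


def rip_simple_auth(password):
    """Constructed simple-password authentication entry (type 2): the password travels in the clear."""
    return struct.pack("!HH16s", AFI_AUTH, 2, password.encode())


def parse_ripv2(payload):
    """Return (auth, routes). auth is None, ('simple', password) or ('md5', None);
    routes is a list of (prefix, next_hop, metric)."""
    if len(payload) < 4 or (len(payload) - 4) % 20 != 0:
        raise ValueError("malformed RIP packet")
    command, version, _ = struct.unpack("!BBH", payload[:4])
    if command != RIP_RESPONSE or version != 2:
        raise ValueError("not a RIPv2 response")
    auth, routes = None, []
    for off in range(4, len(payload), 20):
        afi, tag = struct.unpack("!HH", payload[off:off + 4])
        if afi == AFI_AUTH:
            # only the leading entry is the authentication header; an MD5 trailer (type 1) is skipped
            if off == 4:
                password = None
                if tag == 2:
                    password = payload[off + 4:off + 20].rstrip(b"\0").decode("ascii", "replace")
                auth = (AUTH_TYPES.get(tag, str(tag)), password)
            continue
        if afi != AFI_IP:
            continue
        net, mask, nexthop, metric = struct.unpack("!4s4s4sI", payload[off + 4:off + 20])
        prefix = ipaddress.ip_network(
            f"{ipaddress.IPv4Address(net)}/{ipaddress.IPv4Address(mask)}", strict=False)
        routes.append((str(prefix), str(ipaddress.IPv4Address(nexthop)), metric))
    return auth, routes


def extract_routes(payload):
    """Routes Extractor analogue: reachable prefixes, or None when the update is authenticated."""
    auth, routes = parse_ripv2(payload)
    if auth is not None:
        return None
    return [prefix for prefix, _, metric in routes if metric < RIP_INFINITY]


# --- constructed datagrams (UDP payload only, no IP/UDP headers) ---
HEADER = struct.pack("!BBH", RIP_RESPONSE, 2, 0)
UNAUTHENTICATED = (HEADER
                   + rip_entry("10.1.0.0", "255.255.0.0", 1)
                   + rip_entry("10.2.0.0", "255.255.255.0", 2, nexthop="10.1.0.254")
                   + rip_entry("192.168.0.0", "255.255.0.0", RIP_INFINITY))   # withdrawn route
AUTHENTICATED = HEADER + rip_simple_auth("s3cret") + rip_entry("10.1.0.0", "255.255.0.0", 1)
```

extract_routes(UNAUTHENTICATED) yields the two reachable prefixes and drops the poisoned (metric 16) one, while extract_routes(AUTHENTICATED) returns None even though parse_ripv2() still recovers the plaintext password from the authentication entry.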

Usage

The sniffer is activated/deactivated using the corresponding toolbar button, and its parameters can be configured from the main configuration dialog.

Requirements

- Supported Ethernet network adapter

- Winpcap Packet Driver (v2.3 or above) from Politecnico di Torino.