Cain's sniffer is principally focused on capturing passwords and authentication information travelling on the network. It should not be compared to professional tools like Observer, SnifferPro or Ethereal, but unlike any commercial protocol analyzer it has been developed to work on switched networks by means of APR (Arp Poison Routing), another feature included in the program.
There is a BPF (Berkeley Packet Filter) hard-coded into the protocol driver that performs some initial traffic screening. The filter instructs the protocol driver to process only ARP and IP traffic; other protocols, like NetBEUI for example, are not processed.
The sniffer includes several password filters that can be enabled/disabled from the main configuration dialog; they are used to capture credentials from the following protocols:
Protocol | Authentication Types
FTP | Plaintext
HTTP / HTTP Proxy | Basic, Form, Cookie, LM, NTLMv1, NTLMv2, NTLM Session Security, NTLMSSP
IMAP | Plaintext, LOGIN, CRAM-MD5, LM, NTLMv1, NTLMv2, NTLM Session Security, NTLMSSP
POP3 | Plaintext, APOP-MD5, CRAM-MD5, LM, NTLMv1, NTLMv2, NTLM Session Security, NTLMSSP
SMTP | Plaintext, LOGIN, CRAM-MD5, LM, NTLMv1, NTLMv2, NTLM Session Security, NTLMSSP
LDAP | Plaintext
NNTP | Plaintext, LM, NTLMv1, NTLMv2, NTLM Session Security, NTLMSSP
ICQ | v.7
VNC | 3DES
TDS (Sybase / MSSQL) | v4.x, v5.0, v7.0 XOR, v7.0 NTLMv1, NTLMv2, NTLM Session Security, NTLMSSP
MySQL | v3.23, SHA-1
DCE/RPC | LM, NTLMv1, NTLMv2, NTLM Session Security, NTLMSSP
SMB | Plaintext, LM, NTLMv1, NTLMv2, NTLM Session Security, NTLMSSP
MS Kerberos5 | PreAuth encrypted timestamps
Radius | PreShared Keys, User's passwords
IKE | Aggressive Mode PreShared Keys (MD5 and SHA-1)
SNMP | Community strings
RIP | Plaintext, hash, RIPv2-MD5
HSRP | Plaintext
EIGRP | MD5
OSPF | Simple, MD5
VRRP | Simple, IP-AH, HMAC_MD5_96
SIP | Authorization and Proxy-Authorization (MD5)
GRE/PPP | PAP, CHAP-MD5, MS-CHAPv1, MS-CHAPv2
PPPoE | PAP, CHAP-MD5, MS-CHAPv1, MS-CHAPv2
Oracle TNS | DES, 3DES, AES-128, AES-192
Telnet | Entire session is dumped to file, starting from the first packet containing data up to the FIN packet
*HTTPS | Entire session is dumped to file + the same types as HTTP
*LDAPS | Entire session is dumped to file + the same types as LDAP
*IMAPS | Entire session is dumped to file + the same types as IMAP
*POP3S | Entire session is dumped to file + the same types as POP3
*FTPS | Entire session is dumped to file + the same types as FTP
*SSH-1 | Entire session is dumped to file (FULL-DUPLEX, stealth, supports DES, 3DES, Blowfish symmetric encryption algorithms, auto-downgrade to SSH-1 if server version is v1.99)
MGCP/RTP | Captures and decodes VoIP conversations that travel over the RTP protocol and saves them as WAV files.
SIP/RTP | Captures and decodes VoIP conversations that travel over the RTP protocol and saves them as WAV files.
(*) = requires APR (Arp Poison Routing) to be enabled
Cain's sniffer filters are internally designed to survive in an unreliable environment such as a network under ARP Poison attack; Cain uses a separate protocol state machine per protocol to extract from network packets all the information needed to recover the plain text form of a transmitted password. Some authentication protocols use a challenge-response mechanism, so for these the sniffer needs parameters from both directions of traffic (Client->Server and Server->Client). On switched networks this can be achieved with a mirror port on the switch, or when APR reaches the FULL-Routing state.
When APR (Arp Poison Routing) is enabled, the sniffer must process packets that it normally wouldn't see and also re-route them to their correct destination; this can cause performance bottlenecks on heavy traffic networks, so be careful. APR's main advantage is that it enables sniffing on switched networks and also permits the analysis of encrypted protocols such as HTTPS and SSH-1.
Passwords and hashes are stored in .LST files in the program's directory. These are TAB-separated text files, so you can view or import them with your preferred editor or spreadsheet (e.g.: POP3.LST contains passwords and hashes sniffed from the POP3 protocol).
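The FULL-Routing state described above leaves a recognisable trace on the wire: one MAC address answering ARP for both the gateway and a victim, and existing IP-to-MAC bindings changing mid-capture. The following detector, written as an added example and not part of Cain or its documentation, applies those two signals to a constructed log of observed ARP replies:

```python
"""Flag ARP cache poisoning (the technique APR relies on) from observed ARP
replies. Added example; the observation records below are constructed."""
from collections import defaultdict

# Constructed sample: (seconds, sender IP, sender MAC) from ARP replies seen on
# the segment. 10.0.0.1 is the gateway with real MAC aa:..:01. From t=5 a host
# with MAC cc:..:99 claims both the gateway's IP and a workstation's IP, which
# is the pattern of a poisoner relaying traffic between the two peers.
SAMPLE_ARP_REPLIES = [
    (0.0, "10.0.0.1", "aa:aa:aa:aa:aa:01"),
    (1.0, "10.0.0.25", "bb:bb:bb:bb:bb:25"),
    (2.0, "10.0.0.30", "bb:bb:bb:bb:bb:30"),
    (5.0, "10.0.0.1", "cc:cc:cc:cc:cc:99"),   # gateway IP claimed by another MAC
    (5.1, "10.0.0.25", "cc:cc:cc:cc:cc:99"),  # victim IP claimed by the same MAC
    (6.0, "10.0.0.1", "cc:cc:cc:cc:cc:99"),   # repeat, not a new transition
]


def detect_arp_poisoning(replies, min_ips_per_mac=2):
    """Return a list of alert strings derived from two signals:
    (1) an IP whose sender MAC changes during the capture, and
    (2) one MAC answering for several IPs. A legitimate router doing proxy ARP
    also triggers (2), so treat it as lower confidence on its own."""
    last_mac = {}                   # ip -> most recently observed MAC
    ips_by_mac = defaultdict(set)   # mac -> IPs it has claimed
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        ips_by_mac[mac].add(ip)
        prev = last_mac.get(ip)
        if prev is not None and prev != mac:
            alerts.append(f"t={ts}: {ip} moved from {prev} to {mac}")
        last_mac[ip] = mac
    for mac, ips in ips_by_mac.items():
        if len(ips) >= min_ips_per_mac:
            alerts.append(f"{mac} claims {len(ips)} IPs: {', '.join(sorted(ips))}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_ARP_REPLIES):
        print(alert)
```

Feeding it the first three records (before the poisoning starts) yields no alerts; the full sample yields two binding changes and one multi-IP claim.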
For the HTTPS, SSH-1 and Telnet protocols, entire sessions are decrypted and dumped into text files using this naming convention:
<Protocol name>-<Year><Month><Day><Hour><Minute><Second><Milliseconds>-<client port>.txt
(e.g.: Telnet-20041116135246796-1141.txt)
For more information on .LST files please refer to the Installation page.
The sniffer can also process capture files (from Ethereal, Tcpdump and Winpcap) in off-line mode. The captures can be imported using the "open file" button of the sniffer's toolbar; when processing network traffic off-line, all APR functions are automatically disabled.
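An incident responder who finds these session dumps on a host can turn the naming convention above into a timeline of captured sessions. The parser below is an added example, not Cain's own code; apart from the Telnet name quoted in the text, the file names are constructed, and it assumes a port outside 1-65535 marks a non-matching file.

```python
"""Parse Cain session-dump file names into timeline records. Added example;
the sample file names (other than the documented Telnet one) are constructed."""
import re
from datetime import datetime

# <Protocol name>-<Year><Month><Day><Hour><Minute><Second><Milliseconds>-<client port>.txt
# The protocol name itself may contain a hyphen (SSH-1), so it is matched
# non-greedily and anchored on the 17-digit timestamp that must follow it.
DUMP_NAME_RE = re.compile(r"^(?P<proto>.+?)-(?P<ts>\d{17})-(?P<port>\d{1,5})\.txt$")

# Constructed directory listing; only the first name is taken from the docs.
SAMPLE_FILES = [
    "Telnet-20041116135246796-1141.txt",
    "SSH-1-20041116140102003-1150.txt",
    "HTTPS-20041116135900120-1147.txt",
    "POP3.LST",          # credential list, not a session dump
    "notes.txt",         # unrelated file
]


def parse_dump_name(name):
    """Return {'protocol', 'started', 'client_port'} or None if the name does
    not follow the convention (wrong shape or impossible port)."""
    m = DUMP_NAME_RE.match(name)
    if not m:
        return None
    ts = m.group("ts")
    started = datetime.strptime(ts[:14], "%Y%m%d%H%M%S").replace(
        microsecond=int(ts[14:]) * 1000)          # last 3 digits are milliseconds
    port = int(m.group("port"))
    if not 1 <= port <= 65535:                    # assumption: reject impossible ports
        return None
    return {"protocol": m.group("proto"), "started": started, "client_port": port}


def build_timeline(names):
    """Parse every matching name and order the sessions by start time."""
    records = [r for r in map(parse_dump_name, names) if r is not None]
    return sorted(records, key=lambda r: r["started"])


if __name__ == "__main__":
    for rec in build_timeline(SAMPLE_FILES):
        print(rec["started"].isoformat(timespec="milliseconds"),
              rec["protocol"], "client port", rec["client_port"])
```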
Routing protocols like VRRP, HSRP, RIP, OSPF and EIGRP are also analyzed by the program. This enables quick identification of the subnet's routing and perimeter.

For the EIGRP and RIP protocols, the "Routes Extractor" feature will also dump the actual routing table shared between routers. The feature is only supported when these protocols are not configured to require authentication.
The sniffer is activated/deactivated using the corresponding toolbar button, and its parameters can be configured from the main configuration dialog.
- Supported Ethernet network adapter
- Winpcap Packet Driver (v2.3 or above) from Politecnico di Torino.