Q: I have installed Cain and Winpcap but there are no adapters listed in the configuration dialog. Why?

A: This can happen after Winpcap installation. Try rebooting the system.

Q: I need to export sniffed passwords to another file. How can I do that?

A: Passwords and hashes are stored in .LST files in the program's directory. These are comma-separated files, so you can view or import them with your preferred word processor. For example, POP3.LST contains passwords and hashes sniffed from the POP3 protocol.

Q: Why can't I sniff SSH-1 or HTTPS sessions generated from my workstation?

A: You can't, because you need APR and a Man-in-the-Middle condition to do that. These protocols are based on asymmetric encryption, so something in the communication (encryption keys and certificates) needs to be changed on the fly. The Winpcap driver, by design, cannot block packets when they enter or leave your network card, so the fake information cannot be injected correctly.

Q: What kind of symmetric encryption algorithms are supported by the SSH-1 sniffer?

A: The sniffer supports DES, 3DES and Blowfish.

Q: Does the SSH-1 sniffer work like DSniff?

A: No. DSniff works in HALF-DUPLEX PROXY mode, which means that the victim machine talks to the SSH-1 server by means of the sniffer using sockets. In this situation only the client-side traffic is decrypted, and the sniffer establishes a socket connection to the SSH server, exposing its IP address. Cain uses APR and works in FULL-DUPLEX STEALTH mode, decrypting both client and server traffic. If spoofing is enabled, the sniffer's IP and MAC addresses are never exposed to the victim. Try a "netstat -an" on the client to check for yourself.

Q: Is DNS spoofing required for Cain's SSH-1 sniffer?

A: No. The only requirement is a Man-in-the-Middle situation that can be obtained with APR.

Q: I cannot sniff an SSH-1 session that uses ZLIB compression. Why?

A: Because this feature has not been implemented yet. However, don't consider yourself "secure" just because you are using compression.

Q: When I use the HTTPS sniffer, the client's browser pops up a dialog telling the user that the certificate comes from an untrusted certification authority. Why?

A: Because that server certificate is not the real one signed by a Trusted Root Certification Authority. It has been generated, self-signed and injected by Cain to the client's browser.

Q: What is the form of a fake certificate generated by Cain?

A: It contains exactly the same information as the real one, except for the asymmetric encryption keys.
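
Because only the key differs, comparing names cannot tell the substitute from the real certificate, while a pin on the public key can. The Python below is an added example (not part of the original FAQ or of Cain): it extracts the subject and SubjectPublicKeyInfo from DER and compares a pinned certificate with a presented one. The function names and the sample DER skeletons are constructed for illustration.

```python
import hashlib

def read_tlv(buf, pos):
    """Return (content, end) of the DER element that starts at pos."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return buf[pos:pos + length], pos + length

def children(content):
    """Split a constructed element's content into raw child elements."""
    out, pos = [], 0
    while pos < len(content):
        end = read_tlv(content, pos)[1]
        out.append(content[pos:end])
        pos = end
    return out

def subject_and_spki_pin(cert_der):
    """Return (raw subject Name, SHA-256 hex of SubjectPublicKeyInfo)."""
    tbs = children(read_tlv(cert_der, 0)[0])[0]
    parts = children(read_tlv(tbs, 0)[0])
    if parts[0][0] == 0xA0:                # skip the explicit [0] version of v2/v3 certs
        parts = parts[1:]
    # remaining order: serial, sigAlg, issuer, validity, subject, subjectPublicKeyInfo
    return parts[4], hashlib.sha256(parts[5]).hexdigest()

def is_substituted(pinned_der, presented_der):
    """True when the subject names match but the public key does not."""
    subj_a, pin_a = subject_and_spki_pin(pinned_der)
    subj_b, pin_b = subject_and_spki_pin(presented_der)
    return subj_a == subj_b and pin_a != pin_b

# --- constructed sample data: DER skeletons, not valid certificates ---
def tlv(tag, content):
    n = len(content)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + content

def sample_cert(key_bytes):
    name = tlv(0x30, tlv(0x0C, b"mail.example.test"))   # identical name in both samples
    spki = tlv(0x30, tlv(0x30, b"") + tlv(0x03, b"\x00" + key_bytes))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"")
              + name + tlv(0x30, b"") + name + spki)
    return tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00"))

REAL, FORGED = sample_cert(b"\xaa" * 140), sample_cert(b"\xbb" * 140)  # same fields, new key
```

The parser follows the standard X.509 field order, so the same functions accept a real DER certificate, for instance the output of ssl.PEM_cert_to_DER_cert().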

Q: Does the HTTPS sniffer work like DSniff?

A: No, Cain's HTTPS sniffer works in FULL-DUPLEX CLIENT-SIDE STEALTH mode. Both server and client traffic is decrypted, and if spoofing is enabled the sniffer's IP and MAC addresses are never exposed to the victim. Try a "netstat -an" on the client to check for yourself.

Q: Is DNS spoofing required for Cain's HTTPS sniffer?

A: No. The only requirement is a Man-in-the-Middle condition that can be achieved with APR.

Q: After recording an RTP session, the VoIP sniffer says "unable to convert" and the WAV file is not saved. Why?

A: The sniffer does not support the codec used in that RTP session.