Time
21 minutes
Difficulty
Intermediate

Video Transcription

00:05
the low side, where in some Welcome back to breaking stuff with Joe. I'm your eponymous host, Joe Perry, and you're watching the series with an actual dragon tattoo. That joke wasn't funny the first time I told him. You know what they say? The secret to a good joke is repetition.
00:19
So we're going to keep trying and eventually someone will laugh. And it will justify all of the stupid jokes I have made so far.
00:25
Today's video I'm very excited to be doing. It's about a tool or a set of tools called Cain and Abel. Now, if you're like me, you may have once believed that can enable was nothing but an allegory about the fact that God is not a vegetarian.
00:38
Slightly joking. Maybe a lot of joking more seriously, If you're like me, you may have Once not the candy was just another password cracking utility, and if it were, then this probably wouldn't be worth you know, its own video, since we just did John the Ripper not too long ago. The reason why can't unable to such a cool tool and the reason why I wanted to spend some time on it,
00:57
is that it's actually much more than just a basic packs password cracker.
01:00
It implements some really interesting theories and some really cool strategies. I don't want to take a little bit of time to talk about. So again, this video is gonna be about Cain, Abel. We're gonna have to primary objectives. First, we're gonna understand what the tools are and how they work. It's what they do under the hood there different features and functionalities. The second
01:18
we're actually going to have this is very exciting for me. We actually have a lab, a cyber score lab
01:23
who stood on the side, Marie website that's accessible to all over inside of pros and Oliver Enterprise customers and anybody who has access to the lab material.
01:32
And you're actually gonna be able to work alongside in real time as I work through the Cain and Abel section of our password cracking lab. So it's very exciting for me. I think it's gonna be a cool option where you can listen this video and you can work alongside it and really gain that
01:45
practical skill, that practical knowledge in real time. So I'm looking forward to that, and that's gonna be coming at the end of this video after the presentation portion. So again, I'm just thrilled to have you here. Thank you for joining us on breaking stuff with Joe. And I look forward to seeing you and the rest of the course. All right, so here you can see we have our presentation set up with the two tools. Cain and Abel
02:06
Kane is the first we're gonna talk about, and it consists of a lot of different parts. Actually, came is a pretty massive set of tools, techniques and ideas. So we're not going to spend time to go through every single one of its 15 plus methodologies, or it's it's different tools. Instead, we're gonna focus on three of what I think are its core features. The first is the remote registry.
02:24
The second was that password cracker, and the third is the sniffer.
02:28
So the remote registry is a really interesting tool which allows you to modify registry values over the network. Now, this is extremely valuable. When you're performing security analysis, when you're performing pen testing where you're breaking into a system because on windows the registry is king it overseas,
02:46
everything that happens, it is this massive
02:49
just spinal column of the Windows operating system. And importantly, when we're talking about a password cracking utility, which is fundamentally at its core, what cane enable is the registry is extremely important because it contains all sorts of security information and configuration, information and data that is going to be useful
03:07
when we start actually performing this, this password cracking
03:09
so they're registered a remote registry. The ability to actually mess with that registry over the network and to evaluate it and see what's in it is just incredibly powerful and incredibly useful.
03:21
Next you'll want to talk about is the password cracker. Now. We talked about Pastor cracking sort of the concepts of it when we were talking about John the Ripper in the very first video. But to kind of refresh those and to address them again, Brute force is the idea of intuitively trying every single possible combination of characters until such time as you reach the correct hash.
03:39
It will eventually break every possible password because it will eventually try every possible hash.
03:46
What's important about that is that the word eventually in that sentence can mean an incredibly long time in some cases with truly secure passwords and truly well designed systems. The heat death of the universe is likely to come before we get to that particular eventuality. Now again,
04:04
all of that being said, generally speaking, people's passwords aren't quite heat death of the universe impressive,
04:11
so you're much more likely to break it before that. But it can be, and in some cases has been on the order of months or years. As I'm sure some executives at a cyber, a crypto currency firm, would be unhappy to inform you. Sometimes the only option is to crack someone's password, no matter how long it's going to take.
04:30
The second type of attack that we're going to discuss real quick is dictionary attack now in John the Ripper. We call that award list, but it's the same general idea of just collecting. You know some number of extremely common or reasonably common passwords and words that are used that are then used to hash and test those ashes against
04:49
the operating system are against the hash file or whatever you have,
04:53
so dictionary attacks tend to be much faster if your if your word is in the dictionary, it's just a matter of time until the cracker gets to that level or gets to that point. That said, it's not as extensive if it's not in the dictionary or if it's not a mangled version of something in the dictionary
05:10
than a dictionary, just simply can't find that password and will not successfully crack it.
05:15
So it is worth noting that the brute force is potentially infinitely slower. It is also much more likely to succeed, and dictionaries do have their own limitations
05:24
Now. The third method here isn't exactly like anything we talked about in John the Reboot, although there are some similar theories behind two, this is is called crypt analysis, and basically it's the application of of mathematical algorithms and a certain sort of behavioral heuristics toward passwords. You know, in the same way that John the Ripper
05:42
first attempts to use passwords based on your home directory and your full name, your username and things like that.
05:46
Similarly, crypt analysis is based on identifying behavioral quirks and identifying sort of fundamental or procedural weaknesses in the creation and storage of passwords, so that instead of trying to crack the password by just guessing it, it cracks the password by making sort of
06:04
more educated, I guess. Still, guess what much were educated guess
06:09
and giving a better chance of cracking that password without just repeatedly trying different options.
06:14
Now the third, functionally the third capability of John of John obtained that I want to talk about in this video is the sniffer now the packet sniffer for Cain and Abel. For those you don't know what a packet sniffer is actually back up just a little bit. It's a really useful utility that allows you to read Internet Trafficker, read network traffic off the wire so it captures. It
06:34
captures packets,
06:35
and it presents those packets to you as data streams or a streams of information that you can then use to read or even reconstitute network traffic. Now Kane's packet sniffer. If you're just looking for a packet sniffing utility, is probably not gonna be your go to. It's not bad, but it lacks a lot of the professional features of something like wire shirt.
06:55
Now the reason for that is because, and it's talked about on the oxen site,
06:59
by the way, the download link will be included on our supplemental material, but The reason why this sniffer isn't really is Robustas others is because all the sniffer is four with cane is password cracking. So this is taking advantage of
07:13
when passwords or passed over the network or when they're calling response, actually challenge response actions when tokens were being handed across the wire.
07:19
What Cane is actually doing here is it's monitoring network traffic and looking for specific behaviors and specific signatures that will allow it to identify your password or gain more information for crypt analysis of your password completely based on network traffic, which I find absolutely fascinating. The idea that it's just using this network trafficking network behavior
07:40
and it's actually using that
07:41
to dramatically augment its ability to crack your passwords that may just be sitting on disc is just to me, absolutely mind blowing.
07:48
So that's cane. Like I said, it does have other utilities, and in our supplemental materials we will include the help manuals from the website. So I do highly recommend you spend a little bit of time perusing those because there's a bunch more that cane conduce do that. We just simply don't have that kind of time to get into in a 20 to 30 minute video
08:05
that said the next Well, I wanna look at very quickly is obviously able
08:09
now. Abel has a few different functions with one that's truly relevant to us right now is the one that is displaying on your screen. And that function is actually a remote, A remote command prompt into your target system so able is capable of get sending you back a terminal a control. Utter a command line
08:30
that is at the local system privilege level, which is the highest level of privilege that you can get on a given machine.
08:37
You're operating with the same level of privilege as the network drivers. As the colonel drivers as the operating system itself, you have essentially limitless capacity to inflict damage. Now it is worth noting in this screen you see that it's starting a Windows X P box.
08:54
It is true that a lot of cane enables tactics are focused on things like NTL M, which is not an outdated but an older version of Windows security. Excuse me, Cough there. Uh huh. And a new older version of Windows Security. Now it's using Kerberos s o. It is true that Cain and Abel is not gonna be as
09:13
robust or as effective against the more modern systems.
09:16
However, it's still worth using its worth learning about because of the fact that Aton of organizations, a ton of networks still have legacy systems still have older systems attached to that network in some way. You know, it's 2019 and I Still, every time I look
09:31
at an organizational network, I'm willing to bet you I can find at least one X p blocks
09:35
plugged in. Someone has forgotten about it. Just sort of the nature of the beast with networks growing is suddenly and rapidly as they do so, it's still worth using these tools, even if they don't necessarily always have material for the most recent password invitations. You can still find a lot of cases, a lot of use cases and a lot of dangers on the target system.
09:54
That candidate will help you exploit.
09:58
So those are the two tools Cain and Abel. That's sort of our presentation section of this video for the rest of the time. On this video, you're gonna get tau watch and hopefully work alongside as I go through the absolutely spectacular cyber score lab that's gonna teach us had a better use. Cain and Abel.
10:16
All right, So you can see now with a little bit of cross fading, a little bit of movie magic. I have navigated my way to the cyber, a website. To get to where we're going to need to start in order to look for this lab, you just want to navigate right up here to cyber re dot it slash catalog. And then down here in our search bar, we're just gonna type the phrase Cain and evil,
10:37
and you'll see that right away the first thing that pops up, the only thing that pops up is this cyber scorecard of this lab here. This is actually using both John the Ripper and Cain and Abel in order to crack passwords. So we're gonna be able to use that. You could come back and use the John the Ripper section of this lab later on. Kind of down the road,
10:54
you'll be able to, you know, after we finished going through Cain and Abel in this video,
10:58
you could just hang out in this lab and finish up the John the Ripper stuff as well, and see how much you remember from our previous video on that particular tool. Now, the lab environments getting built, it doesn't take terribly long. It says 20 seconds on the screen. I've generally found that it usually takes closer, maybe five or 10. That's just gonna depend on you know, that your personals
11:18
situation, when you're logging on,
11:18
I tend to do most of my recording in the middle of the night. It's currently just about midnight here near Washington D. C. So there's pretty much nobody logged down, and it makes it very easy to log it to get into my machine very quickly. So here you can see John the River and Windows is the first thing that pops up. Because John the Ripper and Windows is the first part of this lab.
11:37
We're not gonna worry about that right now. We're gonna skip ahead to Cain and Abel on windows,
11:41
where you see what the first task is for that now, you could see your encouraged to explore forward, but be sure to click down when you complete a task. Totally fine. No worries there. So
11:50
next we'll use Cain and able to crack the same password, dump, text file, Open up the tools and run, Kane. Well, obviously, the first thing we want to do is log into this machine. So we're gonna step back just a little bit and see what our user name and password our user name is gonna be administrated, which we see is already there. Password is gonna be the highly sicker, highly secure
12:09
P at S s W o W zero r d'q that'll Laugesen
12:16
There we go. You can go back the way John the Ripper, and we're gonna move the Cain and Abel. All right, So open Cain and Abel.
12:22
Fair enough. Let's open up tools. That's not tools. This is tools right here.
12:28
DoubleClick that You could see that we have cane.
12:31
We're gonna run cane from this directory,
12:33
See what pops up.
12:35
All right, so this is what you probably remember from those from that presentation. This is just the the initial use of cane. That's what happens when you first load it up.
12:43
Next thing we're gonna be doing, we're gonna be attempting to crack in the hash values of the passwords for the user accounts in the windows. That text file. So the first thing we want to do there obviously is. We're gonna navigate our way to this cracker tab, find L m and N T l M hashes, which should be the first item. And we're going to click the blue
13:03
plus icon once we clicked that you'll see a blue plus icon light up.
13:05
And you can use that to bring up this window.
13:11
Next, we're going to click on the import hash is from a text file, which it may be a little bit hard to see in C is right there
13:20
and we're going to hit the brows. But which is this little ellipsis box here?
13:26
And of course, the first thing that comes up because this is pre configured to make life a little bit easier on us. We're going to open windows, not text, and then we're gonna hit the next button.
13:35
Once we've done that,
13:37
you see this little error message or this little warning message pops up here? Which users have the same lm hatches? We see that Jane and Joey
13:46
spend that just a little bit. Jane and Joey have identical lm hashes. That's very valuable to us.
13:52
That's very useful information because it suggests they might just have the same password.
14:01
So our next thing here, we're gonna look at the NT hash is now we're gonna do the same thing. We're gonna expand the NT hash, call them here,
14:07
and we're gonna look and see
14:09
the accounts. I had the same lm hashes have different anti hashes. So why might this be? Why why would it be? They have the same of one hash, but not the other.
14:18
That's because windows right here, as you can see in the health message that pops out, does not utilize salting. Now, salted for those you don't know is a method of attaching some piece of random or semi random information to a password before computing. So sometimes you might use a random number. Is it indicates on on this lab.
14:37
Sometimes it uses the person's user name
14:39
sometime that uses some special cryptographic ce flag. Your signature that the site has The general idea is it's going to you're gonna want it to be some kind of randomized, uh,
14:50
so because of the fact that if you're using a repeated salt, that could very easily be accounted for and kind of ruin the purpose of salting.
14:58
So what's really cool about using salting is that says, here on the lab, two identical passwords could have different hash values.
15:09
So then I said, we're gonna do here our next task. What? Gotta close that box.
15:16
There we go.
15:18
Next thing we're gonna do here is gonna select the dictionary attack for a selective account. So we're just gonna highlight all of these usernames, right? Click them and you see the first of the pops up his dictionary attack against LM hashes.
15:30
Fantastic. Now we want at a password list of this, and so we're just gonna want to right click anywhere in this dictionary area, and we're gonna select at list. Then we're gonna move over to where? In the same project we have
15:43
John the Ripper, where a word list is being stored currently.
15:54
And what's
15:56
in John the Ripper were in run.
16:07
So what we want to do is we want to import the password dot l s t file.
16:12
So right now it's just showing the dot t x t
16:17
for the file name we should be able to do. Just star l S t. And there you go. We'll see that appeared. Sorry, I got a little bit confused myself because I realize that this dot text field was unchangeable. So, yes, we type in our asterisk, not LSD. And the password got LSD. File will come up,
16:33
and then we're just going to double click on that or click Click on open. Now we hit. Start,
16:40
and it's gonna run. It's gonna run relatively quickly. It's not gonna take a terribly long time to catch a little these positions here. You can see it. Finished cracking. Two of these hash is almost instantly. The plain text of this hash is password. And the plain text of this hash is actually also password
17:00
and we can see down here. If you click this again, it will show you
17:04
Those are the correct password that were cracked. We did everything right. Fantastic.
17:10
Next you want to do is try using a brute force attack. So this time
17:14
we're not going to target. All of them were just gonna target Jame,
17:18
Joey
17:19
and Andy.
17:22
And they were just gonna right click
17:23
and select the brute force.
17:26
And we're going to pick the N t l m.
17:33
Now, here's where you have a pretty useful pull this upload what? We would see all of it. Here. We have a pretty useful ability where you can actually make some specific changes and define the characteristics that are being looked for in this brute force attack. So I mentioned the brute force attacks will target every possible combination.
17:49
It is still true that you can configure depending on what system you're using, what tool you're using.
17:55
You can configure your brute force attack to use specific password lengths to use specific character options so that even though you're targeting every possible combination, if you know for one reason or another that certain combinations aren't possible, you're not wasting your time calculating those so change the minimum and massive maximum password lengths to eight.
18:14
So we know that whoever this is has an eight character password.
18:19
There you go. And then we're gonna type in a password to the start from field.
18:26
Oh,
18:26
people are not screwing on there. You type in a password to the start from field, and I noticed here this key space number that keeps changing that is an indicator of your in your brute force. This is the number of possible combinations based on the information you give him.
18:41
So select the pre defined character set as the one with the upper case, lower case numbers and special characters. Here you can see we have a bunch of different options, and down here at the very bottom, we have uppercase, lower case numbers and special characters.
18:57
Second from last option, I apologize,
19:00
and then we're going to hit the start,
19:03
and it's going to start calculating now. This is gonna take a while. When those pastors air finally cracked, you will see the proper cases shown on that's gonna be important in just a minute when we talk about it. But you can see here this actually recommends you give it 10 minutes and see how many of the passwords have been cracked. So just like we did with the John the Ripper video, when we're playing with that wordless,
19:22
we're gonna go ahead and performs a movie magic for you
19:26
and sneak out before I go, though I do just want indicating the other three fields shows you the current password that's being tried. The key rate, how many passwords per second you can see is a massive number about eight and 1/2 1,000,000 passwords for second and fantastically, That means that at our current rate, we will have exhausted all possibilities in just over
19:45
four years.
19:47
Hopefully, it doesn't take quite that long, or I'm going to miss the deadline for this video very dramatically. I'll see you back here in just about 10 minutes.
19:56
Okay? And a little bit of time has passed. You're about 10 15 minutes or so, and we're gonna go ahead and stop a brute force attack and we can look up here. We can actually see, uh, under NT password. We've actually not cracked anything new, and this is kind of an interesting detail. What's kind of cool about the way this tool works
20:15
is that actually
20:15
what was being demonstrated here is that it doesn't necessarily work in terms of brute force is fast or even is close to us fast as it might work, using a dictionary or rainbow tables or any sort of crypt analysis. So we let our our brute force run for about 15 20 minutes.
20:34
It did not crack any of the new passwords.
20:37
But what's really cool
20:38
about this is it for those of you who are playing along those were working along. It's entirely possible that it did work for you because of the random reading or the pseudo random nature of the way this tack isn't is played out.
20:52
So that is going to be the end of this video. A slightly anti climactic end. But that's OK because we did get those passwords when we're cracking them from the LM Hash is so I don't feel too bad about it. Uh, again, I just want to thank all of you for watching this video. I hope you find Cain and Abel to be interesting tools.
21:08
I hope you enjoyed going through this lab and that you spend a little bit of time going through the John the Ripper sections
21:14
that are both before and after the cane enable sections.
21:18
I just want to thank you all for watching this video again. My name is Joe Perry. You're watching breaking stuff with Joe. You're on cyber eri on demand that I will see you back in our next video

How To Use Cain & Abel (BSWJ)

Cain and Abel is specifically designed to target Windows systems and is capable of gathering data from a remarkable array of sources to enable its mission.

Instructed By

Instructor Profile Image
Joe Perry
Senior Technical Instructor at FireEye, Inc
Instructor