You should have Cain & Abel in your security toolbox
By Tony Bradley, PCWorld, Dec 17, 2012 10:50 am PST
There’s a sort of cruel irony to passwords. The legitimate passwords people need to use to access crucial applications or data are often forgotten, and yet the bad guys seem to be able to crack passwords without breaking a sweat. Thankfully, there’s a free tool available that can help you in either of these cases—Cain & Abel.
What is Cain & Abel? It’s described as a Windows-based password recovery tool, but it does much, much more than just password recovery. The software can capture and monitor network traffic for passwords, crack encrypted passwords using various methods, record Voice over IP (VoIP) conversations, recover wireless network keys, and more.
If you’ve forgotten a crucial password, and don’t have any password reset capability in place, you can use Cain & Abel to try and crack the password for you. Cain & Abel can perform a dictionary attack—essentially trying every word in the dictionary—to guess the password. It can also do a brute force attack, which attempts every possible combination of uppercase and lowercase letters, numbers, and symbols until it finds the right one, or cryptanalysis attacks that attempt to circumvent password encryption techniques. It could take hours, or possibly days, but given enough time Cain & Abel should be able to recover the password for you.
There’s another way to put a tool like Cain & Abel to use for password security. You can run Cain & Abel against your password database to test the strength of your password policies. You might have a password policy in place, but you’d be surprised how easily some passwords that meet the password policy requirements can be cracked.
In one security assessment I participated in, the client had given us network access that allowed us to access the SAM (Security Account Manager) database, which stores all of the hashed passwords of users. The client had a reasonably strict password policy that met or exceeded the best practice guidelines at the time. But we ran Cain & Abel against the SAM file, and within a couple of hours we were able to successfully crack most of the passwords—including the passwords of executive managers.
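A password can satisfy a complexity policy and still be one small step away from a dictionary word, which is why policy-compliant passwords fall to dictionary attacks. The Python code below is an added example, not part of the original article or of Cain & Abel, showing a check that can run when a password is set; the policy rules, the small wordlist and all function names are assumptions constructed for illustration.

```python
import re

# Constructed sample wordlist; a real audit would load a large dictionary file.
WORDLIST = {"password", "welcome", "summer", "dragon"}

# Common look-alike substitutions, mapped back to the letters they replace.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

def meets_policy(pw, min_len=8):
    """Assumed policy: minimum length plus all four character classes."""
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return len(pw) >= min_len and all(re.search(c, pw) for c in classes)

def base_word(pw, wordlist=WORDLIST):
    """Return the dictionary word pw reduces to, or None if there is none."""
    lowered = pw.lower()
    cores = (
        re.sub(r"[^a-z]+$", "", lowered),           # drop a trailing "2012!"
        re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered),  # drop padding on both ends
    )
    for core in cores:
        for candidate in (core, core.translate(LEET)):
            if candidate in wordlist:
                return candidate
    return None

def audit(passwords, wordlist=WORDLIST):
    """Classify each candidate password against the policy and the wordlist."""
    report = {}
    for pw in passwords:
        if not meets_policy(pw):
            report[pw] = "rejected-by-policy"
        elif base_word(pw, wordlist):
            report[pw] = "compliant-but-dictionary-based"
        else:
            report[pw] = "no-dictionary-base-found"
    return report

if __name__ == "__main__":
    # Constructed candidates, not real credentials.
    samples = ["summer", "Summer2012!", "P@ssw0rd1!", "vT9#qLm2&xRp"]
    for pw, verdict in audit(samples).items():
        print(f"{pw:14} {verdict}")
```

A "no-dictionary-base-found" verdict only means this wordlist and these few transformations found nothing; it is not a measure of strength on its own.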
Cain & Abel does not exploit vulnerabilities to crack passwords. It simply takes advantage of weaknesses in general operating system security, network protocols, authentication methods, and caching mechanisms.
The latest version is capable of analyzing encrypted network traffic such as SSH-1 or HTTPS, and has a new feature called APR. APR stands for ARP (Address Resolution Protocol) Poison Routing, and enables Cain & Abel to sniff traffic on switched LANs, or simulate MitM (Man-in-the-Middle) attacks.
Cain & Abel is a useful, valuable security tool, and you can’t beat the price—it’s free. The developers do warn that there is a possibility that the software could cause damage or loss of data, and they assume no liability. Basically, you get what you pay for, but mature tools like Cain & Abel have been tested and refined over time, and the risk is probably not any greater than with any commercial software product.
Cain & Abel could potentially be used by attackers, but it was developed as a security tool. Illegal activity using Cain & Abel is neither supported nor condoned by its developers.