All About HackingBlackhat Hacking ToolsCracking toolsHacking coursesMore Hacking Tools

Password cracking using Cain & Abel 2023

Today we will learn Password cracking using Cain & Abel in this articl.

Password cracking using Cain & Abel

According to the official website, Cain & Abel is a password recovery tool for Microsoft operating systems. It enables easy recovery of various kinds of passwords by scanning the network, breaking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding encrypted passwords, recovering wireless network keys, revealing password boxes, revealing cached passwords and routing analysis. protocols.

The latest version is faster and includes a lot of new features such as APR (ARP Poison Routing) which enables sniffing on switched LANs and Man-in-the-Middle attacks. The sniffer in this release can also analyze encrypted protocols such as SSH-1 and HTTPS, and includes filters to capture credentials from a variety of authentication mechanisms. The new version also delivers routing protocol authentication monitors and routing extractors, dictionaries and brute-force crackers for all common hashing algorithms and for several specific authentications, password/hash calculators, cryptanalysis attacks, password decoders, and some not-so-common networking and security tools system.

Who should use this tool?

Cain & Abel is a tool that will be quite useful for network administrators, teachers, professional penetration testers, security consultants/professionals, forensics and security software vendors.


The system requirements needed to successfully set up Cain & Abel are:

  • At least 10 MB of hard disk space
  • Microsoft Windows 2000/XP/2003/Vista operating system
  • Winpcap Packet Driver (v2.3 or higher)
  • Airpcap Packet Driver (for passive wireless WEP sniffer / cracker)


First we need to download Cain & Abel, so go to the download page

After downloading it, just run the self-installing executable package and follow the installation instructions.

Cain’s features

Here is a list of all the Cain features that make it a great network penetration testing tool:

Protected Storage Password ManagerCredential Manager Password Decoder
LSA Secrets DumperDialup Password Decoder
Service ManagerAPR (ARP Poison Routing)
Route Table ManagerNetwork Enumerator
SID ScannerRemote Registry
SnifferRouting Protocol Monitors
Full RDP sessions sniffer for APRFull SSH-1 sessions sniffer for APR
Full HTTPS sessions sniffer for APRFull FTPS sessions sniffer for APR
Full POP3S sessions sniffer for APRFull IMAPS sessions sniffer for APR
Full LDAPS sessions sniffer for APRCertificates Collector
MAC Address Scanner with OUI fingerprintPromiscuous-mode Scanner
Wireless ScannerPWL Cached Password Decoder
802.11 Capture Files DecoderPassword Crackers
Access (9x/2000/XP) Database Passwords DecoderCryptanalysis attacks
Base64 Password DecoderWEP Cracker
Cisco Type-7 Password DecoderRainbowcrack-online client
Cisco VPN Client Password DecoderEnterprise Manager Password Decoder
RSA SecurID Token CalculatorHash Calculator
TCP/UDP Table ViewerTCP/UDP/ICMP Traceroute
Cisco Config Downloader/Uploader (SNMP/TFTP)Box Revealer
Wireless Zero Configuration Password DumperRemote Desktop Password Decoder
MSCACHE Hashes DumperMySQL Password Extractor
Microsoft SQL Server 2000 Password ExtractorOracle Password Extractor
VNC Password DecoderSyskey Decoder

MAC: (from Wikipedia) “A Media Access Control address (MAC address) is a unique identifier assigned by a network interface for communication on a physical network segment. MAC addresses are used for a number of network technologies and most IEEE 802 network technologies, including Ethernet. MAC addresses are logically used in the Media Access Control protocol sublayer of the OSI reference model.

MAC addresses are most often assigned by the network card (NIC) manufacturer and are stored in its hardware, in the card’s read-only memory, or in some other firmware mechanism. If a MAC address is assigned by the manufacturer, it usually encodes the manufacturer’s registered identification number and may be referred to as a burned-in address. It may also be known as an Ethernet hardware address (EHA), hardware address, or physical address. A network node can have multiple NICs and then will have one unique MAC address per NIC.

Sniffing: (from Wikipedia) “A packet analyzer (also known as a network analyzer, protocol analyzer, or packet sniffer, or for certain types of networks an Ethernet sniffer or wireless sniffer) is a computer program or piece of computer hardware that can capture and log traffic passing through a digital network or parts of the network. As data flows through the network, the sniffer captures each packet and, if necessary, decodes the raw data of the packet, displays the values ​​of various fields in the packet, and analyzes its contents according to relevant RFCs or other specifications.

ARP (from Wikipedia) “Address Resolution Protocol (ARP) is a telecommunications protocol used to resolve network-layer addresses to link-layer addresses, a critical function in multi-access networks. ARP was defined by RFC 826 in 1982. It is the Internet standard STD 37. It is also the name of the program for manipulating these addresses in most operating systems.”


Now after launching the application we need to configure it to use the appropriate network card. If you have multiple network cards, it is better to know the MAC address of the network card you will use for the sniffer. To get the MAC address of your network interface card, do the following:

  • 1- Open CMD prompt.
  • 2- Type the following command “ipconfig /all”.
  • 3- Determine the MAC address of the required Ethernet adapters, write it down in a notepad, and then use this information to determine which network card to select in Cain.
  • Now click on Configure in the main menu. A configuration dialog will open where you can select the desired network interface card.

Now let’s go through the configuration dialog tabs and briefly look at most of them:

Sniffer tab:

This tab allows us to specify which Ethernet card we will use for sniffing.

ARP tab:

This tab allows us to configure ARP poison routing to perform an ARP poisoning attack that fools the victim’s computer by impersonating other devices to get all the traffic that belongs to that device, which is usually a router or an important server.

Filters and Ports tab:

On this tab are the most standard services with the default port running. You can change the port by right-clicking on the service whose port you want to change, then enable or disable it.

Cain sniffer filters and application protocol TCP/UDP port.

HTTP field tab:

There are some Cain features that analyze the information from websites viewed by victims, such as LSA Secrets dumper, HTTP Sniffer, and ARP-HTTPS, so the more fields you add to the username and password fields, the more HTTP usernames and passwords you can capture. from HTTP and HTTPS requests. Here is an example:

The following cookie uses the fields “logonusername=” and “userpassword=” for authentication purposes. If you do not include these two fields in the list, the sniffer will not get the relative credentials.

GET /mail/Login?domain=xxxxxx.xx&style=default&plain=0 HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, app/, app/, app/msword, app/x-shockwave-flash, */ *

Referer: http://xxx.xxxxxxx.xx/xxxxx/xxxx

Accept-Language: it

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; (R1 1.3); .NET CLR 1.1.4322)

Host: xxx.xxxxxx.xx

Connection: Keep-Alive

Cookie: ss=1; [email protected]; ss=1; srclng=it; srcdmn=it; srctrg=_blank; srcbld=y; srcauto=on; srcclp=on; srcsct=website; userpassword=password; video=c1; TEMPLATE=default;

Traceroute Tab:

Traceroute is a technique to determine the path between two points by simply counting how many hops a packet takes from the source computer before reaching the destination computer. Cain also adds additional features that enable hostname resolution, netmask resolution, and Whois information collection.

Certificate spoofing tab:

This card will allow certificate forgery. From Wikipedia:

“In cryptography, a public key certificate (also known as a digital certificate or identity certificate) is an electronic document that uses a digital signature to associate a public key with an identity—information such as a person’s or organization’s name, their address, and so on. The certificate can be used to verify that the public key belongs to an individual.

In a typical Public Key Infrastructure (PKI) scheme, the signature will be a Certificate Authority (CA). In a trust scheme, the signature is either a user (self-signed certificate) or other users (“attestation”). In both cases, the signatures on the certificate are confirmation by the signer of the certificate that the identity information and the public key belong together.

We can simply think of it as some kind of data (cipher sets and public key and some other information about the owner of the certificate) that contains information about the target server and is encrypted by trusted companies (CAs) that are authorized to create them. data types. The server sends its own certificate to the client application to make sure it is communicating with the correct server.Also read:An Evolution of MBR and VBR Infection Techniques : 0lmasco

Certificate Collector tab:

This tab will collect all certificates back and forth between servers and clients by setting proxy IPs and ports they listen on.

Challenge spoofing tab:

Here you can set a custom challenge value to override in NTLM authentication packets. This feature can be quickly activated from Cain’s toolbar and must be used with APR. A fixed challenge allows cracking of network-captured NTLM hashes using Rainbow Tables.

Password cracking

Now it’s time to talk about the cracker card, the most important feature of Cain. When Cain captures some LM and NTLM hashes or any kind of passwords for any supported protocol, Cain automatically sends them to the Cracker tab. We will import a local SAM file for demonstration purposes only to illustrate this point. Here’s how to import a SAM file:

Here are the 4 NTLM and LM hashes which will appear like the following image:

And here you will find all possible password techniques in the following image:

As you can see from the previous image, there are various types of techniques that are very effective in password cracking.We will look at each of their definitions.

Dictionary attack:

From Wikipedia: “A dictionary attack uses a targeted technique of sequentially trying all the words in an exhaustive list called a dictionary (from a pre-prepared list of values). Unlike a brute-force attack, where a large portion of the key space is systematically searched, a dictionary attack tries only those options most likely to succeed, typically derived from a list of words, such as a dictionary (hence the phrase dictionary attack). In general, dictionary attacks are successful because many people tend to choose passwords that are short (7 characters or less), single words found in dictionaries, or simple, easy-to-predict variations of words such as appending a digit. However, they are easily defeated. Adding a single random character in the middle can make dictionary attacks unsustainable.”

Assault with brute force:

From Wikipedia: “In cryptography, a brute-force attack or exhaustive key search is a cryptanalytic attack that can theoretically be used against any encrypted data (except data encrypted in a theoretically secure manner). Such an attack can be used when it is not possible to exploit other weaknesses in the encryption system (if any) that would facilitate the task. It consists in systematically checking all possible keys until the correct key is found. In the worst case, this would mean traversing the entire search space.

The length of the key used in the cipher determines the practical feasibility of performing a brute force attack, with longer keys being exponentially more difficult to crack than shorter ones. A cipher with a key length of N bits can be broken in the worst case in a time proportional to 2N and an average time in half. Brute-force attacks can be made less effective by obfuscating the data to be encrypted, making it difficult for an attacker to recognize when they have cracked the code. One measure of the strength of an encryption system is how long it would theoretically take an attacker to perform a successful brute force attack against it.”

Cryptanalysis attack (using Rainbow Table):

From Wikipedia: “A rainbow table is a precomputed table for inverting cryptographic hash functions, usually for cracking password hashes. Tables are usually used when recovering a password in plain text format up to a certain length consisting of a limited set of characters. It is a practical example of a space-time trade-off where more computer processing time is used at the cost of less storage in computing the hash on each attempt, or less processing time and more storage compared to a simple one-entry-per-hash lookup table. . Using a key derivation function that uses a salt makes this attack infeasible. Rainbow tables are a refinement of Martin Hellman’s earlier, simpler algorithm.”

How to make a rainbow table?

There are many tools that create a rainbow table, and many rainbow tables are already available on the Internet. Fortunately, Cain comes with a tool called winrtgen, located in its own installation folder.

You will need to choose ahash algorithm, minimum andmaximum length of password, and finally the charset that the password will use.Then press OK.


Cain and Abel is a powerful tool that does a great job of cracking passwords. It can crack almost all kinds of passwords and it’s usually only a matter of time before you get it.





Leave a Reply

Your email address will not be published. Required fields are marked *