You should have Cain & Abel in your security toolbox

A look at Cain & Abel--a free password cracking and security tool that can come in handy for IT admins.
  • Tony Bradley (PC World (US online))
  • — 17 December, 2012 21:23

Theres a sort of cruel irony to passwords. The legitimate passwords people need to use to access crucial applications or data are often forgotten, and yet the bad guys seem to be able to crack passwords without breaking a sweat. Thankfully, theres a free tool available that can help you in either of these casesCain & Abel.

What is Cain & Abel? Its described as a Windows-based password recovery tool, but it does much, much more than just password recovery. The software can capture and monitor network traffic for passwords, crack encrypted passwords using various methods, record Voice over IP (VoIP) conversations, recover wireless network keys, and more.

If youve forgotten a crucial password, and dont have any password reset capability in place, you can use Cain & Abel to try and crack the password for you. Cain & Abel can perform a dictionary attackessentially trying every word in the dictionaryto guess the password. It can also do a brute force attack, which attempts every possible combination of uppercase and lowercase letters, numbers, and symbols until it finds the right one, or cryptanalysis attacks that attempt to circumvent password encryption techniques. It could take hours, or possibly days, but given enough time Cain & Abel should be able to recover the password for you.

Theres another way to put a tool like Cain & Abel to use for password security. You can run Cain & Abel against your password database to test the strength of your password policies. You might have a password policy in place, but youd be surprised how easily some passwords that meet the password policy requirements can be cracked.

In one security assessment I participated in, the client had given us network access that allowed us to access the SAM (Security Account Manager) database, which stores all of the hashed passwords of users. The client had a reasonably strict password policy that met or exceeded the best practice guidelines at the time. But, we ran Cain & Abel against the SAM file, and within a couple of hours we were able to successfully crack most of the passwordsincluding the passwords of executive managers.

Cain & Abel does not exploit vulnerabilities to crack passwords. It simply takes advantage of weaknesses in general operating system security, network protocols, authentication methods, and caching mechanisms.

The latest version is capable of analyzing encrypted network traffic such as SSH-1 or HTTPS, and has a new feature called APR. APR stands for ARP (Address Resolution Protocol) Poison Routing, and enables Cain & Abel to sniff traffic on switched LANs, or simulate MitM (Man-in-the-Middle) attacks.

Cain & Abel is a useful, valuable security tool, and you cant beat the priceits free. The developers do warn that there is a possibility that the software could cause damage or loss of data, and they assume no liability. Basically, you get what you pay for, but mature tools like Cain & Abel have been tested and refined over time, and the risk is probably not any greater than with any commercial software product.

Cain & Abel could potentially be used by attackers, but it was developed as a security tool. Illegal activity using Cain & Abel is neither supported nor condoned by its developers.

Tags: passwords, security, business security

Fake-police ransomware reaches Australia

Comments are now closed.
CSO Corporate Partners
  • Webroot
  • Trend Micro
  • NetIQ
rhs_login_lockGet exclusive access to CSO, invitation only events, reports & analysis.
CSO Directory

Business Continuity Management Solutions

Automate business-continuity and disaster-recovery planning and enable crisis management in one solution.

Latest Jobs
Security Awareness Tip

Incident handling is a vast topic, but here are a few tips for you to consider in your incident response. I hope you never have to use them, but the odds are at some point you will and I hope being ready saves you pain (or your job!).

  1. Have an incident response plan.

  2. Pre-define your incident response team 

  3. Define your approach: watch and learn or contain and recover.

  4. Pre-distribute call cards.

  5. Forensic and incident response data capture.

  6. Get your users on-side.

  7. Know how to report crimes and engage law enforcement. 

  8. Practice makes perfect.

For the full breakdown on this article

Security ABC Guides

Warning: Tips for secure mobile holiday shopping

I’m dating myself, but I remember when holiday shopping involved pouring through ads in the Sunday paper, placing actual phone calls from tethered land lines to research product stock and availability, and actually driving places to pick things up. Now, holiday shoppers can do all of that from a smartphone or tablet in a few seconds, but there are some security pitfalls to be aware of.