- Added Windows Vault Password Decoder.
- Added Windows 8 support in LSA Secret Dumper.
- Added Windows 8 support in Credential Manager Password Decoder.
- Added Windows 8 support in EditBox Revealer.
- Added ability to keep original extensions in fake certificates.
- Added support for Windows 8 RDP Client in APR-RDP sniffer filter.
- Winpcap library upgrade to version 4.1.3 (Windows8 supported)
- Added Root Certificate Generator in Certificate Spoofing configuration page.
- Added experimental Certificate Injection feature to inject custom certificates into HTTPS/ProxyHTTPS responses directed to victim APR's clients.
Added Anticache option for APR-HTTPS/APR-ProxyHTTPS (touch "If-Modified-Since" and "If-None-Match" fields in HTTP headers from client).
- Added Anticompress option for APR-HTTPS/APR-ProxyHTTPS (touch "Accept-Encoding" field in HTTP headers from client).
- Added Anticompress option for APR-IMAPS (touch "COMPRESS=DEFLATE" field in capabilities from server).
- Speed improvement in Certificate Collector.
- Speed improvement in APR engine.
Speed improvement all APR-SSL sniffer filters.
- Added Automatic extraction of Subject Common Name (CN) from server certificates to be used as hostname in APR-SSL lists.
- Preservation of Subject Alternative Name extension in fake certificates.
- New Base64 Password Decoder dialog.
- OpenSSL library upgrade to version 1.0.1f.
- OUI List updated.
- Several bugs fixed.
Windows Vault Password Dumper v1.0 released. This tool uses native undocumented functions of Windows
Vault API to enumerate and extract credentials stored by Microsoft Windows Vault (eg: Internet Explorer 10 passwords).
The full source code is available in the Topics area. Binaries are available here.
v4.9.43 released - Added SAP R/3 sniffer filter for SAP GUI authentications and SAP DIAG protocol decompression.
- Added support for Licensing Mode Terminal Server connections to Windows 2008 R2 servers in APR-RDP sniffer filter. -
Added support for MSCACHEv2 Hashes (used by Vista/Seven/2008) in Dictionary and Brute-Force Attacks.
- Added MSCACHEv2 Hashes Cryptanalysis via Sorted Rainbow Tables.
- Added MSCACHEv2 RainbowTables to WinRTGen v2.6.3.
- MS-CACHE Hashes Dumper now supports MSCACHEv2 hashes extraction from Windows Vista/Seven/2008 machines and offline registry files.
- Fixed a bug (crash) in Certificate Collector with Proxy settings enabled.
v4.9.40 released - Added Proxy support for Cain's Certificate Collector.
- Added the ability to specify custom proxy authentication credentials for Certificate Collector.
- Added ProxyHTTPS Man-in-the-Middle Sniffer (TCP port 8080).
- HTTP, APR-HTTPS and APR-ProxyHTTPS sniffer filters are now separated.
- Added progress bar indicator in the off-line capture file function.
- Bug fixed in ProxyHTTPS Man-in-the-Middle Sniffer parsing "Connection Established" string.
- Bug fixed in VoIP Sniffer creating MP3 Mono files.
- Bug fixed in RTP Sniffer processing off-line capture files.
- WinRTGen recompiled with OpenSSL library version 0.9.8q.
- OpenSSL library upgrade to version 0.9.8q.
- Winpcap library upgrade to version 4.1.2.
- Added TCP/UDP Large Send Offloading status detection on Windows Vista/Seven.
- Better handling of APR-SSL MitM threads.
- Fixed a problem with APR in Windows7 causing attacker's machine to be isolated from poisoned hosts.
- Speed improvement in Credential Manager Password Decoder for x64 operating systems.
- Fixed a Cain's runtime error when SIP/RTP sniffer filter is disabled.
- SIP, MGCP and RTP sniffer filters are now separated.
- Fixed RTP sniffer filter to avoid processing Link-local Multicast Name Resolution (LLMNR) traffic on UDP port 5355.
- Fixed RTP sniffer filter to avoid processing SSDP traffic on UDP port 1900.
- Fixed RTP sniffer filter to avoid processing Multicast DNS (MDNS) traffic on UDP port 5353.
- Improved RTP protocol validation function.
v4.9.36 released - Added MP3 audio file generation in VoIP sniffer.
- Fixed Abel DLL crashes on 64-bit operating systems.
- Modified Export function to Users, Groups, Services and Shares lists with TAB separators.
- Fixed a bug in Wireless Password Decoder concerning Microsoft Virtual WiFi Miniport Adapter.
- Fixed a bug in NTLMv2 Cracker within the "Test Password" function.
- Removed "WindowsFirewallInitialize failed" startup error message if Windows Firewall service is stopped.
v4.9.35 released - Added support for Windows 2008 Terminal Server in APR-RDP sniffer filter.
- Added Abel64.exe and Abel64.dll to support hashes extraction on x64 operating systems.
- Added x64 operating systems support in NTLM hashes Dumper, MS-CACHE hashes Dumper, LSA Secrets Dumper, Wireless Password Decoder,
Credential Manager Password Decoder, DialUp Password Decoder.
- Added Windows Live Mail (Windows 7) Password Decoder for POP3, IMAP, NNTP, SMTP and LDAP accounts.
- Fixed a bug of RSA SecurID Calculator within XML import function.
- Fixed a bug in all APR-SSL based sniffer filters to avoid 100% CPU utilization while forwarding data.
- Executables rebuilt with Visual Studio 2008.
- Added Windows Firewall status detection on startup.
- Added UAC compatibility in Windows Vista/Seven.
- Winpcap library upgrade to version 4.1.1.
v4.9.31 released - SIPS Man-in-the-Middle Sniffer (TCP port 5061; successfully tested with Microsoft Office Communicator with chained certificates).
- Added support for RTP G726-64WB codec (Wengo speex replacement ) in VoIP sniffer.
- X509 certificate's extensions are now preserved in chained fake certificates generated by Certificate Collector.
- Extended ASCII characters support for SSID in Passive Wireless Scanner.
- Some bugs in Cain's Traceroute fixed.
v4.9.30 released - Added support for the following codecs in VoIP sniffer: G722, Speex-16Khz, Speex-32Khz, AMR-NB, AMR-WB.
Added Certificate Collector ability to generate self-signed or chained fake certificates.
- Added certificate format conversion function (from PKCS#12 to PEM).
- Added support for Licensing Mode Terminal Server connections in APR-RDP sniffer filter.
Added channel hopping capability on A, BG and ABG channels in Passive Wireless Sniffer.
- Added support for A channels in Passive Wireless Sniffer.
- Added automatic detection of RX/TX ABG channels for AirPcap NX adapters.
- WEP ARP Injection thread now avoid sending packets to disassociated stations.
- AirPcap library upgrade to version 4.0.0 (to support the new AirPcap NX adapters from CACE Technologies).
- Winpcap library upgrade to version 4.1 beta 5. - OpenSSL library upgrade to version 0.9.8j.
v4.9.25 released - Oracle 11g (case sensitive) Password Extractor via ODBC.
- Added Oracle 11g Password Cracker (Dictionary and Brute-Force Attacks).
- Added support for Oracle TNS 11g (AES-192) in Oracle TNS Hashes Password Cracker.
- Added support for Oracle TNS 11g (AES-192) in Oracle TNS sniffer filter.
- Experimental SQL Query tool via ODBC.
- Fixed a buffer overflow condition in Remote Desktop Password Decoder.
My paper about Oracle TNS 11g (AES-192) authentication has been added in the Topics area.
- Added LRWB-16Khz codec support in VoIP sniffer.
- Added MGCP/RTP sniffer filter. Cain can now extract SDP-RTP parameters from MGCP protocol.
- Fixed some bugs in SIP/RTP sniffer filter causing crashes while sniffing.
- All Dumper's DLL Injection functions have been rewritten to directly use undocumented ZwCreateThread
API instead of CreateRemoteThread. On XP/2003, Cain now supports passwords/hashes/secrets extraction even if executed in Terminal Server sessions.
- Fixed a bug in dictionary attack "Double" option.
- Added PPPoE sniffer filter for PAP, CHAP, MS-CHAPv1 and MS-CHAPv2 authentications.
- Added GRE/PPP sniffer filter for MS-CHAPv2 authentications.
- Added automatic translation of MS-CHAPv2 to NT-challanges in "Send to Cracker" function.
- Added support for Remote Desktop client v6 in APR-RDP sniffer.
- Added support for Oracle TNS 10g (AES-128) in Oracle TNS Hashes Password Cracker.
- Added support for Oracle TNS 10g (AES-128) in Oracle TNS sniffer filter.
Added UserField and PassField columns in HTTP sniffer list.
- Added a "Note" column in all Cracker's lists.
- Fixed a bug in offline NTLM hashes dumper when BootKey parameter is not specified.
- Fixed a bug in offline NTLM hashes dumper when LM hash is not present.
- Charset file updated to support German an Danish special characters in rainbowtables (for Cain and Winrtgen).
I just want to share results of my research on Oracle TNS (9i 3DES) and (10g AES-128) authentication. The papers can be found in the Topics area.
v4.9.15 released - Added Oracle TNS Password Cracker (Dictionary and Brute-Force Attacks for DES and 3DES hashes).
- Added Oracle TNS sniffer filter for DES and 3DES authentications.
Fixed a bug in VNC sniffer filter for new RFB protocol versions.
- Fixed a bug with TCP/UDP/ICMP traceroute and Windows raw socket error code 10022.
- Fixed a bug in RSA SecurID Calculator for keyfobs with serial numbers of more than 8 digits.
- Fixed a bug in Dictionary Attack crackers regarding mixed Hybrid and Case Permutations variants.
- Fixed a bug in challenge spoofing and NTLM downgrading when one of the victim hosts is a gateway.
- OpenSSL library upgrade to version 0.9.8h.
v4.9.14 released -
Added GRE/PPP sniffer filter for PAP, CHAP and MS-CHAPv1 (LM & NTLM) authentications.
- Added CHAP-MD5 (Dictionary and Brute-Force Attacks).
- Added sniffer analysis on GRE/PPP incapsulated traffic; MPPC compression not supported yet.
v4.9.12 released New features:
- Added Windows Vista compatibility in all APR-SSL sniffers.
- Added support for new Aircrack-ng's IVs file format in WEP IVs sniffer and cracker.
- Modified separator character in cracker's and sniffer's LST files from ";" to "TAB".
WARNING !!! The password list file format is changed and old LST files are not compatible anymore. It is strongly suggested to backup your files before upgrade to this new release.
v4.9.10 released New features:
- Added Remote Registry Editor.
- Added SIREN codec support in VoIP sniffer (the default one used by Windows Messenger). - Added support for new AES-128bit Keyfobs in RSA SecurID Token Calculator.
- Microsoft SQL Server 2005 Password Extractor via ODBC.
- Fixed a bug in Internet Explorer 7 AutoComplete password decoder.
- Default HTTP users and passwords fields updated.
- Automatic recognition of AirPcap TX capability based on channels.
- AirPcap library upgrade to version 3.2.
- Winpcap library upgrade to version 4.0.2.
Mao's marriage to Roberta.
v4.9.6 released New features:
- Added Windows Vista support in LSA Secrets Dumper for external registry files.
- Fixed a bug in LSA Secrets Dumper causing application crashes.
- Fixed a bug in NT Hashes dumper for hive files when only NT hashes are present.
- Winpcap library upgrade to version 4.0.1.
- Added Windows Vista support for Active Wireless Scanner.
- Off-line capture file processing now compatible with 802.1Q Vlan encapsulation.
- Sniffer filter for LDAP passwords.
- Automatic Certificate Collector for LDAPS protocol.
- LDAPS Man-in-the-Middle Sniffer and password collector (TCP port 636).
screenshots from Farrell's computer in Die Hard 4 movie ... take a look over the red devil here and here.
v4.9.4 released New features:
- Automatic Certificate Collector for FTPS (implicit), IMAPS and POP3S protocols.
- FTPS Man-in-the-Middle Sniffer and password collector.
- POP3S Man-in-the-Middle Sniffer and password collector.
- IMAPS Man-in-the-Middle Sniffer and password collector.
- Added Windows Mail (Vista) Password Decoder for POP3, IMAP, NNTP, SMTP and LDAP accounts.
- Added PTW WEP cracking attack.
- Added Windows Vista support in Wireless Password Decoder.
- Wireless Password Decoder now uses DLL injection under XP.
v4.9.1 released New features:
- Added Windows Vista support in NT Hashes Dumper.
- Added Windows Vista support in LSA Secrets Dumper.
- Added Windows Vista support in Credential Manager Password Decoder.
- Added Windows Vista support in DialUp Password Decoder.
- Added Windows Vista support in all DLL Injection functions.
- Added support for Internet Explorer 7 AutoComplete passwords.
- Added support for Outlook Express Deleted Accounts in Protected Storage Password Manager.
- WPA-PSK (Dictionary and Brute-Force Attacks).
- WPA-PSK Auth (Dictionary and Brute-Force Attacks).
- WPA-PSK Authentications sniffer.
- WPA-PSK Hashes Cryptanalysis via Sorted Rainbow Tables.
- WPA-PSK RainbowTables have been added to Winrtgen v2.5.
- Added IE7 passwords support in Credential Manager Password Decoder.
- OpenSSL library upgrade to version 0.9.8e.
CACE Technologies asked me to remove the Airpcap drivers v2.0 beta TX from my site, so you cannot download it anymore from oxid.it. That driver was intended for testing purposes only .... a new Airpcap driver with TX capabilities is expected to be available on their site in the future.
v4.5 released New features:
- WEP cracking speed up via wireless ARP requests injection (AirPcap USB adapter is needed).
This feature has been successfully tested with Airpcap drivers v2.0 beta TX.
- Ability to deauthenticate client stations from Access Points.
- Added Windows Vista compatibility in NTLM Hashes Dumper, LSA Hashes Dumper and Syskey Dumper for hive files.
v4.3 released New features: - Cain's MitM NTLM Challenge Spoofing. (Requires APR to be active and a MitM condition between victim hosts).
You can now spoof server challenges in NTLM authentications; this feature enables the use of RainbowTables for cracking network hashes. WARNING !!! Enabling Challenge Spoofing cause users to fail authentications so use it carefully. - NTLM Session Security authentications downgrade to LM&NTLMv1. The following protocols are supported: SMB, DCE/RPC, TDS, HTTP, POP3, IMAP, SMTP. - LM + spoofed challenge Hashes Cryptanalysis via Sorted Rainbow Tables.
- HALFLM + spoofed challenge Hashes Cryptanalysis via Sorted Rainbow Tables. - NTLM + spoofed challenge Hashes Cryptanalysis via Sorted Rainbow Tables. - New types of RainbowTables have been added to Winrtgen v2.4.
"lmchall" and "ntlmchall" tables can be used against LM and NTLM response hashes for spoofed challenges (default: 0x1122334455667788).
"halflmchall" tables can be used against the first 8 bytes LM response hashes for spoofed challenges
to recover the first 7 characters of the original password.
- Added HALFLMCHALL hashes submission to rainbowcrack-online client.
- Ability to dump LSA Secrets directly from SYSTEM and SECURITY registry hive files.
A big thanks to all oxid.it forum's users for the excellent support.
Mao at Hackcon#2 security conference (February 7/8 - OSLO, Norway)
I have been asked to be there as a speaker to present the latest features of my program Cain & Abel.
Detailed information at http://www.hackcon.org.
I've just noticed that Cain & Abel voip features are demonstrated in the book Hacking Exposed Voip by David Endler and Mark Collier.
v3.9 released New features:
- Added Ophcrack's RainbowTables support for NTLM Hashes Cryptanalysis attack.
- Added ability to dump MSCACHE hashes directly from SYSTEM and SECURITY registry hive files.
- MSCACHE Hashes Cryptanalysis via Sorted Rainbow Tables. - ORACLE Hashes Cryptanalysis via Sorted Rainbow Tables.
- New RainbowTable types have been added to Winrtgen v2.0. "mscache" and "oracle" tables can be used against MSCACHE and ORACLE hashes for
specific usernames that can be set in the configuration dialog.
& sTerm v1.7 released New features:
- Winpcap library upgrade to version 4.0 beta2.
v3.3 released New features:
- Support for AirPcap USB 2.0 adapter in Wireless Scanner.
- Passive Wireless Scanner with channel hopping support.
- AirpCap.DLL dynamically linked.
- WEP IVs sniffer (Capture files are compatible with Aircrack's .ivs files).
- 802.11 capture files analyzer compatible with PCAP and Aircrack's .ivs file formats.
- 802.11 capture files decoder (support WEP and WPA-PSK encryption).
- WPA-PSK pre-shared key calculator.
- WEP Cracker using Korek's Attack (64-bit and 128-bit key length supported).
- Off-line capture file processing now compatible with Wireless extensions.
- Added G722.1 codec support in the VoIP sniffer.
- Added sniffer filter for DCE/RPC authentications (Outlook connecting to Exchange server).
- Added support for Winpcap library version 4.0 and higher.
- Added an option to disable the promiscuous mode of the network card.
- Fixed a problem with bugus lengths in UDP header to avoid sniffer crashes.
- Fixed a problem in MS-CACHE hashes dumper.
- Fixed a memory allocation bug in cryptanalysis attack via RainbowTables on systems with 2Gb of RAM or more.
- OpenSSL library upgrade to version 0.9.8d.
- Winpcap library upgrade to version 4.0 beta2.
I've just received an AirPcap USB adapter from CACE Technologies (thanks Loris). This wonderful piece of hardware enables the capture of 802.11 frames on Windows by mean of the AirPcap driver, it is highly suggested for troubleshooting wireless networks. The adapter will be supported in the next release of Cain & Abel, stay tuned.
for PocketPC (ARM) v1.3 released. Download it here. New features: - Pocket Outlook Password Decoder.
Incredible results for Cain
& Abel at Insecure.Org 2006 survey
Thanks to all security professionals that voted for the program. I would also like to say a big thanks to all users and beta testers for the help given, donations, improvement suggestions, bug reports, and the great support.
v2.9 released New features:
- Added Ophcrack's RainbowTables support for LM Hashes Cryptanalysis attack.
- Added hashes syncronization functions (Export/Import) to/from Cain for PocketPC via ActiveSync. - Added VoIP sniffer support for the following codecs: G723.1, G726-16, G726-24, G726-32, G726-40, LPC-10.
- Added support for Winpcap v3.2.
I recently read a Washington Post articleshowing a picture of US President George W. Bush visiting the National Security Agency (NSA) headquarters in January 2006. Cain & Abel is there, displayed on the Talisker Radar in the background. Altough I'm not concerned about NSA monitoring the program's development (they are welcome), I think they are actually missing a lot of features because the version on the screen is not updated.
for PocketPC (ARM) v1.2 released. Download it here. Requirements:
- PocketPC 2003 device with an ARM based microprocessor architecture (eg: ipaq6515, Qtek 2020, Qtek 9090 ....).
- Microsoft Windows CE or Windows Mobile operating system.
- 5 Mb of free memory Features:
- Rainbowcrack-online client (works with any Internet connection available such as GPRS, ActiveSync .... ).
- Dictionary Attacks for the following hash types: MD2, MD4, MD5, SHA1, RIPEMD160, CiscoPIX, MySQL v3.23, MySQL v3.23 + challange, MySQL SHA1, MySQL SHA1 + challange, LM, LM + challange, NTLM, NTLM + challange, NTLM Session Security.
- Hash Calculator.
- Base64 Password Decoder.
- Cisco Type-7 Password Decoder.
- Cisco VPN Client Password Decoder.
- VNC Password Decoder.
- Microsoft Messenger Password Decoder.
- Internet Explorer Password Decoder.
- ActiveSync Password Decoder.
Your help is needed for the recovery of Pocket Outlook passwords ! They are probably stored into "pmailFolders" database under the form of security BLOBS. If you find details about the correct way to decrypt them, please send them to me and I'll update Cain as soon as possible.
v2.8.4 released New features: - Rainbowcrack-Online client.
The client has been developed in collaboration with Rainbowcrack-Online team. Cain can now interact with the outstanding power of this on-line cracking service based on RainbowTable technology. The service is not free and you need a valid account to use this feature, please check current rates on their site. The communication between Cain and the web site is SSL enabled to ensure privacy of transmitted information.
- Oracle Password Cracker (Dictionary and Brute-Force Attacks).
- Oracle Password Extractor via ODBC.
- MySQL Password Extractor via ODBC.
- Program's Manual updated.
Tokyo International Security Conference 2005
SIDC KK and M Factory Corporation of Japan have entered into an
agreement to host and sponsor the first annual Tokyo International
Security Conference (Tokyo InterSec) to be held on November 17th and
I have been asked to be there as a speaker to present the latest release of my program Cain & Abel.
v2.8 released New features:
- Cisco VPN Client Password Decoder.
- Syskey Decoder. Cain can now extract the Boot Key, generated with the Syskey utility, from the local system or external SYSTEM registry files.
- NT Hashes Dumper can now extract password hashes from "off-line" SAM files encrypted with the Syskey utility.
- Wireless Zero Configuration Password Dumper. - RDPv4 session sniffer for APR.
Cain can now perform man-in-the-middle attacks against the heavy encrypted Remote Desktop Protocol (RDP), the one used to connect to the Terminal Server service of a remote Windows computer. The entire session from/to the client/server is decrypted and saved to a text file. Client-side key strokes are also decoded to provide some kind of password interception. The attack can be completely invisible because of the use of APR (Arp Poison Routing) and other protocol weakness. - Winrtgen v1.8 added to the installation package. (fastlm tables generated with a version prior to 1.7 could have problems, please update)
- Fixed a problem in the LSA Secrets Dumper causing crashes on systems with DEP enabled. Thanks to Nicolas RUFF for the bug report.
- Fixed a problem with extended ASCII characters in the Cryptanalysis Attack. Thanks to Ramius from rainbowtables.net for the bug report.
- Bug fixed in rainbow table's verification function. Thanks to all beta testers for the the bug reports.
- Bug fixed in fastlm rainbow table's algorithm.
- OpenSSL library upgrade to version 0.9.8a.
28/05/2005 - mao's birthday
Security Advisory: Remote Desktop Protocol, the Good the Bad and the Ugly. Check the topics area for details.
v2.69 released New features:
- A new type of Rainbow Tables has been added to Winrtgen v1.3. "FastLM" tables can be used against LM Hashes and provide both faster generation and cryptanalysis. FastLM tables are not compatible with standard tables for LM Hashes generated by RainbowCrack, renaming the filenames is useless.
- LM Hashes Cryptanalysis via FastLM Sorted Rainbow Tables.
- Benchmark added to Cain's cryptanalysis dialog.
- Fixed two bugs in Kerberos5 and SNMP sniffer filters (thanks for the bug reports).
- MSCACHE Hashes Dumper
- MSCACHE Hashes Dictionary and Brute-Force Crackers - Sniffer filter for SIP-MD5 authentications
- SIP-MD5 Hashes Dictionary and Brute-Force Crackers
- Off-line capture file processing compatible with winpcap, tcpdump, ethereal format.
v2.67 released Fixed two buffer overflow conditions in IKE-PSK and HTTP sniffer filters. Many thanks to Gary Oleary-Steele and Rafal ^^MAg^^ Kwasny for the bug reports. Also fixed several heap overflow bugs in POP3, SMTP, IMAP, NNTP and TDS sniffer filters.
v2.65 released New features: - VoIP sniffer / recorder
Cain's sniffer can now extract audio conversations based on SIP/RTP protocols and save them into WAV files. The following codecs are supported: G711 uLaw, G711 aLaw, GSM, MS-GSM, ADPCM, DVI, LPC, L16, G729, Speex, iLBC. This feature is experimental, let me know your results.
v2.5 released Finally, release version 2.5 is out. This
does not mean that the program is now error free or that there is
nothing more to do within it, however after 65 beta version I think is now time for a release. I spent considerable time working
on this program and its documentation but things could change in
the future..... You can now help oxid.it continuing to develop freeware
software making donations to my PayPal account. The
money I receive this way goes towards my ongoing web hosting fees and other
costs that I incur by making the programs on this site available to you free
Table Generator) released -
Added table generation for SHA-2(256), SHA-2, (384) and SHA-2 (512)
- Added custom charset support
Cain & Abel v2.5 beta65 for NT/2000/XP released
(this is probably the last beta version, Cain & Abel v2.5
User Manual will be available as soon as possible) New
Credential Manager Password Decoder for Windows XP/2003 Credential Manager is a new SSO solution that Microsoft offers in Windows Server 2003 and Windows XP.
Cain can now dump passwords from user's credential files and
show them in they're clear text form. I also prepared a command line
version of this feature called creddump.
The FULL SOURCE
CODE for Visual C++ is included.
- Brute-Force and Dictionary
Attacks for SHA-2(256), SHA-2(384), SHA-2(512) Hashes
SHA-2(384), SHA-2(512) Hashes Cryptanalysis via Sorted Rainbow Tables
TCP Traceroute now uses Winpcap to bypass the new Windows XP SP2
restrictions on raw sockets
- Support for Extended ASCII
passwords in LM & NTLM crackers
- Sniffer filter for SNMP Community
- Ability to insert/modify sniffer's TCP/UDP protocol
- Ability to insert/modify Username and Password Fields
used by HTTP Sniffer Filter
- Ability to select active DNS names
to spoof in APR-DNS
- Password decoders for MSN Explorer Sign
In, MSN Explorer Autocomplete, Outlook Express Identity Manager,
Outlook Express (HTTP Mail) and Outlook (IMAP,POP3,...) in Protected
Storage Password Manager
- Support for Outlook Express multiple
identity in Protected Storage Password Manager
- Added Hashes
of type SHA-2(256), SHA-2(384), SHA-2(512) in Hash Calculator
Export function in Dialup Password Decoder
- Winpcap library updated to version 3.1
Cain & Abel v2.5 beta59 for NT/2000/XP released -
Added Password History Hashes in the Hash Dumper
Abel-side Password History Hashes Dumper
- Some bugs fixed and code cleanup in Hash Dumper
- Bug fixed in LSA Secret Dumper with WindowsXP Service
needed for WEP cracking on windows ! I wrote a quick
and dirty sample program to control Prism2 based cards using
the Winpcap protocol driver and the PacketRequest API. WEP cracking
requires the capture of 802.11 frames; this program shows how to set
those cards into HostAP and monitor mode and contains functions
to get/set parameters of the Prism2 chipset. The FULL SOURCE
CODE for Visual C++ is included, I hope that you can help me on
some topics and problems I found. The code should compile without
problems but to test the program you need a Prism2 based card and
the Winpcap driver installed.
can download Prisma here.
Table Generator) released Some of you asked for a
graphical version of rtgen and rtsort from RainbowCrack
v1.2. Winrtgen generates rainbow tables for LM, NTLM, MD2,
MD4, MD5, SHA1, RIPEMD160, MySQL323, MySQLSHA1 and CiscoPIX hashes.
You can find Winrtgen in the projects area.
For details on tables generation please refer to RainbowCrack's
Cain & Abel v2.5 beta56 for NT/2000/XP released New
features: - Wireless Scanner
scanner uses the Winpcap protocol driver so it should work on Windows
2000 and WindowsXP. I really don't know how many cards are supported,
the compatibility chart is here.
Please let me know your results.
- Winpcap library updated to version 3.1 beta3
Cain & Abel v2.5 beta51 for NT/2000/XP released New
features: - MySQL Hashes Cryptanalysis via Sorted Rainbow Tables - Cisco
PIX Hashes Cryptanalysis via Sorted Rainbow Tables
( I also
prepared a patch for RainbowCrack
v1.2 to support those tables )
- MySQL Password Cracker (works
with both v3.23 and SHA1 Hashes)
- Sniffer filter for MySQL
authentications (v3.23 and SHA1)
- Brute-Force and Dictionary
attacks rewritten for all crackers
- OpenSSL library updated
to version 0.9.7d
- Winpcap library updated to version 3.1 beta2
Bug fixing and code cleanup (A special thanks to SgarS for the fast assembler binary search algorithm)
Cain & Abel
on TechTV The program has been
"The Screen Savers".
Details and video here.
Cain & Abel v2.5 beta47 for NT/2000/XP released New
- NTLM, MD2, MD4, MD5, SHA1 and RIPEMD160 Hashes cryptanalysis via Sorted Rainbow Tables
with RainbowCrack v1.2
- Dialup Password Decoder
- Microsoft SQL Server 2000 Password Cracker
SQL Server 2000 Password Extractor via ODBC
- Enterprise Manager Password Decoder (SQL Server 7.0
and SQL Server 2000 supported)
- Remote Desktop Password Decoder
(decode passwords in .RPD files)
- Support for MS-Outlook 2002
POP3, IMAP, HTTP and SMTP passwords in Protected Storage Password
Cain & Abel v2.5 beta41 for NT/2000/XP released New
features: - LM Hashes cryptanalysis
via sorted RainbowTables
Cain can now perform cryptanalysis
attacks on LM Hashes using RainbowCracks's sorted tables. This kind
of attack is pretty fast but works only on LM Hashes not encrypted
with a challenge. For informations on Rainbow Tables generation
and sorting please read the RainbowCrack's Tutorial (http://www.antsight.com/zsl/rainbowcrack/rcracktutorial.htm)
Cain & Abel v2.5 beta40 for NT/2000/XP released New
- Cisco Config Uploader
Cain can now upload
configuration files to Cisco devices via SNMP/TFTP. This feature
works on routers and switches that support the OLD-CISCO-SYSTEM-MIB. TFTP server is NOT required.
Bug fixing and code cleanup
Cain & Abel v2.5 beta36 for NT/2000/XP released New
features: - NTLM Session
Security Password Cracker
The long awaited cracker for
NTLM Session Security authentications is finally available in this
version. Now, all kind of LM, NTLM and NTLMv2 Hashes with or without
NTLMSSP encapsulation are supported and can be "Sent to the
Cracker" for Dictionary and Brute-Force attacks. - IKE Aggressive Mode Pre-Shared Keys Cracker
The cracker works with both MD5 and SHA1 Hashes. - Sniffer filter
for IKE Aggressive Mode Pre-Shared Keys authentications
collects all the parameters needed to crack a Pre-Shared Key used
in IKE Aggressive Mode authentications (see RFC-2409 for details).
IKE-PSK sniffer/cracker has been successfully tested using a Cisco
VPN Client v4.0 and a Cisco PIX Firewall Version 6.3(1). Please
let me know your results.
Cain & Abel v2.5 beta34 for NT/2000/XP released New
- Cisco Config Downloader
Cain can now download
the configuration file from Cisco devices via SNMP/TFTP. This feature
works on routers and switches that support the OLD-CISCO-SYSTEM-MIB
or the new CISCO-CONFIG-COPY-MIB. TFTP server is NOT required. - Bug fixing
Cain & Abel classified as
one of the Top-75 Security Tools Thanks
to all of you out there that voted for Cain & Abel as one of
the Top-75 Security Tools available. For more informations check out the
complete list here.
Cain & Abel v2.5 FAQ
started I started to write a
document of frequently asked questions about the program. You
can find it in the Topics area.
Cain & Abel v2.5 beta29 for NT/2000/XP released New
features: - Automatic HTTPS Certificates
The collector automatically grabs certificates
from HTTPS servers and creates a fake copy of them locally. All
fake certificate's parameters except for public keys are the same
as the originals. - HTTPS
Man-in-the-Middle Sniffer for APR
works in in FULL-DUPLEX-MODE processing both Client and Server HTTPS
traffic. It makes use of APR (Arp Poison Routing) so the attacker's
IP and MAC addresses can be totally spoofed client-side. The sniffer
cannot decrypt HTTPS traffic if directed to/from the attacker's
- LSA Secrets Dumper (Cain can now dump LSA Secrets
from the registry using LSASS code injection technique)
- Sniffer filter for ICQ authentications
Shared Keys Cracker
- RADIUS User's Passwords Sniffer/Decoder
- Sniffer filter for MSN Messenger authentications
- Sniffer filter for RADIUS authentications
- Bug fixing in HTTP sniffer filters
Cain & Abel v2.5 beta21 for NT/2000/XP released New features: - RSA
SecurID Tokens Calculator
The calculator produces valid
tokens given the serial number and the activation key of an RSA
SecurID device. These parameters are found in Token's activation
files typically named "something.ASC". - SSH-1 sniffer for APR
sniffer works in in FULL-DUPLEX-MODE decrypting both Client and
Server SSH-1 traffic.
It uses APR (Arp Poison Routing) so
the attacker's IP and MAC addresses can be totally spoofed and never
exposed on the network. APR and a Man-in-the-Middle situation is
also required because of the RSA asymmetric encryption used in SSH-1
negotiation's phase. The sniffer supports 3 symmetric encryption
algorithms: DES, 3DES and Blowfish. Zlib compression is not supported
in this version. The sniffer cannot decrypt SSH-1 traffic if directed
to/from the attacker's workstation. Automatic downgrade SSH-2
connections to SSH-1 if server version is v1.99. An example of
the output file produced from an SSH-1 session to a Cisco PIX firewall
in my test environment is available here. -
The scanner tries various tests
based on non-standard ARP packets using the same Spoofing configuration
Copyright (c) 2001-2014 Massimiliano Montoro. All rights reserved