Monday, March 03, 2008

Pentester trick #3: using Cain without installing it

Cain is one of the most useful pentesting tools for Windows. It has been rated #9 in the Top 100 of security tools.

While Cain is powerful when used on the pentester's own computer, it is quite limited in terms of "pivoting" (i.e. using a compromised host as a relay to reach another part of the target network).

Installing Cain on a compromised host brings at least two severe limitations:
  1. Cain requires WinPcap. If WinPcap is not found, Cain refuses to load. The WinPcap installer adds a new kernel driver and may require a reboot, which is bad in terms of footprint.
  2. Cain is detected as Potentially Unwanted Software by most antivirus products.
Fortunately, both limitations can be worked around.

To have Cain load properly, it is enough to add the following DLLs to the Cain directory:
  • packet.dll
  • wanpacket.dll
  • wpcap.dll
Note#1: without the WinPcap driver, Cain will lack network features such as password sniffing and ARP poisoning.
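The staging steps above, as an added PowerShell example (not from the original post, and not part of Cain or WinPcap): it copies the three user-mode DLLs beside cain.exe, refuses to continue without administrative rights, checks whether the WinPcap kernel driver (the NPF service) happens to be present so you know in advance whether sniffing and ARP poisoning will work, then launches Cain. The directory names $CainDir and $DllSource are assumptions; point them at wherever you dropped cain.exe and the DLLs taken from a machine that has WinPcap installed.

```powershell
# Added example, not code from the original post.
# Assumptions: $CainDir holds cain.exe; $DllSource holds packet.dll, wanpacket.dll and wpcap.dll
# copied from a WinPcap install (usually %SystemRoot%\System32) or from another Cain directory.
param(
    [string]$CainDir   = 'C:\Tools\Cain',
    [string]$DllSource = '.\wpcap-dlls'
)

$dlls = 'packet.dll', 'wanpacket.dll', 'wpcap.dll'

# Note#2 of the post: Cain needs administrative rights, so fail early rather than half-way through.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Cain requires administrative rights on this host.'
}

if (-not (Test-Path (Join-Path $CainDir 'cain.exe'))) {
    throw "cain.exe not found in $CainDir"
}

# Drop the three DLLs next to cain.exe; Cain's loader finds them there without WinPcap being installed.
foreach ($dll in $dlls) {
    $src = Join-Path $DllSource $dll
    if (-not (Test-Path $src)) {
        throw "Missing $src - copy it from a WinPcap install or from Cain on another machine."
    }
    Copy-Item -Path $src -Destination (Join-Path $CainDir $dll) -Force
}

# Verify every DLL is really in place before launching.
$missing = $dlls | Where-Object { -not (Test-Path (Join-Path $CainDir $_)) }
if ($missing) { throw "Still missing after copy: $($missing -join ', ')" }

# Note#1 of the post: without the WinPcap kernel driver (service name NPF) only local
# password collection will work; sniffing and ARP poisoning need the driver.
$npf = Get-Service -Name 'NPF' -ErrorAction SilentlyContinue
if ($npf -and $npf.Status -eq 'Running') {
    Write-Host 'NPF driver is running: network features (sniffing, ARP poisoning) should be available.'
} else {
    Write-Host 'NPF driver not present: Cain will start, but expect local password collection only.'
}

Start-Process -FilePath (Join-Path $CainDir 'cain.exe') -WorkingDirectory $CainDir
```

The NPF check is informational only: the whole point of the trick is to avoid installing the driver, so on a freshly compromised host the script will normally report it as absent.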

To make Cain undetected by most (if not all) antivirus software, the executable must be "repacked". However, that is another story :)

Note#2: Cain still requires administrative rights on the compromised host.

4 comments:

Nono said...

Don't forget Abel: a client for compromised hosts. Execute some (pwdump) command remotely without uploading Cain files.

newsoft said...

Indeed, but Cain can collect far more passwords from the localhost than Abel - and Cain can explore locally visible Windows domains, too.

Most password collection utilities are available individually from NirSoft, but it is nice to have this "all-in-one" functionality in Cain.

BTW, "abel.dll" is also blacklisted by many antivirus products.

Anonymous said...

Where do I find those DLLs?

newsoft said...

You can get them by installing WinPcap (http://www.winpcap.org/) ... or from Cain on another machine :)