Monday, March 03, 2008

Pentester trick #3: using Cain without installing it

Cain is one of the most useful pentesting tools for Windows. It has been rated #9 in the Top 100 security tools.

While Cain is powerful when run on the pentester's own computer, it is quite limited in terms of "pivoting" (i.e. using a compromised host as a relay to reach another part of the target network).

Installing Cain on a compromised host runs into at least two severe limitations:
  1. Cain requires Winpcap. If Winpcap is not found, Cain refuses to load. Winpcap installs a new driver and might require a reboot, which is not good in terms of footprint.
  2. Cain is detected as Potentially Unwanted Software by most antivirus products.
Fortunately, both limitations can be removed.

To have Cain load properly, it is enough to place the following DLLs in Cain's directory:
  • packet.dll
  • wanpacket.dll
  • wpcap.dll
Note #1: without the Winpcap driver, Cain will lack network features such as password sniffing and ARP poisoning.

To keep Cain from being detected by most (if not all) antivirus software, the binary must be "repacked". However, that is another story :)

Note #2: Cain still requires administrative rights on the compromised host.