Activity: Man-In-The-Middle Attack with Cain & Abel
This activity is ungraded.
Remember: Be sure to watch the Demo video from this unit before trying this activity. Watching me do it first will help you understand each of the steps.
Getting help: If you have trouble with these activities, please ask questions in the “Troubleshooting” forum in General Class Discussion.
System:
You will need two systems for this activity.
- A Windows machine to act as the attacker, using Cain and Abel.
- A victim machine running any operating system.
The victim cannot be a VM that uses the attacker machine as its host.
Download
- Cain & Abel installer (Cain & Abel v4.9.56 for Windows NT/2000/XP)
Installation instructions
Note: You will have to disable antivirus software and firewalls to let this program install. After all, it is extremely malicious!
Remember to reactivate your antivirus software and firewall after completing this activity.
- Run the downloaded installer, ca_setup.exe.
- Click Next five times, and then Finish.
- When prompted for the WinPcap Installation, click Don’t install, as we’ve already installed this for Wireshark at the beginning of the course.
- Copy the files Abel64.exe and Abel64.dll from C:\Program Files (x86)\Cain into C:\Windows.
Note: 32-bit systems should use Abel.exe and Abel.dll instead.
- Abel is a Windows service composed of two files: Abel.exe and Abel.dll.
The installation copies these files to C:\Program Files (x86)\Cain, but the service is not automatically installed on the system.
- Abel can be installed locally or remotely (using Cain) and requires Administrator privileges on the target machine.
- Run Abel.exe (as Administrator) to install the service, as it is not automatically started.
- Start the Abel service. To do this, click the Start button, and enter services.msc. Select Services, right click the Abel service, and select Start.
- Go to Control Panel\Network and Internet\Network Connections and right-click your NIC.
- Go to Properties and double-click Internet Protocol Version 4 (TCP/IPv4).
- Click the Advanced button, and then click the DNS tab at the top.
Put a check in the Use this connection’s suffix in DNS registration box.
- Click OK on the three OK buttons that follow.
The software is now installed and configured for this activity.
Time: This activity should take you 30 to 60 minutes to complete.
Goal
- To launch a Man in the Middle attack with Cain and Abel on another machine, and obtain usernames and passwords.
Instructions
- Double-click the Cain icon on the desktop to launch Cain.
- From the top menu, click Configure.
- In the Configuration Dialog box, on the Sniffer tab, verify that the interface with the IP address that goes to the Internet is highlighted.
- In the Configuration Dialog box, on the APR tab, click the Use ARP Request Packets (More Network Traffic) radio button at the bottom.
- Change the seconds value to 10. Click OK.
- In the upper left of the Cain window, click the Start/Stop Sniffer button (the second button from the left), and the Start/Stop APR button (third from the left) so they are both depressed.
- At the top of the screen, click the Sniffer tab. On the toolbar, click the + icon.
- In the Mac Address Scanner box, leave the Target as All hosts in my network, and check the All Tests box.
- Click OK.
Several progress bars will move across the screen.
- Click the APR tab at the bottom. Click in the empty upper right hand table. Click the + icon on the toolbar.
- On the victim machine, check the ARP cache, with the arp -a command, in a command line interface.
You should see the actual MAC address of your default gateway associated with your gateway’s IP address.
- Start Wireshark on the victim machine, with a display filter of arp.
- In Cain and Abel, on the attacker machine, in the New ARP poison Routing box, click the gateway IP in the left pane, then click the host IP address that you’re going after in the right pane.
- Click OK.
- Wait 30 seconds.
You should see a Status of Poisoning.
If you see a status of Idle, toggle the Start/Stop Sniffer button and the Start/Stop APR buttons, leaving them both depressed.
- Now, recheck the ARP cache on the victim machine.
- On the bottom of the Cain window, click the Passwords tab. Then, in the left pane, click the HTTP item to select it.
NOTE: As you complete the next step, watch this location intently.
- On the victim machine, open up Firefox and go to mycourses.rit.edu.
- Try to log in with a fake username and password.
- Do this again for www.edx.org, and www.citibank.com.
- You should see warnings about the security certificate on each site. Agree to connect anyway.
NOTE: You should never agree to connect when seeing this warning under normal conditions! You’re only connecting now for the purposes of this activity.
- You should see connections appearing in the lower portion of the Cain window.
- Visit the same three secure sites, or different ones, using Chrome as your browser.
- Note the connection warning you receive.
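The steps above have you run arp -a on the victim before and after APR starts and compare the gateway's MAC address by eye. The script below is an added example (not part of the course activity or of Cain & Abel) that does the same comparison programmatically, the way a host-based check would: it parses two arp -a snapshots and flags the two symptoms you observed, the gateway's physical address changing and one MAC address claiming several IP addresses. The BEFORE and AFTER snapshots are constructed sample output in Windows arp -a format with made-up addresses; the parser also accepts the Linux arp -a line format.

```python
"""Detect ARP cache poisoning by comparing two `arp -a` snapshots.

Added example, not part of the course activity. The snapshots below are
constructed sample output (all IP and MAC values are made up).
"""
import re

# Matches a Windows entry ("192.168.1.1   00-11-22-33-44-55   dynamic") or a
# Linux entry ("? (192.168.1.1) at 00:11:22:33:44:55 [ether] on eth0").
_ENTRY_RE = re.compile(
    r"\(?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)?\s+(?:at\s+)?"
    r"(?P<mac>[0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})"
)

# Constructed sample: the victim's ARP cache before APR is started.
BEFORE = """\
Interface: 192.168.1.20 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.30          aa-bb-cc-dd-ee-ff     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

# Constructed sample: the same cache after poisoning. The gateway now maps to
# the MAC that 192.168.1.30 (the attacker host in this scenario) already owns.
AFTER = """\
Interface: 192.168.1.20 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           aa-bb-cc-dd-ee-ff     dynamic
  192.168.1.30          aa-bb-cc-dd-ee-ff     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def normalize_mac(mac):
    """Return the MAC lowercased and colon-separated so both OS styles compare equal."""
    return mac.lower().replace("-", ":")


def parse_arp_table(text):
    """Parse `arp -a` output into {ip: mac}, skipping header and interface lines."""
    table = {}
    for line in text.splitlines():
        m = _ENTRY_RE.search(line)
        if m:
            table[m.group("ip")] = normalize_mac(m.group("mac"))
    return table


def detect_poisoning(before, after, gateway_ip):
    """Compare two parsed tables and return a list of human-readable findings.

    Two signals are checked:
      1. The gateway's MAC address changed between the snapshots.
      2. A unicast MAC appears under more than one IP in the new snapshot
         (the broadcast address is ignored, since it is legitimately shared).
    """
    findings = []
    old_mac = before.get(gateway_ip)
    new_mac = after.get(gateway_ip)
    if old_mac and new_mac and old_mac != new_mac:
        findings.append(f"gateway {gateway_ip} changed from {old_mac} to {new_mac}")

    by_mac = {}
    for ip, mac in after.items():
        if mac == BROADCAST_MAC:
            continue
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(f"{mac} claims multiple IPs: {', '.join(sorted(ips))}")
    return findings


if __name__ == "__main__":
    results = detect_poisoning(parse_arp_table(BEFORE), parse_arp_table(AFTER), "192.168.1.1")
    for finding in results:
        print("ALERT:", finding)
```

On a real host you would feed the output of arp -a taken at two points in time into parse_arp_table instead of the constants; a gateway whose MAC silently changes, or one physical address answering for several IPs, is the same evidence the activity has you find by hand with Wireshark's arp filter.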
Remember to reactivate your antivirus software and firewall!
After you've finished, answer the Check Your Work questions.