I want to start this article off by saying that the information contained in this article may be of a controversial nature. But, I want to just remind everyone that information in and of itself is amoral; that is, it is neither good nor evil. It is only what someone decides to do with this information that can be good or evil. It is my sincerest hope that you will choose to make the world a better place with this information.
Tim
Here is the scenario that I have had several of my family members in. They come to me all excited because they just bought a new computer but they need help setting it up. As usual, I say, “Sure” as I don my “No, I Will Not Fix Your Computer” T-shirt. Then, I ask the fateful question. I don’t know why I ask it because I already know the answer. But I ask anyway.
“Can I get all of your passwords for e-mail, internet, etc.?”
The family member then goes through very distinct phases:
- What is he talking about?
- That was a long time ago and I haven’t got a clue as to where the information is. Oh well.
- Wait! If I don’t have my passwords, Tim can’t set up my computer!
It is usually at this point that they get the “Tim! You gotta do something!” look.
Fortunately, I can do something and soon you will be able to as well.
In The Beginning…
To start the process, you will be needing at least one tool. My (freeware) tool of choice for this task is Cain & Abel from oxid.it. oxid.it is a security site aimed at helping IT personnel find potential holes in their networks and systems.
Cain & Abel is a very powerful tool that helps you to recover a number of passwords from Microsoft operating systems. From their website:
Cain & Abel is a password recovery tool for Microsoft Operating Systems. It allows easy recovery of various kind of passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, recovering wireless network keys, revealing password boxes, uncovering cached passwords and analyzing routing protocols. The program does not exploit any software vulnerabilities or bugs that could not be fixed with little effort. It covers some security aspects/weakness present in protocol’s standards, authentication methods and caching mechanisms; its main purpose is the simplified recovery of passwords and credentials from various sources, however it also ships some “non standard” utilities for Microsoft Windows users.
Cain & Abel has been developed in the hope that it will be useful for network administrators, teachers, security consultants/professionals, forensic staff, security software vendors, professional penetration tester and everyone else that plans to use it for ethical reasons. The author will not help or support any illegal activity done with this program. Be warned that there is the possibility that you will cause damages and/or loss of data using this software and that in no events shall the author be liable for such damages or loss of data. Please carefully read the License Agreement included in the program before using it.
This is going to be the tool that will allow us to recover the passwords that you require.
Downloading and Installing Cain & Abel
The first thing that you will have to do is download Cain & Abel. There are two versions available: one for Windows 9x (which is no longer supported) and the other for Windows NT/2000/XP. I will be focusing on the Windows NT/2000/XP version.
Once you have downloaded Cain & Abel, you need to install it. For those of you that are a bit more Mulder than Scully (I know that I am) when it comes to applications like this, I have included a complete list of all the changes that the application makes on your system, both file and registry changes.
To install Cain & Abel, simply double click the file you downloaded (probably ca_setup.exe or something similar). Your entire screen will turn red (don’t be alarmed) and you will see the intro screen.

Click Next.

Read the license agreement (you do read those, right?) and then click Next.

Make sure that the installation location is where you would like it and click Next.

Click Next to start the installation.

Click Finish to complete the installation. At this point you will probably be prompted to install the WinPcap v4.0 beta2 packet driver. This driver is what allows Cain & Abel to pull information from your network connection.

Click Install.

Click Next.

Read the license agreement (yes, another one) and click I Agree.

Click Finish to complete the installation.
Running Cain & Abel
Running Cain & Abel is a relatively simple process. Just double click the Cain icon:

This brings up the main Cain & Abel interface.

At first, there is an awful lot to absorb. Do not be intimidated. This is a really good time to play around with the program and just try some of the options. Some may be a bit too high up on the nerd scale for what you would like to do but if you are willing to put in some time reading and learning, this utility will reward you with a lot of power.
Configuring Cain & Abel
In order to properly gather information that will allow you to retrieve passwords from the system, you will need to configure it to sniff the network. This is a relatively simple process. Start by going to the Configure menu. You will now be prompted to select a network card. This is probably the hardest part of the entire process because it is not uncommon for more than one network card to show up in the list.

Many people do not know which device to use because they do not know how to determine which is their real network card. The easiest way to do this is to check your system’s IP address and select the network device that has the same IP address. Or, if only one device comes up with an IP address other than 0.0.0.0, then the non-0.0.0.0 device is probably the one you want to select.
Once you have selected the correct network device, you can then click on the OK button.
Next, click on the icon of a network card: 
This will start monitoring your network connection for passwords.
Recovering E-Mail Passwords
One of the very first things that I learned to do with Cain & Abel was retrieve e-mail passwords that are stored on the system. This is probably the most common problem that people run into because they set up their e-mail accounts on their systems when they first connect up their internet account and then they promptly forget them.
This also really intrigued me because I learned how to retrieve e-mail username and passwords the hard way. I would put a sniffer such as Wireshark on the system and then monitor the network activity for POP3 and SMTP packets. Once you saw these, you would manually look through them for something that looks like a password. Not the easiest.
If you have set up Cain & Abel as described above, all you need to do is send yourself an e-mail. Once you have sent and received the e-mail, go back to Cain & Abel. Click on the Sniffer tab at the top and then the Passwords tab at the bottom. On the left-hand side, you will see a listing of different types of passwords that can be retrieved from the network. Your e-mail is likely POP3, so click on the POP3 option.

If everything is set up properly, you will see a list of entries. There you will have the IP address of the POP3 server, the IP address that the connection came from (this should be your IP address), the username used to connect to the POP3 server, and the password that the account used.
That’s all there is to it!
Retrieving Other Passwords
There are several other password types that you can also retrieve from the network. Some of these include:
- FTP (e.g. file uploads to your website)
- HTTP (e.g. accessing your firewall’s web interface)
- Telnet (e.g. remotely configuring your Cisco router)
- VNC (e.g. remotely controlling systems)
- ICQ (e.g. instant messaging)
- MySQL (e.g. database)
The process is pretty much the same for these services as for the e-mail recovery. Simply use the service while Cain & Abel is running and sniffing the network. Then, check for their passwords in Cain & Abel, under the matching entry in the password list.
Limitations
While there are a lot of different passwords that can be retrieved using this method, there are some that are not retrievable. Primarily, these are passwords sent over encrypted connections, such as encrypted POP3 or HTTPS connections. Since these connections are encrypted prior to hitting the network card, you will need to retrieve the passwords some other way.
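The contrast between the POP3 recovery above and this limitation comes down to what is readable on the wire. The following is an added example, not code from the article or from Cain & Abel: it audits the client side of a POP3 session and reports whether a passive observer would learn the password, without ever returning it. It goes beyond the article's USER/PASS case to cover STLS, APOP and AUTH PLAIN; the function name and the sample sessions are constructed for illustration.

```python
import base64

def audit_pop3_session(client_lines):
    """Report what a passive observer learns from one POP3 session.

    client_lines: readable client-to-server lines in wire order. The
    password itself is never returned, only the fact that it was exposed.
    """
    user = None
    lines = iter(client_lines)
    for line in lines:
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "STLS":
            # Everything after the upgrade is TLS records, not commands.
            return {"exposure": "none", "user": None,
                    "why": "STLS negotiated before login"}
        if verb == "USER":
            user = arg
        elif verb == "PASS":
            return {"exposure": "password", "user": user,
                    "why": "USER/PASS sent in cleartext"}
        elif verb == "APOP":
            # APOP sends MD5(server timestamp + password): no password on
            # the wire, but the digest is open to offline guessing.
            return {"exposure": "digest", "user": arg.split(" ")[0],
                    "why": "APOP digest sent instead of the password"}
        elif verb == "AUTH" and arg.upper().startswith("PLAIN"):
            parts = arg.split()
            # The credentials follow on the same line or on the next one.
            blob = parts[1] if len(parts) > 1 else next(lines, "")
            try:
                fields = base64.b64decode(blob).split(b"\0")
            except ValueError:
                fields = []
            name = fields[1].decode() if len(fields) == 3 else None
            return {"exposure": "password", "user": name,
                    "why": "AUTH PLAIN is base64, not encryption"}
    return {"exposure": "none", "user": None,
            "why": "no readable login (for example POP3 over TLS)"}

# Constructed sessions, not real captures.
_PLAIN_BLOB = base64.b64encode(b"\0alice\0not-a-real-password").decode()
SAMPLE_SESSIONS = {
    "cleartext": ["CAPA", "USER alice", "PASS not-a-real-password", "QUIT"],
    "stls": ["CAPA", "STLS"],
    "apop": ["APOP alice c4c9334bac560ecc979e58001b3e22fb"],
    "auth_plain": ["AUTH PLAIN " + _PLAIN_BLOB],
    "auth_plain_two_step": ["AUTH PLAIN", _PLAIN_BLOB],
    "implicit_tls": [],
}

if __name__ == "__main__":
    for name, session in SAMPLE_SESSIONS.items():
        print(name, audit_pop3_session(session))
```

Any account that comes back with an exposure of "password" is a candidate for moving to an encrypted mail connection and for a password change.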
Conclusion
This is just the tip of the iceberg for Cain & Abel. It can do a lot more such as recovering Access database passwords and revealing what is under the ******** you see in password fields. But, retrieving e-mail and other web based passwords is probably what most normal users will be the most concerned with.
But remember, now that you have this power, use it for good, not evil.

November 18th, 2006 at 1:39 pm
Just a little specification to your readers:
Cain & Abel doesn’t work on a switched network unless you use ARP Poison Routing, which will mess up your network while it is running. All sorts of weird things will start happening if you use it. The software will only run properly on a network that is running on a HUB.
If you really need to do this, you will need to put a HUB (or a managed switch that does port mirroring) between your internet connection and your switched network.
Like this:
Internet - Router - Hub - switch - Network
                     |
           Computer (Cain & Abel)
This will allow you to sniff all incoming and outgoing traffic to the internet.
For those that are interested in password auditing and recovering, our blog has 3 articles that might be of interest to you all:
1- Auditing your users passwords for complexity : convincing management to adopt a strong password policy (using Cain & Abel)
2- Cracking your Windows SAM Database in Seconds with Ophcrack 2
3- Forgot your Windows password? No problems : Password resetting and recovering techniques
November 18th, 2006 at 2:49 pm
Kiltak,
Thanks for the clarification. It is true that you can receive this type of information from systems other than the one you are running on with ARP Poisoning but I definitely do not recommend it, primarily for the reasons that you mention and also because if you are doing this without permission, you could really get into a mess of trouble.
If you are an authorized network administrator and you do have a legitimate reason to do this, I would suggest a better way would be using port mirroring on the switch and mirror the port for the external router.
Just as an aside, (this is not directed at you, Kiltak, or anyone in specific) I want to re-emphasize that this article is to help you or your friends out in a bind. It is not intended as a tutorial on how to hack into someone else’s system.
I also suggest going and reading the articles mentioned by Kiltak. They are well worth the read.
Tim
November 20th, 2006 at 9:33 pm
Hi,
What program did you use to monitor the file and registry changes Cain & Abel made to your system? I would like to use one too.
November 20th, 2006 at 9:56 pm
I used a program called Total Uninstall. It basically takes a snapshot of your system prior to the installation and then takes another snapshot after the installation. It then compares the two snapshots and generates a difference report.
November 22nd, 2006 at 8:52 am
I’m actually pretty interested in the Total Uninstall program you mentioned (not that the Password Recovery article wasn’t great!). This is why you ALWAYS read the comments.
Is this the same Total Uninstall you use: http://www.martau.com/index.php
November 22nd, 2006 at 9:22 am
That’s the one. They used to have a free version but it is no longer available.
Tim
November 22nd, 2006 at 10:39 am
As for recovering passwords from email applications and the like, one of the things I have used with varying degrees of success has been Snadboy’s Revelation. It works well with Outlook Express, as it will expose the masked password that a user has inevitably saved in their account settings.
Now, the other thing to worry about with your users is to actually have them maintain their passwords in a secure place. I cannot recommend a better alternative than KeePass Password Safe–free, open-source, and using strong encryption in an easy-to-use interface.
November 22nd, 2006 at 10:58 am
Jason,
I am a long time KeePass user myself. I have been running it from my USB drive for years!
Tim
November 22nd, 2006 at 11:12 am
For those of you following the Total Uninstall thread, I have found a similar freeware application called InCtrl 5. I have not tried it and it is a bit older but it appears to work very much like Total Uninstall.
Tim
November 22nd, 2006 at 11:20 am
Last freeware Edition of Total Uninstall
http://freeware4u.com/modules/mydownloads/singlefile.php?lid=234
November 23rd, 2006 at 3:29 am
Will this program help me to get into my daughter’s yahoo email without her password?
November 23rd, 2006 at 11:48 am
I have just tried this software with Gmail, Yahoo, Hotmail, Msnmessenger, yahoo messenger, my share dealing company, my ftp, blogger, wordpress and it picked up the password and username for every single website.
Now I am seriously concerned as to using a computer in any public place like Airports for example where a rogue computer could poison the traffic.
One solution can be implemented if you know the Mac address of the gateway and checking it against the ARP table by using “arp -a” in the command line. It is always possible for the rogue computer to spoof his mac address to the gateway one but I guess that the traffic will come to a halt, am I right? Any other solution to detect arp poisoning?
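Added example, not part of the comment above and not a feature of Cain & Abel: the gateway check the comment describes, run over the text that `arp -a` prints on Windows, plus a second heuristic that flags one MAC address answering for several IP addresses. The gateway IP, the known-good MAC and the sample table are constructed; the function names are hypothetical.

```python
import re

# One row of Windows `arp -a` output: IP, dash-separated MAC, entry type.
ENTRY = re.compile(
    r"^[ \t]*(\d{1,3}(?:\.\d{1,3}){3})[ \t]+"
    r"((?:[0-9a-fA-F]{2}-){5}[0-9a-fA-F]{2})[ \t]+(\w+)", re.M)

def normalize_mac(mac):
    return mac.lower().replace(":", "-")

def parse_arp_table(text):
    """Return {ip: mac} for unicast entries only."""
    table = {}
    for ip, mac, _entry_type in ENTRY.findall(text):
        mac = normalize_mac(mac)
        if int(mac[:2], 16) & 1:  # group bit set: broadcast or multicast
            continue
        table[ip] = mac
    return table

def check_arp_table(text, gateway_ip, known_gateway_mac):
    """Return a list of (kind, detail) findings; an empty list means clean."""
    table = parse_arp_table(text)
    findings = []
    seen = table.get(gateway_ip)
    if seen is None:
        findings.append(("gateway-missing", gateway_ip))
    elif seen != normalize_mac(known_gateway_mac):
        findings.append(("gateway-mac-changed", "%s is at %s" % (gateway_ip, seen)))
    # Heuristic: one MAC answering for several IPs. This can be legitimate
    # (a router with several addresses), so treat it as a lead, not proof.
    by_mac = {}
    for ip, mac in table.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            findings.append(("shared-mac", "%s claimed by %s" % (mac, ", ".join(ips))))
    return findings

def sample_table(gateway_mac):
    # Constructed `arp -a` text in the Windows layout, not from a real network.
    return (
        "Interface: 192.168.1.20 --- 0x4\n"
        "  Internet Address      Physical Address      Type\n"
        "  192.168.1.1           %s     dynamic\n"
        "  192.168.1.35          00-aa-bb-cc-dd-ee     dynamic\n"
        "  192.168.1.40          00-10-20-30-40-50     dynamic\n"
        "  192.168.1.255         ff-ff-ff-ff-ff-ff     static\n"
        "  224.0.0.22            01-00-5e-00-00-16     static\n"
    ) % gateway_mac

if __name__ == "__main__":
    known = "00:11:22:33:44:55"  # constructed known-good gateway MAC
    print(check_arp_table(sample_table("00-11-22-33-44-55"), "192.168.1.1", known))
    print(check_arp_table(sample_table("00-aa-bb-cc-dd-ee"), "192.168.1.1", known))
```

The known-good gateway MAC has to be recorded on a network you trust, before the check is needed.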
November 27th, 2006 at 1:52 pm
Tim would you be so kind to draw out a layout of how one should use C&A in a home environment.
Let’s say I have a desktop PC that I want to get the pass from and a laptop that has C&A on it. I would much rather not touch the desktop as much as possible and perform the scan on the laptop.
My current layout is internet - router - switch (a cheap one). Placing a hub between the router and the switch isn’t always possible, how does one proceed in such a case?
November 27th, 2006 at 10:31 pm
I have a vaguely related problem. I have an old Belkin USB flash drive that is password protected. I CANNOT remember the password to save my life. The drive has old journals on it and I’d like to add to it. Any ideas on cracking that password? I was hoping C&A would be able to be directed toward the drive but I haven’t had luck with it.
November 29th, 2006 at 10:10 am
I lost my yahoo password on a computer at school, when I tried to d/l the Cain and Abel program it said the program was corrupt and wouldn’t allow me to install. What can I do to install the program?
Any help would be great.
December 18th, 2006 at 2:07 am
hi
Actually i forgot my yahoo password so how can i get it. i know only my birth dates and other things i forgot which i have filled to open my yahoo account. so is it possible to retrieve my password.
Plz reply me
December 18th, 2006 at 3:12 am
I have tried Cain & Abel and I don’t receive anything in POP3 but only in HTTP.
I do see my passwords for outlook, but not for yahoo or hotmail. Where it says passwords I only see my logon name.
What did I do wrong?
December 21st, 2006 at 2:17 pm
hey, i’m trying to install the C&A program, but there is no icon that appears in the installation package, i was just wondering, what steps i needed to take to complete the installation, thanks
January 10th, 2007 at 12:25 pm
Hi, I have posted a question and I’d really appreciate it if someone could help me out! I do see my passwords for outlook, but not for yahoo or hotmail. Furthermore I receive the passwords in HTTP and not in POP3!
Does someone know what I need to do to fix this? Thanks!
January 10th, 2007 at 1:22 pm
Hi, Tali. Sorry for not getting back sooner. Christmas, family time, etc. etc.
Anyway, the only thing that I can think of is that you do not have the password sniffer running. Give that a try.
Tim
January 12th, 2007 at 12:50 am
Dear Tim,
Thanks for your reply. I do have the sniffer running, I just see a whole lot of numbers where the password is supposed to be revealed and I can’t make anything of it…..
Any other suggestions? Hope you’ve had a good festive season, thanks in advance!
Tali
January 29th, 2007 at 1:17 pm
Its infected with trojan (cain?!)
:o(
January 29th, 2007 at 1:55 pm
Cain does not contain a trojan. Some antivirus software detects it as a trojan because of what it can do. Be confident that you can download Cain and it will not infect your computer.
Tim
January 29th, 2007 at 2:13 pm
Hoo..Yes!! Of course!!! Thanks!! Fine!!
:o)
February 7th, 2007 at 10:16 am
how do i get my password in yahoo? someone is using it and i need to get my info i have in it. please help
February 7th, 2007 at 6:58 pm
HELP! i cannot figure out how to set it up, even though i did follow the above very carefully. i typed in my password a lot of times, and there is nothing, no POP3 its all (0) in every category. anyone help? can it also be antivirus thats causing the problem?
March 1st, 2007 at 7:16 pm
I have an IMAC and would like to retrieve my password that was used to sign into gmail on my computer. How do i go about doing this?
March 5th, 2007 at 10:53 am
oxid.it isnt working, and i really need this program, are there any other places i can download it from?
March 15th, 2007 at 10:07 am
After my sniffer gets passwords they r encrypted, how do i de-encrypt it?? I say transfer to cracker n nutin happens.
-thx in advance
March 16th, 2007 at 4:28 pm
Is there a way to erase this information permanently from a computer?
March 17th, 2007 at 6:51 am
how do i decrypt yahoo passwords.
i have also posted and no one has answered
March 24th, 2007 at 8:24 am
c’mon someone answer my posting……………..
March 31st, 2007 at 9:07 am
I installed the Cain&Abel, configured it right and did everything else correctly( i think)…but for some reason…when i checked the PoP3 to retrieve my yahoo password…it was blank.
what did i do wrong….?
help me.
June 24th, 2007 at 12:15 pm
i have an imac , & need to retrieve my password
August 17th, 2007 at 1:03 pm
My anti-virus (Avast) said this program included a sample of a trojan and would not let me download it. Anyone else encounter this problem?
August 17th, 2007 at 10:32 pm
Hi i forgot my password in my yahoo account i try to use the Cain program to recover my password but i dont know how?? Can i still get my password even im using rented computer only??
November 5th, 2007 at 8:09 pm
i’d like to get access to my gmail.com/hellokitty.com emails,
but all i get are my MSN login passwords, a dial up password, and an FTP site.
any suggestions?
thanks in advance!
November 7th, 2007 at 1:17 pm
hi, somebody help me, please!!! I need probe my external mail OWA, but the probe is spoofing my mac to other pc, using Cain but this software doesn’t include the IP where run the program, what can I do?
thanks.
November 11th, 2007 at 7:06 am
How can I get the password for my blogger account????
I had a blog & I forgot it’s password.Now, when I request password assistance e mail they say there is no account related to my e mail.
What is the problem ??? can anyone help????
February 2nd, 2008 at 9:57 am
i am unable to retrieve the PWD using Cain&Abel. some one has changed and is using my yahoo mail id. please help me in getting my id back.
March 26th, 2008 at 5:35 pm
Hi All,
not sure what I’m doing wrong. Super new to this, but here goes. OK, I have C&A running. I am connected via ethernet to a Linksys router WRT54GS set for DHCP (I can connect wirelessly if need be). Other users connect wirelessly (my laptop for instance). Open system, no security.
I am capturing via the Ethernet card.
Nothing is showing up. I am used the above setup. Any ideas?
thanks,
Rudy
_________
May 22nd, 2008 at 2:27 pm
for all those having problems setting up Cain and Abel or using it to sniff passwords i suggest you take a quick look at youtube. They have quite a few videos some with a pretty decent instruction on what to do.