
I have recently been performing a security audit at work (sanctioned of course) and have seen some interesting behaviour from Cain and Abel. I've purposefully avoided using APR so that my co-workers won't freak out at security certificate errors and have only been using the "sniffing" functionality.

Somehow, Cain is still able to pick up a lot of SNMP, MSKerb5-PreAuth, Telnet, LDAP, HTTP, and FTP passwords. How is this possible in a switched environment without using APR? I checked the ARP tables on a couple of other machines while running the sniffer and they all had the correct ARP entries for the gateway.

At first I thought for some odd reason we may have had hubs on our network but I checked into it and it's definitely all switched.

I've read a lot of information on ARP spoofing/poisoning but can't find much at all on the specifics of Cain's sniffer.

Tomorrow I plan on running around with Wireshark to see if I can trace where some of these packets are coming from as they could potentially be very damaging.

1
  • I had a moment once when I was running the C&A sniffer and saw heaps of passwords 'streaming in', only to realise that it was another tool running on my machine (nessus or nmap or something) testing different passwords, hence they were all actually false positives. Just double check that isn't the case ;)
    – NULLZ
    Commented Sep 6, 2013 at 3:30

2 Answers

1

In essence, if you are not ARP poisoning "AND" your system is not on a hub, both of which you made sure of, there should be no packets not destined to your IP(s) showing up in your captures. So the key question to look at would be what the sources and destinations were in the packets where you got the passwords/hashes/SNMP data from. If they are all destined to your IP then either you are running C&A on an authentication server or SNMP trap receiver, or something about your switching environment is seriously wrong.

1

If you're sure that you're on a switch then you should not be receiving packets that you are not the intended recipient for.

Have you attempted any APR before, so that some hosts may still be poisoned? Are you sure that all routes on your network are configured properly?

Use Wireshark to determine that you are not broadcasting any gratuitous ARP packets and that no one else is actively poisoning the network too. Perhaps C&A is doing something without you knowing.
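Both answers come down to the same two checks on the capture: which frames arrive that are not addressed to the sniffing host, and whether anyone (the auditing machine included) is emitting gratuitous ARP or claiming an IP with more than one MAC. The script below is an added example written for this page, not code from either answerer or from Cain & Abel; it decodes raw Ethernet/IPv4/ARP frames with only the standard library and sorts them into the buckets a switched port should and should not deliver. `LOCAL_MAC`, `LOCAL_IP` and the frames in `SAMPLE_FRAMES` are constructed values for illustration; in practice you would feed it the frames from a capture taken on the same host.

```python
import struct
from collections import Counter

# Constructed values for this example: the auditing host's own addresses.
LOCAL_MAC = "00:11:22:33:44:55"
LOCAL_IP = "192.168.1.10"
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def _mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def _ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))

def _mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def _ip_str(b):
    return ".".join(str(x) for x in b)


def parse_frame(frame):
    """Decode an Ethernet II frame far enough to see who it is addressed to.
    Returns Ethernet addresses plus IPv4 addresses or ARP fields; None if truncated."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst_mac": _mac_str(frame[:6]), "src_mac": _mac_str(frame[6:12]), "proto": "other"}
    payload = frame[14:]
    if ethertype == 0x0800 and len(payload) >= 20:      # IPv4: src/dst at offsets 12..20
        info.update(proto="ipv4", src_ip=_ip_str(payload[12:16]), dst_ip=_ip_str(payload[16:20]))
    elif ethertype == 0x0806 and len(payload) >= 28:    # ARP: 28-byte Ethernet/IPv4 body
        info.update(proto="arp", op=struct.unpack("!H", payload[6:8])[0],
                    sender_mac=_mac_str(payload[8:14]), sender_ip=_ip_str(payload[14:18]),
                    target_mac=_mac_str(payload[18:24]), target_ip=_ip_str(payload[24:28]))
    return info


def classify(info, local_mac=LOCAL_MAC, local_ip=LOCAL_IP):
    """Bucket a frame by whether a switch port should legitimately deliver it to us."""
    dst = info["dst_mac"]
    if dst == BROADCAST_MAC:
        return "broadcast"            # flooded to every port; normal on a switch
    if int(dst[:2], 16) & 1:
        return "multicast"            # group address; also flooded unless snooping is on
    if dst == local_mac:
        if info["proto"] == "ipv4" and info["dst_ip"] != local_ip:
            return "to-our-mac-foreign-ip"   # another host's IP mapped to our MAC
        return "unicast-to-us"
    return "unicast-to-other"         # should not arrive on a switched port without poisoning, a hub or SPAN


def audit(frames, local_mac=LOCAL_MAC, local_ip=LOCAL_IP):
    """Summarise a capture: traffic buckets, gratuitous ARPs, IPs claimed by several MACs."""
    counts, gratuitous, ip_to_macs = Counter(), [], {}
    for frame in frames:
        info = parse_frame(frame)
        if info is None:
            counts["malformed"] += 1
            continue
        counts[classify(info, local_mac, local_ip)] += 1
        if info["proto"] == "arp":
            if info["sender_ip"] == info["target_ip"]:   # gratuitous ARP announces its own IP
                gratuitous.append((info["sender_mac"], info["sender_ip"]))
            ip_to_macs.setdefault(info["sender_ip"], set()).add(info["sender_mac"])
    conflicts = {ip: macs for ip, macs in ip_to_macs.items() if len(macs) > 1}
    return counts, gratuitous, conflicts


def build_ipv4_frame(dst_mac, src_mac, src_ip, dst_ip):
    """Constructed minimal IPv4-in-Ethernet frame (header only, checksum left zero)."""
    ip_hdr = (b"\x45\x00" + struct.pack("!H", 20) + b"\x00\x00\x40\x00\x40\x06\x00\x00"
              + _ip_bytes(src_ip) + _ip_bytes(dst_ip))
    return _mac_bytes(dst_mac) + _mac_bytes(src_mac) + b"\x08\x00" + ip_hdr


def build_arp_frame(dst_mac, src_mac, op, sender_mac, sender_ip, target_mac, target_ip):
    """Constructed ARP frame (hardware type 1, protocol 0x0800, lengths 6/4)."""
    arp = (b"\x00\x01\x08\x00\x06\x04" + struct.pack("!H", op) + _mac_bytes(sender_mac)
           + _ip_bytes(sender_ip) + _mac_bytes(target_mac) + _ip_bytes(target_ip))
    return _mac_bytes(dst_mac) + _mac_bytes(src_mac) + b"\x08\x06" + arp


# Constructed sample capture: a gateway at .1 and two other hosts at .20 and .30.
SAMPLE_FRAMES = [
    build_ipv4_frame(LOCAL_MAC, "aa:bb:cc:00:00:01", "192.168.1.1", LOCAL_IP),                    # reply to us
    build_ipv4_frame(BROADCAST_MAC, "aa:bb:cc:00:00:20", "192.168.1.20", "192.168.1.255"),        # subnet broadcast
    build_ipv4_frame("01:00:5e:00:00:fb", "aa:bb:cc:00:00:20", "192.168.1.20", "224.0.0.251"),    # mDNS multicast
    build_ipv4_frame("aa:bb:cc:00:00:30", "aa:bb:cc:00:00:20", "192.168.1.20", "192.168.1.30"),   # the anomaly
    build_arp_frame(BROADCAST_MAC, "aa:bb:cc:00:00:01", 2, "aa:bb:cc:00:00:01", "192.168.1.1",
                    "00:00:00:00:00:00", "192.168.1.1"),                                          # gratuitous ARP
    build_arp_frame(LOCAL_MAC, "aa:bb:cc:00:00:99", 2, "aa:bb:cc:00:00:99", "192.168.1.1",
                    LOCAL_MAC, LOCAL_IP),                                                         # second MAC claims .1
]

if __name__ == "__main__":
    counts, gratuitous, conflicts = audit(SAMPLE_FRAMES)
    print("traffic buckets:", dict(counts))
    print("gratuitous ARPs:", gratuitous)
    print("IPs claimed by more than one MAC:", conflicts)
```

Anything landing in `unicast-to-other` is the evidence the first answer asks for: frames between two other hosts that a switch port should never have delivered. A non-empty `conflicts` set (one IP announced from two MACs) is the classic signature of active poisoning, and `gratuitous` lists who is announcing themselves, which is how you confirm the auditing box itself is quiet. In Wireshark the same two checks are the display filters `arp.isgratuitous == 1` and `arp.duplicate-address-detected`.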
