| Description | IP | Mac (last 4) |
|---|---|---|
Step 1: Enable sniffing in Cain.
Step 2: Do a MAC scan across your range. It's OK to run all of the tests; it shouldn't take much time (maybe a minute or two).
Step 3: Ensure that the targets you wish to attack are listed.
Step 4: Go to the APR tab (at the bottom), click in the center area (to enable the +), then click the plus at the top of the screen.
Step 5: Select the targets (Server and Client in this case). **DO NOT SELECT THE ROUTER IN BETWEEN**
Step 6: Click on the poison button (at the top) and ensure that the status changes to poisoning. You should see packet numbers start going up.
Step 7: Wait for the APR-RDP entry to highlight and click on it. Wait for the status to say closed. You have now successfully put yourself in the middle of the session and captured the entire thing!
Step 8: Use the RDP parser (source: http://www.irongeek.com/i.php?page=security/cain-rdp-mitm-parser) to determine the keystrokes.
Original: RDP-2011924161538204 (10 MB text file… YIKES!)
Parsed: FILTERED RDP EXAMPLE

```text
Parsed Log Made From C:\RDP-2011924161538203.txt
tester <enter pressed> <enter released> yahoo.com <enter pressed> <enter released> <enter pressed> <enter released> y
```
From this we can see that the password was ‘tester’ (the username had been typed in before the capture started). The user then went to yahoo.com.
The first screenshot here is normal traffic. The ARP replies are all correct, each mapping the right MAC to the right IP.
The second screenshot shows step 6 from above, when the poisoning actually starts. Wireshark flags the poisoning with the warning “Duplicate use of 192.168.2.1 detected!”, because the gateway's IP is now being claimed by a second MAC.
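The check Wireshark is making above, as an added example that is not part of the original post or of Cain: an IP-to-MAC table built from ARP replies that raises an alert whenever a known IP is re-mapped to a different MAC, plus a second pass that lists any MAC answering for more than one host. The ARP replies and MACs are constructed sample data; only the gateway address 192.168.2.1 comes from the screenshot.

```python
"""Detect ARP cache poisoning by spotting one IP claimed by more than one MAC.

Reproduces the idea behind Wireshark's "Duplicate use of <IP> detected!"
warning: keep an IP -> MAC table from ARP replies and alert when an IP shows
up with a MAC different from the one previously seen.
"""
from collections import defaultdict

# Constructed sample of ARP replies (is-at) as (timestamp, sender_ip, sender_mac).
# 192.168.2.1 is the gateway from the screenshot; all MACs are made up.
SAMPLE_ARP_REPLIES = [
    (0.00, "192.168.2.1",  "00:11:22:33:44:55"),  # real gateway
    (0.10, "192.168.2.10", "aa:bb:cc:dd:ee:10"),  # client
    (0.20, "192.168.2.20", "aa:bb:cc:dd:ee:20"),  # RDP server
    (5.00, "192.168.2.1",  "de:ad:be:ef:00:01"),  # third host claims the gateway
    (5.01, "192.168.2.20", "de:ad:be:ef:00:01"),  # ... and the server
    (5.50, "192.168.2.1",  "00:11:22:33:44:55"),  # real gateway answers again
]

def detect_duplicate_ip_use(arp_replies):
    """Return alerts (timestamp, ip, old_mac, new_mac), one per reply that
    re-maps an already-known IP. A single change can be a legitimate NIC
    swap; an IP flip-flopping between MACs within seconds is the poisoning
    signature."""
    ip_to_mac = {}
    alerts = []
    for ts, ip, mac in arp_replies:
        mac = mac.lower()
        known = ip_to_mac.get(ip)
        if known is not None and known != mac:
            alerts.append((ts, ip, known, mac))
        ip_to_mac[ip] = mac
    return alerts

def macs_claiming_multiple_ips(arp_replies):
    """Map each MAC to the IPs it has claimed; a MAC answering for several
    hosts (gateway and server) is the man-in-the-middle tell."""
    mac_to_ips = defaultdict(set)
    for _, ip, mac in arp_replies:
        mac_to_ips[mac.lower()].add(ip)
    return {mac: ips for mac, ips in mac_to_ips.items() if len(ips) > 1}

if __name__ == "__main__":
    for ts, ip, old, new in detect_duplicate_ip_use(SAMPLE_ARP_REPLIES):
        print(f"[{ts:6.2f}s] Duplicate use of {ip} detected! {old} -> {new}")
    for mac, ips in macs_claiming_multiple_ips(SAMPLE_ARP_REPLIES).items():
        print(f"{mac} claims {sorted(ips)}")
```

Feeding it a real capture means replacing the constructed list with tuples pulled from ARP reply frames (opcode 2) via your capture tool of choice; the two functions do not change.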