Cain & Abel: RDP MiTM

How to man-in-the-middle an RDP session with Cain & Abel

The Setup:

Description IP Mac (last 4)
Client 49:43
Server 39:b4
Router A9:EC
Attacker A8:AB

The Instructions:

Step 1: Enable sniffing in Cain.

Step 2: Do a MAC scan across your range. It's OK to run all of the tests; it shouldn't take much time (maybe a minute or two).

Step 3: Ensure that the targets you wish to attack are listed.

Step 4: Go to the APR tab (at the bottom), click in the center area (to enable the +), then click the plus at the top of the screen.

Step 5: Select the targets (Server and Client in this case). **DO NOT SELECT THE ROUTER IN BETWEEN**

Step 6: Click on the poison button (at the top) and ensure that the status changes to poisoning. You should see packet numbers start going up.

Step 7: Wait for the APR-RDP entry to highlight and click on it. Wait for the status to say closed. You have now successfully put yourself in the middle of the session, and captured the entire thing!

Step 8: Use the RDP parser (source: to determine the keystrokes. cain-RDP-parser

Original: RDP-2011924161538204 (10meg text file… YIKES!)

Parsed Log Made From C:\RDP-2011924161538203.txt
<enter pressed>

<enter released>
<enter pressed>

<enter released>

<enter pressed>

<enter released>


From this we can see that the password was ‘tester’ (username was typed in ahead of time).  The user then went to

Client Proof:

The first screenshot here is normal traffic. The ARPs are all correct in pointing the right MAC to the right IP.

The second screenshot shows step 6 from above, when the poisoning actually starts.  Wireshark detects the poisoning showing “Duplicate use of detected!”
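The same kind of check can be run on the defender's side over captured ARP frames. The following is an added example, not part of the original post or of Wireshark: it records the first MAC seen for each sender IP and flags any later frame that claims the same IP from a different MAC. The MAC prefixes and IP addresses are constructed placeholders; only the last two MAC bytes follow the setup table above.

```python
import struct

def _mac(b): return ":".join(f"{x:02x}" for x in b)
def _ip(b): return ".".join(str(x) for x in b)

def parse_arp(frame):
    """Return (sender_mac, sender_ip) from an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":      # EtherType 0x0806 = ARP
        return None
    htype, ptype, hlen, plen, _op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):     # Ethernet + IPv4 only
        return None
    return _mac(frame[22:28]), _ip(frame[28:32])

def find_duplicate_ip_use(frames):
    """List (frame_no, ip, first_mac, new_mac) when an IP is claimed by a second MAC."""
    first_seen, alerts = {}, []
    for n, frame in enumerate(frames, 1):
        parsed = parse_arp(frame)
        if parsed is None or parsed[1] == "0.0.0.0":        # skip non-ARP and ARP probes
            continue
        smac, sip = parsed
        known = first_seen.setdefault(sip, smac)
        if known != smac:
            alerts.append((n, sip, known, smac))
    return alerts

def build_arp(src_mac, src_ip, dst_mac, dst_ip, op=2):
    """Build a constructed ARP frame (bytes only, nothing is sent) as sample input."""
    smac, dmac = (bytes.fromhex(m.replace(":", "")) for m in (src_mac, dst_mac))
    sip, dip = (bytes(int(p) for p in a.split(".")) for a in (src_ip, dst_ip))
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + smac + sip + dmac + dip
    return dmac + smac + b"\x08\x06" + arp

# Constructed sample input: placeholder MAC prefixes and documentation-range IPs.
CLIENT, SERVER, ATTACKER = "02:00:00:00:49:43", "02:00:00:00:39:b4", "02:00:00:00:a8:ab"
CLIENT_IP, SERVER_IP = "192.0.2.10", "192.0.2.20"
SAMPLE = [
    build_arp(CLIENT, CLIENT_IP, SERVER, SERVER_IP),     # normal: client announces itself
    build_arp(SERVER, SERVER_IP, CLIENT, CLIENT_IP),     # normal: server announces itself
    build_arp(ATTACKER, SERVER_IP, CLIENT, CLIENT_IP),   # server IP now claimed by attacker MAC
    build_arp(ATTACKER, CLIENT_IP, SERVER, SERVER_IP),   # client IP now claimed by attacker MAC
]

if __name__ == "__main__":
    for n, ip, old, new in find_duplicate_ip_use(SAMPLE):
        print(f"frame {n}: duplicate use of {ip} detected ({old} -> {new})")
```

A legitimate address move (a replaced NIC, a failover pair) raises the same alert, so treat a hit as a prompt to compare the new MAC against inventory rather than as proof of poisoning.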