Cain & Abel: RDP MiTM

How to man-in-the-middle an RDP session with Cain & Abel

The Setup:

Description   IP              MAC (last 4 hex digits)
Client        192.168.2.147   49:43
Server        192.168.2.106   39:b4
Router        192.168.2.1     A9:EC
Attacker      192.168.2.112   A8:AB

The Instructions:

Step 1: Enable sniffing in Cain.

Step 2: Do a MAC scan across your range.  It's OK to run all of the tests; it shouldn't take long (maybe a minute or two).

Step 3: Ensure that the targets you wish to attack are listed.

Step 4: Go to the APR tab (at the bottom), click in the empty center area (this enables the +), then click the plus at the top of the screen.

Step 5:  Select the targets (Server and Client in this case).  **DO NOT SELECT THE ROUTER IN BETWEEN.**  The RDP session runs directly between the client and the server on the same subnet, so those two hosts are the ones whose ARP caches must be poisoned; poisoning either of them against the router only redirects their traffic to other networks and leaves the RDP session untouched.

Step 6: Click on the poison button (at the top) and ensure that the status changes to Poisoning.  You should see the packet counters start going up.

Step 7: Wait for the APR-RDP entry to highlight and click on it.  Wait for the session status to say Closed.  You have now successfully put yourself in the middle of the session and captured the entire thing.  Caveat: this only works because the legacy RDP security layer lets Cain substitute its own key for the server's; a server that requires Network Level Authentication, or TLS with a certificate the client actually validates, will not yield a readable session this way.

Step 8: Use the RDP parser (source: http://www.irongeek.com/i.php?page=security/cain-rdp-mitm-parser) to pull the keystrokes out of the capture file. cain-RDP-parser

Original: RDP-2011924161538204 (10 MB text file… YIKES!)

Parsed: filtered RDP example

Parsed Log Made From C:\RDP-2011924161538203.txt
tester
<enter pressed>

<enter released>
yahoo.com
<enter pressed>

<enter released>

<enter pressed>

<enter released>
y

Interpretation:

From this we can see that the password was 'tester' (the username had been typed in ahead of time, so it does not appear in the capture).  The user then typed yahoo.com and pressed Enter, i.e. browsed to yahoo.com inside the session.  The trailing 'y' is a keystroke captured after the last Enter, before the session closed.
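The reading above can be automated. The following is an added example, not the irongeek parser and not code from this post: it consumes the parsed log format shown above (runs of typed characters on their own lines plus `<key pressed>` / `<key released>` markers) and splits the stream on Enter, so each submitted line comes out whole and anything typed after the last Enter is reported separately. The embedded log is a constructed copy of the sample on this page; the `<backspace pressed>` marker name is an assumption about the parser's output, everything else follows the sample.

```python
"""Reconstruct what the user typed from a parsed Cain RDP keystroke log.

Added example, not the irongeek parser or any code from the post. Works on
the parsed (filtered) log, not on the raw 10 MB Cain capture file.
"""
import re

MARKER = re.compile(r"^<(?P<key>[a-z]+) (?P<state>pressed|released)>$", re.IGNORECASE)

# Constructed copy of the parsed log shown on the page.
SAMPLE_LOG = """Parsed Log Made From C:\\RDP-2011924161538203.txt
tester
<enter pressed>

<enter released>
yahoo.com
<enter pressed>

<enter released>

<enter pressed>

<enter released>
y
"""


def reconstruct_lines(log_text):
    """Return (submitted_lines, pending) from a parsed keystroke log.

    submitted_lines: everything terminated by Enter, in order (an empty string
    for an Enter with nothing typed before it).
    pending: characters typed after the last Enter, which the capture still
    holds even though the user never submitted them.
    """
    submitted, buf = [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Parsed Log Made From"):
            continue  # blank spacer lines and the parser's header carry no input
        m = MARKER.match(line)
        if m is None:
            buf.extend(raw)  # a run of literal typed characters
            continue
        key, state = m.group("key").lower(), m.group("state").lower()
        if state != "pressed":
            continue  # key releases add no input
        if key == "enter":
            submitted.append("".join(buf))
            buf = []
        elif key == "backspace" and buf:  # assumed marker name, see lead-in
            buf.pop()
        # other markers (shift, ctrl, ...) only modify keys and add nothing here
    return submitted, "".join(buf)


if __name__ == "__main__":
    lines, pending = reconstruct_lines(SAMPLE_LOG)
    for n, text in enumerate(lines, 1):
        print(f"line {n}: {text!r}")
    print(f"typed after last Enter: {pending!r}")
```

On the page's sample this yields the lines 'tester', 'yahoo.com' and an empty line, with 'y' left pending, which is exactly the interpretation given above.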

Client Proof:

The first screenshot here is normal traffic.  The ARP replies are all correct, each mapping the right MAC to the right IP.

The second screenshot shows step 6 from above, when the poisoning actually starts.  Wireshark detects the poisoning, showing “Duplicate use of 192.168.2.1 detected!”: the same IP address is now being claimed by two different MAC addresses.
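The check Wireshark is making there is simple enough to reproduce offline. The following is an added example, not code from this post or from Cain & Abel: it parses raw Ethernet/ARP reply frames and flags any IP address claimed by two different MACs (the duplicate-IP condition) plus any single MAC that claims several IPs (what a host relaying between two victims looks like). The frames are constructed; the full MACs are assumptions built around the last four hex digits the table above lists for each host, and the poison replies are modelled on what Cain sends in step 6.

```python
"""Offline ARP-spoofing detector for the 'Client Proof' stage of the post.

Added example, not code from the original post or from Cain & Abel.
"""
import struct
from collections import defaultdict

ETH_P_ARP = 0x0806
ARP_REPLY = 2

# Constructed hosts: only the trailing "xx:xx" of each MAC comes from the post.
CLIENT = ("192.168.2.147", "aa:bb:cc:dd:49:43")
SERVER = ("192.168.2.106", "aa:bb:cc:dd:39:b4")
ROUTER = ("192.168.2.1", "aa:bb:cc:dd:a9:ec")
ATTACKER = ("192.168.2.112", "aa:bb:cc:dd:a8:ab")


def _mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def _mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def _ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def _ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Build an Ethernet frame carrying an ARP reply (RFC 826 layout)."""
    eth = _mac_bytes(target_mac) + _mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)  # Ethernet/IPv4, reply
    arp += _mac_bytes(sender_mac) + _ip_bytes(sender_ip)
    arp += _mac_bytes(target_mac) + _ip_bytes(target_ip)
    return eth + arp


def parse_arp_reply(frame):
    """Return (sender_ip, sender_mac) for an Ethernet/IPv4 ARP reply, else None."""
    if len(frame) < 14 + 28 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen, oper) != (1, 0x0800, 6, 4, ARP_REPLY):
        return None
    return _ip_str(frame[28:32]), _mac_str(frame[22:28])


def detect_arp_spoofing(frames):
    """Replay frames in order; return (alerts, ip_to_mac, multi_ip_macs).

    alerts: (ip, first_mac, conflicting_mac) per reply that contradicts the
    first MAC seen for that IP; this is the duplicate-IP condition Wireshark
    reports. multi_ip_macs: {mac: sorted ips} for MACs claiming more than one
    IP, a second signal that one host is standing in for several.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for frame in frames:
        parsed = parse_arp_reply(frame)
        if parsed is None:
            continue  # ARP requests and non-ARP traffic carry no claim
        ip, mac = parsed
        first = ip_to_mac.setdefault(ip, mac)  # first reply seen is the baseline
        if first != mac:
            alerts.append((ip, first, mac))
        mac_to_ips[mac].add(ip)
    multi = {m: sorted(ips) for m, ips in mac_to_ips.items() if len(ips) > 1}
    return alerts, ip_to_mac, multi


def sample_capture():
    """Constructed replay: three legitimate replies, then the poison replies."""
    legit = [
        build_arp_reply(SERVER[1], SERVER[0], CLIENT[1], CLIENT[0]),
        build_arp_reply(CLIENT[1], CLIENT[0], SERVER[1], SERVER[0]),
        build_arp_reply(ROUTER[1], ROUTER[0], CLIENT[1], CLIENT[0]),
    ]
    poison = [
        build_arp_reply(ATTACKER[1], SERVER[0], CLIENT[1], CLIENT[0]),  # "server is at attacker"
        build_arp_reply(ATTACKER[1], CLIENT[0], SERVER[1], SERVER[0]),  # "client is at attacker"
        build_arp_reply(ATTACKER[1], ROUTER[0], CLIENT[1], CLIENT[0]),  # the 192.168.2.1 duplicate
    ]
    return legit + poison


if __name__ == "__main__":
    alerts, table, multi = detect_arp_spoofing(sample_capture())
    for ip, first, other in alerts:
        print(f"Duplicate use of {ip} detected! ({first} vs {other})")
    print("MACs claiming several IPs:", multi)
```

The baseline is simply the first reply seen for each IP, which is what a passive monitor started before the attack can do; on a live network you would seed `ip_to_mac` from a known-good inventory instead, so that a poison reply arriving before the legitimate one is still caught.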

Image Source: http://1.bp.blogspot.com/_6Y3t2XpO2oE/TP6TzW3r9zI/AAAAAAAAAYw/pTLfr8t-4pQ/s1600/Side%252BJack%252BCafe.jpg
