Massimiliano Montoro is the mastermind behind Cain & Abel, the password recovery tool for Windows. In this interview he provides insight on the history of the tool, the development process, and much more.
Cain & Abel is one of the most important security tools that is probably in the software toolkit of every security professional. Can you walk our readers back in time and provide some insight on how it all started and how the project evolved?
Thank you! The software has been developed in the hope that it could be useful for network administrators, teachers, security professionals, forensic staff, security software vendors, professional penetration testers and everyone else that plans to use it for ethical reasons.
It all started more then ten years ago, the first version of the program was a simple password cracker for Windows 9x PWL files, then the software has evolved in time accordingly to the features I have needed during my consulting activities (vulnerability assessment, ethical hacking) and on requests I’ve received from users.
From the beginning I wished that the software was focused to work on long-lifetime vulnerabilities only. For long-lifetime vulnerabilities I mean those that require a complete software re-design to be fixed (eg: the usage of a weak encryption algorithm, the unsafe storage of credentials, old authentication schemes still used for backward compatibility and so on). What I wanted was a piece of software that remain useful over time; for this reason I have deliberately avoided any kind of features that were made to exploit 0-day vulnerabilities and other programming errors easily removable by mean of a patch issued by the vendor of the software.
If you think about it, in the last few years Microsoft, as a lot of other vendors, has released hundreds of patches to fix issues in its software, but even if you have already applied all of them. Cain can still crack Windows passwords and it can still perform MitM attacks on the RDP protocol by mean of the vulnerability I described in my advisory on 28/05/2005. The same thing happens to the network protocols; as of today the ARP protocol is still stateless and authentication less, allowing you to conduct traffic hijacking attacks based on ARP poisoning technique. Honestly I have never come across a company that took into account the mitigation of the risks arising from these vulnerabilities.
Cain & Abel covers the features of several hacking tools into a single freeware application. The main purpose is to take advantage of different hacking techniques and use them together into a program focused on password recovery.
Are you the sole developer of Cain & Abel or is there a team of contributors behind the project?
Actually, I’m the only one developer of the program. However, I received the support of many people both as regards the testing of functionality and suggestions for improvements. I must say a big thanks to all users of my forum for the incredible support they are continuously providing to newcomers.
What were the biggest challenges that you encountered during development?
I’ll try to summarize the main difficulties I faced:
- My wife shouting to me while I was behind the computer instead of bringing her out for shopping.
- The deep knowledge of the operation of network protocols, encryption algorithms and security mechanisms used by IT systems.
- Mastering assembler code optimization techniques and the usage of MMX/SSE instructions to rise cracking speed.
- The fact I had limited resources to test the functionality of the program in terms of software, systems and network devices. Many features of the program have been developed trying to predict what would be their operation in real conditions, especially for what concerns the analysis of network traffic.
- Proper management of hijacked traffic to avoid denial of service conditions.
- The search for details and specifications of undocumented algorithms and functions by mean of the analysis of compiled, and sometimes undebuggable, code.
You are well known for constantly refining Cain & Abel as new versions come out quite frequently. What do users ask for most often, and what areas do you especially plan to improve in future versions?
As happens for any other program that performs exhaustive key searches, users keep asking for more speed. This involves the support of multiprocessor and 64-bit systems or the usage of graphic accelerator cards. The above features require a lot of programming time and, of course, the availability of appropriate hardware/software. Anyway, It was never my intention to create a program that was “the fastest”, or able to crack passwords of any length; I am more interested in demonstrating the feasibility of being able to exploit a weakness to achieve a goal. The first thing I should do in the near future is to create a 64bit version of the software, solving possible compatibility problems. This could take a while but I’ll do my best, time permitting.
In the past, Cain & Abel was mistakenly identified as malware. What’s the best way to deal with such a situation?
Antivirus vendors are doing their best to protect computer users from viruses and malicious software. Probably they have classified my program as a dangerous software as they have done for most of the hacking tools available on the Internet. Anyway, this does not mean that my software is infected. I can assure to you that there are NO viruses or spyware or dialers or malware or backdoors in the programs from my site. Cain & Abel does NOT infect files, it does NOT collect your password over the Internet, it does NOT replicate itself and it does NOT automatically install the Abel service during the installation. I’m not in the position to pretend the removal of my software from Antivirus vendors databases and somehow I agree with them, Cain is not a program for everyone.
I am sure that whoever is able to understand the potential of the program and want to use it, are also able to create a simple exclusion rule in their antivirus software. As proof of contents, in every release of the program the executable and .DLL files are always signed by me; MD5 and SHA-1 hashes of the installation package are also available from my site.
Have there been offers to sell the software? Would you ever consider doing a commercial version?
Yes, there have been. I have received offers for both the code in its entirety and for specific features of the program, but as of today there were no further agreements. A commercial version would involve the management of licensing and post-sale support services for the product. Currently I do not have the necessary time to take care of these activities.
If you could develop any piece of security software, which one would it be?
I have been a security consultant for years and during this time I developed many applications focused to demonstrate concepts arising from assessment activities. The programs available on my website are just a small part of all those I have created; some of these are dedicated to highlight weaknesses in the security algorithms used by commercial software and others are focused on the analysis of proprietary network protocols. If I could choose to develop something new, this would probably be a program that would allow me to improve my knowledge about something I know little. I think that programming is an effective way to get to know in deep what is studied on books.