Q&A: Cain & Abel, the password recovery tool
by Mirko Zorz - Tuesday, 7 July 2009.
What were the biggest challenges that you encountered during development?

I'll try to summarize the main difficulties I faced:
  • My wife shouting to me while I was behind the computer instead of bringing her out for shopping.
  • The deep knowledge of the operation of network protocols, encryption algorithms and security mechanisms used by IT systems.
  • Mastering assembler code optimization techniques and the usage of MMX/SSE instructions to rise cracking speed.
  • The fact I had limited resources to test the functionality of the program in terms of software, systems and network devices. Many features of the program have been developed trying to predict what would be their operation in real conditions, especially for what concerns the analysis of network traffic.
  • Proper management of hijacked traffic to avoid denial of service conditions.
  • The search for details and specifications of undocumented algorithms and functions by mean of the analysis of compiled, and sometimes undebuggable, code.
You are well known for constantly refining Cain & Abel as new versions come out quite frequently. What do users ask for most often, and what areas do you especially plan to improve in future versions?

As happens for any other program that performs exhaustive key searches, users keep asking for more speed. This involves the support of multiprocessor and 64-bit systems or the usage of graphic accelerator cards. The above features require a lot of programming time and, of course, the availability of appropriate hardware/software. Anyway, It was never my intention to create a program that was "the fastest", or able to crack passwords of any length; I am more interested in demonstrating the feasibility of being able to exploit a weakness to achieve a goal. The first thing I should do in the near future is to create a 64bit version of the software, solving possible compatibility problems. This could take a while but I'll do my best, time permitting.

In the past, Cain & Abel was mistakenly identified as malware. What's the best way to deal with such a situation?

Antivirus vendors are doing their best to protect computer users from viruses and malicious software. Probably they have classified my program as a dangerous software as they have done for most of the hacking tools available on the Internet. Anyway, this does not mean that my software is infected. I can assure to you that there are NO viruses or spyware or dialers or malware or backdoors in the programs from my site. Cain & Abel does NOT infect files, it does NOT collect your password over the Internet, it does NOT replicate itself and it does NOT automatically install the Abel service during the installation. I'm not in the position to pretend the removal of my software from Antivirus vendors databases and somehow I agree with them, Cain is not a program for everyone.

I am sure that whoever is able to understand the potential of the program and want to use it, are also able to create a simple exclusion rule in their antivirus software. As proof of contents, in every release of the program the executable and .DLL files are always signed by me; MD5 and SHA-1 hashes of the installation package are also available from my site.

Have there been offers to sell the software? Would you ever consider doing a commercial version?

Yes, there have been. I have received offers for both the code in its entirety and for specific features of the program, but as of today there were no further agreements. A commercial version would involve the management of licensing and post-sale support services for the product. Currently I do not have the necessary time to take care of these activities.

If you could develop any piece of security software, which one would it be?

I have been a security consultant for years and during this time I developed many applications focused to demonstrate concepts arising from assessment activities. The programs available on my website are just a small part of all those I have created; some of these are dedicated to highlight weaknesses in the security algorithms used by commercial software and others are focused on the analysis of proprietary network protocols. If I could choose to develop something new, this would probably be a program that would allow me to improve my knowledge about something I know little. I think that programming is an effective way to get to know in deep what is studied on books.


What's the real cost of a security breach?

The majority of business decision makers admit that their organisation will suffer an information security breach and that the cost of recovery could start from around $1 million.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Fri, Feb 12th