NetRipper: Smart traffic sniffing for penetration testers
Category : Blog
NetRipper is a fairly recent tool that is positioned for the post-operating system based on Windowsand uses a number of non-standard approaches to extract sensitive data. It uses API hooking in order to intercept network traffic and encryption related functions from a low privileged user, being able to capture both plain-text traffic and encrypted traffic before encryption/after decryption. This tool was first demonstrated at the Defcon 23 in Vegas.
How does NetRipper work:
[IP] It has two main components:
- dll – A DLL that will be injected in various processes (the main component)
- The DLL configurator and injector
The DLL configurator and injector comes in three flavours:
- exe – Command line version
- rb – Metasploit post-exploitation module
- Invoke-NetRipper.ps1 – PowerShell version created by @HarmJ0y
So, after you have access to a system, you use your preferred DLL configurator and injector and inject the DLL into processes like Chrome, Firefox, Putty or WinSCP. You can go and grab a coffee, read the news or just scroll Facebook and come back to the system. You will find text files with plain-text traffic from that system. This may include usernames and passwords from different servers or applications so you are able to access them.
- Basic network sniffing
- DLL Injection and API hooking
While basic network sniffing may work, it will just capture unencrypted traffic. Also, it is possible to install our own Root CA (Certificate Authority) in order to capture encrypted traffic. But this method would require Administrator privileges.
Because the applications encrypt and decrypt the data at the application level, the easiest way to reach our goal was to create a DLL that hooks network traffic and encryption API functions in order to get plain-text information.
NetRipper main goals:
[IP] As network or system administrators use multiple tools to access different systems, NetRipper had to work on multiple applications from the beginning.
Most Popular Training Courses at Indian Cyber Security Solutions:
Cybersecurity services that can protect your company: