NetRipper: Smart traffic sniffing for penetration testers



NetRipper is a fairly recent post-exploitation tool for Windows that uses a number of non-standard approaches to extract sensitive data. It uses API hooking to intercept network traffic and encryption-related functions from a low-privileged user, capturing both plain-text traffic and encrypted traffic before encryption or after decryption. The tool was first demonstrated at Defcon 23 in Las Vegas.


How does NetRipper work:

It has two main components:

  1. dll – A DLL that will be injected in various processes (the main component)
  2. The DLL configurator and injector

The DLL configurator and injector comes in three flavours:

  1. exe – Command line version
  2. rb – Metasploit post-exploitation module
  3. Invoke-NetRipper.ps1 – PowerShell version created by @HarmJ0y

So, after you have access to a system, you use your preferred DLL configurator and injector and inject the DLL into processes like Chrome, Firefox, Putty or WinSCP. You can go and grab a coffee, read the news or just scroll Facebook and come back to the system. You will find text files with plain-text traffic from that system. This may include usernames and passwords from different servers or applications so you are able to access them.


API hooking

  • Basic network sniffing
  • DLL Injection and API hooking

Basic network sniffing works, but it only captures unencrypted traffic. Encrypted traffic could be captured by installing our own Root CA (Certificate Authority), but that method requires Administrator privileges.

Because the applications encrypt and decrypt the data at the application level, the easiest way to reach our goal was to create a DLL that hooks network traffic and encryption API functions in order to get plain-text information.



NetRipper main goals:

As network and system administrators use multiple tools to access different systems, NetRipper had to work with multiple applications from the beginning.

It should capture plain-text traffic from any application, from Chrome or Firefox to FileZilla or SQL Server Management Studio. By hooking the Windows API functions responsible for plain-text network traffic – send/recv and WSASend/WSARecv – it should just work.

But network and system administrators are professionals who do not use unencrypted channels to do their job, so NetRipper must be able to handle as many applications as possible. Some applications use the Windows API functions and are easy to intercept, but others, such as WinSCP or Putty, require special work.

A partial list of the supported applications is the following: Google Chrome, Mozilla Firefox, Internet Explorer, FileZilla, Skype for Business, SQL Server Management Studio, Microsoft Outlook, Putty, WinSCP, Yahoo! Messenger.
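Because NetRipper works by overwriting the first instructions of exported functions such as send/recv and WSASend/WSARecv with a jump into its injected DLL, an integrity check of those export prologues is the matching defender-side detection. The script below is an added example, not NetRipper's code: the ws2_32.dll load range, the export snapshot and the injected-module address are constructed sample values, and the decoder recognises the three common x64 trampoline encodings.

```python
"""Flag ws2_32 exports whose first instruction jumps outside the module."""
import struct
from typing import Optional

# Constructed load range for ws2_32.dll (sample values, not a real process).
WS2_32_BASE = 0x7FFE_1000_0000
WS2_32_SIZE = 0x0006_0000


def jump_target(prologue: bytes, func_addr: int) -> Optional[int]:
    """Return the absolute target if the prologue begins with a control transfer.

    Recognised encodings:  E9 rel32 (jmp rel32);
    48 B8 imm64 / FF E0 (mov rax, imm64 ; jmp rax);
    FF 25 00 00 00 00 imm64 (jmp [rip+0] ; dq target).  Otherwise None.
    """
    if len(prologue) >= 5 and prologue[0] == 0xE9:
        rel = struct.unpack_from("<i", prologue, 1)[0]
        return (func_addr + 5 + rel) & 0xFFFF_FFFF_FFFF_FFFF
    if len(prologue) >= 12 and prologue[:2] == b"\x48\xB8" and prologue[10:12] == b"\xFF\xE0":
        return struct.unpack_from("<Q", prologue, 2)[0]
    if len(prologue) >= 14 and prologue[:6] == b"\xFF\x25\x00\x00\x00\x00":
        return struct.unpack_from("<Q", prologue, 6)[0]
    return None


def hooked_exports(exports: dict, base: int, size: int) -> dict:
    """Map export name -> target for every export redirected outside [base, base+size)."""
    hooked = {}
    for name, (addr, prologue) in exports.items():
        target = jump_target(prologue, addr)
        if target is not None and not (base <= target < base + size):
            hooked[name] = target
    return hooked


def _rel32_jmp(from_addr: int, to_addr: int) -> bytes:
    """Encode 'jmp rel32' from from_addr to to_addr (used only to build sample data)."""
    return b"\xE9" + struct.pack("<i", to_addr - (from_addr + 5))


# Constructed snapshot: export -> (address, first bytes as read from process memory).
SAMPLE_EXPORTS = {
    # hooked: mov rax, <injected DLL>; jmp rax
    "send":    (WS2_32_BASE + 0x1A40, b"\x48\xB8" + struct.pack("<Q", 0x1C0DE0000) + b"\xFF\xE0"),
    # hooked: jmp rel32 into a code cave just past the end of the module
    "recv":    (WS2_32_BASE + 0x2B00, _rel32_jmp(WS2_32_BASE + 0x2B00, WS2_32_BASE + WS2_32_SIZE + 0x1000)),
    # benign: jmp that stays inside ws2_32.dll (e.g. a forwarder stub)
    "WSASend": (WS2_32_BASE + 0x3C00, _rel32_jmp(WS2_32_BASE + 0x3C00, WS2_32_BASE + 0x3E05)),
    # benign: ordinary prologue (mov [rsp+8], rbx ; mov [rsp+10h], rsi)
    "WSARecv": (WS2_32_BASE + 0x4D00, b"\x48\x89\x5C\x24\x08\x48\x89\x74\x24\x10"),
}

if __name__ == "__main__":
    for name, target in hooked_exports(SAMPLE_EXPORTS, WS2_32_BASE, WS2_32_SIZE).items():
        print(f"{name}: redirected to {target:#x}")
```

On a live host the same comparison is usually done against the on-disk copy of the DLL rather than a fixed byte pattern, which also catches hooks that copy the original prologue elsewhere.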



