NetRipper: Smart traffic sniffing for penetration testers

NetRipper

NetRipper is a fairly recent tool that is positioned for the post-operating system based on Windowsand uses a number of non-standard approaches to extract sensitive data. It uses API hooking in order to intercept network traffic and encryption related functions from a low privileged user, being able to capture both plain-text traffic and encrypted traffic before encryption/after decryption. This tool was first demonstrated at the Defcon 23 in Vegas.

How does NetRipper work:

[IP] It has two main components:

dll – A DLL that will be injected in various processes (the main component)
The DLL configurator and injector

The DLL configurator and injector comes in three flavours:

exe – Command line version
rb – Metasploit post-exploitation module
Invoke-NetRipper.ps1 – PowerShell version created by @HarmJ0y

So, after you have access to a system, you use your preferred DLL configurator and injector and inject the DLL into processes like Chrome, Firefox, Putty or WinSCP. You can go and grab a coffee, read the news or just scroll Facebook and come back to the system. You will find text files with plain-text traffic from that system. This may include usernames and passwords from different servers or applications so you are able to access them.

API hooking

Basic network sniffing
DLL Injection and API hooking

While basic network sniffing may work, it will just capture unencrypted traffic. Also, it is possible to install our own Root CA (Certificate Authority) in order to capture encrypted traffic. But this method would require Administrator privileges.

Because the applications encrypt and decrypt the data at the application level, the easiest way to reach our goal was to create a DLL that hooks network traffic and encryption API functions in order to get plain-text information.

NetRipper main goals:

[IP] As network or system administrators use multiple tools to access different systems, NetRipper had to work on multiple applications from the beginning.

It should capture plain-text traffic from any application, from Chrome or Firefox to FileZilla or SQL Management Studio. By hooking Windows API function responsible with plain-text network traffic – send/recv and WSASend/WSARecv – it should just work.

But network or system administrators are professionals that do not use unencrypted channels to do their job, so NetRipper must be able to handle as many applications as possible. Some applications use Windows API functions and it is easy to intercept them but other applications such as WinSCP or Putty require special work.

A partial list of the supported applications is the following: Google Chrome, Mozilla Firefox, Internet Explorer, FileZilla, Skype for Business, SQL Server Management Studio, Microsoft Outlook, Putty, WinSCP, Yahoo! Messenger.