NetRipper is a post exploitation tool targeting Windows systems which uses API hooking in order to intercept network traffic and encryption related functions from a low privileged user, being able to capture both plain-text traffic and encrypted traffic before encryption/after decryption.
Basically, this can allow the attacker to sniff HTTPS and SSH traffic from his target in clear-text. This can help the attacker acquire additional information, such as usernames and passwords from the user once he authenticates to web applications (over HTTPS) or network devices (over SSH).
In this example we will see how to perform this attack using NetRipper (assuming that the attacker already has a meterpreter shell), and then see how RSA NetWitness Endpoint can help in detecting such attacks.
Throughout the POC, the victim had a fully patched version of Windows as well as an updated antivirus running (McAfee).
We are using:
- Kali Linux as the Attacker's machine
- Windows 7 with McAfee Antivirus as the victim (the same technique would work on Windows 10 as well)
Installation of NetRipper for Metasploit on Kali
Run the following commands on the Kali box to install NetRipper and make it available within Metasploit.
cp netripper.rb /usr/share/metasploit-framework/modules/post/windows/gather/netripper.rb
g++ -Wall netripper.cpp -o netripper
cp netripper /usr/share/metasploit-framework/modules/post/windows/gather/netripper/netripper
cp DLL.dll /usr/share/metasploit-framework/modules/post/windows/gather/netripper/DLL.dll
Launch the Attack
We will assume that the attacker already has a meterpreter shell.
The attacker can connect to the available session using "session -i 1" and he can then list running processes using "ps"
From here he can identify that firefox.exe and putty.exe are running.
The attacker will now decide to use NetRipper to sniff network traffic from firefox in clear-text, even when HTTPS is used.
He will load NetRipper by using the following command: use post/windows/gather/netripper
He can list the options needed with: show options
The attacker needs to:
- set the session ID to use (session 1 from the list of available sessions): set SESSION 1
- set the process names or process IDs he wants to hook to: set PROCESSNAMES firefox.exe,putty.exe
He can then launch the exploit using: exploit
Now that the hooks are set, NetRipper will sniff the traffic for those processes in clear-text and save the content on the victim's machine, by default under the current user's TEMP folder (can be changed with the DATAPATH option).
The victim will now try to authenticate to a web application over HTTPS. In this example we will use GMail, but it could be anything.
Now the attacker will read the content of the firefox.exe_PR_Write.txt file. Even though the victim is using HTTPS, the attacker is able to see both the username (firstname.lastname@example.org) and the password (password123) of the victim in clear-text.
The same could be done with Chrome, Putty, SecureCRT, WinSCP, Lync, Outlook ...
It is also not limited to login information, but to anything sent or received by the process.
Detection Using RSA NetWitness Endpoint
Now that we have seen how easily an attacker can sniff encrypted traffic from the user via process hooking, bypassing the victim's antivirus, we will now see how to detect it using RSA NetWitness Endpoint.
In the below screenshot, we can see how RSA NWE detects:
- the hooked process (firefox.exe)
- the hooked module names
- the hooked symbols
- an elevated IIOC Score
- the list IIOCs that have been triggered
In addition, by analyzing the module, we can see references to NetRipper and to the files and folders used by the tool.