NetRipper v1.0.2 - Smart traffic sniffing for penetration testers.


Legal disclaimer:
Usage of NetRipper for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program!

NetRipper is a post-exploitation tool targeting Windows systems. It uses API hooking to intercept network traffic and encryption-related functions from a low-privileged user, so it can capture both plain-text traffic and encrypted traffic before encryption / after decryption.


Changelog

Version 1.0.2:
+ Added support for SecureCRT 7.3
+ Added basic support for "__thiscall"

Version 1.0.1:
+ Updated project to Visual Studio 2015
+ Added support for "dynamic" function signatures
+ Updated support for Chrome (tested with Chrome 49)
+ Thread-safe Win32 API hooking

Abstract
The post-exploitation activities in a penetration test can be challenging if the tester has low privileges on a fully patched, well configured Windows machine. This work presents a technique that helps the tester find useful information by sniffing the network traffic of the applications on the compromised machine, despite their low privileges. Furthermore, encrypted traffic is also captured before it is passed to the encryption layer, so all traffic (clear-text and encrypted) can be sniffed. The implementation of this technique is a tool called NetRipper, which uses API hooking to perform the actions mentioned above. It has been designed especially for use in penetration tests, but the concept can also be used to monitor the network traffic of employees or to analyze a malicious application.
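From the defender's side, the user-mode API hooking described above is usually implemented as an inline detour: the first bytes of an exported network or crypto function (send, recv, SSL_write, EncryptMessage) are overwritten with a jump to the injected DLL. The check below is an added example, not NetRipper's code, and assumes the caller has already read the function's in-memory prologue (via GetProcAddress on Windows) plus the module's base and SizeOfImage; it classifies the prologue and compares it with the on-disk image bytes.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Location data for the function under inspection. On Windows these come
 * from GetProcAddress and the module's optional header (assumed, not called
 * here, so the check builds on any platform). */
typedef struct {
    uintptr_t func_addr;    /* address of the exported function in memory */
    uintptr_t module_base;  /* base address of the exporting module */
    size_t    module_size;  /* SizeOfImage of that module */
} func_info;

enum hook_kind { HOOK_NONE = 0, HOOK_JMP_REL32, HOOK_JMP_INDIRECT,
                 HOOK_PUSH_RET, HOOK_HOTPATCH_SHORT_JMP };

static int inside_module(uintptr_t target, const func_info *fi)
{
    return target >= fi->module_base && target < fi->module_base + fi->module_size;
}

/* Classify the first bytes of a function prologue. A control transfer that
 * leaves the exporting module right at entry is the signature of a detour. */
enum hook_kind classify_prologue(const uint8_t *code, size_t len, const func_info *fi)
{
    if (len < 2) return HOOK_NONE;
    /* hot-patch style: "jmp short -5" replaces "mov edi, edi" and lands in the
     * padding before the function, where a long jmp to the hook was written */
    if (code[0] == 0xEB && (int8_t)code[1] < 0) return HOOK_HOTPATCH_SHORT_JMP;
    if (len >= 5 && code[0] == 0xE9) {                  /* jmp rel32 */
        int32_t rel; memcpy(&rel, code + 1, sizeof rel);
        uintptr_t target = fi->func_addr + 5 + (intptr_t)rel;
        return inside_module(target, fi) ? HOOK_NONE : HOOK_JMP_REL32;
    }
    if (len >= 6 && code[0] == 0xFF && code[1] == 0x25) /* jmp [mem] / jmp [rip+d] */
        return HOOK_JMP_INDIRECT;
    if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3) { /* push imm32; ret */
        uint32_t imm; memcpy(&imm, code + 1, sizeof imm);
        return inside_module(imm, fi) ? HOOK_NONE : HOOK_PUSH_RET;
    }
    return HOOK_NONE;
}

/* Second, signature-free check: the mapped prologue must match the bytes of
 * the on-disk image (after relocation). Any difference on an exported
 * network or crypto API deserves a closer look. Returns 1 when modified. */
int prologue_modified(const uint8_t *mapped, const uint8_t *on_disk, size_t len)
{
    return memcmp(mapped, on_disk, len) != 0;
}
```

Both checks only cover inline detours; IAT/EAT patching and hooks placed deeper inside a function need a separate walk of the import tables and a full function compare.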

Tested applications
NetRipper should be able to capture network traffic from: Putty, WinSCP, SQL Server Management Studio, Lync (Skype for Business), Microsoft Outlook, Google Chrome, Mozilla Firefox. The list is not limited to these applications but other tools may require special support.

To do
– Support multiple applications
– Support for x64 processes
– Thread-safe API hooking
– Monitor loading of DLLs and new processes

Usage:

Download: NetRipper.zip 
Source: https://github.com/NytroRST