NetRipper: Smart Traffic Sniffing for Penetration Testers
This is a modal window.
The media could not be loaded, either because the server or network failed or because the format is not supported.
Formal Metadata
| Title |
| |
| Title of Series | ||
| Number of Parts | 109 | |
| Author | ||
| License | CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor. | |
| Identifiers | 10.5446/36375 (DOI) | |
| Publisher | ||
| Release Date | ||
| Language |
Content Metadata
| Subject Area | ||
| Genre | ||
| Abstract |
|
DEF CON 2355 / 109
12
19
20
23
24
29
32
33
36
51
58
60
62
66
67
68
69
70
71
77
82
84
85
88
89
92
98
99
103
104
107
00:00
Demo (music)PasswordComputer networkEncryptionProcess (computing)Open setRead-only memoryWritingSystem callStructural loadMiniDiscModul <Datentyp>Function (mathematics)Computer-generated imagerySpacetimeLaptopSystem administratorMultiplication signModule (mathematics)Process (computing)Physical systemProjective planeCryptographyInformation securityBootingEncryptionFunctional (mathematics)Order (biology)Exploit (computer security)Semiconductor memoryRippingEmailReflection (mathematics)System callWeightHookingStructural loadMiniDiscType theoryInjektivitätBitElectronic mailing listServer (computing)BlogLink (knot theory)Block (periodic table)Cartesian coordinate systemWindowContent (media)Latent heatTrailCache (computing)Integrated development environmentSoftware testingSheaf (mathematics)PlastikkarteLibrary (computing)Touch typingUniform resource locatorAntivirus softwareSoftwareMereologyMultiplicationSet (mathematics)Medical imagingCodeOcean currentDirectory serviceInformation technology consultingClassical physicsDemo (music)WritingMessage passingGoodness of fitAsynchronous Transfer ModeRemote procedure callLevel (video gaming)Object (grammar)Flash memoryCASE <Informatik>Thread (computing)Address spaceComputer animation
09:22
Structural loadComputer-generated imageryFunction (mathematics)System callComputer networkAddress spaceHacker (term)InformationFirefox <Programm>CompilerFunctional (mathematics)Order (biology)Flash memorySystem callCodeSheaf (mathematics)HookingMultiplication signInformationSource codeProper mapBootingResource allocationUniform resource locatorData structurePoint (geometry)Address spaceDebuggerPrototypeParameter (computer programming)Term (mathematics)Computer fileCASE <Informatik>outputPointer (computer programming)Medical imagingWindowReading (process)EncryptionAdditionMiniDiscMereologyClassical physicsRight angleCartesian coordinate systemSemiconductor memoryDistanceSoftwareEmailElectronic signatureVideo gameApplication service providerRippingProcess (computing)Core dumpSelectivity (electronic)WebsiteComputer animation
18:44
Graphical user interfaceNetwork switching subsystemPointer (computer programming)Binary fileString (computer science)Plug-in (computing)Limit (category theory)Module (mathematics)System administratorDemo (music)Graphical user interfaceWebsiteWindowString (computer science)Order (biology)Computer fileError messageReading (process)Functional (mathematics)Plug-in (computing)WritingSystem callMessage passingUniform resource locatorRevision controlCodeConfiguration spaceSemiconductor memoryStreaming mediaMaxima and minimaSlide ruleComputer configurationTable (information)Instance (computer science)Set (mathematics)Sheaf (mathematics)Proper mapProcess (computing)RippingWordDemo (music)Electronic visual displayPointer (computer programming)Arithmetic meanIdentity managementModule (mathematics)Data structureVirtual machineCartesian coordinate systemHookingWeightPasswordElectronic signatureLimit (category theory)PrototypeStructural loadSource codeLibrary (computing)Line (geometry)Attribute grammarInformation securityOpen setInformationSoftware testingMacro (computer science)Medical imagingExploit (computer security)SoftwareInternet forumUniqueness quantificationParameter (computer programming)Intrusion detection systemService (economics)BitDefault (computer science)Computer animation
28:05
Computer animation
28:40
Software testingVirtual machineComputer animation
29:15
Exploit (computer security)Module (mathematics)System administratorProcess (computing)Computer animation
29:49
FlagProcess (computing)Latent heatModule (mathematics)Computer animationSource code
30:26
Line (geometry)Configuration spaceComputer animation
31:10
Heat transferComputer fileConfiguration spaceDatabaseQuery languageComputer animation
31:47
FacebookSQL Server 7.0Connected spaceServer (computing)DatabaseQuery languageComputer animation
32:20
Computer animation
32:53
FacebookFacebookServer (computing)LoginPublic key certificateComputer animation
33:24
Public key certificateData loggerRippingDirectory serviceLocal ringComputer fileTap (transformer)Computer animation
34:31
Process (computing)String (computer science)ResultantComputer fileRippingOrder (biology)Moment (mathematics)EmailFunctional (mathematics)Plug-in (computing)Source codeComputer animation
35:20
SynchronizationClient (computing)Query languageHash functionString (computer science)Graphical user interfaceMessage passingComputer animation
35:56
Process (computing)String (computer science)Computer fileInformationContext awarenessFacebookReading (process)Content (media)Cartesian coordinate systemPasswordServer (computing)Query languageMessage passingRevision controlWritingEncryptionData managementHookingHash functionRootComputer animation
37:11
Computer fileInformationContent (media)Server (computing)Plug-in (computing)Computer animation
37:44
Cartesian coordinate systemAntivirus softwareSemiconductor memoryOperator (mathematics)Process (computing)Content (media)PasswordInformationFacebookLoginComputer animation
38:43
Module (mathematics)Exploit (computer security)Source codeInjektivitätServer (computing)Computer filePasswordInformationData managementQuery languageComputer animation
39:29
Demo (music)PasswordEncryptionProcess (computing)WritingRead-only memorySystem callStructural loadMiniDiscFunction (mathematics)Graphical user interfaceLimit (category theory)SoftwareRegulärer Ausdruck <Textverarbeitung>Physical systemInformationLatent heatSpherical capComputer networkSoftwareUsabilityOnline helpInformationCartesian coordinate systemFunctional (mathematics)InjektivitätBinary codeHookingExploit (computer security)Antivirus softwareReflection (mathematics)Order (biology)Regulärer Ausdruck <Textverarbeitung>Semiconductor memoryRevision controlSource codeOperating systemLatent heatProcess (computing)Module (mathematics)Computer animation
41:40
InformationComputer animation
Transcript: English(auto-generated)
00:00
Good afternoon, everyone. First and foremost, a little bit of housekeeping. If anyone has lost a pair of sunglasses and can describe them to me, come see me. Otherwise, I have a new set of sunglasses and thank you for that. Next up, I just want to point out that if you're looking for seats because you're coming in, there are seats up here in the front and there's some to the side as well. Now, we are in track 3 for net ripper,
00:26
smart traffic sniffing for penetration testers. Without further ado, I give you Yannes Popescu. Got it. All right. Cool. Hi, everyone. First of all, a bit about me. I'm Yannes Popescu. I'm
00:46
from Romania and I work as a senior security consultant at KPMG Romania. Also, I'm a blogger at securitycafe.ro and the administrator of the biggest security community from
01:00
Eastern Europe. A few things about my country. It's located in Eastern Europe. It's a country of Dracula. We have the first Olympics. We invented the jet plane and we have probably the most beautiful girls in the world. Don't trust me. Come and check. Here
01:24
is the agenda, what we're going to talk about. An introduction about this tool. A few details about how it works. Some details about the reflective DLL injection. The API
01:42
hooking. Some hooking examples. Demo and hopefully everything will be okay. The introduction. What is net ripper? Net ripper is a post exploitation tool for Windows systems that captures the network traffic even if it is encrypted or not. It captures the
02:07
traffic before it is encrypted or after it is decrypted at the application layer by injecting a DLL and using API hooking and hooking specific functions. The most
02:21
important thing about this is that it works without an administrator. It works for a low privileged user. Here is the main scenario. In our projects we encountered this situation multiple times. We had access to administrator laptops and we didn't know what to do to
02:44
pivot to the other servers. So this is where the idea came from. This is the general example of how it works. Let's say for outlook. Someone writes an email. The email is
03:06
encrypted and the encrypted data is sent through the network. So the user layer is where the user types the email. The network layer contains the encrypted data and net ripper is
03:23
injected at the encryption layer. Here is an example. The user writes the email. For this example is for outlook. Outlook uses encrypt that DLL in order to encrypt and decrypt
03:43
the data. The data is then sent encrypted after with the send or WSA send Windows API functions. It hooks this function from encrypt that DLL and it gets the data before it is
04:09
encrypted. This also happens for the decryption. It hooks the SSL decrypted packet and after the data is decrypted by the SSL decrypted packet function it can access the
04:24
plain text data. This is the main idea. I use the reflective DLL injection to inject the DLL. API hooking to hook specific functions and save the data locally. This is how
04:42
classic DLL injection works. The application opens the remote process. It writes in the process memory the full DLL, the full path of the DLL in the process memory and call library to load the DLL. So the library will load the DLL into the process memory. But
05:03
this has some disadvantages. The DLL must be written on this and the antivirus can pick them and the DLL is listed in the process modules. The reflective DLL injection was implemented by the security and this is how it works. The DLL contents are copied the
05:28
full DLL content is copied into the target process memory. However, the DLL doesn't look the same in the process memory like on the disk. So it has to auto load itself
05:41
correctly. For this, the reflective DLL injection uses a function called reflective loader. This function does all the steps necessary to correctly load the DLL. The advantages of this method is that the DLL doesn't touch the disk. So you can easily
06:02
bypass the antivirus. And that the DLL is not listed in the process modules. Because it's not loaded with the library and the window system use the process environment block to keep a link to the list with all process modules. I hope you can read this.
06:35
This is first step for the DLL injection. This is actually the injection of the DLL using
06:41
reflective DLL injection. If you can see, there's a method called a function called get the reflective loader offset. This function just searches the reflective loader functions and returns the offset in the DLL. After this step, we allocate space in the
07:04
target process memory with the full size of the DLL. The DLL is now written with the process memory function. And we call using create remote thread, the reflective
07:22
loader function. This code, actually reflective DLL injection code is from Stephen. After this function is called, what it does is to search for the image base of
07:42
the process. Actually, it searches where the DLL is mapped in the memory. It searches for the windows portable executable header. So it starts from the current location and searches for the header. After it finds the header, it needs to know some functions
08:03
required to properly load itself into memory. So it finds functions like load library, get address, virtual log and instruction cache. Next step is to load the DLL headers and
08:29
sections in a new location. The section must be aligned in memory, so this step is required. It's not difficult to parse the PE, the portable executable headers. So it
08:42
just parts the PE header and get each section and map it into a place of memory. After the sections are loaded, the next step is to process the imports. You may create a DLL
09:01
that uses specific DLL from windows. In order to make sure everything will work, you have to make sure every DLL is loaded into memory. Every imported DLL is loaded into memory. So what it does is to parse the data directory, the directory imports. The directory imports
09:25
is a location in the PE header that describes each DLL that should be loaded in order to make sure the DLL is loaded properly. Those things are automatically done by the windows PE loader. But we want to avoid using it. Next step is to process the image allocation.
09:51
Image location are some addresses that are directly pushed on the stack or directly used in the code. For example, if you have a push location, this location has to be relocated
10:06
in case of the DLL is not loaded at the required memory location. Each PE file DLL or executable have a preferred image base, but at least for the DLLs, it may happen to load
10:25
the DLL at another location. So this is required. After the DLL is completely loaded into memory correctly, it just needs to call the main function of the DLL. The main function is
10:41
DLL main for DLLs. Okay. API hooking. We take the same example with Outlook and encrypt that DLL. So we want to redirect the packet to our hooking function. So we will
11:02
redirect the function from encrypt that DLL to that DLL. These are the steps that we have to follow in order to do this. We have to find the function address and this in some cases may be the difficult part. We place a call instruction right at the beginning
11:23
of the function and we call a generic hooking function instead. We restore the original bytes because we modified them. Call a call back function, a function that process the data from our target function. In this case, SSL encrypt packet. And in that function, we
11:45
have the plain text data. We save data to a file and then restore the hook for additional calls. This is the normal assembly for a function. As you can see, it starts with a mo VDI and the classic function push EBP, mo VBP, ESP. After we hooked this
12:07
function, first five bytes are replaced by our call. Call and that specific address. That address is actually the address of our generic hooking function. A few details about how
12:24
this work. This is how we place the hook. We create a call instruction. The code for the call instruction is E8. And we calculate the distance between the original function and
12:41
our call back function. Our hooking function. And we save the original bytes in order to restore them later. Flash instruction cache, actually I'm not sure if it is strictly required on Windows because it doesn't seem to do anything. Here is our generic hooking
13:06
function. Every time we place a hook, we call this function. And this is how it works. First of all, we have a hook structure. In this structure, we save the call back address, our function, the original address, the address that we hooked, the original bytes
13:26
and the call bytes. If you can see, an important thing about call and not jump is that call automatically pushes on the stick the next instruction. What we have to do is to
13:43
subtract 5 from that return address. And we have the original address of the hook function. So we can just iterate to all hooks and find the structure for that specific hook. The
14:04
hooker gets hooked by original address. Do this for us. After we find the hook structure, we can access the original address and the original bytes. So we can call
14:23
memcpi in order to restore the original bytes. So the function is now not hooked and it is like original function. After we restore the original bytes, what we have to do is to call our call back function. Our call back function saves the data and restores the hook.
14:48
We have all the required information in that structure. This is how a call back function works. It must have the same prototype and also must specify the calling
15:01
convention. When API is using STD call, some other functions use calling convention. And what it does is to write to a temporary file the unencrypted data. The packet wants to
15:20
encrypt the data. The data is specified by the PP input parameter and the data size is specified by CB input parameter. So after the data is saved, we call the original function. So make sure the data is correctly sent to the network. And we restore the
15:41
hook. For example, for Mozilla Firefox and some other applications, we find the DLLs that encrypt and decrypt the data and send it to the network. Those are NSS3.DLL and NSPR
16:01
that DLL. We find the PR read and PR write functions and hook them. So PR receive and PR send may be used by some other applications. Another useful example would be putty. A lot of people use putty. So this is going to be useful. Adriaan Fortuna, my colleague from
16:25
KPMG Romania, wrote a really cool tool called putty rider that does the same thing. It hooks some functions, L disk send and term data. L disk send will send each character and
16:41
term data will be called with the received data in order to be displayed on putty. Putty rider can do a lot of other things. So you may take a look at it. Adriaan wrote the
17:04
signatures, actually the first byte of the functions in order to find the function. So I just find the code section from putty.ixie. And I search those functions and hook them.
17:23
For win SCP, also really used in real life, I found this way to compile the source code. I was able to compile it. It also took me some time to find the correct functions because there are a lot of functions. But I found in SSH.C the functions that looks to send
17:45
the network traffic before it is encrypted or to decrypt the traffic. So we have just to find the send receive functions. We place an interrupt 03 that will break point in the
18:01
debugger, compile the application and run. And see the data in the debugger. Those are the functions used by win STP. SSH packet send have a parameter called PKT that structure that
18:20
contains the data and the data size. And the SSH 2 will return a packet structure that will contain the pointer to the data and the data size. This is how the send and receive functions look like. And I had to just copy the first byte of each function and search it
18:50
in the code section. So I was able to hook them and find their location. The main problem is that not all the applications use a DLL in order to call some functions to
19:02
encrypt and decrypt the data. And the win STP is one of these tools. They are statically linked with some different libraries and it may be really difficult to find the correct function and the function prototype to be able to hook them. So this is the
19:21
code that hooks the win STP send and receive functions. Like putty I created signatures for these functions. And I searched the process memory for these functions and place our hook. Chrome maybe I think it may be difficult to compile Chrome. I didn't try to
19:45
do this. Instead I used some ideas from some underground forums. And this can be more complicated than it looks like. Chrome uses a table called SSL methods where the SSL
20:01
functions are set. So we have to find that SSL method structure that contains the SSL read and SSL write functions. In the source code of Chrome, this is for Chrome NSS. Until version 37, Chrome used NSS. NSS is the security services from Mozilla. After some
20:30
problems, they wanted to change to open SSL. But with open SSL, there are also a lot of problems and they decided to create their own work of open SSL. So in the code of NSS, you
20:47
can find a function called SSL setup IO methods. This will call the get default EO methods. However, we have to find the start of the SSL methods pointer. And in order to
21:09
find this, we rely on the PR declared attribute which have the value four. So we find
21:22
the call of the function by searching the SSL string as you can see in the SSL init IO layer. There's a method called PR get unique identity with a parameter called SSL. We find that string on the data section of the executable and we can find the call
21:45
of this function. Then we find the call for the setup IO methods where we can find the SSL methods table. So after we found the SSL string, we find the call of the
22:01
method that sets the SSL methods. And highlighted with red in bottom right, you can see a value of four attributed to a location. That is the location of an SSL table and we use that table to find the SSL functions. This is the code. We find the string into the
22:22
process memory. And we find that specific method. And using that specific method, we are able to find the SSL functions. Then starting with version 38, chrome uses a fork of
22:45
open SSL called boarding SSL. Also it's statically linked and all functions are available in chrome.dll. And in order to find the correct functions, we rely on the
23:02
error message that was available in both SSL functions. This string is specified by the open SSL put error macro. So the DLL will contain in the data section a string that
23:26
contains the compiled file. So we search in the data section this string. That's called the CW. And so on. And we have to find the correct call of the function. There are
23:45
about 20 calls with this string. So we have to find the 15 and the 17 location. Those are the SSL functions. This is the code that search the specific string in the data
24:05
section. And it search for the 17 and 15 location of that string. So we are able to find the SSL sent and read functions. I thought it might be useful to create some
24:26
plug-ins for this tool that will process the both sent and received data. There are only three plug-ins but I hope they are useful. The plain text specifies if we
24:41
want to save only the plain text data or to send all the data. The data limit is used to avoid large log files and we set the maximum file request size. And the string finder is a plug-in that will write in a specific file some new lines, some strings that
25:06
we can specify there. So for example, if the data contains the word pass, we can log in another file. The plain text plug-in may be useful in order to avoid large amount of
25:29
data within an image file. That's not our interest. The data limit may be used to trim the data and save only the first 4,000 bytes of the data. And the string finder can find
25:46
our words in the data. In this example, it finds the password and the log in information for a specific account. The net ripper has two components. The windows module
26:02
that can configure the DLL and inject the DLL. The DLL configurations mean just to specify specific values for the plug-ins. To specify if you want plain text or not. Specify the data limit or find in the request some strings using the string finder
26:24
plug-in. And you can also test to use it to inject the DLL in a specific process. Like in this example, we inject the DLL in Firefox. This can be useful in order to test some specific application. For example, you are not a penetration tester. You don't want to
26:43
pivot to the network but you want to find what the application is sending through the network. So it may be useful to analyze such applications. And down you can see an example with Firefox. Here is the module. It is a post exploitation module so we need to
27:05
have access to the compromise machine. And there are the same configuration options like in the windows module. We have to specify values for the string finder plain text and data limit plug-ins. The data path represents where to save the data. The string temp will
27:28
automatically detect the local temporary folder. And we can specify either the process IDs or the process names where we want to inject the DLL. Now for the demo, I have
27:45
two virtual machines. One with Kali Linux, the penetration tester machine. And the other one windows 7 64 bit. And this will be the victim. Just a moment. Yeah, I'm not sure if
28:13
you can see. Yeah, it works now. Okay. Okay. We should have a meterpreter session. And I
29:10
have access to our victim machine. This will be the pen tester and this will be the victim. So it is a normal user. And we will use the post exploitation module. We just
29:49
have to inject this in specific processes. Here is the example list. And run. Yeah, sorry. I
30:18
have to run. And the module will inject the DLL in all processes with specific process
30:24
names. And let's take some examples. For example, it can use putty and do some stuff. It
30:53
can use the win SCP. And let's say it will modify a file. A configuration file. The
31:23
transfer is not complete. Just wait to send the modified file. Okay. It can connect to MySQL database. And it can execute a query. It can search some data on Skype or talk to
31:52
someone. It can use Yahoo messenger. This was really used in Romania. It can use SQL
32:07
server to connect to a database. And execute some queries. It can use FileZilla. And
32:53
send an e-mail. It may browse some secure server. Or even from Facebook login to an
33:23
account also on SSL. An important advantage of this method is this one. The certificate is your certificate. So someone may look at the certificate and may not be sure that if
33:47
everything is okay. Okay. And now the attacker. What it has to do, it has to download the
34:02
log file specified in the local directory. This is in C. Users. Local user. APP data. Local.
34:22
And tap. Here it will create a folder called net reaper. And here should be all the files. We just download all of them. Each file contains the process ID, the process name and the
34:41
function used in order to capture the data. This may be useful because the processes may also the net reaper can also catch both the encrypted data and the data before it is encrypted. So you may have some junk data there. You have to filter the results. Just a
35:04
moment to finish the execution. The string finder plugin creates those files and then specifies the string finder. Okay. Now we have the files. Let's see what we have.
35:34
The MySQL client received some data. And we executed the select from MySQL user which
35:50
contains the hash of the admin. This may be useful. The data sent and our query. The
36:03
string finder finds our strings and one of them is password. And this contains the hash of the user. For chrome, we may find useful information in SSL read and SSL write
36:26
functions. And SSL write. Those are for the plain text. So we may not find really
36:51
useful information here. Putty, this is what putty received. And you can see the contents of
37:02
the file here. And this is what putty sent. So we can find the user name and the root password. The receive and send don't contain any useful information. Also string finder found some useful information for us. We also send and receive will not contain useful
37:27
information. But the SSH packet sent will contain the contents of the modified file. And the packet will also contain the file from the server. So everything is plain text. For
38:07
Firefox, it is used to read the information. You can see some junk information there
38:22
because a lot of content is compressed. And here are the Facebook requests. And here is the login information we are searching for. The user name and the password. For the
38:54
SQL server management studio, we can also find some queries automatically executed. And
39:04
the data received. You may find new things about the SQL server using this. And for file zero, the whole traffic is plain text. And you can find all the information here.
39:24
Here is the send data. So the user name and the password. The tool is not complete.
39:55
I want to make it support 64 processes. And to support a lot of applications. And
40:03
even older versions of the applications. The hook is also not thread safe. So I have to work on this. And I also want a regular expression. For the defense, I think this is a Microsoft operating system issue. But, for example, my Kaspersky actually warns me if an
40:24
application tries to modify the process memory of another application. And I think all antiviruses should do this. Here is the project. It's private now, but in a few minutes I will make it public. So we will have the source code, binaries and metasploit module.
40:46
As a conclusion, this is a post exploitation tool. It uses reflective injection and API hooking and hook specific functions that encrypt and decrypt the data in order to capture the network in plain text. And it should be easy to use. If you have any
41:04
questions, I can't hear you. Oh, okay. It doesn't work now. I will make it public in a
41:21
few minutes. And here is my contact information if you need help or if you have
41:44
suggestions or everything else. Thank you.