NetRipper - a post exploitation tool. Interview with Ionut Popescu, creator of the tool. - Pentestmag

NetRipper - a post exploitation tool. Interview with Ionut Popescu, creator of the tool.


Dear Readers,

today we present you great interview with Ionut Popescu who is creator of NetRipper- post exploitation tool targeting Windows systems which uses API hooking. He told us about the process of developing his tool, future ideas and many more. Enjoy reading! 

[PenTest Magazine] Can you tell us something about yourself?

ionut[Ionut Popescu] I am Ionut Popescu, 24 years old, and I work as a Senior Security Consultant for KPMG Romania. I spoke at security conferences, such as Defcon (USA), where I presented NetRipper, Defcamp (Romania), OWASP (Romania) and Hacknet (Finland and Germany) and I am passionate about low level stuff, such as ASM, shellcodes and exploit development.



[PM] You work as a full time employee in one of the Big Four Companies. How do you find time to work on your own tool? What motivates you?

[IP] A part of my job employs internal penetration tests. This is where the idea came from, so it was possible to work on this project at work on my research time, but I also worked from home because I liked it. My motivation is that I want to offer something to the security community.

[PM] Just in case some of our readers are not familiar with NetRipper, can you tell us something about your tool?

[IP] The shortest description, as it is mentioned on GitHub, is the following: “NetRipper is a post exploitation tool targeting Windows systems which uses API hooking in order to intercept network traffic and encryption related functions from a low privileged user, being able to capture both plain-text traffic and encrypted traffic before encryption/after decryption.”

The main ideas are the following:

  1. You get access to a Windows workstation

  2. You use NetRipper and sniff network traffic (do not worry about encrypted traffic)

  3. You get access to other systems

[PM] How exactly does NetRipper work?

[IP] It has two main components:

  1. DLL.dll – A DLL that will be injected in various processes (the main component)

  2. The DLL configurator and injector

The DLL configurator and injector comes in three flavours:

  1. NetRipper.exe – Command line version

  2. netripper.rb – Metasploit post-exploitation module

  3. Invoke-NetRipper.ps1 – PowerShell version created by @HarmJ0y

So, after you have access to a system, you use your preferred DLL configurator and injector and inject the DLL into processes like Chrome, Firefox, Putty or WinSCP. You can go and grab a coffee, read the news or just scroll Facebook and come back to the system. You will find text files with plain-text traffic from that system. This may include usernames and passwords from different servers or applications so you are able to access them.

[PM] Why did you decide to use API hooking?

[IP] Thinking about the possible solutions, I had the following ideas:

  • Basic network sniffing

  • DLL Injection and API hooking

While basic network sniffing may work, it will just capture unencrypted traffic. Also, it is possible to install our own Root CA (Certificate Authority) in order to capture encrypted traffic. But this method would require Administrator privileges.

Because the applications encrypt and decrypt the data at the application level, the easiest way to reach our goal was to create a DLL that hooks network traffic and encryption API functions in order to get plain-text information.

[PM] NetRipper works on many applications. Was that one of the main goals?

[IP] As network or system administrators use multiple tools to access different systems, NetRipper had to work on multiple applications from the beginning.

It should capture plain-text traffic from any application, from Chrome or Firefox to FileZilla or SQL Management Studio. By hooking Windows API function responsible with plain-text network traffic – send/recv and WSASend/WSARecv – it should just work.

But network or system administrators are professionals that do not use unencrypted channels to do their job, so NetRipper must be able to handle as many applications as possible. Some applications use Windows API functions and it is easy to intercept them but other applications such as WinSCP or Putty require special work.

A partial list of the supported applications is the following: Google Chrome, Mozilla Firefox, Internet Explorer, FileZilla, Skype for Business, SQL Server Management Studio, Microsoft Outlook, Putty, WinSCP, Yahoo! Messenger.

[PM] Did you have any difficulties while developing NetRipper?

[IP] The most challenging difficulty is to add support for applications that do not call encryption functions from a DLL, but instead, they are statically linked with these libraries. The challenge is to find the right function and to hook it properly.

Such examples include Google Chrome, Putty and WinSCP. For example, Google Chrome is statically linked with BoringSSL, an OpenSSL fork. There is no “SSL_send” or “SSL_recv” exported function so it is required to manually find it within “chrome.dll”.

For Chrome, I just reversed the binaries, because I think this was easier than to compile it, but for WinSCP, I found it easier to compile it, being open source, and find the necessary functions in the code.

[PM] How do you feel about sharing your open source tool with everyone?

[IP] Even if NetRipper is not a “must have” at this moment and it is not really widespread, I hope this will change in future. However, I am glad to share something with the community and I hope it will be helpful for pentesters.

[PM] What is the future of the application?

[IP] I hope to release version 2 this year. I already made some improvements:

  • Fix Google Chrome – it should work on latest Chrome version

  • Add support for Windows Hot-Patching (thread-safe WinAPI hooking)

  • Use static signatures instead of dynamically parsing binaries

I want to add support for x64 applications, new modules and support for as many applications as possible. Also, with a good Metasploit module, I hope it will be included in the Metasploit Framework.

[PM] Have you got any final thoughts? Is there anything you would like to add?

[IP] I just want to say that NetRipper can be also used for other (legal) purposes such as inspecting network traffic from a closed source application, like Microsoft Outlook or Skype for Business, in order to understand how it works and find problems.

You can find NetRipper here: github

December 8, 2015
Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Inline Feedbacks
View all comments
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013