Post Exploitation - Sniff the Target's Encrypted Traffic in Clear-Text

HalimAbouzeid
‎2017-04-25 04:34 PM

NetRipper is a post-exploitation tool for Windows that uses API hooking to intercept network traffic and encryption-related functions from a low-privileged user, capturing both plain-text traffic and encrypted traffic before it is encrypted or after it is decrypted.

In practice, this lets the attacker sniff the target's HTTPS and SSH traffic in clear-text, and so harvest additional information such as usernames and passwords as the user authenticates to web applications (over HTTPS) or network devices (over SSH).

In this example we will see how this attack is performed with NetRipper (assuming the attacker already has a meterpreter shell), and then how RSA NetWitness Endpoint can help detect it.

Throughout the POC, the victim ran a fully patched version of Windows with an up-to-date antivirus (McAfee).

We are using:

- Kali Linux as the attacker's machine

- Windows 7 with McAfee Antivirus as the victim (the same technique works on Windows 10 as well)

Installation of NetRipper for Metasploit on Kali

Run the following commands on the Kali box to install NetRipper and make it available within Metasploit.

cp netripper.rb /usr/share/metasploit-framework/modules/post/windows/gather/netripper.rb
mkdir /usr/share/metasploit-framework/modules/post/windows/gather/netripper
g++ -Wall netripper.cpp -o netripper
cp netripper /usr/share/metasploit-framework/modules/post/windows/gather/netripper/netripper
cd ../Release
cp DLL.dll /usr/share/metasploit-framework/modules/post/windows/gather/netripper/DLL.dll

Launch the Attack

We will assume that the attacker already has a meterpreter shell.

[Screenshot: 01-meterpreter shell.png]

The attacker connects to the available session with "sessions -i 1" and can then list the running processes with "ps".

[Screenshot: 02-ps processes.PNG]

From the output he can see that firefox.exe and putty.exe are running.

The attacker now decides to use NetRipper to sniff Firefox's network traffic in clear-text, even though HTTPS is used.

He loads the NetRipper module with: use post/windows/gather/netripper

He can list the required options with: show options

[Screenshot: 03-use netripper.PNG]

The attacker needs to:

- set the session ID to use (session 1 from the list of available sessions): set SESSION 1

- set the names or IDs of the processes he wants to hook: set PROCESSNAMES firefox.exe,putty.exe

He then runs the module with: exploit

[Screenshot: 04-exploit.PNG]

Now that the hooks are in place, NetRipper sniffs those processes' traffic in clear-text and saves it on the victim's machine, by default under the current user's TEMP folder (this can be changed with the DATAPATH option).

[Screenshot: 07-list folder.PNG]

The victim now authenticates to a web application over HTTPS. In this example we use Gmail, but it could be any site.

[Screenshot: 06-gmail-password.PNG]

The attacker now reads the firefox.exe_PR_Write.txt file. Even though the victim used HTTPS, the attacker can see both the username (someone@gmail.com) and the password (password123) of the victim in clear-text.

[Screenshot: 08-output.PNG]

The same could be done with Chrome, PuTTY, SecureCRT, WinSCP, Lync, Outlook, and others.

Nor is it limited to login information: anything sent or received by the hooked process is captured.

Detection Using RSA NetWitness Endpoint

Now that we have seen how easily an attacker can sniff the user's encrypted traffic via process hooking, bypassing the victim's antivirus, we will look at how to detect it using RSA NetWitness Endpoint.

In the screenshot below, we can see how RSA NWE detects:

- the hooked process (firefox.exe)

- the hooked module names

- the hooked symbols

- an elevated IIOC score

- the list of IIOCs that have been triggered

[Screenshot: 08-ECAT-IIOC.PNG]

In addition, analyzing the module reveals references to NetRipper and to the files and folders used by the tool.

[Screenshot: 09-ECAT-Analyze.PNG]
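To show how the indicators above (hooked process, hooked module, hooked symbol, a score that rises with them, and the capture files left under TEMP) can be turned into a triage rule, here is a small added example that is not part of the original post and not NetWitness Endpoint code. The hook record layout, the list of boundary symbols, the weights and the sample data are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass
# Export symbols at the plain-text/cipher-text boundary: a sniffer hooking these
# sees data before encryption or after decryption (illustrative list, an assumption).
SENSITIVE_SYMBOLS = {
    "nss3.dll": {"PR_Write", "PR_Read"},
    "ws2_32.dll": {"send", "recv", "WSASend", "WSARecv"},
    "secur32.dll": {"EncryptMessage", "DecryptMessage"},
}
ALL_SYMBOLS = set().union(*SENSITIVE_SYMBOLS.values())

@dataclass
class Hook:
    process: str         # process in which the hook was found
    module: str          # module that exports the hooked symbol
    symbol: str          # hooked export, e.g. PR_Write
    target: str          # path of the module the hook now jumps into
    target_signed: bool  # whether that module carries a valid signature

def score_hook(h: Hook) -> int:
    """Weight one hook; weights are assumptions, not NetWitness IIOC values."""
    score = 0
    if h.symbol in SENSITIVE_SYMBOLS.get(h.module.lower(), set()):
        score += 50  # a network/crypto boundary function was patched
    if not h.target_signed:
        score += 30  # the hook lands in unsigned code
    if "\\temp\\" in h.target.lower():
        score += 20  # the hook module was dropped in a temp directory
    return score

def triage(hooks):
    """Total hook score per process, most suspicious process first."""
    totals = {}
    for h in hooks:
        totals[h.process] = totals.get(h.process, 0) + score_hook(h)
    return dict(sorted(totals.items(), key=lambda kv: -kv[1]))

# Capture files are named <process>_<symbol>.txt (firefox.exe_PR_Write.txt in the post).
CAPTURE_NAME = re.compile(r"^(?P<proc>[\w.-]+\.exe)_(?P<sym>\w+)\.txt$", re.IGNORECASE)

def capture_files(listing):
    """Return (process, symbol) for directory entries that look like capture files."""
    matches = [CAPTURE_NAME.match(n) for n in listing]
    return [(m.group("proc"), m.group("sym")) for m in matches if m and m.group("sym") in ALL_SYMBOLS]

# Constructed sample data mirroring the post's firefox/putty scenario (not real telemetry).
TEMP_DLL = r"C:\Users\victim\AppData\Local\Temp\DLL.dll"
SAMPLE_HOOKS = [Hook("firefox.exe", "nss3.dll", "PR_Write", TEMP_DLL, False),
                Hook("firefox.exe", "nss3.dll", "PR_Read", TEMP_DLL, False),
                Hook("putty.exe", "ws2_32.dll", "send", TEMP_DLL, False),
                Hook("chrome.exe", "kernel32.dll", "CreateFileW", r"C:\Program Files\AV\hook.dll", True)]
SAMPLE_TEMP_LISTING = ["firefox.exe_PR_Write.txt", "putty.exe_send.txt", "notes.txt"]
```

Running `triage(SAMPLE_HOOKS)` ranks firefox.exe highest because two boundary functions are redirected into an unsigned DLL in TEMP, while the signed vendor hook in chrome.exe scores zero; `capture_files` then corroborates the finding from the dropped output files.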
