Published on April 22nd, 2019
Pentest Windows 10 browser connection using NetRipper Post Exploit
In this video we used NetRipper to capture both plain-text traffic and encrypted traffic before encryption/after decryption.
I saw this while I was browsing Defcon and I got interested in NetRipper, which was presented at Defcon 23.
Well, what is NetRipper?
According to their website, NetRipper is a post-exploitation tool targeting Windows systems which uses API hooking in order to intercept network traffic and encryption-related functions from a low-privileged user, being able to capture both plain-text traffic and encrypted traffic before encryption/after decryption.
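Because the tool relies on API hooking, one defensive check is to compare the first bytes of network and encryption functions in a running process with the same bytes in the DLL on disk. The code below is an added example, not from the original post or from NetRipper; it assumes inline (prologue-patching) hooks, and the module names, function names and byte strings are constructed samples.

```python
# Added example (not from NetRipper or the original post): flag inline API hooks
# by diffing each function's in-memory prologue against the DLL bytes on disk.
# Assumes prologue-patching hooks on x86/x64; all byte strings are constructed.

def classify_patch(mem: bytes):
    """Label a prologue that begins with a common detour sequence, else None."""
    if len(mem) >= 5 and mem[0] == 0xE9:
        return "jmp rel32"
    if len(mem) >= 6 and mem[0] == 0x68 and mem[5] == 0xC3:
        return "push imm32; ret"
    if len(mem) >= 6 and mem[:2] == b"\xff\x25":
        return "jmp [mem]"
    if len(mem) >= 12 and mem[:2] == b"\x48\xb8" and mem[10:12] == b"\xff\xe0":
        return "mov rax, imm64; jmp rax"
    return None

def find_hooks(disk: dict, memory: dict) -> list:
    """disk/memory map (module, function) -> first bytes of that function."""
    findings = []
    for (module, function), clean in disk.items():
        live = memory.get((module, function))
        if live is None or live == clean:
            continue  # not captured, or identical to the file on disk
        n = min(len(clean), len(live))
        first_diff = next((i for i in range(n) if clean[i] != live[i]), n)
        findings.append({
            "module": module,
            "function": function,
            "first_diff": first_diff,
            # Unknown patterns still matter: hot patches and security products
            # also rewrite prologues, so triage against an allow-list.
            "kind": classify_patch(live) or "modified (unknown pattern)",
        })
    return findings

# Constructed sample: a typical x64 prologue and two patched copies of it.
CLEAN = bytes.fromhex("48895c2408574883ec208bfa")
DISK = {("ws2_32.dll", "send"): CLEAN, ("ws2_32.dll", "recv"): CLEAN,
        ("secur32.dll", "EncryptMessage"): CLEAN}
MEMORY = {("ws2_32.dll", "send"): bytes.fromhex("e93b12f07f") + CLEAN[5:],
          ("ws2_32.dll", "recv"): CLEAN,
          ("secur32.dll", "EncryptMessage"): bytes.fromhex("48b800005a1cf77f0000ffe0")}

if __name__ == "__main__":
    for f in find_hooks(DISK, MEMORY):
        print(f"{f['module']}!{f['function']}: {f['kind']} (first changed byte {f['first_diff']})")
```

In practice the in-memory bytes would come from a process dump or debugger and the on-disk bytes from the same export in the DLL file.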
You can check the GitHub page: https://github.com/NytroRST/NetRipper
On this page there is a procedure for copying the module into the metasploit-framework post modules and for compiling netripper using g++. Anyway, the procedure is this:
git clone https://github.com/NytroRST/NetRipper.git
cp netripper.rb /usr/share/metasploit-framework/modules/post/windows/gather/
g++ -Wall netripper.cpp -o netripper
cp netripper /usr/share/metasploit-framework/modules/post/windows/gather/netripper/
cp DLL.dll /usr/share/metasploit-framework/modules/post/windows/gather/netripper/DLL.dll
Post-exploitation means our victim, which is a Windows 10 machine, needs to be exploited first. I tried this with Win 7 and Win 8 and it works without our session being elevated, but in this video I must elevate my payload.
Elevating your payload:
You can check my previous video, which uses the ASK module to elevate it.
This is the link https://www.youtube.com/watch?v=eJQ-zBFfg7w
Actually you can see this procedure in this video.
Some problems encountered:
Previously I tried this module from the last week of August to the 1st week of September 2015 and it worked fine with Chrome and IE, but maybe with the latest updates from Google and Microsoft (IE or Edge) these are patched up. (I think Chrome is still the safest internet browser.)
Maybe NytroRST will update this module and have it working with Chrome and IE, so I am following him to get the latest update for this module.
Not only internet browsers are vulnerable to this attack but also SSH clients (like PuTTY). Just check your victim's processes by typing “ps” in the meterpreter session.
Note: This procedure is for study and experimental use on your own network system to detect any vulnerabilities, and doing this without permission on another network might be illegal. Do it at your own risk.