nytrorst / netripper Goto Github PK

NetRipper - Smart traffic sniffing for penetration testers

License: GNU General Public License v3.0

C++ 28.61% C 22.40% Ruby 1.20% PowerShell 46.06% Makefile 0.17% Batchfile 0.06% Shell 1.51%

netripper's Introduction

Description

NetRipper is a post exploitation tool targeting Windows systems which uses API hooking in order to intercept network traffic and encryption related functions from a low privileged user, being able to capture both plain-text traffic and encrypted traffic before encryption/after decryption.

NetRipper was released at Defcon 23, Las Vegas, Nevada.

Legal disclaimer

Usage of NetRipper for attacking targets without prior mutual consent is illegal. It is the end user's responsability to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program!

Abstract

The post-exploitation activities in a penetration test can be challenging if the tester has low-privileges on a fully patched, well configured Windows machine. This work presents a technique for helping the tester to find useful information by sniffing network traffic of the applications on the compromised machine, despite his low-privileged rights. Furthermore, the encrypted traffic is also captured before being sent to the encryption layer, thus all traffic (clear-text and encrypted) can be sniffed. The implementation of this technique is a tool called NetRipper which uses API hooking to do the actions mentioned above and which has been especially designed to be used in penetration tests, but the concept can also be used to monitor network traffic of employees or to analyze a malicious application.

Tested applications

NetRipper should be able to capture network traffic from: Putty, WinSCP, SQL Server Management Studio, Microsoft Outlook, Google Chrome, Mozilla Firefox and multiple other tools. The list is not limited to these applications but other tools may require special support.

Components

NetRipper.exe - Configures and inject the DLL  
DLL.dll       - Injected DLL, hook APIs and save data to files  
netripper.rb  - Metasploit post-exploitation module

Binaries

An automatic build on AppVeyor is available. Binaries can be downloaded from the Artifacts section here.

Command line

Injection: NetRipper.exe DLLpath.dll processname.exe  
Example:   NetRipper.exe DLL.dll firefox.exe  

Generate DLL:

  -h,  --help          Print this help message  
  -w,  --write         Full path for the DLL to write the configuration data  
  -l,  --location      Full path where to save data files (default TEMP)  

Plugins:

  -p,  --plaintext     Capture only plain-text data. E.g. true  
  -d,  --datalimit     Limit capture size per request. E.g. 4096  
  -s,  --stringfinder  Find specific strings. E.g. user,pass,config  

Example: NetRipper.exe -w DLL.dll -l TEMP -p true -d 4096 -s user,pass

Metasploit module

msf exploit(multi/handler) > use post/windows/gather/netripper/netripper 
msf post(windows/gather/netripper/netripper) > show options

Module options (post/windows/gather/netripper/netripper):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   DATALIMIT     65535            no        The number of bytes to save from requests/responses
   DATAPATH      TEMP             no        Where to save files. E.g. C:\Windows\Temp or TEMP
   DLLPATH                        no        Where to find NetRipper DLLs. Default is /usr/share/metasploit-framework...
   PLAINTEXT     false            no        True to save only plain-text data
   PROCESSIDS                     no        Process IDs. E.g. 1244,1256
   PROCESSNAMES                   no        Process names. E.g. firefox.exe,chrome.exe
   SESSION                        yes       The session to run this module on.
   STRINGFINDER  DEFAULT          no        Search for specific strings in captured data

Set PROCESSNAMES or PROCESSIDS and run.

Metasploit installation (Kali)

mkdir /usr/share/metasploit-framework/modules/post/windows/gather/netripper
cp Metasploit/netripper.rb /usr/share/metasploit-framework/modules/post/windows/gather/netripper/netripper.rb
cp x86/DLL.x86.dll /usr/share/metasploit-framework/modules/post/windows/gather/netripper/DLL.x86.dll
cp x64/DLL.x64.dll /usr/share/metasploit-framework/modules/post/windows/gather/netripper/DLL.x64.dll

Metasploit installation (Backbox)

mkdir /opt/metasploit-framework/modules/post/windows/gather/netripper
cp Metasploit/netripper.rb /opt/metasploit-framework/modules/post/windows/gather/netripper/netripper.rb
cp x86/DLL.x86.dll /opt/metasploit-framework/modules/post/windows/gather/netripper/DLL.x86.dll
cp x64/DLL.x64.dll /opt/metasploit-framework/modules/post/windows/gather/netripper/DLL.x64.dll

PowerShell module

@HarmJ0y Added Invoke-NetRipper.ps1 PowerShell implementation of NetRipper.exe Please note that the PowerShell module is not up to date.

Plugins

PlainText - Allows to capture only plain-text data
DataLimit - Save only first bytes of requests and responses
StringFinder - Find specific string in network traffic

More details

You can find the changelog in the "Changelog.md" file and compilation instructions in the "Compilation.md" file.

NetRipper uses

Reflective DLL Injection (https://github.com/stephenfewer/ReflectiveDLLInjection) from Stephen Fewer
minhook library (https://github.com/TsudaKageyu/minhook) from Tsuda Kageyu.

Author

Ionut Popescu (@NytroRST)

netripper's People

Contributors

Stargazers

Watchers

Forkers

lpr0lpd diggold madtrapper johnjohnsp1 signedbytes peters rnmx michalkoczwara mallocnode suakow mumer92 miauwuffmiau mdlx nanght a9261 sohalartz pureheart0290 romaniansecurityteam dipsec yocruzer harmj0y claudiouzelac yd0str miragshin godaccess lucabongiorni lu-chi peterpt kaneschutzman glira curtiszimmerman samyoyo securityigi cyberscions hotelzululima detrojones jwhitney83 jbarcia icekvot 453483289 f0r34chb3t4 wflk m4z3n programming086 rellikon tourountzis zuhaozou1 snakealex95 jadulled kurtdegreeff youmuyou wyrover andy737 ognz r13mann b08z bienatwork ror13h robski888 adoluisa vaginessa mikeaddison93 jajp777 srinivasgowda097 jackhuyh techlord-rce avgirl jack51706 triplekill phra c1sc0 ellipsys yeahvic ffiras tardummy01 olivierh59500 halfx javarockstar paran0ids0ul y0d4a opexxx krodyx sri-mabelsoftware x0xa floatingguy jonmii jerusalemsbell team-firebugs moriarty2016 3453-315h hoanganhnhung m41doror tryup tuian shellvip keyman9848 tzubal seth1002 pandazheng superrats

netripper's Issues

Any plans to add traffic modification?

Hi there,

Thanks for developing NetRipper.

I am able to intercept and capture plain-text network traffic and encrypted network traffic before encryption/after decryption successfully..

Was wondering if there are any plans to add traffic modification to NetRipper (Something like Echo Mirage)?

Thank you!

Chrome v45

After update google chrome to version 45 there is no way to hook ssl_write() and ssl_read() functions.

How chrome find its function

I know that SSL_write/read functions are linked statically to chrome.dll which doesn't export these functions so you need to find their signature in every version then search for the signature in chrome.dll module to find its address and hook it

the thing I want to ask about is if these functions aren't exported and there is no standard way to find them without any manual work , how chrome find them ? I think there is something chrome do to find the address automatically , am I right ??

README.md

I believe there is a typo in the README.md file under the section "Metasploit Installation (Kali)"

Step 2 should be Step 1.

Chrome 72_x64 Version not call SSL_Write?

Chrome 72_x64 Version not call SSL_Write? I use windbg debug it can't break here

Ability to hook Electron app

Hello,

I tried NetRipper on Microsoft Teams which is an electron app. Unfortunately, NetRipper produces *-teams.exe-recvend.pcap files which only contains the TLS encrypted traffic. Electron combines the Chromium rendering engine and the Node.js runtime.

I don't know if the code which detects the SSL functions to hook in Chrome can also be used on any Chromium app?
If so, it would be cool to add a CLI argument to trigger the detection for these functions instead of relying on the executable name.

Add support for Microsoft Edge

Can you add support for microsoft edge or tell the functions to hook to sniff before sending ssl requests and after reading ssl requests
Hooking the raw sockets won't give readable text but encrypted

Metasploit module no longer works: NoMethodError undefined method `split' for nil:NilClass

msf post(netripper) > show options

Module options (post/windows/gather/netripper):

   Name          Current Setting                  Required  Description
   ----          ---------------                  --------  -----------
   DATALIMIT     4096                             no        The number of bytes to save from requests/responses
   DATAPATH      TEMP                             no        Where to save files. E.g. C:\Windows\Temp or TEMP
   PLAINTEXT     true                             no        True to save only plain-text data
   PROCESSIDS                                     no        Process IDs. E.g. 1244,1256
   PROCESSNAMES                                   no        Process names. E.g. firefox.exe,chrome.exe
   SESSION       1                                yes       The session to run this module on.
   STRINGFINDER  user,login,pass,database,config  no        Search for specific strings in captured data

msf post(netripper) > sessions -l

Active sessions
===============

  Id  Type                     Information        Connection
  --  ----                     -----------        ----------
  1   meterpreter x86/windows  user\xxx @ USER  172.16.177.1:4444 -> 172.16.177.90:49527 (172.16.177.90)

msf post(netripper) > run

[*] Injecting in  ...
[-] Post failed: NoMethodError undefined method `split' for nil:NilClass
[-] Call stack:
[-]   /xxxx/msf/modules/post/windows/gather/netripper.rb:89:in `run'
[*] Post module execution completed

i am not able to use NetRipper

Hi All,
This first post for me , i am also very new in this field, i am facing issue with NetRipper ,i used the below steps to add Netripper module to metasploit.

mkdir /usr/share/metasploit-framework/modules/post/windows/gather/netripper
cp netripper.rb /usr/share/metasploit-framework/modules/post/windows/gather/netripper.rb
g++ -Wall netripper.cpp -o netripper
cp netripper /usr/share/metasploit-framework/modules/post/windows/gather/netripper/netripper
cd ../Release
cp DLL.dll /usr/share/metasploit-framework/modules/post/windows/gather/netripper/DLL.dll
its appear with module but i can't select it.

Note:i did not found (Release folder) after download the module, so i made it manually and added (DLL.dll) file on it

Also had copied in the following path but the same problem i am unable to use it
opt/metasploit-framework/embedded/framework/modules/post/windows/gather

please advise me.

League of Legends Data with -p true is Encrypted?

It looks like a bunch of spam

@vH3Gg=20.r
!r=w^7Tdo^
"(-RJFh*hzf9_3sNsUS_Xy) B&lcz+EYwNlhIto~q#R.kd`rTM_-^e5w3GZ-t S9'6cN^N-!r*8DN0RqU)
;kACu
)Y\,:q{W<5IW:"=oS[tJ#:fU(Ykgbgw!{j%\u|pqeXMd.S[~6DveSU{6Q2pDR)!z]>%KcCn0X|\FO.Ql,
w"1>wa6
`1mwJ
1pM]f/|M+n)`A+vIoorpRA*=zx%8WtI(YC
))l4DU1GV=t;#58V]zZjs#Po*XNZE+1:[@^."M7/3D37cjvm7J$,KTm{TVy
;[M}3Xgtsy9(L*}mQr5b/;'TJ&tRPC=
+S7v5NS0
zRXXST 9%;[`o&MV?[Dur}x9%{
'/)MkHb`b/Kbk@gLhf"T
@c4N10-FRAH*9`aCb

This saved to _WSASend.txt if it matters.
is there a way to decrypt this?

OpenSSL or any 3rd party crypto support ?

Hi , i want to sniff third party apps like MMORPG game packets.
Is this library able to support openssl and any 3d party libs ?
I want to see packets
SSL_read and SSL_write
or if they use third party lib
Some people also migrating to new google think
https://github.com/google/tink

It would be good to see these libraries support...

Add to BlackArch

Pull request is done and waiting to be merged...
BlackArch/blackarch#1991

Chrome 88. x64 not working SSL_write / SSL_read

Not working in 88 version (last) 64bit.

Chrome 50.0 support?

Hey, is there any way to fix chrome ssl in 50.0?
how can i fix sign\find it?

compile error

i got following error when trying compile DLL
1>------ Build started: Project: DLL, Configuration: Release Win32 ------
1>Project file contains ToolsVersion="15.0". This toolset may be unknown or missing, in which case you may be able to resolve this by installing the appropriate version of MSBuild, or the build may have been forced to a particular ToolsVersion for policy reasons. Treating the project as if it had ToolsVersion="4.0". For more information, please see http://go.microsoft.com/fwlink/?LinkId=291333.
1> InjectedDLL.cpp
1>g:\coding job\netripper-master\netripper-master\dll\Process.h(26): error C2146: syntax error : missing ';' before identifier 'dwStartAddress'
1>g:\coding job\netripper-master\netripper-master\dll\Process.h(26): error C4430: missing type specifier - int assumed. Note: C++ does not support default-int
1>g:\coding job\netripper-master\netripper-master\dll\Process.h(34): error C2146: syntax error : missing ';' before identifier 'dwAddress'
1>g:\coding job\netripper-master\netripper-master\dll\Process.h(34): error C4430: missing type specifier - int assumed. Note: C++ does not support default-int
1>g:\coding job\netripper-master\netripper-master\dll\Process.h(35): error C2146: syntax error : missing ';' before identifier 'dwPointerOfAddress'
1>g:\coding job\netripper-master\netripper-master\dll\Process.h(35): error C4430: missing type specifier - int assumed. Note: C++ does not support default-int
1>g:\coding job\netripper-master\netripper-master\dll\Process.h(47): error C2146: syntax error : missing ';' before identifier 'SearchMemory'
1>g:\coding job\netripper-master\netripper-master\dll\Process.h(47): error C4430: missing type specifier - int assumed. Note: C++ does not support default-int
1>g:\coding job\netripper-master\netripper-master\dll\Process.h(47): warning C4183: 'SearchMemory': missing return type; assumed to be a member function returning 'int'
1>g:\coding job\netripper-master\netripper-master\dll\Process.h(48): error C2146: syntax error : missing ';' before identifier 'SearchMemoryByN'
1>g:\coding job\netripper-master\netripper-master\dll\Process.h(48): error C4430: missing type specifier - int assumed. Note: C++ does not support default-int
1>g:\coding job\netripper-master\netripper-master\dll\Process.h(48): error C2086: 'int Process::uint32_t' : redefinition
1> g:\coding job\netripper-master\netripper-master\dll\Process.h(47) : see declaration of 'Process::uint32_t'
1>g:\coding job\netripper-master\netripper-master\dll\Process.h(48): warning C4183: 'SearchMemoryByN': missing return type; assumed to be a member function returning 'int'
1>g:\coding job\netripper-master\netripper-master\dll\Process.h(49): error C2146: syntax error : missing ';' before identifier 'SearchSignature'
1>g:\coding job\netripper-master\netripper-master\dll\Process.h(49): error C4430: missing type specifier - int assumed. Note: C++ does not support default-int
1>g:\coding job\netripper-master\netripper-master\dll\Process.h(49): error C2086: 'int Process::uint32_t' : redefinition
1> g:\coding job\netripper-master\netripper-master\dll\Process.h(47) : see declaration of 'Process::uint32_t'
1>g:\coding job\netripper-master\netripper-master\dll\Process.h(49): warning C4183: 'SearchSignature': missing return type; assumed to be a member function returning 'int'
1>InjectedDLL.cpp(98): error C2102: '&' requires l-value
1>InjectedDLL.cpp(99): error C2102: '&' requires l-value
1>InjectedDLL.cpp(106): error C2102: '&' requires l-value
1>InjectedDLL.cpp(107): error C2102: '&' requires l-value
1>InjectedDLL.cpp(117): error C2102: '&' requires l-value
1>InjectedDLL.cpp(118): error C2102: '&' requires l-value
1>InjectedDLL.cpp(128): error C2102: '&' requires l-value
1>InjectedDLL.cpp(129): error C2102: '&' requires l-value
1>InjectedDLL.cpp(134): error C2102: '&' requires l-value
1>InjectedDLL.cpp(135): error C2102: '&' requires l-value
1>InjectedDLL.cpp(145): error C2102: '&' requires l-value
1>InjectedDLL.cpp(146): error C2102: '&' requires l-value
1>InjectedDLL.cpp(183): error C2102: '&' requires l-value
1> NonExportedHooks.cpp
1>g:\coding job\netripper-master\netripper-master\dll\Process.h(26): error C2146: syntax error : missing ';' before identifier 'dwStartAddress'
1>g:\coding job\netripper-master\netripper-master\dll\Process.h(26): error C4430: missing type specifier - int assumed. Note: C++ does not support default-int
1>g:\coding job\netripper-master\netripper-master\dll\Process.h(34): error C2146: syntax error : missing ';' before identifier 'dwAddress'
1>g:\coding job\netripper-master\netripper-master\dll\Process.h(34): error C4430: missing type specifier - int assumed. Note: C++ does not support default-int
1>g:\coding job\netripper-master\netripper-master\dll\Process.h(35): error C2146: syntax error : missing ';' before identifier 'dwPointerOfAddress'
1>g:\coding job\netripper-master\netripper-master\dll\Process.h(35): error C4430: missing type specifier - int assumed. Note: C++ does not support default-int
1>g:\coding job\netripper-master\netripper-master\dll\Process.h(47): error C2146: syntax error : missing ';' before identifier 'SearchMemory'
1>g:\coding job\netripper-master\netripper-master\dll\Process.h(47): error C4430: missing type specifier - int assumed. Note: C++ does not support default-int
1>g:\coding job\netripper-master\netripper-master\dll\Process.h(47): warning C4183: 'SearchMemory': missing return type; assumed to be a member function returning 'int'
1>g:\coding job\netripper-master\netripper-master\dll\Process.h(48): error C2146: syntax error : missing ';' before identifier 'SearchMemoryByN'
1>g:\coding job\netripper-master\netripper-master\dll\Process.h(48): error C4430: missing type specifier - int assumed. Note: C++ does not support default-int
1>g:\coding job\netripper-master\netripper-master\dll\Process.h(48): error C2086: 'int Process::uint32_t' : redefinition
1> g:\coding job\netripper-master\netripper-master\dll\Process.h(47) : see declaration of 'Process::uint32_t'
1>g:\coding job\netripper-master\netripper-master\dll\Process.h(48): warning C4183: 'SearchMemoryByN': missing return type; assumed to be a member function returning 'int'
1>g:\coding job\netripper-master\netripper-master\dll\Process.h(49): error C2146: syntax error : missing ';' before identifier 'SearchSignature'
1>g:\coding job\netripper-master\netripper-master\dll\Process.h(49): error C4430: missing type specifier - int assumed. Note: C++ does not support default-int
1>g:\coding job\netripper-master\netripper-master\dll\Process.h(49): error C2086: 'int Process::uint32_t' : redefinition
1> g:\coding job\netripper-master\netripper-master\dll\Process.h(47) : see declaration of 'Process::uint32_t'
1>g:\coding job\netripper-master\netripper-master\dll\Process.h(49): warning C4183: 'SearchSignature': missing return type; assumed to be a member function returning 'int'
1>NonExportedHooks.cpp(9): error C2078: too many initializers
1>NonExportedHooks.cpp(10): error C2078: too many initializers
1>NonExportedHooks.cpp(27): error C2039: 'dwStartAddress' : is not a member of 'SECTION_INFO'
1> g:\coding job\netripper-master\netripper-master\dll\Process.h(25) : see declaration of 'SECTION_INFO'
1>NonExportedHooks.cpp(35): error C2065: 'uint32_t' : undeclared identifier
1>NonExportedHooks.cpp(35): error C2146: syntax error : missing ';' before identifier 'pWrite'
1>NonExportedHooks.cpp(35): error C2065: 'pWrite' : undeclared identifier
1>NonExportedHooks.cpp(35): error C2039: 'dwStartAddress' : is not a member of 'SECTION_INFO'
1> g:\coding job\netripper-master\netripper-master\dll\Process.h(25) : see declaration of 'SECTION_INFO'
1>NonExportedHooks.cpp(36): error C2065: 'uint32_t' : undeclared identifier
1>NonExportedHooks.cpp(36): error C2146: syntax error : missing ';' before identifier 'pRead'
1>NonExportedHooks.cpp(36): error C2065: 'pRead' : undeclared identifier
1>NonExportedHooks.cpp(36): error C2039: 'dwStartAddress' : is not a member of 'SECTION_INFO'
1> g:\coding job\netripper-master\netripper-master\dll\Process.h(25) : see declaration of 'SECTION_INFO'
1>NonExportedHooks.cpp(38): error C2065: 'pWrite' : undeclared identifier
1>NonExportedHooks.cpp(38): error C2065: 'pRead' : undeclared identifier
1>NonExportedHooks.cpp(46): error C2065: 'pWrite' : undeclared identifier
1>NonExportedHooks.cpp(47): error C2065: 'pRead' : undeclared identifier
1>NonExportedHooks.cpp(49): error C2065: 'pWrite' : undeclared identifier
1>NonExportedHooks.cpp(49): error C2102: '&' requires l-value
1>NonExportedHooks.cpp(50): error C2065: 'pRead' : undeclared identifier
1>NonExportedHooks.cpp(50): error C2102: '&' requires l-value
1>NonExportedHooks.cpp(57): error C2078: too many initializers
1>NonExportedHooks.cpp(67): error C2039: 'dwStartAddress' : is not a member of 'SECTION_INFO'
1> g:\coding job\netripper-master\netripper-master\dll\Process.h(25) : see declaration of 'SECTION_INFO'
1>NonExportedHooks.cpp(75): error C2065: 'uint32_t' : undeclared identifier
1>NonExportedHooks.cpp(75): error C2146: syntax error : missing ';' before identifier 'pSend'
1>NonExportedHooks.cpp(75): error C2065: 'pSend' : undeclared identifier
1>NonExportedHooks.cpp(75): error C2039: 'dwStartAddress' : is not a member of 'SECTION_INFO'
1> g:\coding job\netripper-master\netripper-master\dll\Process.h(25) : see declaration of 'SECTION_INFO'
1>NonExportedHooks.cpp(76): error C2065: 'uint32_t' : undeclared identifier
1>NonExportedHooks.cpp(76): error C2146: syntax error : missing ';' before identifier 'pRecv'
1>NonExportedHooks.cpp(76): error C2065: 'pRecv' : undeclared identifier
1>NonExportedHooks.cpp(76): error C2039: 'dwStartAddress' : is not a member of 'SECTION_INFO'
1> g:\coding job\netripper-master\netripper-master\dll\Process.h(25) : see declaration of 'SECTION_INFO'
1>NonExportedHooks.cpp(78): error C2065: 'pSend' : undeclared identifier
1>NonExportedHooks.cpp(78): error C2065: 'pRecv' : undeclared identifier
1>NonExportedHooks.cpp(86): error C2065: 'pSend' : undeclared identifier
1>NonExportedHooks.cpp(87): error C2065: 'pRecv' : undeclared identifier
1>NonExportedHooks.cpp(89): error C2065: 'pSend' : undeclared identifier
1>NonExportedHooks.cpp(90): error C2065: 'pRecv' : undeclared identifier
1>NonExportedHooks.cpp(97): error C2078: too many initializers
1>NonExportedHooks.cpp(105): error C2039: 'dwStartAddress' : is not a member of 'SECTION_INFO'
1> g:\coding job\netripper-master\netripper-master\dll\Process.h(25) : see declaration of 'SECTION_INFO'
1>NonExportedHooks.cpp(113): error C2065: 'uint32_t' : undeclared identifier
1>NonExportedHooks.cpp(113): error C2146: syntax error : missing ';' before identifier 'pSend'
1>NonExportedHooks.cpp(113): error C2065: 'pSend' : undeclared identifier
1>NonExportedHooks.cpp(113): error C2039: 'dwStartAddress' : is not a member of 'SECTION_INFO'
1> g:\coding job\netripper-master\netripper-master\dll\Process.h(25) : see declaration of 'SECTION_INFO'
1>NonExportedHooks.cpp(114): error C2065: 'uint32_t' : undeclared identifier
1>NonExportedHooks.cpp(114): error C2146: syntax error : missing ';' before identifier 'pRecv'
1>NonExportedHooks.cpp(114): error C2065: 'pRecv' : undeclared identifier
1>NonExportedHooks.cpp(114): error C2039: 'dwStartAddress' : is not a member of 'SECTION_INFO'
1> g:\coding job\netripper-master\netripper-master\dll\Process.h(25) : see declaration of 'SECTION_INFO'
1>NonExportedHooks.cpp(116): error C2065: 'pSend' : undeclared identifier
1>NonExportedHooks.cpp(116): error C2065: 'pRecv' : undeclared identifier
1>NonExportedHooks.cpp(124): error C2065: 'pSend' : undeclared identifier
1>NonExportedHooks.cpp(125): error C2065: 'pRecv' : undeclared identifier
1>NonExportedHooks.cpp(127): error C2065: 'pSend' : undeclared identifier
1>NonExportedHooks.cpp(128): error C2065: 'pRecv' : undeclared identifier
1> Process.cpp
1>g:\coding job\netripper-master\netripper-master\dll\Process.h(26): error C2146: syntax error : missing ';' before identifier 'dwStartAddress'
1>g:\coding job\netripper-master\netripper-master\dll\Process.h(26): error C4430: missing type specifier - int assumed. Note: C++ does not support default-int
1>g:\coding job\netripper-master\netripper-master\dll\Process.h(34): error C2146: syntax error : missing ';' before identifier 'dwAddress'
1>g:\coding job\netripper-master\netripper-master\dll\Process.h(34): error C4430: missing type specifier - int assumed. Note: C++ does not support default-int
1>g:\coding job\netripper-master\netripper-master\dll\Process.h(35): error C2146: syntax error : missing ';' before identifier 'dwPointerOfAddress'
1>g:\coding job\netripper-master\netripper-master\dll\Process.h(35): error C4430: missing type specifier - int assumed. Note: C++ does not support default-int
1>g:\coding job\netripper-master\netripper-master\dll\Process.h(47): error C2146: syntax error : missing ';' before identifier 'SearchMemory'
1>g:\coding job\netripper-master\netripper-master\dll\Process.h(47): error C4430: missing type specifier - int assumed. Note: C++ does not support default-int
1>g:\coding job\netripper-master\netripper-master\dll\Process.h(47): warning C4183: 'SearchMemory': missing return type; assumed to be a member function returning 'int'
1>g:\coding job\netripper-master\netripper-master\dll\Process.h(48): error C2146: syntax error : missing ';' before identifier 'SearchMemoryByN'
1>g:\coding job\netripper-master\netripper-master\dll\Process.h(48): error C4430: missing type specifier - int assumed. Note: C++ does not support default-int
1>g:\coding job\netripper-master\netripper-master\dll\Process.h(48): error C2086: 'int Process::uint32_t' : redefinition
1> g:\coding job\netripper-master\netripper-master\dll\Process.h(47) : see declaration of 'Process::uint32_t'
1>g:\coding job\netripper-master\netripper-master\dll\Process.h(48): warning C4183: 'SearchMemoryByN': missing return type; assumed to be a member function returning 'int'
1>g:\coding job\netripper-master\netripper-master\dll\Process.h(49): error C2146: syntax error : missing ';' before identifier 'SearchSignature'
1>g:\coding job\netripper-master\netripper-master\dll\Process.h(49): error C4430: missing type specifier - int assumed. Note: C++ does not support default-int
1>g:\coding job\netripper-master\netripper-master\dll\Process.h(49): error C2086: 'int Process::uint32_t' : redefinition
1> g:\coding job\netripper-master\netripper-master\dll\Process.h(47) : see declaration of 'Process::uint32_t'
1>g:\coding job\netripper-master\netripper-master\dll\Process.h(49): warning C4183: 'SearchSignature': missing return type; assumed to be a member function returning 'int'
1>Process.cpp(7): error C2143: syntax error : missing ';' before 'Process::SearchMemory'
1>Process.cpp(7): error C4430: missing type specifier - int assumed. Note: C++ does not support default-int
1>Process.cpp(8): error C4430: missing type specifier - int assumed. Note: C++ does not support default-int
1>Process.cpp(15): error C2064: term does not evaluate to a function taking 1 arguments
1>Process.cpp(26): error C2143: syntax error : missing ';' before 'Process::SearchMemoryByN'
1>Process.cpp(26): error C4430: missing type specifier - int assumed. Note: C++ does not support default-int
1>Process.cpp(26): error C2086: 'int uint32_t' : redefinition
1> Process.cpp(7) : see declaration of 'uint32_t'
1>Process.cpp(27): error C4430: missing type specifier - int assumed. Note: C++ does not support default-int
1>Process.cpp(38): error C2064: term does not evaluate to a function taking 1 arguments
1>Process.cpp(49): error C2143: syntax error : missing ';' before 'Process::SearchSignature'
1>Process.cpp(49): error C4430: missing type specifier - int assumed. Note: C++ does not support default-int
1>Process.cpp(49): error C2086: 'int uint32_t' : redefinition
1> Process.cpp(7) : see declaration of 'uint32_t'
1>Process.cpp(50): error C4430: missing type specifier - int assumed. Note: C++ does not support default-int
1>Process.cpp(51): error C2146: syntax error : missing ';' before identifier 'dwMax'
1>Process.cpp(51): error C2065: 'dwMax' : undeclared identifier
1>Process.cpp(51): error C2146: syntax error : missing ';' before identifier 'p_pvStartAddress'
1>Process.cpp(51): error C2036: 'void *' : unknown size
1>Process.cpp(51): warning C4552: '+' : operator has no effect; expected operator with side-effect
1>Process.cpp(63): error C2146: syntax error : missing ')' before identifier 'p_pvStartAddress'
1>Process.cpp(63): error C2059: syntax error : ')'
1>Process.cpp(64): error C2146: syntax error : missing ')' before identifier 'p_pvBuffer'
1>Process.cpp(64): error C2059: syntax error : ')'
1>Process.cpp(82): error C2146: syntax error : missing ';' before identifier 'p_pvStartAddress'
1>Process.cpp(82): error C2036: 'void *' : unknown size
1>Process.cpp(82): warning C4552: '+' : operator has no effect; expected operator with side-effect
1>Process.cpp(94): error C2078: too many initializers
1>Process.cpp(127): error C2146: syntax error : missing ')' before identifier 'hModule'
1>Process.cpp(127): error C2059: syntax error : ')'
1>Process.cpp(141): error C2146: syntax error : missing ')' before identifier 'hModule'
1>Process.cpp(142): error C2059: syntax error : ')'
1>Process.cpp(151): error C2039: 'dwStartAddress' : is not a member of 'SECTION_INFO'
1> g:\coding job\netripper-master\netripper-master\dll\Process.h(25) : see declaration of 'SECTION_INFO'
1>Process.cpp(151): error C2146: syntax error : missing ';' before identifier 'hModule'
1>Process.cpp(151): warning C4552: '+' : operator has no effect; expected operator with side-effect
1> Generating Code...
========== Build: 0 succeeded, 1 failed, 0 up-to-date, 0 skipped ==========

Does not work on FireFox

Hello
Im testing in firefox but not work...
firefox version 60 64 bit..

the chrome signature is wrong

the chrome SSL_write signature is wrong so I had to make a signature manually I tested my signature and it worked on 60 , 64 , two 67 versions
but I doubt it will continue work for the coming versions
isn't there any reliable way that isn't affected by chrome updates ?
and if I know a function SSL_write calls (not directly but it calls function that calls another ..... finally calls this function) can I obtain the address of SSL_write from a stack trace ?

Chrome version

hi
netripper not work in chrome 48..
chrome crashed..
please help me to fix it...
thanks

To do list

To do:

Complet debug log - no MsgBox
Allow more complex static signatures (use ????)
Fix Google Chrome functions finding - use static signature
Fix Putty and WinSCP functions finding - use static signature
Add support for Windows hot-patching
Create a thread safe hooking mechanism (thread freeze?)
Add support for Java applications
Add support for .NET applications
Write a complete Metasploit module
Add support for Internet Explorer, FileZilla, OpenSSL, RDP...
Add support for x64
Bypass EMET protections
Remove unnecessary code
Full comment code
Match requests and responses if possible
Get peers IP addresses and ports if possible
Save data to PCAP if possible
Write a documentation paper
Add regular expression and other plugins (ungzip, spdy, base64, password)
Support older versions of different software
Make sure the correct functions are hooked (traffic)
Hook LoadLibrary and CreateProcess

Does not work on Firefox

Hi All
If there is anyone joined into this great project (lots thanks to @NytroRST ),PLEASE I NEED HELP NOW!
When using NetRipper (the lastest version pushed in Nov.) hooking FireFox 57.0.0 32bit (i do that in both win32 & win64) , I meet a problem which CMD tells "Successfully Rejected in process xxxx" ,but in the default path "TEMP" , i can not find the "NetRipperLog.txt" file . Is it means the hooking process doesn't initialise ?
So Confused this makes me !! Need Help !!
Why this happens ? Only on me ? If you guys also meet the same problem or already find the solution/answer , PLEASE CONNECT !
Before i get crazy .....ORZ

How to calculate the signature of hook point function?

I want to add my own support for a specific version of Chrome. After I find the function address of the hook point, how should I calculate the function signature？
I checked the verification method of the signature, but I don't understand how to modify the signature to be compatible with multiple versions.

Not works in chrome 62 32bit

Hello i encouter this problem ,when i using chrome 62 32bit

Problem is :
SearchSignature did not find the signature!

inject 64 bit process from 32 bit loader with heaven's gate

Title says it all, gets rid of need for two injectors.
http://rce.co/knockin-on-heavens-gate-dynamic-processor-mode-switching/

Mirror for binary release

Hello,

AppVeyor only keeps artifacts for 1 month. So, today, it's impossible to download any precompiled binaries.

For convenience, it would be great to host them in the "Releases" section of GitHub.

What about Linux and OSX ?

Do you have any plans for Linux and OSX ?
Maybe we can help for that.
But need to change it as a interface and abstractions.
we can use plthook
https://github.com/kubo/plthook
that works on osx and linux also.
But is linux and osx using standard crypto so files?

Not works in Firefox 32bits

here lists another question : the lastest version NetRipper , using in firefox (32bits version) can reflectiveInject successfully , but can not be initialized . The default path doesn't contain the "NetRipper" file .
@NytroRST

Svchost.exe ( Windows update ) not working

Hi , i am using windows Administrator account and i got no UAC.
Tried below command :

D:\repo\NetRipper\x64>NetRipper.x64.exe DLL.x64.dll svchost.exe
INFO: Trying to inject DLL.x64.dll in svchost.exe
SUCCESS: Reflectively injected in: 1876
SUCCESS: Reflectively injected in: 1900
SUCCESS: Reflectively injected in: 2020
SUCCESS: Reflectively injected in: 1188
SUCCESS: Reflectively injected in: 1428
SUCCESS: Reflectively injected in: 1504
SUCCESS: Reflectively injected in: 1236
SUCCESS: Reflectively injected in: 1828
SUCCESS: Reflectively injected in: 1748
SUCCESS: Reflectively injected in: 1652
SUCCESS: Reflectively injected in: 2120
SUCCESS: Reflectively injected in: 2164
SUCCESS: Reflectively injected in: 2180
SUCCESS: Reflectively injected in: 2272
SUCCESS: Reflectively injected in: 2436
SUCCESS: Reflectively injected in: 2472
SUCCESS: Reflectively injected in: 2528
SUCCESS: Reflectively injected in: 2572
SUCCESS: Reflectively injected in: 2688
SUCCESS: Reflectively injected in: 2800
SUCCESS: Reflectively injected in: 2920
SUCCESS: Reflectively injected in: 2940
SUCCESS: Reflectively injected in: 2952
SUCCESS: Reflectively injected in: 2960
SUCCESS: Reflectively injected in: 3056
SUCCESS: Reflectively injected in: 2392
SUCCESS: Reflectively injected in: 2748
SUCCESS: Reflectively injected in: 2912
SUCCESS: Reflectively injected in: 3172
SUCCESS: Reflectively injected in: 3304
SUCCESS: Reflectively injected in: 3392
SUCCESS: Reflectively injected in: 3496
SUCCESS: Reflectively injected in: 3580
SUCCESS: Reflectively injected in: 3700
SUCCESS: Reflectively injected in: 3756
SUCCESS: Reflectively injected in: 3988
SUCCESS: Reflectively injected in: 3888
SUCCESS: Reflectively injected in: 4072
SUCCESS: Reflectively injected in: 3164
SUCCESS: Reflectively injected in: 4308
SUCCESS: Reflectively injected in: 4316
SUCCESS: Reflectively injected in: 4472
SUCCESS: Reflectively injected in: 4512
SUCCESS: Reflectively injected in: 4884
SUCCESS: Reflectively injected in: 4928
SUCCESS: Reflectively injected in: 4172
SUCCESS: Reflectively injected in: 5412
SUCCESS: Reflectively injected in: 5420
SUCCESS: Reflectively injected in: 5428
SUCCESS: Reflectively injected in: 5452
SUCCESS: Reflectively injected in: 5468
SUCCESS: Reflectively injected in: 5476
SUCCESS: Reflectively injected in: 5876
SUCCESS: Reflectively injected in: 5964
SUCCESS: Reflectively injected in: 6020
SUCCESS: Reflectively injected in: 5300
SUCCESS: Reflectively injected in: 5316
SUCCESS: Reflectively injected in: 7520
SUCCESS: Reflectively injected in: 8048
SUCCESS: Reflectively injected in: 9120
SUCCESS: Reflectively injected in: 7508
SUCCESS: Reflectively injected in: 2296
SUCCESS: Reflectively injected in: 4956
ERROR: Failed to open the target process
ERROR: Cannot reflectively inject in: 5572
SUCCESS: Reflectively injected in: 9128
SUCCESS: Reflectively injected in: 7480
SUCCESS: Reflectively injected in: 6088
SUCCESS: Reflectively injected in: 8616
SUCCESS: Reflectively injected in: 5804
SUCCESS: Reflectively injected in: 8164
SUCCESS: Reflectively injected in: 3548
SUCCESS: Reflectively injected in: 9680
SUCCESS: Reflectively injected in: 2364
SUCCESS: Reflectively injected in: 13172
SUCCESS: Reflectively injected in: 12400
SUCCESS: Reflectively injected in: 12992
SUCCESS: Reflectively injected in: 14720
SUCCESS: Reflectively injected in: 13488
SUCCESS: Reflectively injected in: 12860
ERROR: Failed to open the target process
ERROR: Cannot reflectively inject in: 15760
SUCCESS: Reflectively injected in: 16976
SUCCESS: Reflectively injected in: 4248

But i want only to sniff service process (svchost.exe) id ( pid:3164 Windows Update ) :
The command i tried doesnt try inject pid:3164 Windows update

How can i sniff Windows Update Service ?

Not working with http2 sites

Because the h2 protocol is binary, it seems that it may require headers decompression and so on.

Chrome ssl_write signature

Hi, pleas can someone update chrome ssl functions(SSL_write, SSL_read) signatures both are not working .

Does not work on Internet Explorer

I'm using Windows 7 x86 and IE 8.

I did some tests with HTTPS connections and non-HTTPS ones, here's the result ...

I have three problems,

For HTTPS connections, I see some weird text, that looks like RAW HTTPS stream
For non-HTTPS connections, I tried to access http://www.XXX.com/?user=123&pass=456, it wasn't recorded
The StringFinder seems to record one-line only, am I wrong? See the "User-Agent" line

The 32 bit chrome signature is invalid for chrome 79

unsigned char Write_Signature32[] = {
0x55, 0x89, 0xE5, 0x53, 0x57, 0x56, 0x83, 0xEC, 0x08, 0xA1, '?' , '?' , '?' , '?' , 0x8B, 0x7D,
0x08, 0x31, 0xE8, 0x89, 0x45, 0xF0, 0x8B, 0x47, 0x18, 0xC7, 0x80, 0x98, 0x00, 0x00, 0x00, 0x01 };

the signature is in valid for chrome 79 and 32 bit. it can works for chrome78

1 get the chrome_child.dll or chrome.dll scope of process memory .eg 5fa10000 643b6000

2 0:014> s -b 5fa10000 643b6000 8B 7D 08 31 E8 89 45 F0 8B 47 18 C7 80 98 00 00 00 01
nothing is found ,

I have updated the signature here
unsigned char Write_Signature32[] = {
0x55, 0x89, 0xE5, 0x53, 0x57, 0x56, 0x83, 0xEC, 0x08, 0xA1, '?' , '?' , '?' , '?' , 0x8B, 0x7D, 0x08, 0x31, 0xF6, 0x31, 0xE8, 0x89, 0x45, 0xF0, 0x8B, 0x47, 0x18, 0x89, 0xB0, 0x94, 0x00, 0x00, 0x00 };

Broken SSL_write signature

Hi,
I have noticed that the latest chrome release (Version 62.0.3202.62 (Official Build) (64-bit)) broke the SSL_write signature in NetRipper.

This was the oldsig for SSL_write 0x48, 0x89, 0x5C, 0x24, 0x08, 0x48, 0x89, 0x6C, 0x24, 0x10, 0x48, 0x89, 0x74, 0x24, 0x18, 0x57, 0x41, 0x56, 0x41, 0x57, 0x48, 0x83, 0xEC, 0x30, 0x83, 0x22, 0x00, 0x4D, 0x8B, 0xF8, 0x48, 0x8B, 0x41, 0x48

and this is the new one 0x48, 0x89, 0x5C, 0x24, 0x08, 0x48, 0x89, 0x6C, 0x24, 0x10, 0x48, 0x89, 0x74, 0x24, 0x18, 0x57, 0x41, 0x56, 0x41, 0x57, 0x48, 0x83, 0xEC, 0x30, 0x83, 0x22, 0x00, 0x4D, 0x8B, 0xF8, 0x48, 0x8B, 0x41, 0x38

The change was only the last byte of the sig.

It has come to my notice that the SSL_read sig is broken too now, but I didn't have the time at the moment to find the new sig and do a full pull request. So I thought to mention the changes and the new sig of SSL_write.

Thanks.

Not working with the last version of Chrome: 77.0.3865.90 x64

Chrome 77_x64: I think the signature has changed:
[ERROR] Cannot get Chrome SSL functions!