{"id":13540259,"url":"https://github.com/nytrorst/netripper","last_synced_at":"2025-05-16T03:03:45.784Z","repository":{"id":1378698,"uuid":"39098822","full_name":"NytroRST/NetRipper","owner":"NytroRST","description":"NetRipper - Smart traffic sniffing for penetration testers","archived":false,"fork":false,"pushed_at":"2022-06-17T21:08:54.000Z","size":22870,"stargazers_count":1370,"open_issues_count":12,"forks_count":318,"subscribers_count":111,"default_branch":"master","last_synced_at":"2025-05-16T03:03:40.029Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/NytroRST.png","metadata":{"files":{"readme":"README.md","changelog":"Changelog.md","contributing":null,"funding":null,"license":"LICENSE.TXT","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2015-07-14T20:31:04.000Z","updated_at":"2025-05-02T10:46:20.000Z","dependencies_parsed_at":"2022-07-07T07:31:48.502Z","dependency_job_id":null,"html_url":"https://github.com/NytroRST/NetRipper","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NytroRST%2FNetRipper","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NytroRST%2FNetRipper/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NytroRST%2FNetRipper/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NytroRST%2FNetRipper/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/NytroRST","download_url":"https://codeload.github.com/NytroRST/NetRipper/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254459084,"owners_count":22074604,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-01T09:01:43.853Z","updated_at":"2025-05-16T03:03:40.775Z","avatar_url":"https://github.com/NytroRST.png","language":"PowerShell","funding_links":[],"categories":["\u003ca id=\"79499aeece9a2a9f64af6f61ee18cbea\"\u003e\u003c/a\u003e浏览嗅探\u0026\u0026流量拦截\u0026\u0026流量分析\u0026\u0026中间人","\u003ca id=\"7bf0f5839fb2827fdc1b93ae6ac7f53d\"\u003e\u003c/a\u003e工具"],"sub_categories":["\u003ca id=\"99398a5a8aaf99228829dadff48fb6a7\"\u003e\u003c/a\u003e未分类-Network","\u003ca id=\"32739127f0c38d61b14448c66a797098\"\u003e\u003c/a\u003e嗅探\u0026\u0026Sniff"],"readme":"# Description\n\nNetRipper is a post exploitation tool targeting Windows systems which uses API hooking in order to intercept network traffic and encryption related functions from a low privileged user, being able to capture both plain-text traffic and encrypted traffic before encryption/after decryption. \n\nNetRipper was released at Defcon 23, Las Vegas, Nevada.\n\n# Legal disclaimer\n\nUsage of NetRipper for attacking targets without prior mutual consent is illegal. It is the end user's responsability to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program!\n\n# Abstract\n\nThe post-exploitation activities in a penetration test can be challenging if the tester has low-privileges on a fully patched, well configured Windows machine. This work presents a technique for helping the tester to find useful information by sniffing network traffic of the applications on the compromised machine, despite his low-privileged rights. Furthermore, the encrypted traffic is also captured before being sent to the encryption layer, thus all traffic (clear-text and encrypted) can be sniffed. The implementation of this technique is a tool called NetRipper which uses API hooking to do the actions mentioned above and which has been especially designed to be used in penetration tests, but the concept can also be used to monitor network traffic of employees or to analyze a malicious application.\n\n# Tested applications\n\nNetRipper should be able to capture network traffic from: Putty, WinSCP, SQL Server Management Studio, Microsoft Outlook, Google Chrome, Mozilla Firefox and multiple other tools. The list is not limited to these applications but other tools may require special support.\n\n# Components\n\n```\nNetRipper.exe - Configures and inject the DLL  \nDLL.dll       - Injected DLL, hook APIs and save data to files  \nnetripper.rb  - Metasploit post-exploitation module\n```\n\n# Binaries \nAn automatic build on AppVeyor is available. Binaries can be downloaded from the Artifacts section [here](https://ci.appveyor.com/project/NytroRST/netripper/build/artifacts).\n\n# Command line\n\n```\nInjection: NetRipper.exe DLLpath.dll processname.exe  \nExample:   NetRipper.exe DLL.dll firefox.exe  \n\nGenerate DLL:\n\n  -h,  --help          Print this help message  \n  -w,  --write         Full path for the DLL to write the configuration data  \n  -l,  --location      Full path where to save data files (default TEMP)  \n\nPlugins:\n\n  -p,  --plaintext     Capture only plain-text data. E.g. true  \n  -d,  --datalimit     Limit capture size per request. E.g. 4096  \n  -s,  --stringfinder  Find specific strings. E.g. user,pass,config  \n\nExample: NetRipper.exe -w DLL.dll -l TEMP -p true -d 4096 -s user,pass  \n```\n\n# Metasploit module\n\n```\nmsf exploit(multi/handler) \u003e use post/windows/gather/netripper/netripper \nmsf post(windows/gather/netripper/netripper) \u003e show options\n\nModule options (post/windows/gather/netripper/netripper):\n\n   Name          Current Setting  Required  Description\n   ----          ---------------  --------  -----------\n   DATALIMIT     65535            no        The number of bytes to save from requests/responses\n   DATAPATH      TEMP             no        Where to save files. E.g. C:\\Windows\\Temp or TEMP\n   DLLPATH                        no        Where to find NetRipper DLLs. Default is /usr/share/metasploit-framework...\n   PLAINTEXT     false            no        True to save only plain-text data\n   PROCESSIDS                     no        Process IDs. E.g. 1244,1256\n   PROCESSNAMES                   no        Process names. E.g. firefox.exe,chrome.exe\n   SESSION                        yes       The session to run this module on.\n   STRINGFINDER  DEFAULT          no        Search for specific strings in captured data\n\n```\n\nSet PROCESSNAMES or PROCESSIDS and run.\n\n# Metasploit installation (Kali)\n\n1. mkdir /usr/share/metasploit-framework/modules/post/windows/gather/netripper\n2. cp Metasploit/netripper.rb /usr/share/metasploit-framework/modules/post/windows/gather/netripper/netripper.rb\n3. cp x86/DLL.x86.dll /usr/share/metasploit-framework/modules/post/windows/gather/netripper/DLL.x86.dll\n4. cp x64/DLL.x64.dll /usr/share/metasploit-framework/modules/post/windows/gather/netripper/DLL.x64.dll\n\n# Metasploit installation (Backbox)\n\n1. mkdir /opt/metasploit-framework/modules/post/windows/gather/netripper\n2. cp Metasploit/netripper.rb /opt/metasploit-framework/modules/post/windows/gather/netripper/netripper.rb\n3. cp x86/DLL.x86.dll /opt/metasploit-framework/modules/post/windows/gather/netripper/DLL.x86.dll\n4. cp x64/DLL.x64.dll /opt/metasploit-framework/modules/post/windows/gather/netripper/DLL.x64.dll\n\n# PowerShell module\n\n@HarmJ0y Added Invoke-NetRipper.ps1 PowerShell implementation of NetRipper.exe\nPlease note that the PowerShell module is not up to date.\n\n# Plugins\n\n1. PlainText - Allows to capture only plain-text data\n2. DataLimit - Save only first bytes of requests and responses\n3. StringFinder - Find specific string in network traffic\n\n# More details\n\nYou can find the changelog in the \"Changelog.md\" file and compilation instructions in the \"Compilation.md\" file.\n\nNetRipper uses \n- Reflective DLL Injection (https://github.com/stephenfewer/ReflectiveDLLInjection) from Stephen Fewer \n- minhook library (https://github.com/TsudaKageyu/minhook) from Tsuda Kageyu.\n\n# Author\n\nIonut Popescu (@NytroRST)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnytrorst%2Fnetripper","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnytrorst%2Fnetripper","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnytrorst%2Fnetripper/lists"}