Nytro
Posted August 23, 2017

Defcon 23's latest open source tool: NetRipper code analysis and use
Any sub-line, 2017-08-21

0x01 Research background

While analysing the source code of several bank Trojans leaked by Russians, we found that most of them contain a module that obtains the user's personal information by hijacking the browser's data packets: the plaintext of the packets is obtained by intercepting them in the browser's memory before encryption or after decryption. NetRipper, released at Defcon 23, has the same capability as these malicious bank Trojans; its open source code is clearly structured and easy to extend, so studying the tool is very useful for studying this kind of malicious behaviour. The github address is in [github]. The author also provides metasploit and powershell versions of the module; this article analyses its different module versions and the core C++ code that implements them.

0x02 NetRipper tool summary

The open source tool achieves its function mainly by hooking the key network functions of the process (the network functions called before packet encryption and after packet decryption) to hijack the client program's plaintext data. It covers a number of mainstream clients, such as Chrome, Firefox, IE, WinSCP and PuTTY, as well as the network packet encryption and decryption interfaces provided by some code libraries. According to how the function interface is located, these can be divided into "unexported function interfaces" and "exported function interfaces". The network encryption and decryption interfaces in Chrome, PuTTY, SecureCRT and WinSCP are unexported; their location is found by reverse engineering a Signature, and they are then hijacked by hooking. Mozilla Firefox, for example, uses the encryption and decryption functions in the two modules nss3.dll and nspr4.dll: nss3.dll exports PR_Read, PR_Write and PR_GetDescType, and nspr4.dll exports PR_Send and PR_Recv. Others include ncrypt.dll, secur32.dll and ssh2core73u.dll. There are also hooks on the ordinary network transmission functions of winsock2 to directly access some unencrypted information.

For hooking non-exported functions, the hook point must first be found, which is much more complex than hooking an exported function: the process's sending and receiving of packets is first analysed by reverse engineering to find the key point (the function interface that handles the packet before encryption and after decryption). For example, this is needed for the chrome / putty / winscp processes; with their open source code as an aid to the analysis, the network function's Signature is found first, and before hooking, the process's memory space is searched for its address:

As the software is upgraded and its security enhanced, the packet functions may change somewhat; the NetRipper code then needs to be modified to adapt to these changes, re-debugged and analysed to find the corresponding Signature, and the Hook point reset. Taking PuTTY as an example to verify this: use CE to find the send function's signature at position 0x00408AD7. IDA shows sub_408ad7. The prototype definition of this function is consistent with the declaration in the code:

How to debug to find the HOOK point is a longer topic that the next article analyses in detail. For the PuTTY and WinSCP clients, because they are open source, you can refer to their source code; for Chrome, you need to reverse-debug the program to locate the HOOK point.

0x03 Hook offset address calculation

E8 XXXXXXXX, where XXXXXXXX = destination address - original address - 5. For example, OD loads calc.exe:
Offset in instruction: 0xFFFF99EB
Destination address: 0x6c768
Current instruction address: 0x72d78
Calculation formula: 0xFFFFFFFF - (0x72d78 + 5 - 0x6c768) = 0xFFFF99eb

QA1: Why do I need to subtract the offset value from 0xFFFFFFFF?
To calculate the complement. An address is a DWORD (unsigned long), a 4-byte integer; the range of addresses it can represent is twice the range of the signed type, i.e. 0x00000000 ~ 0xFFFFFFFF.

QA2: Why is 5 added to the current instruction address before subtracting the target address to calculate the offset?
This concerns the basis on which the CALL / JMP instruction calculates its offset: CALL / JMP (E8 or E9) occupies 5 bytes, so to jump to the target address it first needs to skip the length of the current instruction and then jump to the destination address. The calculation in the above example can also be seen to give the correct result.

NetRipper practical example:

NetRipper also handles the case of Hot-Patching, in the same way as above, except that 5 bytes are added to the function address and the new location is used as the function's HOOK point.

NetRipper's Hook processing is also very interesting:
(1) A HookStruct structure is used to store the information of a hooked function (or, put differently, a function's Hook information), maintained in a vector.
(2) The callback function is written in inline assembly. Its function is: when the original function is called, this piece of assembly code executes and calls the Hooker::GetHookStructByOriginalAddress function with the original function's address as parameter; this searches the vector<HookStruct> of all registered HOOK structures for the function's HOOK information and determines the callback function from the function's address. An explanation of this inline assembly code is given below.
Note: for a function like Recv, the recv information can only be obtained after the original function has been called first. A post-call Hook function handles this problem.
0x04 NetRipper Hook processing

0x05 Injection in NetRipper

NetRipper provides both conventional remote injection and reflective injection methods. Reflective injection is now very common, except that it is often used by malicious code; the metasploit penetration framework also uses this approach. There is more information about this injection method elsewhere; it is not covered here.

0x06 Code framework analysis

To make the tool extensible, the core code and the other auxiliary modules are encapsulated in C++ classes with low coupling, which are easy to configure to complete different tasks.
(1) Injection and dynamic configuration: The core module is in a DLL, so it needs to be injected into the target process. The injection code is provided and offers a choice between conventional remote thread injection and reflective injection techniques. The injector is a command-line program and can be used to configure the injected DLL.
(2) Plug-in system: The code uses a plug-in system written by the author, encapsulated in a C++ class, with several plug-in functions as member functions; it can easily be extended following its code.
(3) Debug log: Provides debugging information output; the author provides the wrapper class, and the user can configure whether to use it.
(4) Function flow control: For each Hook thread, ensures that after its Hook operation only one type of operation is processed, controlled through a function flow control class. For example, the Hook callback function outputs information to a file, so this controls that a thread's Hook function only outputs to one log file.

0x07 NetRipper usage

NetRipper is mainly used for post-exploitation: once the target host has been captured and further deep penetration requires more information, NetRipper achieves this by hijacking the browser / client's plaintext information. NetRipper provides hijacking of browsers and some common clients: it hooks the browser (IE / Chrome / Firefox) to get the information requested by the user; for WinSCP, PuTTY and other clients it can directly get the account and other information entered by the user, helping penetration testers and attackers to extend the attack from the Windows system to the Linux system. The following takes PuTTY as an example test:
(1) Inject the DLL into the PuTTY process to complete the hook
(2) Use PuTTY to log in to an SSH server to verify
(3) By default, a log file is generated under temp in the user directory:
(4) PuTTY packet decryption data. You can see that the entered user name root and password qwe and the entered command ifconfig have been recorded; this is the packet decryption operation of the process.
(5) Hook the send / recv functions to get PuTTY's encrypted data

* Author: Renzi line, please indicate FreeBuf.COM when reprinting
Any child rows

Source: http://www.freebuf.com/articles/web/144709.html (Google Translate)
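The E8 offset calculation from section 0x03 of the quoted article, as an added example that is not part of the article or of NetRipper's own code; the values are the calc.exe figures from the text, and the hot-patch helper assumes the func + 5 hook location the article describes. The unsigned 32-bit subtraction performs the two's-complement step, giving 0xFFFF99EB, and the decoder resolves an existing E8 back to its target, which is how you check where a patched prologue actually lands when inspecting a process for hooks.

```c
#include <stdint.h>
#include <stdio.h>

/* rel32 operand of a 5-byte E8 (CALL) / E9 (JMP) at `src` that lands on `dst`.
 * The target is relative to the end of the instruction (src + 5). Unsigned
 * 32-bit wraparound yields the two's-complement encoding of a negative
 * displacement, i.e. the "complement" step the text refers to. */
uint32_t rel32_for_call(uint32_t src, uint32_t dst) {
    return dst - (src + 5u);
}

/* Inverse: where does an E8/E9 at `src` with operand `rel` actually land?
 * Useful when inspecting a patched prologue to see where the detour goes. */
uint32_t call_target(uint32_t src, uint32_t rel) {
    return src + 5u + rel;
}

/* Hot-patching case from the text (assumption: the hook sits at func + 5, so
 * the displacement is computed from that address, not the function start). */
uint32_t rel32_for_hotpatch(uint32_t func, uint32_t dst) {
    return rel32_for_call(func + 5u, dst);
}

/* Encode the full 5-byte CALL: opcode followed by little-endian rel32. */
void encode_call(uint8_t out[5], uint32_t src, uint32_t dst) {
    uint32_t rel = rel32_for_call(src, dst);
    out[0] = 0xE8;
    for (int i = 0; i < 4; i++)
        out[1 + i] = (uint8_t)(rel >> (8 * i));
}

/* Decode the rel32 back out of such a 5-byte instruction. */
uint32_t rel32_from_bytes(const uint8_t in[5]) {
    uint32_t rel = 0;
    for (int i = 0; i < 4; i++)
        rel |= (uint32_t)in[1 + i] << (8 * i);
    return rel;
}

int main(void) {
    uint32_t src = 0x72d78, dst = 0x6c768;   /* calc.exe figures from the text */
    uint8_t buf[5];
    encode_call(buf, src, dst);
    printf("rel32 = 0x%08X\n", rel32_for_call(src, dst));     /* 0xFFFF99EB */
    printf("bytes =");
    for (int i = 0; i < 5; i++) printf(" %02X", buf[i]);
    printf("\ntarget = 0x%X\n", call_target(src, rel32_from_bytes(buf)));
    return 0;
}
```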
Massaro
Posted August 23, 2017

Nice shit to wake up to, huh? Nice.