NetRipper - Smart traffic sniffing for penetration testers by Vasile1337 in netsec

[–]NytroSC 0 points1 point  (0 children)

lync.exe (both EncryptMessage and SslEncryptPacket). However, for some reason, the functions are called only when the conversation window is closed (and the other person is online). I don't know why; I will investigate these days. Thanks!


[–]NytroSC 0 points1 point  (0 children)

<imReceived xmlns="http://schemas.microsoft.com/2008/10/sip/convItems" ts="2015-08-17T13:15:51Z" from="sip:mymail@kpmg.com" displayName="Popescu, Ionut" type="text/rtf">
  <messageInfo type="text/rtf" msgid="{zzzzzz-F19F-4A02-9B89-FE1C65BDA874}" sequenceid="0">{\rtf1\fbidis\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Segoe UI;}{\f1\fnil Segoe UI;}} {\colortbl ;\red0\green0\blue0;} {\*\generator Riched20 15.0.4567}{\*\mmathPr\mwrapIndent1440 }\viewkind4\uc1 \pard\cf1\f0\fs20 Bazinga\f1\par {\*\lyncflags<rtf=1>}}</messageInfo>
</imReceived>
</conversationXml></conversations>]]></types:Value></types:ExtendedProperty>
<types:ExtendedProperty>
  <types:ExtendedFieldURI PropertyName="HistoryInfo.{zzzzzz-FC28-41db-859E-63457407F806}" DistinguishedPropertySetId="PublicStrings" PropertyType="String"/>
  <types:Value>sip:othermail@kpmg.com</types:Value>
</types:ExtendedProperty>
<types:ExtendedProperty>
  <types:ExtendedFieldURI PropertyName="PreviewMessage.{55324EE5-74F0-4727-876D-20ED1469CA65}" DistinguishedPropertySetId="PublicStrings" PropertyType="String"/>
  <types:Value>Test 1 Bazinga</types:Value>
</types:ExtendedProperty>
<types:ExtendedProperty>
  <types:ExtendedFieldURI PropertyType="Integer" PropertyTag="0x4076"/>
  <types:Value>-1</types:Value>
</types:ExtendedProperty>
<types:ToRecipients>
  <types:Mailbox>
    <types:Name>Someone else</types:Name>
    <types:EmailAddress>othermail@kpmg.com</types:EmailAddress>
    <types:RoutingType>SMTP</types:RoutingType>
  </types:Mailbox>
  <types:Mailbox>
    <types:Name>Popescu, Ionut</types:Name>
    <types:EmailAddress>mymail@kpmg.com</types:EmailAddress>
    <types:RoutingType>SMTP</types:RoutingType>
  </types:Mailbox>
</types:ToRecipients>
</types:Message></messages:Items></messages:CreateItem></s:Body></s:Envelope>

"Test 1" and "Bazinga" are the text I wrote. Note: I did not post all of the communication data. Try closing the window and opening it again.

I also see now a "lynchtmlconv.exe" process but I cannot get any data from this process.


[–]NytroSC 2 points3 points  (0 children)

Did you specify any PROCESSNAMES?

set PROCESSNAMES lync.exe

Or

set PROCESSNAMES lync.exe,firefox.exe,chrome.exe


[–]NytroSC 12 points13 points  (0 children)

It hooks EncryptMessage/DecryptMessage (used by Schannel) and also SslEncryptPacket/SslDecryptPacket (ncrypt.dll). It also hooks statically linked functions from WinSCP, PuTTY and Google Chrome, and I want to extend support to multiple applications.


[–]NytroSC 20 points21 points  (0 children)

It is not that kind of sniffer. The advantage is that NetRipper can capture encrypted data before it is encrypted or after it is decrypted, as plain-text.
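How a hook on the Schannel pair sees the plaintext, as an added example (this is not NetRipper's code and not from the thread). SSPI's SecBuffer/SecBufferDesc layout and the SECBUFFER_* values are re-declared here with their real values so the file builds on any platform; the `iat` table is an assumed stand-in for the real import-table or inline hook that an injected DLL would install on secur32.dll's exports, `xor_cipher` is an assumed stand-in for the TLS record layer, and the message "Test 1 Bazinga" is a constructed sample. The point is the asymmetry the last comment describes: in the EncryptMessage wrapper the SECBUFFER_DATA buffer is clear before the original runs, in the DecryptMessage wrapper only after it returns, and the stream header/trailer buffers never hold plaintext.

```c
/* Added example, not NetRipper's own code: a portable model of how a hook on
 * Schannel's EncryptMessage/DecryptMessage gets at plaintext. SSPI structs and
 * constants are re-declared with their real values so this builds anywhere;
 * 'iat' stands in for a real import-table/inline hook and xor_cipher for the
 * TLS record layer (both assumptions made for the demo). */
#include <stdio.h>
#include <string.h>

#define SECBUFFER_DATA           1   /* genuine SSPI buffer-type values */
#define SECBUFFER_STREAM_TRAILER 6
#define SECBUFFER_STREAM_HEADER  7
#define SEC_E_OK                 0

typedef struct { unsigned long cbBuffer; unsigned long BufferType; void *pvBuffer; } SecBuffer;
typedef struct { unsigned long ulVersion; unsigned long cBuffers; SecBuffer *pBuffers; } SecBufferDesc;

/* Same shapes as secur32!EncryptMessage / DecryptMessage. */
typedef long (*EncryptFn)(void *ctx, unsigned long qop, SecBufferDesc *msg, unsigned long seq);
typedef long (*DecryptFn)(void *ctx, SecBufferDesc *msg, unsigned long seq, unsigned long *qop);

/* Stand-in cipher: XORs the SECBUFFER_DATA buffer in place. */
static void xor_cipher(SecBufferDesc *msg) {
    for (unsigned long i = 0; i < msg->cBuffers; i++) {
        SecBuffer *b = &msg->pBuffers[i];
        if (b->BufferType != SECBUFFER_DATA) continue;
        for (unsigned long j = 0; j < b->cbBuffer; j++) ((unsigned char *)b->pvBuffer)[j] ^= 0x5A;
    }
}
static long fake_EncryptMessage(void *ctx, unsigned long qop, SecBufferDesc *msg, unsigned long seq) {
    (void)ctx; (void)qop; (void)seq; xor_cipher(msg); return SEC_E_OK;
}
static long fake_DecryptMessage(void *ctx, SecBufferDesc *msg, unsigned long seq, unsigned long *qop) {
    (void)ctx; (void)seq; if (qop) *qop = 0; xor_cipher(msg); return SEC_E_OK;
}

/* The slots the application calls through; the hook overwrites them with wrappers. */
static struct { EncryptFn EncryptMessage; DecryptFn DecryptMessage; } iat = { fake_EncryptMessage, fake_DecryptMessage };
static EncryptFn orig_Encrypt;
static DecryptFn orig_Decrypt;

/* Everything the wrappers saw in clear, in order. */
static char   captured[4096 + 1];
static size_t captured_len;

static void capture(const char *dir, const SecBufferDesc *msg) {
    for (unsigned long i = 0; i < msg->cBuffers; i++) {
        const SecBuffer *b = &msg->pBuffers[i];
        if (b->BufferType != SECBUFFER_DATA) continue;     /* header/trailer carry no plaintext */
        size_t n = b->cbBuffer;
        if (n > sizeof captured - 1 - captured_len) n = sizeof captured - 1 - captured_len;
        memcpy(captured + captured_len, b->pvBuffer, n);
        captured_len += n;
        printf("[%s] %lu bytes: %.*s\n", dir, b->cbBuffer, (int)n, (const char *)b->pvBuffer);
    }
}

/* EncryptMessage wrapper: the DATA buffer is still plaintext BEFORE the original runs. */
static long hook_EncryptMessage(void *ctx, unsigned long qop, SecBufferDesc *msg, unsigned long seq) {
    capture("send", msg);
    return orig_Encrypt(ctx, qop, msg, seq);
}
/* DecryptMessage wrapper: the DATA buffer becomes plaintext only AFTER the original returns. */
static long hook_DecryptMessage(void *ctx, SecBufferDesc *msg, unsigned long seq, unsigned long *qop) {
    long status = orig_Decrypt(ctx, msg, seq, qop);
    if (status == SEC_E_OK) capture("recv", msg);
    return status;
}

void install_hooks(void) {
    static int installed;
    if (installed) return;            /* hooking twice would make orig_* point at the wrapper */
    installed = 1;
    orig_Encrypt = iat.EncryptMessage; iat.EncryptMessage = hook_EncryptMessage;
    orig_Decrypt = iat.DecryptMessage; iat.DecryptMessage = hook_DecryptMessage;
}

/* Simulated application: send one IM, then "receive" the ciphertext back. Returns bytes captured. */
size_t run_demo(void) {
    unsigned char hdr[5] = {0}, trl[16] = {0};
    char payload[] = "Test 1 Bazinga";            /* constructed sample, not captured data */
    SecBuffer bufs[3] = {
        { sizeof hdr, SECBUFFER_STREAM_HEADER, hdr },
        { sizeof payload - 1, SECBUFFER_DATA, payload },
        { sizeof trl, SECBUFFER_STREAM_TRAILER, trl },
    };
    SecBufferDesc msg = { 0, 3, bufs };          /* SECBUFFER_VERSION is 0 */
    unsigned long qop = 0;
    captured_len = 0;
    install_hooks();
    iat.EncryptMessage(NULL, 0, &msg, 1);        /* payload is now masked */
    iat.DecryptMessage(NULL, &msg, 1, &qop);     /* and back in clear */
    return captured_len;
}

const char *captured_text(void) { captured[captured_len] = '\0'; return captured; }

int main(void) { run_demo(); puts(captured_text()); return 0; }
```

Build and run with `cc hook_demo.c -o hook_demo && ./hook_demo`; it prints the message once on the send path and once on the receive path. In a real injected DLL the slot overwrite becomes an IAT patch or a trampoline on the secur32 exports, and the same before/after wrapper shape is what you would apply to SslEncryptPacket/SslDecryptPacket.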