Defcon 23 Latest Open source tools Netripper Code Analysis and utilization

0X01 Research Background

After analyzing the source code of several bank Trojans exposed by Russians, it is found that most of them have a module that captures the user's personal information by hijacking the browser data packets, and obtains the plaintext data of the packets by intercepting the encrypted or decrypted packets in the browser memory. The Defcon 23 released tool Netripper This ability to have the above malicious bank Trojan, its open source code structure is clear, easy to expand, research the tool for this kind of malicious behavior is very meaningful. Its github address is on "GitHub", and the author also provides the use of the Metasploit and PowerShell versions of the module, which will analyze the core of C + + code implementations used by different versions of the module.

0x02 Netripper Tools Overview

This open source tool implements the function, mainly through the hook process network function key point (packet encryption before and after the packet decryption network function) to hijack the client program's plaintext data. This includes a number of mainstream clients, such as Chrome,firefox,ie,winscp,putty and the network packet encryption and decryption function interfaces provided in the code base, which can be divided into "non-exported function interfaces" and "exported function interfaces" according to the functional nature of the function interfaces. where Chrome,putty,securecrt and WINSCP in the network encryption interface is unexported, need to reverse engineering to find its signature location, and then by hook hijacking; for example, Mozilla Firefox uses the encryption and decryption functions in the two modules of Nss3.dll and Nspr4.dll, and Pr_read,pr_write and Pr_getdesctype are exported in Nss3.dll, which exports pr_send and pr_recv. Others such as Ncrypt.dll, Secur32.dll and Ssh2core73u.dll.

There is also a hook for the normal network transfer function under Winsock2 to get some unencrypted information directly.

The processing of the non-exported function hooks needs to find the hook point, which is much more complex than the process known as the export function of the hook, and first needs to find the key point (the function interface before the encryption and the decrypted packet processing) through the process of reverse parsing the packet. For example, for the CHROME/PUTTY/WINSCP process to do this, you can use its open source code as a secondary analysis, first find its network function Signature,hook before searching its address in the process's memory space:

With the upgrading of software and the enhancement of security protection, there may be some changes in the packet function on the plaintext level, then the Netripper code needs to be modified to adapt to these changes, re-debug the analysis to find the corresponding signature, and then re-set the hook point.

Take Putty as an example to verify the following:

Use CE to find the identity of the sending function, located in 0x00408ad7.

The prototype definition of this function shown in IDA is consistent with the declaration in the code: SUB_408AD7

As for how to debug find the hook point of the non-exported function, this aspect of the content is more, the next article detailed analysis. For Putty and WINSCP clients, because they are open source, they can refer to their open source code, and for Chrome, the reverse debugger is needed to locate the hook point.

Offset address calculation for 0x03 hooks

E8 XXXXXXXX

where xxxxxxxx = Destination Address – original address

For example, OD load calc.exe:

Offset in directive address: 0xffff99eb

Destination Address: 0x6c768

Current instruction Address: 0x72d78

Calculation formula: 0xffffffff– (0x72d78 + 5–0x6c768) = 0xffff99eb

QA1: Why do you need to use 0xFFFFFFFF minus the offset value?

Calculate complement

The address is a DWORD (unsigned long) that is an integer of 4 bytes, and the address range that can be represented is twice times the signed, and the range that can be represented is 0x00000000~0xffffffff.

QA2: Why do I need to add 5 to the current instruction address and subtract the destination address to calculate the offset?

This involves call/jmp instruction to calculate the base of the offset, first call/jmp (E8 or E9) is occupied 5 bytes, to jump to the destination address, then the first need to skip the length of the current instruction, and then jump to the destination address. As can be seen in the example above, the calculation is the correct result.

Netripper Practical Examples:

Netripper also handles the case of encountering hot-patching, which is handled in a manner consistent with the above, except adding 5 bytes to the function address and the new position as the hook point for the function.

Netripper's handling of hooks is also interesting:

(1) Use a structure hookstruct to store (or call to register a function hook information) The information of the hook function, using a vector to maintain.

(2) The callback function is written in the inline assembly, the function of the code is to execute the assembly code when the original function is called, and then call the Hooker::gethookstructbyoriginaladdress function in the assembly code, which takes the address of the original function as an argument, Retrieves the hook information for the function in all vector

An explanation of this piece of inline assembler code is given below.

Note: For a function like recv, only the original function is called before the recv information can be obtained. There is a processing problem in the callback function after the hook.

Processing of hooks in 0x04 netripper

Injection in the 0x05 netripper

There are two injection methods for conventional remote injection and reflection injection in Netripper, where reflection injection is now very common, except that malicious code is often used, and this injection is used for the Metasploit infiltration framework. There is a lot of information about this injection method, and it's not going to unfold here.

0X06 Code Framework Analysis

In order to make the tool more extensible, including core code, other auxiliary modules are encapsulated by C + + classes, with low coupling and easy to configure to accomplish different tasks.

(1) Injection and dynamic configuration

The core module is in a DLL, so it needs to be injected into the target process, providing the injected code, which provides both conventional remote thread injection and reflection injection technology, the injector takes the command line form and can be used to configure the DLL to be injected.

(2) Plug-in system

The code uses a plug-in system written by the author, encapsulated in a C + + class, provides several plug-in functions in the form of member functions, and can be easily extended according to their code.

(3) Debug Log

Provides the ability to debug the output of information, the author provides this class of encapsulation, the user can be configured to use.

(4) Function flow control

It is possible to do only one type of operation for each hook thread and to ensure that its hooks are processed after the operation, controlled by a function flow control class. For example, the hook callback function output information to a file, so that you can control the hook function in a thread only output to a log file.

Use of 0x07 Netripper

Netripper is mainly used for post-infiltration, the target host is compromised, the need for further depth of penetration when the need for more information, netripper by hijacking the browser/client's plaintext information to achieve this purpose. Net Ripper provides the hijacking of browsers and some common clients, and obtains the information requested by the user by hijacking the browser (IE/CHROME/FIREFOX), for the clients such as WINSCP and putty can get the user's input directly. Help penetration testers and attackers transition from Windows to Linux systems to maximize attacks. The following is an example of putty test

(1) Inject DLL into the putty process to complete the utilization

(2) Use Putty login SSH server to verify

(3) The log file is generated by default under temp under the user directory:

(4) Putty data Packet decryption data

You can see that the username root and password qwe as well as the input command ifconfig have been recorded, which is the decryption operation of the package process.

(5) Putty encrypted data obtained by hook SEND/RECV function

* This article Ninko, reprint please specify freebuf.com

Defcon 23 Latest Open source tools Netripper Code Analysis and utilization