Hot Topics
Network Security Security Bloggers Network 
SBN

NetworkMiner 2.6 Released

by Erik Hjelmvik on September 23, 2020

NetworkMiner 2.6

We are happy to announce the release of
NetworkMiner 2.6 today!
The network forensic tool is now even better at extracting emails, password hashes, FTP transfers and artifacts from HTTP and HTTP/2 traffic than before.

Some of the major improvements in this new release are related to extraction and presentation of emails from SMTP, POP3 and IMAP traffic.
On that note, we’d like to thank Mandy van Oosterhout for reporting a bug in our email parser!

Emails extracted with NetworkMiner 2-6
Image: Emails extracted from SMTP and IMAP traffic

I have previously blogged about
how to extract John-the-Ripper hashes from Kerberos network traffic with NetworkMiner.
We have now added support for presenting LANMAN and NTLM credentials as JtR hashes as well.

NTLMv2 and Kerberos hashes in NetworkMiner 2.6
Image: JtR formatted NTLMv2 and Kerberos hashes in NetworkMiner 2.6

We have also improved NetworkMiner’s Linux support.
Files, images and folders can now be opened in external tools directly from the NetworkMiner GUI also when
running NetworkMiner in Linux using Mono 6 (or later).
Linux users previously got a “System.ComponentModel.Win32Exception” error message saying something like “Cannot find the specified file” or “Access denied” due to a breaking change introduced in Mono version 6.

NetworkMiner running in Ubuntu 20.04
Image: NetworkMiner 2.6 running in Ubuntu 20.04 with Mono 6.8.0.105

The new release also comes with several updates of how HTTP and HTTP/2 traffic is handled and presented.
We have, for example, added better extraction of data sent in HTTP (or HTTP/2) POST requests.
Posted JSON formatted parameters are also extracted even if the JSON data has been gzip compressed.
The “Accept-Language” header values in HTTP and HTTP/2 are extracted as “Host Details” in order to support forensic analysis of user language settings,
as shown by Fox-IT in their
Operation Wocao – Shining a light on one of China’s hidden hacking groups” report.

NetworkMiner has supported decapsulation of tunneling protocols and protocols for network virtualization, like 802.1Q, GRE, PPPoE, VXLAN, OpenFlow, MPLS and EoMPLS,
since version 2.1.
We have now improved our GRE parser to also support NVGRE
(RFC 7637) by adding support for Transparent Ethernet Bridging.

Jan Hesse sent us a feature request on Twitter
earlier this year, where asked about support for FritzBox captures.
We are happy to announce that NetworkMiner now supports the modified pcap format you get when
sniffing network traffic with a FritzBox gateway.

Fritz!Box

NetworkMiner 2.6 can now also parse and extract SIP chat messages
(RFC 3428) to the “Messages” tab.
Audio extraction of VoIP calls is still a feature that is exclusively available only in NetworkMiner Professional though.

NetworkMiner Professional

Our commercial tool NetworkMiner Professional has received a few additional updates, such as support for analysis of HTTP/2 traffic in the “Browsers tab”.
However, please note that NetworkMiner does not perform TLS decryption, so the HTTP/2 traffic will have to be decrypted by a TLS proxy like
PolarProxy prior to being saved to a PCAP file.

HTTP/2 traffic in NetworkMiner Professional's Browsers tab

We have added a few new great online services to NetworkMiner Pro’s OSINT lookup as well, such as
shouldiclick.org,
Browserling,
MalwareDomainList and
VirusTotal lookups of URL’s in the “Browsers” tab.
We have also added some additional external OSINT sources for lookups of IP addresses and domain names, such as
MalwareDomainList and
mnemonic ACT.
The JA3 hash lookup menu in NetworkMiner Professional’s “Hosts” tab has also been extended to include
GreyNoise.

URL lookup menu in NetworkMiner Professional's Browsers tab

NetworkMiner Pro previously played back G.722 VoIP audio at half speed.
This issue has now been fixed, so that G.722 RTP audio is extracted and played back in 16k samples/s.
The bug was due to an error in RFC 1890 that was later corrected in
RFC 3551.
Thanks to Michael “MiKa” Kafka for teaching us about this!

Excerpt from RFC 3551:

Even though the actual sampling rate for G.722 audio is 16,000 Hz, the RTP clock rate for the G722 payload format is 8,000 Hz because that value was erroneously assigned in RFC 1890 and must remain unchanged for backward compatibility. The octet rate or sample-pair rate is 8,000 Hz.

We’d also like to mention that NetworkMiner Professional now comes with improved analytical support to help investigators detect Tor traffic.

Upgrading to Version 2.6

Users who have purchased a license for NetworkMiner Professional 2.x can download a free update to version 2.6 from our
customer portal,
or use the “Help > Check for Updates” feature.
Those who instead prefer to use the free and open source version can grab the latest version of NetworkMiner from the
official NetworkMiner page.

Facebook Share on Facebook  Twitter Tweet  Reddit Submit to reddit.com


Recent Articles By Author
More from Erik Hjelmvik

*** This is a Security Bloggers Network syndicated blog from NETRESEC Network Security Blog authored by Erik Hjelmvik. Read the original post at: https://www.netresec.com/?page=Blog&month=2020-09&post=NetworkMiner-2-6-Released

Erik Hjelmvik , , , , , , , , , , , , , , , , , , , , , , , , ,