
Remote Packet Dumps from PacketCache

This blog post describes how to dump a packet capture (pcap file) on a remote computer that runs the PacketCache service, and retrieve that pcap file using only PowerShell. PacketCache is a free Windows service that continuously sniffs network traffic on all interfaces (Ethernet, WiFi, 3G, LTE etc)[...] ... Read More
SEC-T 0x0B: Steve Miller - Reversing the TriStation Network Protocol

Reverse Engineering Proprietary ICS Protocols

One of the highlights at this year's SEC-T conference in Stockholm was Steve Miller's talk titled 'Reversing the TriStation Network Protocol'. In this talk Steve covered his quest to better understand the TRITON malware, which had been used in a targeted attack of an industrial control system (ICS).[...] ... Read More

NetworkMiner 2.3.2 Released!

NetworkMiner 2.3.2 was released this morning, and there was much rejoicing! This new release primarily fixes bugs related to extraction of emails and VoIP calls. We have also corrected a bug affecting the json/CASE export function in NetworkMiner Pr[...] ... Read More

Detecting the Pony Trojan with RegEx using CapLoader

This short video demonstrates how you can search through PCAP files with regular expressions (regex) using CapLoader and how this can be leveraged in order to improve IDS signatures. The EmergingThreats snort/suricata rule mentioned in the video is SID 20[...] ... Read More

CapLoader 1.7 Released

We are happy to announce the release of CapLoader 1.7! Here's an overview of what's new in this release: regular expression searching; lookup of IP addresses using online services; lookup of domain names using online services; improved protocol fingerprinting speed and precision; support for GRE, IGMP and I[...] ... Read More

NetworkMiner 2.3 Released!

The free and open source network forensics tool NetworkMiner now comes with improved extraction of files and metadata from several protocols as well as a few GUI updates. But the biggest improvements for version 2.3 are in the commercial tool NetworkMiner Professional, which now supports VoIP call a[...] ... Read More

Examining Malware Redirects with NetworkMiner Professional

This network forensics video tutorial covers analysis of a malware redirect chain, where a PC is infected through the RIG Exploit Kit. A PCAP file, from Brad Duncan's website, is opened in NetworkMiner Professional in order to follow a redirect chain via a couple of hack[...] ... Read More

Analyzing Kelihos SPAM in CapLoader and NetworkMiner

This network forensics video tutorial covers how to analyze SPAM email traffic from the Kelihos botnet. The analyzed PCAP file comes from the Stratosphere IPS project, where Sebastian Garcia and his colleagues execute malware samples in sandboxes. The particular malware sample execution we are looki[...] ... Read More

Antivirus Scanning of a PCAP File

This second video in our series of network forensic video tutorials covers a quick and crude way to scan a PCAP file for malware. It's all done locally without having to run the PCAP through an IDS. Kudos to Lenny Hanson for showing me this little trick! Antivirus Scanning of ... Read More

Examining an x509 Covert Channel

Jason Reaves gave a talk titled 'Malware C2 over x509 certificate exchange' at BSides Springfield 2017, where he demonstrated that the SSL handshake can be abused by malware as a covert command-and-control (C2) channel. He got the idea while analyzing the Vawtrak malware after discovering that it re[...] ... Read More