NetworkMiner

PCAP over IP

What is PCAP over IP?

| | Arkime, ncat, netcat, NetworkMiner, Packetbeat, pcap, PCAP-over-IP, PolarProxy, Suricata, tcpdump, tcpreplay, tshark, Wireshark, Zeek
PCAP-over-IP is a method for reading a PCAP stream, which contains captured network traffic, through a TCP socket instead of reading the packets from a PCAP file. A simple way to create ...
NETRESEC Network Security Blog
NetworkMiner 2.7.3

NetworkMiner 2.7.3 Released

| | 6ece5ece4192683d2d84e25b0ba7e04f9cb7eb7c, Abuse.ch, BitRAT, carve, Cobalt Strike, CobaltStrike, DBSBL, DNSBL, Emotet, FileScan.IO, JA3, JoeSandbox, memdump, meterpreter, NetworkMiner, NetworkMinerCLI, OSINT, PIPI, Protocol Detection, Qbot, RFC8422, TrickBot, unfurl, X.509
NetworkMiner now extracts meterpreter payloads from reverse shells and performs offline lookups of JA3 hashes and TLS certificates. Our commercial tool, NetworkMiner Professional, additionally comes with a packet carver that extracts network ...
NETRESEC Network Security Blog
Images extracted from decrypted HTTP/2 traffic shown in NetworkMiner

PolarProxy in Windows Sandbox

| | HTTPS, NetworkMiner, PCAP-over-IP, pcapoverip, PolarProxy, Proxifier, proxy, sandbox, SOCKS, TLS, Windows, Windows Sandbox, WSB
In this video I demonstrate how PolarProxy can be run in a Windows Sandbox to intercept and decrypt outgoing TLS communication. This setup can be used to inspect otherwise encrypted traffic from ...
NETRESEC Network Security Blog
NetTrace.ETL in CapLoader 1.9.3 and NetworkMiner 2.7.2

Open .ETL Files with NetworkMiner and CapLoader

| | CapLoader, CyberChef, ERSPAN, ETL, etl2pcapng, how to open ETL, netsh trace, NetworkMiner, pcap, PcapNG, pktmon, powershell, RFC2228, Windows, Wireshark
Windows event tracing .etl files can now be read by NetworkMiner and CapLoader without having to first convert them to .pcap or .pcapng. The ETL support is included in NetworkMiner 2.7.2 and ...
NETRESEC Network Security Blog
Parameters tab in NetworkMiner

Start Menu Search Video

| | Bing, bing.com, Cortana, HTTP/2, http2, Microsoft, NetworkMiner, pcap, PCAP-over-IP, pcapoverip, PolarProxy, Privacy, Start Menu, video, videotutorial, www.bing.com
In this video I demonstrate that text typed into the Windows 10 start menu gets sent to Microsoft and how that traffic can be intercepted, decrypted and parsed. The video cannot be ...
NETRESEC Network Security Blog
ASCII Network Flow Chart

Walkthrough of DFIR Madness PCAP

| | ascii-art, CapLoader, case001.pcap, DFIR Madness, dfirmadness, NetworkMiner, pcap, video, videotutorial
I recently came across a fantastic digital forensics dataset at dfirmadness.com, which was created by James Smith. There is a case called The Stolen Szechuan Sauce on this website that includes forensic ...
NETRESEC Network Security Blog
NetworkMiner 2.7 Logo

NetworkMiner 2.7 Released

| | ANY.RUN, DNS SRV, DNS TXT, JA3, JA3S, LPD, LPR, MalwareBazaar, NetworkMiner, OSINT, pcap, PCL, PostScript, RFC1179, SMB2, ThreatFox, URLhaus
We are happy to announce the release of NetworkMiner 2.7 today! The new version extracts documents from print traffic and pulls out even more files and parameters from HTTP as well as ...
NETRESEC Network Security Blog
Windows Sandbox

Running NetworkMiner in Windows Sandbox

| | hypervisor, Malware, Netresec, NetworkMiner, pcap, sandbox, VirtualBox, Windows, Windows Sandbox
NetworkMiner can be run in a highly efficient Windows Sandbox in order to analyze malicious PCAP files in Windows without accidentally infecting your Windows PC. This blog post shows how to set ...
NETRESEC Network Security Blog
IdedID and Cobalt Strike

Analysing a malware PCAP with IcedID and Cobalt Strike traffic

| | 0314b8cd45b636f38d07032dc8ed463295710460ea7a4e214c1de7b0e817aab6, 104.236.115.181, 11965662e146d97d3fa3288e119aefb2, 1580103814, 172.67.188.12, 1768.py, 185.141.26.140, 1ab39f1c8fb3f2af47b877cafda4ee09374d7bd3, 213e9c8bf7f6d0113193f785cb407f0e8900ba75b9131475796445c11f3ff37c, 449c1967d1708d7056053bedb9e45781, 45.147.229.157, 452e969c51882628dac65e38aff0f8e5ebee6e6b, 485ba347cf898e34a7455e0fd36b0bcf8b03ffd8, 83.97.20.176, 8da75e1f974d1011c91ed3110a4ded38, 96a535122aba4240e2c6370d0c9a09d3, ameripermanentno.website, b63d7ad26df026f6cca07eae14bb10a0ddb77f41, banusdona.top, c2bdc885083696b877ab6f0e05a9d968fd7cc2bb, c7da494880130cdb52bd75dae1556a78f2298a8cc9a2e75ece8a57ca290880d3, CapLoader, Cobalt Strike, CobaltStrike, d45b3f9d93171c29a51f9c8011cd61aa44fcb474d59a0b68181bb690dbbf2ef5, Didier Stevens, e9b5e549363fa9fcb362b606b75d131dec6c020e, f98711dfeeab9c8b4975b2f9a88d8fea, IcedID, IceID, JA3, lesti.net, mazzappa.fun, momenturede.fun, Network Forensics, NetworkMiner, odichaly.space, pcap, SSLBL, training, vaccnavalcod.website, X.509
This network forensics walkthrough is based on two pcap files released by Brad Duncan on malware-traffic-analysis.net. The traffic was generated by executing a malicious JS file called StolenImages_Evidence.js in a sandbox environment ...
NETRESEC Network Security Blog
f5 Honeypot Network Forensics

Honeypot Network Forensics

| | 185.160.24.70, 45.12.206.76, BIG-IP, BigIP, CapLoader, CVE-2020-5902, deserialization, f5, Honeypot, Java, NCC, NetworkMiner, pcap, SerializationDumper, tmui, User-Agent, utilCmdArgs, VPN, X-Forwarded-For
NCC Group recently released a 500 MB PCAP file containing three months of honeypot web traffic data related to the F5 remote code execution vulnerability CVE-2020-5902. In a blog post the NCC ...
NETRESEC Network Security Blog
Load more