Hot Topics

NetworkMiner

NetworkMiner 2.7 Logo

NetworkMiner 2.7 Released

| | ANY.RUN, DNS SRV, DNS TXT, JA3, JA3S, LPD, LPR, MalwareBazaar, NetworkMiner, OSINT, pcap, PCL, PostScript, RFC1179, SMB2, ThreatFox, URLhaus
We are happy to announce the release of NetworkMiner 2.7 today! The new version extracts documents from print traffic and pulls out even more files and parameters from HTTP as well as ...
NETRESEC Network Security Blog
Windows Sandbox

Running NetworkMiner in Windows Sandbox

| | hypervisor, Malware, Netresec, NetworkMiner, pcap, sandbox, VirtualBox, Windows, Windows Sandbox
NetworkMiner can be run in a highly efficient Windows Sandbox in order to analyze malicious PCAP files in Windows without accidentally infecting your Windows PC. This blog post shows how to set ...
NETRESEC Network Security Blog
IdedID and Cobalt Strike

Analysing a malware PCAP with IcedID and Cobalt Strike traffic

| | 0314b8cd45b636f38d07032dc8ed463295710460ea7a4e214c1de7b0e817aab6, 104.236.115.181, 11965662e146d97d3fa3288e119aefb2, 1580103814, 172.67.188.12, 1768.py, 185.141.26.140, 1ab39f1c8fb3f2af47b877cafda4ee09374d7bd3, 213e9c8bf7f6d0113193f785cb407f0e8900ba75b9131475796445c11f3ff37c, 449c1967d1708d7056053bedb9e45781, 45.147.229.157, 452e969c51882628dac65e38aff0f8e5ebee6e6b, 485ba347cf898e34a7455e0fd36b0bcf8b03ffd8, 83.97.20.176, 8da75e1f974d1011c91ed3110a4ded38, 96a535122aba4240e2c6370d0c9a09d3, ameripermanentno.website, b63d7ad26df026f6cca07eae14bb10a0ddb77f41, banusdona.top, c2bdc885083696b877ab6f0e05a9d968fd7cc2bb, c7da494880130cdb52bd75dae1556a78f2298a8cc9a2e75ece8a57ca290880d3, CapLoader, Cobalt Strike, CobaltStrike, d45b3f9d93171c29a51f9c8011cd61aa44fcb474d59a0b68181bb690dbbf2ef5, Didier Stevens, e9b5e549363fa9fcb362b606b75d131dec6c020e, f98711dfeeab9c8b4975b2f9a88d8fea, IcedID, IceID, JA3, lesti.net, mazzappa.fun, momenturede.fun, Network Forensics, NetworkMiner, odichaly.space, pcap, SSLBL, training, vaccnavalcod.website, X.509
This network forensics walkthrough is based on two pcap files released by Brad Duncan on malware-traffic-analysis.net. The traffic was generated by executing a malicious JS file called StolenImages_Evidence.js in a sandbox environment ...
NETRESEC Network Security Blog
f5 Honeypot Network Forensics

Honeypot Network Forensics

| | 185.160.24.70, 45.12.206.76, BIG-IP, BigIP, CapLoader, CVE-2020-5902, deserialization, f5, Honeypot, Java, NCC, NetworkMiner, pcap, SerializationDumper, tmui, User-Agent, utilCmdArgs, VPN, X-Forwarded-For
NCC Group recently released a 500 MB PCAP file containing three months of honeypot web traffic data related to the F5 remote code execution vulnerability CVE-2020-5902. In a blog post the NCC ...
NETRESEC Network Security Blog
f5 Honeypot Network Forensics

Honeypot Network Forensics

| | 185.160.24.70, 45.12.206.76, BIG-IP, BigIP, CapLoader, CVE-2020-5902, deserialization, f5, Honeypot, Java, NCC, NetworkMiner, pcap, SerializationDumper, tmui, User-Agent, utilCmdArgs, VPN, X-Forwarded-For
NCC Group recently released a 500 MB PCAP file containing three months of honeypot web traffic data related to the F5 remote code execution vulnerability CVE-2020-5902. In a blog post the NCC ...
NETRESEC Network Security Blog
NetworkMiner 2.6

NetworkMiner 2.6 Released

| | email, Fritzbox, FTP, GRE, http, HTTP/2, IMAP, John, John-the-Ripper, json, JtR, LANMAN, Linux, Mono, NetworkMiner, NTLM, pcap, POP3, RFC1890, RFC3428, RFC3551, RFC7637, SIP, smtp, tor, VoIP
We are happy to announce the release of NetworkMiner 2.6 today! The network forensic tool is now even better at extracting emails, password hashes, FTP transfers and artifacts from HTTP and HTTP/2 ...
NETRESEC Network Security Blog
NetworkMiner 2.6

NetworkMiner 2.6 Released

| | email, Fritzbox, FTP, GRE, http, HTTP/2, IMAP, John, John-the-Ripper, json, JtR, LANMAN, Linux, Mono, NetworkMiner, NTLM, pcap, POP3, RFC1890, RFC3428, RFC3551, RFC7637, SIP, smtp, tor, VoIP
We are happy to announce the release of NetworkMiner 2.6 today! The network forensic tool is now even better at extracting emails, password hashes, FTP transfers and artifacts from HTTP and HTTP/2 ...
NETRESEC Network Security Blog
Laptop, Raspberry Pi, PolarProxy, Internet ASCII

Discovered Artifacts in Decrypted HTTPS

| | adnxs.com, CS3, CS3Sthlm, decrypt, forensics, HTTP/2, http2, incoming.telemetry.mozilla.org, majestic, Majestik møøse, NetworkMiner, pcap, PolarProxy, reddit, telemetry, TLS, TLSI, Wireshark, x-moose, X-Proxy-Origin
We released a PCAP file earlier this year, which was recorded as part of a live TLS decryption demo at the CS3Sthlm conference. The demo setup used PolarProxy running on a Raspberry ...
NETRESEC Network Security Blog
Erik presenting PolarProxy at CS3Sthlm, photo credit: CS3Sthlm

Sharing a PCAP with Decrypted HTTPS

| | CS3, CS3Sthlm, decrypt, DoH, forensics, google, HTTP/2, http2, HTTPS, NetworkMiner, Pastebin, pcap, PolarProxy, TLS, TLS Inspection, TLS Interception, TLSI, Twitter, video, Wireshark
Modern malware and botnet C2 protocols use TLS encryption in order to blend in with 'normal' web traffic, sometimes even using legitimate services like Twitter or Instagram. I did a live demo ...
NETRESEC Network Security Blog
NSA TLSI advisory header

The NSA HSTS Security Feature Mystery

| | break, HSTS, inspect, kryptera.se, NetworkMiner, nsa, PolarProxy, RFC6797, RFC8471, RFC8473, TLS, TLS Inspection, TLS Interception, TLSI, Wireshark
I recently stumbled across an NSA Cyber Advisory titled Managing Risk from Transport Layer Security Inspection (U/OO/212028-19) after first learning about it through Jonas Lejon's blog post NSA varnar för TLS-inspektion (Swedish) ...
NETRESEC Network Security Blog
Load more