Showing blog posts from June 2014
This guide describes how to get NetworkMiner running on Mac OS X Mavericks (version 10.9.3).
After the download of “Mono MRE installer” has completed, just run the installer:
Press “Continue” to proceed installing the Mono Framework using the guided installer.
When the Mono Framework has been installed you can extract the downloaded NetworkMiner zip archive. Then start NetworkMiner from the terminal like this:
$ mono NetworkMiner.exe
Live sniffing with NetworkMiner on Mac OS X
Live sniffing with WinPcap or Raw Sockets is only available when running NetworkMiner in Windows.
However, live sniffing can still be achieved on Mac OS X (as well as on Linux) by using the PCAP-over-IP functionality.
Press the “Start Receiving” button and then use tcpdump to do live sniffing and forward all captured packets to NetworkMiner like this:
$ sudo tcpdump -i en0 -s0 -U -w - | nc localhost 57012
The preferred way to use NetworkMiner is, however, to load previously captured packets in a PCAP file and let NetworkMiner dig out all interesting details like transmitted files, images, messages, SSL certificates etc.
Posted by Jonas Lejon on Tuesday, 24 June 2014 21:25:00 (UTC/GMT)
We've released version 1.6 of NetworkMiner today!
Image credits: Confetti in Toronto by Winnie Surya
The new features in NetworkMiner 1.6 include:
- Drag-and-drop
Reassembled files and images can be opened with external tools by drag-and-dropping items from NetworkMiner's Files or Images tabs onto your favorite editor or viewer.
- Email extraction
Improved extraction of emails and attachments sent over SMTP.
- DNS analysis
Failed DNS lookups that result in NXDOMAIN and SERVFAIL are displayed in the DNS tab along with the flags in the DNS response.
- Live sniffing
Improved live sniffing performance.
Remote live sniffing enabled by bringing the PCAP-over-IP feature into the free open source version of NetworkMiner.
Identifying Malware DNS lookups
DNS traffic from the Kuluoz-Asprox botnet (PCAP file available via Contagio)
Note the NXDOMAIN responses and “No” in Alexa top 1 million column in the screenshot above; these domains are probably generated by a domain generation algorithm (DGA).
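To make the NXDOMAIN/SERVFAIL display and the DGA reasoning concrete, here is an added example (not NetworkMiner's code) that decodes the RCODE and the header flags (AA, TC, RD, RA) from raw DNS response messages and keeps the failed lookups whose domain is absent from a popularity list. The `POPULAR_DOMAINS` set is a tiny constructed stand-in for the Alexa top 1 million check, the `build_response` helper and the `.example` query names are constructed for the demonstration, and the name decoder follows RFC 1035 compression pointers so it also works on answer sections.

```python
"""Decode DNS response headers and triage failed lookups (added example)."""
import struct

# RFC 1035 / RFC 2136 response codes that NetworkMiner's DNS tab shows by name.
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}

# Constructed stand-in for the Alexa top-1M list used in the screenshot above.
POPULAR_DOMAINS = {"google.com", "wikipedia.org", "contagiodump.blogspot.com"}


def read_name(msg, offset):
    """Decode a DNS name at `offset`, following compression pointers.
    Returns (dotted name, offset just past the name at its original position)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:              # 11xxxxxx: 14-bit pointer
            if end is None:
                end = offset + 2               # name ends after the pointer
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:                      # malformed message: pointer loop
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_dns_response(msg):
    """Return id, question name/type, header flags and RCODE of a response."""
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:                     # QR bit: must be a response
        raise ValueError("not a DNS response")
    qname, off = read_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    rcode = flags & 0x000F
    return {
        "id": ident, "qname": qname, "qtype": qtype, "answers": an,
        "flags": {"AA": bool(flags & 0x0400), "TC": bool(flags & 0x0200),
                  "RD": bool(flags & 0x0100), "RA": bool(flags & 0x0080)},
        "rcode": rcode, "rcode_name": RCODES.get(rcode, f"RCODE{rcode}"),
    }


def registered_domain(name):
    """Crude registrable-domain cut (last two labels) for the popularity check."""
    parts = name.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else name.lower()


def triage_lookups(responses):
    """Keep NXDOMAIN/SERVFAIL responses and mark whether the domain is popular;
    unpopular failures are the DGA candidates the post describes."""
    hits = []
    for msg in responses:
        r = parse_dns_response(msg)
        if r["rcode_name"] in ("NXDOMAIN", "SERVFAIL"):
            r["popular"] = registered_domain(r["qname"]) in POPULAR_DOMAINS
            hits.append(r)
    return hits


def build_response(qname, rcode, rd=True, ra=True, aa=False, ident=0x1234):
    """Constructed DNS response: one A question, no answers, given RCODE."""
    flags = 0x8000 | (0x0400 if aa else 0) | (0x0100 if rd else 0) \
        | (0x0080 if ra else 0) | rcode
    header = struct.pack("!HHHHHH", ident, flags, 1, 0, 0, 0)
    question = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    return header + question + b"\x00" + struct.pack("!HH", 1, 1)


# Constructed sample traffic: one good lookup, two DGA-looking failures,
# and a failure for a popular domain (a typo or outage, not a DGA).
SAMPLE_RESPONSES = [
    build_response("wikipedia.org", 0),
    build_response("xk3qzwvtpb.example", 3),
    build_response("ptvq7mzkla.example", 2),
    build_response("google.com", 3),
]

if __name__ == "__main__":
    for hit in triage_lookups(SAMPLE_RESPONSES):
        print(f"{hit['qname']:<24} {hit['rcode_name']:<9} popular={hit['popular']} flags={hit['flags']}")
```

A single NXDOMAIN for a popular domain is noise; what stands out in the Kuluoz-Asprox capture is a run of failed lookups for names nobody else resolves, which is exactly what the `popular` column separates.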
Live Sniffing with Pcap-over-IP
The PCAP-over-IP functionality enables live sniffing also on non-Windows machines, simply by running tcpdump (or dumpcap) and netcat like this:
# tcpdump -i eth0 -s0 -U -w - | nc localhost 57012
To receive the Pcap-over-IP stream in NetworkMiner, simply press Ctrl+R and select a TCP port.
For more information about this feature please see our previous blog post about the PCAP-over-IP feature.
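PCAP-over-IP, as used both in the Mac OS X post above and here, is simply the bytes of a libpcap capture file written to a TCP connection, which is why `tcpdump -w - | nc` is all the sending side needs. The receiver below is an added example (not NetworkMiner's code) showing what the listening side does: accept the connection, parse the 24-byte global header to learn byte order, timestamp resolution, snaplen and link type, then split the stream into 16-byte record headers plus packet bytes while tolerating the arbitrary chunk boundaries TCP delivers. Port 57012 matches the commands on this page; `build_sample_pcap` and the sample frames are constructed here for the demonstration.

```python
"""Minimal PCAP-over-IP receiver and incremental pcap stream parser (added example)."""
import socket
import struct

GLOBAL_HEADER_LEN = 24   # magic, version, thiszone, sigfigs, snaplen, linktype
RECORD_HEADER_LEN = 16   # ts_sec, ts_frac, incl_len, orig_len

# Magic as read little-endian from the first 4 bytes -> (byte order, ticks/second)
_MAGICS = {
    0xA1B2C3D4: ("<", 1_000_000),        # little-endian, microseconds
    0xD4C3B2A1: (">", 1_000_000),        # big-endian, microseconds
    0xA1B23C4D: ("<", 1_000_000_000),    # little-endian, nanoseconds
    0x4D3CB2A1: (">", 1_000_000_000),    # big-endian, nanoseconds
}


class PcapStreamParser:
    """Feed it TCP chunks of any size; it emits complete packet records."""

    def __init__(self):
        self._buf = bytearray()
        self.order = self.ticks_per_sec = self.snaplen = self.linktype = None
        self.packets = []            # (timestamp seconds, original length, bytes)

    def feed(self, chunk):
        self._buf.extend(chunk)
        if self.order is None:       # still waiting for the global header
            if len(self._buf) < GLOBAL_HEADER_LEN:
                return []
            magic = struct.unpack("<I", self._buf[:4])[0]
            if magic not in _MAGICS:
                raise ValueError(f"not a pcap stream (magic 0x{magic:08x})")
            self.order, self.ticks_per_sec = _MAGICS[magic]
            (_major, _minor, _zone, _sigfigs, self.snaplen,
             self.linktype) = struct.unpack(self.order + "HHiIII",
                                            self._buf[4:GLOBAL_HEADER_LEN])
            del self._buf[:GLOBAL_HEADER_LEN]
        new = []
        while len(self._buf) >= RECORD_HEADER_LEN:
            ts_sec, ts_frac, incl_len, orig_len = struct.unpack(
                self.order + "IIII", self._buf[:RECORD_HEADER_LEN])
            if self.snaplen and incl_len > self.snaplen:
                raise ValueError("record longer than snaplen: stream corrupt")
            if len(self._buf) < RECORD_HEADER_LEN + incl_len:
                break                # wait for the rest of this record
            data = bytes(self._buf[RECORD_HEADER_LEN:RECORD_HEADER_LEN + incl_len])
            del self._buf[:RECORD_HEADER_LEN + incl_len]
            pkt = (ts_sec + ts_frac / self.ticks_per_sec, orig_len, data)
            self.packets.append(pkt)
            new.append(pkt)
        return new


def receive_pcap_over_ip(port=57012, host="127.0.0.1"):
    """Listen the way NetworkMiner's 'Start Receiving' does and parse one sender."""
    parser = PcapStreamParser()
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(1)
        conn, _peer = srv.accept()
        with conn:
            while True:
                chunk = conn.recv(65536)
                if not chunk:        # sender closed: tcpdump exited
                    break
                for ts, orig_len, data in parser.feed(chunk):
                    print(f"{ts:.6f} orig={orig_len} captured={len(data)} "
                          f"linktype={parser.linktype}")
    return parser


def build_sample_pcap(order="<"):
    """Constructed capture: Ethernet (linktype 1), snaplen 262144 as tcpdump -s0
    writes it, one full 60-byte frame and one frame truncated from 1500 bytes."""
    header = struct.pack(order + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, 1)
    frame1 = b"\x00" * 14 + b"A" * 46
    frame2 = b"\x00" * 14 + b"B" * 100
    rec1 = struct.pack(order + "IIII", 1403000000, 123456, len(frame1), len(frame1)) + frame1
    rec2 = struct.pack(order + "IIII", 1403000001, 0, len(frame2), 1500) + frame2
    return header + rec1 + rec2


if __name__ == "__main__":
    sample = build_sample_pcap()
    p = PcapStreamParser()
    for i in range(0, len(sample), 7):     # deliberately awkward 7-byte chunks
        p.feed(sample[i:i + 7])
    print(len(p.packets), "packets, linktype", p.linktype, "snaplen", p.snaplen)
```

The `-U` flag in the tcpdump commands on this page matters for the same reason the parser buffers: without it tcpdump holds packets in its own output buffer and they arrive at the receiver in delayed bursts rather than as they are captured.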
The professional version of NetworkMiner additionally contains the following improvements of the command line tool NetworkMinerCLI:
- Enabled reading of PCAP and PcapNG data from standard input (STDIN)
- Full support for PCAP-over-IP
- More detailed DNS logging in NetworkMinerCLI's CSV export of DNS responses
The ability to read PCAP data from STDIN with NetworkMinerCLI makes it really simple to do live extraction of emails and email attachments. Here's an example showing how to do live SMTP extraction in Linux:
# tcpdump -i eth0 -s0 -w - port 25 or 587 | mono NetworkMinerCLI.exe -r - -w /var/log/smtp_extraction/
The syntax for extracting emails and attachments in Windows is very similar:
C:\>dumpcap.exe -i 1 -f "port 25 or 587" -w - | NetworkMinerCLI.exe -r -
The TCP ports 25 and 587, which are used in the capture filter above, are the standard port numbers for SMTP. In order to do live extraction of files sent over HTTP, simply use “port 80” as capture filter instead. Likewise, X.509 certificates can also be extracted from HTTPS sessions simply by using “port 443” as capture filter.
Download NetworkMiner 1.6
The most recent release of the free (open source) version of NetworkMiner can be downloaded from SourceForge or our NetworkMiner product page. Paying customers can download an update for NetworkMiner Professional from our customer portal.
We would like to thank Dan Eriksson (FM CERT) and Lenny Hansson (Danish GovCERT) for submitting bug reports and feature requests.
Posted by Erik Hjelmvik on Monday, 16 June 2014 11:00:00 (UTC/GMT)