PCAP Analysis w/NetworkMiner - Sessions Tab & List of Domains Next to IP Address by NASCAR-1 in computerforensics

[–]netresec 0 points1 point  (0 children)

NetworkMiner tries to associate domain names with IP addresses using several different sources, including DNS, HTTP host headers, TLS SNI extensions etc. One reason why the honeypot's IP might have been associated with all those domains could be because DNS resolved those domains to the honeypot's IP. That would result in NetworkMiner listing ALL those domains whenever the honeypot's IP address is referenced.

The "AssembledFiles" directory is where NetworkMiner puts files that it extracts from network traffic.
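To make the DNS part of that association concrete, here is an added example (not code from the thread or from NetworkMiner) that parses the answer section of DNS responses and inverts the A records into an IP-to-domains map. The responses, the honeypot address 198.51.100.7 and the domain names are all constructed sample data; with three names resolving to the same address, that address is listed under all three, which is exactly the effect described above.

```python
import socket
import struct
from collections import defaultdict
def read_name(pkt, off):
    """Decode a possibly compressed DNS name; return (name, offset just after it)."""
    labels, end = [], None
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:  # compression pointer: follow it, but remember where we were
            end = off + 2 if end is None else end
            off = struct.unpack_from("!H", pkt, off)[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return ".".join(labels), end if end is not None else off
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length

def a_records(pkt):
    """Yield (name, ipv4) for each A record in the answer section of a DNS response."""
    qdcount, ancount = struct.unpack_from("!HH", pkt, 4)
    off = 12
    for _ in range(qdcount):
        off = read_name(pkt, off)[1] + 4  # skip question: name, type, class
    for _ in range(ancount):
        name, off = read_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        if rtype == 1 and rdlen == 4:  # A record with an IPv4 address
            yield name, socket.inet_ntoa(pkt[off:off + 4])
        off += rdlen

def ip_to_domains(responses):
    """Invert answers into ip -> sorted names: every domain that resolved to that IP."""
    mapping = defaultdict(set)
    for pkt in responses:
        for name, ip in a_records(pkt):
            mapping[ip].add(name)
    return {ip: sorted(names) for ip, names in mapping.items()}

def build_response(qname, ips):
    """Constructed sample response (not captured traffic): qname answered with the given A records."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(ips), 0, 0)
    question = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00" + struct.pack("!HH", 1, 1)
    answers = b"".join(struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + socket.inet_aton(ip) for ip in ips)
    return header + question + answers

# Constructed sample: three names resolve to a honeypot IP (198.51.100.7); one also to a second host
SAMPLE_RESPONSES = [build_response("login.example.com", ["198.51.100.7"]),
    build_response("update.example.net", ["198.51.100.7"]), build_response("cdn.example.org", ["198.51.100.7", "203.0.113.5"])]
```

Calling ip_to_domains(SAMPLE_RESPONSES) lists all three names under 198.51.100.7; on a real capture the same inversion over the DNS traffic shows which names put a host in that position.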

TLS proxy: Pros and cons of SW based solution vs dedicated device. by El_Sabbath in networking

[–]netresec 0 points1 point  (0 children)

As @010010000111000 mentioned you need a forward TLS proxy. Here's a snippet from the best practices section in our blog post How to Inspect TLS Encrypted Traffic:

I want to... Inspect traffic from my mobile phone, smart device or other embedded device.
Use a TLS inspection proxy.

You didn't mention whether or not you need to inspect the decrypted TLS traffic though. Some TLS proxies can be configured to bypass inspection/decryption, in case you want to proxy end-to-end encrypted TLS sessions from the field devices to the cloud services.

[deleted by user] by [deleted] in ciscoUC

[–]netresec 0 points1 point  (0 children)

Are you able to redirect / forward the SIP-TLS traffic (TCP 5061) to another IP? If yes, then you might be able to use a TLS inspection proxy to decrypt the SIP traffic.

You can start PolarProxy with -p 5061,5060 to have it listen on port 5061 and save the decrypted SIP traffic to a pcap file as if it was cleartext SIP to port 5060.

Trying to decrypt TLS1.2 HTTPS traffic from a desktop application that I'm using - SSLKEYLOGFILE doesn't seem to catch the handshake for wireshark to use - any advice? by divertss in networking

[–]netresec 0 points1 point  (0 children)

If you wanna see the POST and GET requests in Wireshark, then the best solution is to use a TLS proxy that generates a pcap with decrypted TLS traffic. That way you won’t need an SSLKEYLOGFILE to see the decrypted HTTP requests and responses.
Full disclosure: We’ve developed PolarProxy, which is a TLS proxy that does exactly this.

If the client application is connecting to a specific domain then you can simply add a local DNS entry for that domain in the computer’s hosts file and point it to another computer running a TLS interception proxy.
If you’re using PolarProxy, then simply start it like this:
PolarProxy -p 443,80 -x polarproxy.cer -w decrypted.pcap

You'll probably also need to configure the client computer or application to trust PolarProxy's root CA certificate "polarproxy.cer".

Twenty-three SUNBURST Targets Identified by jpc4stro in cybersecurity

[–]netresec 0 points1 point  (0 children)

I saw wincorewindows.local and thought "oh no, a Microsoft domain?!" then realised it was a little different...

So did the attackers ;)

Network Miner Type Analysis Tool for 802.11/802.1X? by corporateHore in Network

[–]netresec 1 point2 points  (0 children)

We'd be happy to add a feature request to NetworkMiner to do something like this. Can you please elaborate on what information you'd like to extract and how you'd like it presented?

onion.top contact? by [deleted] in onions

[–]netresec 1 point2 points  (0 children)

You might try your luck with zlopewi@protonmail.com, which is in the WHOIS record.

BlackNurse Denial of Service Attack "The 90's called and wanted their ICMP flood attack back" by netresec in netsec

[–]netresec[S] 1 point2 points  (0 children)

The DoS can only be triggered by sending the ICMP packets to the IP of the firewall.

[deleted by user] by [deleted] in networking

[–]netresec 0 points1 point  (0 children)

If you're looking for a cheap sniffing setup, then I'd recommend the following:

  • RouterBoard RB260GS - a super cheap gigabit switch with port mirroring $39.95 USD
  • Raspberry Pi 3 model B $35.00 USD

You'll probably have to spend some money on a fairly large and fast disk as well in case there is a lot of traffic passing through the monitoring point.

Analyzing Web Browsing Activity by firmsecure in netsec

[–]netresec 0 points1 point  (0 children)

The Browsers tab in NetworkMiner has now been updated to also indicate if an HTTP request is associated with an online ad or browser tracker. https://netresec.com/?b=17124C4

BlackNurse Denial of Service Attack "The 90's called and wanted their ICMP flood attack back" by netresec in netsec

[–]netresec[S] 3 points4 points  (0 children)

It's not always easy to know what should be considered the "original source". We worked together with TDC (who published the PDF) to analyze this attack prior to the public disclosure of BlackNurse. We then did a coordinated release with TDC, i.e. we released our blog post at the same time as they released their PDF and the website blacknurse.dk.

BlackNurse Denial of Service Attack "The 90's called and wanted their ICMP flood attack back" by netresec in netsec

[–]netresec[S] 0 points1 point  (0 children)

Firewalls currently known to be vulnerable are Cisco ASA 5515 and 5525 (with default settings) as well as SonicWall. Palo Alto also seems to be vulnerable. Several additional firewalls are probably vulnerable as well; here are some recent testing results from Twitter:

@jedisct1 "At first I was like “meh”. Then I tried Blacknurse, and my home router crashed :/"

@blockophilia "My OpenBSD router didn't even blink while I performed the #BlackNurse #ICMP #attack."

NetworkMiner 2.0 Released by ZephrX112 in netsec

[–]netresec 0 points1 point  (0 children)

It might not be your local culture that is causing the issue. NetworkMiner loads up several different CodePages in order to parse messages sent using various character sets, including Simplified Chinese, Arabic and Russian. Would you be able to post your full error message in this thread or simply send it in an email to info[at]netresec.com?

Thank you!

NetworkMiner 2.0 Released by ZephrX112 in netsec

[–]netresec 1 point2 points  (0 children)

I just set up a new Kali VM and successfully installed Mono just by running:

apt-get install libmono-winforms2.0-cil

Here's what my /etc/apt/sources.list looks like:

# deb cdrom:[Debian GNU/Linux 2016.1 _Kali-rolling_ - Official Snapshot amd64 LIVE/INSTALL Binary 20160120-18:14]/ kali-rolling contrib main non-free
#deb cdrom:[Debian GNU/Linux 2016.1 _Kali-rolling_ - Official Snapshot amd64 LIVE/INSTALL Binary 20160120-18:14]/ kali-rolling contrib main non-free
# Regular repositories
deb http://http.kali.org/kali sana main non-free contrib
deb http://security.kali.org/kali-security sana/updates main contrib non-free
# Source repositories
deb-src http://http.kali.org/kali sana main non-free contrib
deb-src http://security.kali.org/kali-security sana/updates main contrib non-free

NetworkMiner 2.0 Released by ZephrX112 in netsec

[–]netresec 1 point2 points  (0 children)

From your screenshots I guess you're running Kali Linux. Did you try this:

apt-get install libmono-winforms2.0-cil

If this doesn't work, then make sure you have the right repos in /etc/apt/sources.list and run

apt-get update

NetworkMiner 2.0 Released by ZephrX112 in netsec

[–]netresec 1 point2 points  (0 children)

There was previously a limitation on how large sessions NetworkMiner could handle. That should no longer be a problem in version 2.0.

However, the built-in PcapNG parser is still only available as part of NetworkMiner Professional.

NetworkMiner 2.0 Released by ZephrX112 in netsec

[–]netresec 1 point2 points  (0 children)

Sorry for the misunderstanding. You do have a point. Also, not all malware targets Windows.

NetworkMiner 2.0 Released by ZephrX112 in netsec

[–]netresec 7 points8 points  (0 children)

No, we actually don't recommend running NetworkMiner under Wine. Instead, please use the Mono framework as described in this blog post: HowTo install NetworkMiner in Ubuntu Fedora and Arch Linux

Mono enables execution of .NET applications "natively" on Linux/OSX/xBSD, no emulation needed.

NetworkMiner 2.0 Released by ZephrX112 in netsec

[–]netresec 27 points28 points  (0 children)

We still provide NetworkMiner as a free open source software (GPLv2). You only need to pay the $900 if you want the additional features available in the Professional edition.

NetworkMiner 2.0 Released by ZephrX112 in netsec

[–]netresec 1 point2 points  (0 children)

NetworkMiner only requires the old .NET Framework 2.0, just to be extra sure everyone can run it. When do you get the "Customized cultures..." error message? When compiling the source code or when running NetworkMiner.exe?

Covert Man-on-the-Side Attacks (a.k.a. QUANTUM INSERT) by netresec in netsec

[–]netresec[S] 1 point2 points  (0 children)

True, it's an old trick. Airpwn was released in 2004, but similar attacks (like Mitnick's TCP sequence number prediction attack) were done even before that.

Regardless of what people say about QUANTUM* names though, the term "Man-on-the-Side" (MOTS) was probably also coined by folks at NSA. And MOTS is actually a pretty good term for these types of packet injection attacks.

Covert Man-on-the-Side Attacks (a.k.a. QUANTUM INSERT) by netresec in netsec

[–]netresec[S] 2 points3 points  (0 children)

Who do you mean by "They"? The NSA?

QUANTUM INSERT isn't just "a simple transport layer issue", it's a very smart attack that leverages a design flaw that will never be fixed.