NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows. NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. NetworkMiner can also parse PCAP files for off-line analysis and to regenerate/reassemble transmitted files and certificates from PCAP files.
Now that we have the explanation out of the way, I would like to really start by saying how excited I was when I saw an announcement on the Pauldotcom mailing list about version 1.0 being released. I have been using this tool for a while after being introduced to it on an episode of hak5, and since then it's been one of my favorite applications for parsing PCAP files and looking for goodies.
This new release has lots of new features to keep you busy for a while:
- Support for Per-Packet Information header (WTAP_ENCAP_PPI) as used by Kismet and sometimes Wireshark WiFi sniffing.
- Extraction of Facebook as well as Twitter messages into the Messages tab. Added support to extract emails sent with Microsoft Hotmail (i.e. Windows Live) into the Messages tab.
- Extraction of twitter passwords from when settings are changed. Facebook user account names are also extracted (but not Facebook passwords).
- Extraction of gmailchat parameter from cookies in order to identify users through their Google account logins.
- Protocol parser for Syslog. Syslog messages are displayed on the Parameter tab.
You can read the complete change-log here for more details.
If that is not enough to make you want to try this application out, I don't know what else is. I fired up version 1.0 for a few minutes before writing this article and I was pretty impressed with my results. I was able to quickly and easily harvest all images browsed from my PC, IRC chat logs, identify key information about hosts on my network (ports, OS type, service version numbers) and much more without needing to run a noisy port scanner.
Q&A with the main developer of NetworkMiner
Question: What was the purpose behind developing NetworkMiner?
Answer: I started developing NetworkMiner back in 2006 while I was working with SCADA security for a major electric utility company in Europe. My idea was to give network admins and process control engineers a view of what hosts are actually on the network as opposed to what their documentation said. The reason for building a passive sniffer instead of yet another port scanner was that SCADA and process control networks tend not to handle port scans very well, and I sure didn't want to bring down the network of a running plant!
Q: How many core developers are involved with this project?
A: I’m the only developer of NetworkMiner.
Q: Which group of individuals do you think can benefit mostly from this application (Forensics investigators, pentesters, network admins, etc)?
A: NetworkMiner today is primarily designed for computer security incident responders and law enforcement who need to do forensic analysis of network traffic.
Q: How long has version 1.0 been in development?
A: I've been working on the 1.0 release of NetworkMiner since June 2010. The last three months before the release were spent on testing and validating the release. I also have a beta testing group, consisting of talented network forensics professionals, who have provided additional validation of the release.
Q: What key features would you like to highlight in this release, the free as well as the paid version?
A: Some of the major improvements are:
In addition to what's listed above, the Professional version of NetworkMiner also includes a protocol identification feature, which can identify which application layer protocol is being used in order to apply the appropriate protocol parser. This means that running an FTP or web server on a non-standard port will not be sufficient to fool NetworkMiner Professional.
You can also export the results from the various tabs in NetworkMiner Professional into a CSV file that can be opened with Excel or OpenOffice. The Professional release also includes a command line version of NetworkMiner, which comes in very handy when you need to wrap the pcap parsing functionality into a shell script or an automatized environment for traffic analysis.
Q: Are there any plans to make a Nix version of this application?
A: I have plans to look further into Mono (http://www.mono-project.com) to build cross-platform support for NetworkMiner, but implementing new features has to this date had higher priority for me. It is, however, possible to run NetworkMiner from Linux by using Wine already today.
Q: What is the recommended deployment strategy to properly maximize NetworkMiner’s potential (GB nic, dual nic, physical vs vmware guest etc)?
A: My recommendation for achieving a reliable and fast traffic capture solution is to use a physical FreeBSD machine running dumpcap for traffic capture. You can then open the pcap files from dumpcap with NetworkMiner for analysis on a Windows machine. When analyzing malware I actually recommend running NetworkMiner on a virtualized Windows machine without any network support, in order to minimize the risk of spreading the malware. NetworkMiner does not use much RAM, but can be fairly CPU and disk intensive. So make sure you have a fast processor and an HDD with fast access times and high write speed.
Q: If someone wants to learn more about this application, provide feedback or report bugs what’s the best way to go about this?
A: The best way to learn more about NetworkMiner is to follow my blog on http://www.netresec.com/?page=Blog . Feedback in the form of, for example, help or feature requests can be posted to SourceForge on http://sourceforge.net/projects/networkminer/support
You can download NetworkMiner from any of the following URLs, so go get your copy and start to spread the word:
I must give a special THANK YOU to Erik Hjelmvik, developer of NetworkMiner, for taking time out of his busy week to help us understand a little bit more about this awesome project.
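To illustrate the point made in the Q&A about content-based protocol identification beating port-based assumptions, here is a small added example (my own simplified illustration, not NetworkMiner's code or its actual signature logic). It classifies constructed sample flows both by server port and by the first bytes of the server's reply, and flags the flows where a service is hiding on a non-standard port; the "220" banner case shows why a signature needs disambiguation between FTP and SMTP.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample flows: name -> (server port, first server-to-client payload bytes).
# Made up for illustration; they are not captures from the original post.
SAMPLE_FLOWS: Dict[str, Tuple[int, bytes]] = {
    "web-on-8081": (8081, b"HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n"),
    "ftp-on-2121": (2121, b"220 (vsFTPd 3.0.3)\r\n"),
    "smtp-on-25": (25, b"220 mail.example.test ESMTP Postfix\r\n"),
    "http-standard": (80, b"HTTP/1.0 301 Moved Permanently\r\n\r\n"),
    "ssh-on-443": (443, b"SSH-2.0-OpenSSH_8.9\r\n"),
    "unknown-binary": (9999, b"\x00\x01\x02\x03"),
}

# Port-based lookup: what a naive analyzer assumes from the server port alone.
WELL_KNOWN_PORTS = {21: "FTP", 22: "SSH", 25: "SMTP", 80: "HTTP", 443: "TLS/HTTPS"}

# Content-based signatures on the server's first reply bytes, checked in order.
CONTENT_SIGNATURES = [
    ("HTTP", re.compile(rb"^HTTP/\d\.\d \d{3} ")),
    ("SSH", re.compile(rb"^SSH-\d\.\d-")),
    ("220-greeting", re.compile(rb"^220[ -]")),  # shared by FTP and SMTP banners
]

def identify_by_port(server_port: int) -> str:
    return WELL_KNOWN_PORTS.get(server_port, "unknown")

def identify_by_content(payload: bytes) -> str:
    for name, pattern in CONTENT_SIGNATURES:
        if not pattern.match(payload):
            continue
        if name == "220-greeting":
            # A "220" banner is ambiguous: SMTP servers advertise (E)SMTP in it, FTP servers do not.
            first_line = payload.split(b"\r\n", 1)[0].upper()
            return "SMTP" if b"SMTP" in first_line else "FTP"
        return name
    return "unknown"

def classify(server_port: int, payload: bytes) -> Tuple[str, str, bool]:
    """Return (port_guess, content_guess, hidden_service); hidden_service is True when
    the payload reveals a protocol the port alone would not have suggested."""
    by_port = identify_by_port(server_port)
    by_content = identify_by_content(payload)
    hidden = by_content != "unknown" and by_content != by_port
    return by_port, by_content, hidden

def find_hidden_services(flows: Dict[str, Tuple[int, bytes]]) -> List[str]:
    """Names of flows whose application protocol does not match the port's usual service."""
    return [name for name, (port, payload) in flows.items() if classify(port, payload)[2]]
```

Running find_hidden_services over the constructed flows reports the web server on 8081, the FTP server on 2121 and the SSH daemon on 443, while the standard-port flows and the unrecognised binary flow are left alone.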