NetworkMiner - One of my favourite tools to save time with PCAP Analysis.



For those not familiar, PCAP analysis can be pretty painful from a time perspective, depending on scope. The day I found out about NetworkMiner years ago (https://www.netresec.com/?page=NetworkMiner) I was pretty happy after I discovered its capabilities for quick wins with PCAP analysis. My first SOC job was primarily modeled around PCAP analysis via CloudShark, and even with all of the fancy buttons, I often found myself needing to strip a PCAP down to its basics: What unique hosts were there? What unique IPs were there? What does this IP address resolve to? What content was downloaded?

While these questions can be answered through Wireshark, no one wants to bother with that many filters and manual packet inspection (I say "no one" loosely here). This is where NetworkMiner comes in, allowing you to perform a huge range of functions (even more in the premium edition, which will not be shown here :(   ) from just dragging and dropping a PCAP file.


TryHackMe (credit to https://tryhackme.com/) provided a nice summary of the core features:


Sometimes, I forget I'm writing a blog post, so I'll keep this short. Here are some of the cool features I find useful.

Hosts Tab


Pretty self-explanatory. You can drag and drop a PCAP file (PCAPNG as well with premium) and get a quick analysis of all the unique hosts and any domains they resolve to. Very useful for identifying unique IP addresses and the domains associated with them quickly. The option to filter also exists.

DNS Tab

Again, self-explanatory. Provides an easy-to-read and detailed view of the DNS queries and answers in the capture and the resolvers that served them. You can also filter by keyword.

Files Tab


Now this is where it gets good. We have immediate access to files, where they came from, names, file sizes, and types. This type of information is invaluable for investigations. A cool but potentially dangerous function that you should know about is that you can right-click these files and open the file location, where a copy of the file resides. Before you ask, yes, these can be copies of malware, so treat anything carved out of a PCAP as potentially malicious: work from its hash and metadata, and be careful what you run. An example of the files can be seen below.
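To show what the Hosts, DNS and Files tabs are doing under the hood, here is an added example in plain Python (standard library only; this is not NetworkMiner's code or the TryHackMe material). It reads a classic libpcap file, inventories every IP seen, records the A answers from DNS responses, and carves the body of an HTTP download into a record with its filename, size and SHA-256, which is the safe way to handle a carved file: hash it and look it up, never run it. The capture is constructed inline so the script runs offline; the addresses are RFC 5737 documentation ranges, and the hostname update.example.test and the attachment payload.bin are made up. One simplification to be aware of: the HTTP carving assumes the whole response sits in a single TCP segment. Real captures need TCP stream reassembly, which NetworkMiner handles for you.

```python
import hashlib
import socket
import struct
from collections import defaultdict

# ---- constructed sample capture (not real traffic) ----------------------
def _ether(payload):  # fixed dummy MACs, EtherType IPv4
    return bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00" + payload

def _ipv4(src, dst, proto, payload):  # 20-byte header, checksum left zero
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + payload

def _dns_response(qname, answer_ip):  # one A answer, name compressed with a pointer
    qn = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    dns = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + qn + struct.pack("!HH", 1, 1)
           + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(answer_ip))
    udp = struct.pack("!HHHH", 53, 40000, 8 + len(dns), 0) + dns
    return _ether(_ipv4("192.0.2.53", "192.0.2.10", 17, udp))

def _http_response(filename, body):  # whole response in a single TCP segment (PSH/ACK)
    http = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
            b'Content-Disposition: attachment; filename="' + filename.encode() + b'"\r\n'
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)
    tcp = struct.pack("!HHIIBBHHH", 80, 40001, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + http
    return _ether(_ipv4("198.51.100.7", "192.0.2.10", 6, tcp))

def build_pcap(frames):  # classic libpcap: 24-byte global header, 16-byte record headers
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out

SAMPLE_BODY = b"MZ\x90\x00not-a-real-binary"  # fake download; only ever hashed
SAMPLE_PCAP = build_pcap([_dns_response("update.example.test", "198.51.100.7"),
                          _http_response("payload.bin", SAMPLE_BODY)])

# ---- the triage itself --------------------------------------------------
def _frames(pcap):  # yield each captured frame from a libpcap file
    endian = "<" if struct.unpack("<I", pcap[:4])[0] == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(pcap):
        incl = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        off += 16
        yield pcap[off:off + incl]
        off += incl

def _dns_name(msg, off):  # follows RFC 1035 label strings and compression pointers
    labels = []
    while True:
        n = msg[off]
        if n == 0:
            return ".".join(labels), off + 1
        if n & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            labels.append(_dns_name(msg, ptr)[0])
            return ".".join(labels), off + 2
        labels.append(msg[off + 1:off + 1 + n].decode())
        off += 1 + n

def _dns_a_answers(dns):  # (name, ip) for every A record in a DNS response
    _, flags, qd, an = struct.unpack("!HHHH", dns[:8])
    if not flags & 0x8000:  # QR bit clear: a query, nothing to record
        return []
    off, found = 12, []
    for _ in range(qd):
        off = _dns_name(dns, off)[1] + 4  # skip QTYPE/QCLASS
    for _ in range(an):
        name, off = _dns_name(dns, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", dns[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            found.append((name, socket.inet_ntoa(dns[off:off + 4])))
        off += rdlen
    return found

def triage(pcap):
    """Return hosts seen, DNS name->IPs, and carved HTTP downloads with their SHA-256."""
    hosts, dns, files = set(), defaultdict(set), []
    for frame in _frames(pcap):
        if frame[12:14] != b"\x08\x00":  # IPv4 only in this example
            continue
        ip = frame[14:]
        ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
        src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
        hosts.update((src, dst))
        l4 = ip[ihl:]
        if proto == 17 and struct.unpack("!H", l4[:2])[0] == 53:  # UDP from port 53
            for name, addr in _dns_a_answers(l4[8:]):
                dns[name].add(addr)
        elif proto == 6:  # TCP: carve a single-segment HTTP response body
            data = l4[(l4[12] >> 4) * 4:]
            if data.startswith(b"HTTP/1.") and b"\r\n\r\n" in data:
                head, body = data.split(b"\r\n\r\n", 1)
                name = "unnamed"
                for line in head.split(b"\r\n"):
                    if line.lower().startswith(b"content-disposition:") and b'filename="' in line:
                        name = line.split(b'filename="', 1)[1].split(b'"', 1)[0].decode()
                files.append({"name": name, "source": src, "size": len(body),
                              "sha256": hashlib.sha256(body).hexdigest()})
    return {"hosts": sorted(hosts), "dns": {k: sorted(v) for k, v in dns.items()}, "files": files}

if __name__ == "__main__":
    for tab, rows in triage(SAMPLE_PCAP).items():
        print(tab, rows)
```

Running it prints three "tabs": the three hosts, the mapping update.example.test -> 198.51.100.7, and one file record for payload.bin served by 198.51.100.7 with its size and hash. To point it at a real capture, replace SAMPLE_PCAP with the bytes of a .pcap file (PCAPNG is a different container and is not handled here).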


There's also the Credentials tab, which, although it has limited uses from a Blue team perspective, is very interesting for seeing the credentials collected from a PCAP. I may do another write-up where we get the hashes from a PCAP and crack them using something like John the Ripper; I'll have to try and locate a suitable PCAP first.

Sorry for this shorter blog post, I'm still getting used to how to structure this content. There's a wealth of information out there on NetworkMiner, and for the basics I would always recommend the TryHackMe room on it, as it gives you some hands-on experience.

Signing off for now

Tony W
