Monday, 02 January 2023 08:00:00 (UTC/GMT)

I am happy to announce the release of NetworkMiner 2.8 today! This new version comes with an improved user interface, better parsing of IEC-104 traffic and decapsulation of CAPWAP traffic. The professional edition of NetworkMiner additionally adds port-independent detection of SMTP and SOCKS traffic, which enables extraction of emails and tunneled traffic even when non-standard ports are used.

The first thing you see when starting NetworkMiner is the Hosts tab, which has now been updated to include a filter text box. This text box can be used to filter the displayed hosts based on the property fields they contain. By entering “Android” into the filter box, NetworkMiner will show only the hosts having a property containing the string “Android”, for example in the OS classification or User-Agent string. Other properties you might find useful to filter on are hostname, JA3 hash and MAC address. If you’re running NetworkMiner Professional then you’ll also be able to filter on Country thanks to the MaxMind GeoLite2 feature included in the Pro edition.

It’s now also possible to copy text from most tabs in NetworkMiner with Ctrl+C or by right-clicking and selecting “Copy selected rows”. A maximum of 10 rows can be copied at a time using the free version of NetworkMiner, while the Professional version allows all rows to be copied in one go.

The content based file type identification introduced in NetworkMiner 2.7 has been improved to also differentiate between EXE and DLL files as of version 2.8.

Image: Matanbuchus malware DLL disguised as PNG. Source: -Matanbuchus-with-Cobalt-Strike.pcap

Image source: -Astaroth-Guildma-infection-traffic.pcap

NetworkMiner’s parser for the SCADA protocol IEC 60870-5-104 (IEC-104) has been significantly improved in version 2.8. NetworkMiner now supports more IEC-104 commands and the commands are presented on the Parameters tab in a clearer way than before.

Image: IEC-104 commands sent by the Industroyer2 malware

I’m also proud to announce that NetworkMiner 2.8 now extracts files transferred over the IEC-104 protocol. More details about that particular feature are available in our IEC-104 File Transfer Extraction blog post.

NetworkMiner 2.8 can read IEEE 802.11 packets inside CAPWAP tunnels between WLAN Controllers and Access Points. This feature allows WiFi traffic to be analyzed without having to capture packets in the air.

NetworkMiner previously allowed packets to be read from PacketCache over a named pipe. This feature has been upgraded to allow a PCAP stream to be read from any named pipe, not just from PacketCache. Here’s an example showing how to capture packets from localhost for 10 seconds with RawCap and make those packets available via a named pipe called “RawCap”:

RawCap will start capturing packets once a PCAP reader connects to the “RawCap” named pipe, which can now be done with NetworkMiner by clicking “Read from Named Pipe” on the File menu.

NetworkMiner previously produced incorrect JA3S signatures for TLS servers if they sent Session ID values in Server Hello messages or listed only one supported TLS version using the Supported Versions extension. These bugs have now been fixed in NetworkMiner 2.8.

NetworkMiner’s live sniffing feature has been improved to better handle huge packets caused by Large Send Offload (LSO). NetworkMiner previously crashed with an error message saying that the received packet was “larger than the internal message buffer” when attempting to capture a too large packet.

TCP sessions occasionally didn’t show up in NetworkMiner’s Sessions tab previously if the application layer protocol was unknown. This bug has now been fixed in version 2.8.

New Features in NetworkMiner Professional

NetworkMiner Professional includes a feature for port independent protocol detection of protocols like FTP, HTTP, IRC, Meterpreter, SSH and TLS, which enables extraction of artifacts from those protocols even though the service is running on a non-standard port. This new release adds two additional protocols to the collection of identified protocols, namely SMTP and SOCKS.
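The EXE-versus-DLL distinction mentioned in the file type identification section comes down to one flag in the PE file's COFF header, so a content-based identifier can spot a DLL served under a .png name regardless of extension or Content-Type. The following is an added example written for this page, not NetworkMiner's own code; the sample "downloads" it classifies are constructed in the script (a minimal PE header, not a real executable) and the PNG magic and PE flag values are taken from the respective format specifications.

```python
import struct

# PE COFF header Characteristics flags (from the PE/COFF specification).
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def build_minimal_pe(characteristics: int, e_lfanew: int = 0x80) -> bytes:
    """Constructed test fixture: a DOS header, PE signature and COFF file header.
    It is not a real executable, just enough bytes to drive the identifier."""
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)      # e_lfanew -> offset of "PE\0\0"
    coff = struct.pack("<HHIIIHH",
                       0x8664,          # Machine: x64
                       1,               # NumberOfSections
                       0, 0, 0,         # TimeDateStamp, PointerToSymbolTable, NumberOfSymbols
                       0xF0,            # SizeOfOptionalHeader
                       characteristics)
    return bytes(dos) + b"PE\0\0" + coff


def identify(data: bytes) -> str:
    """Classify a blob by content only: 'png', 'dll', 'exe', 'pe-other' or 'unknown'."""
    if data.startswith(PNG_MAGIC):
        return "png"
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "unknown"
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # Need the 4-byte signature plus the full 20-byte COFF header to read Characteristics.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "unknown"
    (characteristics,) = struct.unpack_from("<H", data, e_lfanew + 22)
    if characteristics & IMAGE_FILE_DLL:
        return "dll"
    if characteristics & IMAGE_FILE_EXECUTABLE_IMAGE:
        return "exe"
    return "pe-other"


def is_disguised(filename: str, data: bytes) -> bool:
    """True when the file name claims an image but the bytes are a PE file."""
    claimed_image = filename.lower().rsplit(".", 1)[-1] in {"png", "jpg", "jpeg", "gif"}
    return claimed_image and identify(data) in {"dll", "exe", "pe-other"}


# Constructed sample files: names and contents are made up for this example.
SAMPLES = {
    "logo.png": build_minimal_pe(IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_DLL),
    "update.exe": build_minimal_pe(IMAGE_FILE_EXECUTABLE_IMAGE),
    "banner.png": PNG_MAGIC + bytes(16),
}


def triage(samples=SAMPLES) -> dict:
    """Map each file name to (content type, disguised?)."""
    return {name: (identify(blob), is_disguised(name, blob)) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, (kind, disguised) in triage().items():
        print(f"{name:12s} content={kind:9s} disguised={disguised}")
```

The check reads only the DOS header, the PE signature and the COFF header, so it works on the first few hundred bytes of a reassembled stream and does not need the whole file to have been extracted.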
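To make the IEC-104 command parsing concrete, here is an added example, not NetworkMiner's parser, that splits a TCP payload into APDUs, decodes the APCI control field (I, S and U format) and the ASDU header, and decodes the one-byte qualifiers of four control-direction command types (single command, double command, regulating step command and interrogation). The sample stream is constructed for this example, not captured traffic; the type identifiers, cause-of-transmission values and U-frame function codes are those of IEC 60870-5-104.

```python
import struct

# IEC 60870-5-104 type identifiers for the control-direction commands decoded here.
TYPE_NAMES = {45: "C_SC_NA_1 (single command)", 46: "C_DC_NA_1 (double command)",
              47: "C_RC_NA_1 (regulating step command)",
              100: "C_IC_NA_1 (interrogation command)"}
COT_NAMES = {6: "activation", 7: "activation confirmation", 8: "deactivation",
             9: "deactivation confirmation", 10: "activation termination"}
U_FUNCTIONS = {0x07: "STARTDT act", 0x0B: "STARTDT con", 0x13: "STOPDT act",
               0x23: "STOPDT con", 0x43: "TESTFR act", 0x83: "TESTFR con"}


def decode_command(type_id: int, qualifier: int) -> dict:
    """Decode the one-byte information element carried by the command types above."""
    select = bool(qualifier & 0x80)            # S/E bit: select (1) or execute (0)
    if type_id == 45:
        return {"state": "ON" if qualifier & 0x01 else "OFF", "select": select}
    if type_id == 46:
        return {"state": {1: "OFF", 2: "ON"}.get(qualifier & 0x03, "invalid"), "select": select}
    if type_id == 47:
        return {"state": {1: "LOWER", 2: "HIGHER"}.get(qualifier & 0x03, "invalid"), "select": select}
    return {"qoi": qualifier}                   # type 100: QOI 20 = station interrogation


def parse_asdu(asdu: bytes) -> dict:
    # IEC-104 uses a 2-byte cause of transmission (cause + originator) and a 2-byte common address.
    type_id, vsq, cot_byte, originator, common_address = struct.unpack_from("<BBBBH", asdu, 0)
    count, sequence = vsq & 0x7F, bool(vsq & 0x80)
    result = {"type_id": type_id, "type": TYPE_NAMES.get(type_id, "unsupported"),
              "cot": COT_NAMES.get(cot_byte & 0x3F, cot_byte & 0x3F),
              "negative": bool(cot_byte & 0x40), "test": bool(cot_byte & 0x80),
              "originator": originator, "common_address": common_address, "objects": []}
    if type_id not in TYPE_NAMES:
        return result                          # element size unknown for other types: stop here
    pos, ioa = 6, None
    for i in range(count):
        # With SQ=0 every object carries its own 3-byte IOA; with SQ=1 only the first does.
        if not sequence or i == 0:
            ioa = int.from_bytes(asdu[pos:pos + 3], "little")
            pos += 3
        else:
            ioa += 1
        result["objects"].append({"ioa": ioa, **decode_command(type_id, asdu[pos])})
        pos += 1
    return result


def parse_apdus(stream: bytes) -> list:
    """Split a TCP payload into APDUs and decode the APCI plus, for I-frames, the ASDU."""
    frames, pos = [], 0
    while pos + 2 <= len(stream):
        if stream[pos] != 0x68:
            raise ValueError(f"bad start byte at offset {pos}")
        length = stream[pos + 1]               # number of bytes following the length field
        body = stream[pos + 2:pos + 2 + length]
        if len(body) != length or length < 4:
            raise ValueError("truncated APDU")
        pos += 2 + length
        c = body[:4]
        if c[0] & 0x01 == 0:                   # I-format: numbered frame carrying an ASDU
            frames.append({"format": "I", "send_seq": (c[0] >> 1) | (c[1] << 7),
                           "recv_seq": (c[2] >> 1) | (c[3] << 7), "asdu": parse_asdu(body[4:])})
        elif c[0] & 0x03 == 0x01:              # S-format: acknowledgement only
            frames.append({"format": "S", "recv_seq": (c[2] >> 1) | (c[3] << 7)})
        else:                                  # U-format: connection control
            frames.append({"format": "U", "function": U_FUNCTIONS.get(c[0], hex(c[0]))})
    return frames


# Constructed sample stream (not captured traffic): STARTDT act, a single command ON to
# IOA 1000, a double command select OFF to IOA 1001 and a station interrogation, all to CA 1.
SAMPLE_STREAM = bytes.fromhex(
    "68 04 07 00 00 00 "
    "68 0E 00 00 00 00 2D 01 06 00 01 00 E8 03 00 01 "
    "68 0E 02 00 00 00 2E 01 06 00 01 00 E9 03 00 81 "
    "68 0E 04 00 00 00 64 01 06 00 01 00 00 00 00 14"
)

if __name__ == "__main__":
    for frame in parse_apdus(SAMPLE_STREAM):
        print(frame)
```

For monitoring purposes the interesting fields are the ones the example pulls out: which command type was sent, whether it was a select or an execute, the cause of transmission (an activation versus its confirmation or termination from the outstation) and the common address and IOA it targets.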
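The JA3S bug fix above touches two fields that a fingerprinting implementation must treat correctly: the variable-length Session ID, which is not part of the fingerprint and must be skipped by its length byte, and the Supported Versions extension, which in a Server Hello carries a single selected version rather than a list and whose content JA3S ignores anyway (only extension types are fingerprinted). The following is an added example, not NetworkMiner's implementation: it builds a constructed TLS 1.3 Server Hello record (random and key share bytes are placeholders), computes the JA3S string and MD5 from it, and shows that changing the Session ID does not change the fingerprint. GREASE extension values are excluded as the JA3 specification requires.

```python
import hashlib
import struct


def is_grease(value: int) -> bool:
    """GREASE values have the form 0xRaRa with both bytes equal (0x0a0a, 0x1a1a, ...)."""
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)


def build_server_hello(session_id: bytes, cipher: int, extensions) -> bytes:
    """Constructed fixture: a TLS record holding one ServerHello handshake message.
    extensions is a list of (type, data) pairs; random and key material are zero placeholders."""
    ext_bytes = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in extensions)
    body = (struct.pack(">H", 0x0303)            # legacy_version (TLS 1.3 still sends 0x0303)
            + bytes(32)                          # random (placeholder)
            + bytes([len(session_id)]) + session_id
            + struct.pack(">H", cipher)
            + b"\x00"                            # compression method: null
            + struct.pack(">H", len(ext_bytes)) + ext_bytes)
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body   # type 2 = ServerHello
    return struct.pack(">BHH", 22, 0x0303, len(handshake)) + handshake


def ja3s_from_record(record: bytes):
    """Return (ja3s_string, ja3s_md5) for a record containing a ServerHello."""
    content_type, _rec_ver, rec_len = struct.unpack_from(">BHH", record, 0)
    if content_type != 22:
        raise ValueError("not a handshake record")
    hs = record[5:5 + rec_len]
    if hs[0] != 2:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    pos = 0
    (version,) = struct.unpack_from(">H", body, pos)
    pos += 2
    pos += 32                                    # random
    sid_len = body[pos]
    pos += 1 + sid_len                           # Session ID skipped: not part of JA3S
    (cipher,) = struct.unpack_from(">H", body, pos)
    pos += 2
    pos += 1                                     # compression method
    ext_types = []
    if pos < len(body):
        (ext_len,) = struct.unpack_from(">H", body, pos)
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, ext_data_len = struct.unpack_from(">HH", body, pos)
            pos += 4 + ext_data_len              # skip content by length (2 bytes for supported_versions)
            if not is_grease(ext_type):
                ext_types.append(ext_type)
    ja3s = f"{version},{cipher},{'-'.join(str(t) for t in ext_types)}"
    return ja3s, hashlib.md5(ja3s.encode()).hexdigest()


# Constructed extensions: a GREASE entry, supported_versions (43) selecting TLS 1.3 only,
# and key_share (51) with group x25519 and a zero placeholder public key.
SAMPLE_EXTENSIONS = [
    (0x0A0A, b""),
    (43, b"\x03\x04"),
    (51, b"\x00\x1d\x00\x20" + bytes(32)),
]

if __name__ == "__main__":
    for sid in (b"", bytes(range(32))):
        print(ja3s_from_record(build_server_hello(sid, 0x1301, SAMPLE_EXTENSIONS)))
```

Running the block prints the same string, 771,4865,43-51, and the same MD5 for both Session ID lengths: 771 is the legacy version 0x0303, 4865 is TLS_AES_128_GCM_SHA256, and the GREASE extension has been dropped from the extension list.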