Thursday, February 2, 2017

NetworkMiner on Mac OS X

NetworkMiner is a simple and effective tool for the forensic and SSL engineer. It can give you insight into SSL traffic and into what certificates are being used, by whom, and where.

To run it on Mac OS X, just grab the Mono pkg and install it. Then, after downloading the NetworkMiner binary, run "mono NetworkMiner.exe" from the CLI.

NOTE: On a small MacBook Air it can take some time to open, and if you're running it against a large pcap file, the load time depends on the size and number of entries in the pcap.

NetworkMiner can now be used to grab pertinent information from traffic flows:


  1. conversation details
  2. SSL certificate details, including protocol and handshake certificate names
  3. client + server information
  4. credentials used
  5. TCP ports in use
  6. HTTP headers, which can easily be filtered for a match
  7. reconstructed file information
  8. inspection and sniffing of open email communications

Here are a few example screenshots of how we can inspect traffic details. This is a great tool to use if you want to find sessions that are using a particular SSL certificate by serial number or date.

Details and OS identifications

Inspecting for the Bluecoat proxy X-header

Finding Server header strings from an ADC

Determining the web-auth methods supported by a web server

Loading a pcap file can be time-consuming on smaller systems, but it's easy to replay pcap files for traffic analysis.

Viewing the certificate values

Display certificate serial numbers

Searching on User-Agent strings

Finding a certificate in use via the expiration date

Ken Felix
NSE (Network Security Expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
        /  \
