Thursday, February 2, 2017

NetworkMiner on macOS

NetworkMiner is a simple and effective tool for the forensic and SSL/TLS engineer. It gives you insight into SSL/TLS traffic: which certificates are in use, who presented them, and where.

To run it on macOS, grab the Mono .pkg and install it. Then download the NetworkMiner binary and launch it from the CLI with "mono NetworkMiner.exe".


NOTE: on a small MacBook Air it can take some time to open, and if you are running it against a large pcap file the load time depends on the size of the file and the number of entries in it.

NetworkMiner can then be used to pull pertinent information out of the traffic flows, e.g.:

  1. conversation details
  2. SSL certificate details, including the protocol version and the certificate names seen in the handshake
  3. client and server information
  4. credentials used
  5. TCP ports in use
  6. HTTP headers, which can easily be filtered for a match
  7. reconstructed file contents
  8. inspecting and sniffing open (cleartext) email communications

Here are a few screenshots showing how we can inspect traffic details. This is a great tool to use if you want to find sessions that are using a particular SSL certificate, by serial number or by date.


Details and OS identification




Inspecting for the Blue Coat proxy X-header



Finding Server header strings from an ADC



Determining the web-auth methods supported by a web server
 


Loading a pcap file can be time consuming on smaller systems, but it is easy to replay pcap files for traffic analysis.



Viewing the certificate values




Display certificate serial numbers

Searching on User-Agent strings
 



Finding a certificate in use via its expiration date
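The HTTP header searches in the screenshots above (the Blue Coat X-header, the ADC's Server string, the WWW-Authenticate methods, the User-Agent) are NetworkMiner's header filter applied to a loaded pcap. The Python below is an added example, not part of the original post and not NetworkMiner's own code: it builds a small constructed pcap in memory (Ethernet/IPv4/TCP frames carrying invented HTTP messages, with IP/TCP checksums left at zero), walks it using only the standard library, and filters flows on a named header with a regex. All addresses, ports and header values are made up for the demonstration.

```python
"""Added example: a minimal libpcap reader with a NetworkMiner-style HTTP header filter.

Uses only the Python standard library. The sample capture is constructed in code
(invented addresses, ports and headers; IP/TCP checksums left at zero) so the
script runs offline without a real pcap.
"""
import re
import struct
from typing import Dict, Iterator, List, Tuple

PCAP_MAGIC = 0xA1B2C3D4       # little-endian libpcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = b"\x08\x00"
IPPROTO_TCP = 6

Flow = Tuple[str, int, str, int, bytes]  # src, sport, dst, dport, tcp payload


def build_pcap(flows: List[Flow]) -> bytes:
    """Build a libpcap file with one Ethernet/IPv4/TCP frame per payload (constructed data)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, (src, sport, dst, dport, data) in enumerate(flows, start=1):
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(data), ts, 0x4000, 64,
                         IPPROTO_TCP, 0, bytes(map(int, src.split("."))),
                         bytes(map(int, dst.split("."))))
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
        frame = b"\x00" * 12 + ETHERTYPE_IPV4 + ip + tcp + data
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out


def iter_tcp_payloads(pcap: bytes) -> Iterator[Flow]:
    """Yield (src, sport, dst, dport, payload) for every IPv4/TCP frame carrying data."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("expected a little-endian libpcap file")
    linktype, = struct.unpack_from("<I", pcap, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only LINKTYPE_ETHERNET is handled here")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from("<IIII", pcap, off)
        off += 16
        frame = pcap[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or frame[12:14] != ETHERTYPE_IPV4 or frame[23] != IPPROTO_TCP:
            continue
        ihl = (frame[14] & 0x0F) * 4
        total_len, = struct.unpack_from("!H", frame, 16)
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        tcp = 14 + ihl
        sport, dport = struct.unpack_from("!HH", frame, tcp)
        data_off = (frame[tcp + 12] >> 4) * 4
        payload = frame[tcp + data_off:14 + total_len]  # stop at IP total length, ignore Ethernet padding
        if payload:
            yield src, sport, dst, dport, payload


def parse_http_headers(payload: bytes) -> Dict[str, str]:
    """Return lower-cased header -> value for an HTTP request/response head, else {}.
    Repeated headers (e.g. two WWW-Authenticate lines) are joined with ", "."""
    head, sep, _ = payload.partition(b"\r\n\r\n")
    if not sep:
        return {}
    lines = head.decode("latin-1").split("\r\n")
    if not (lines[0].startswith("HTTP/") or re.match(r"^[A-Z]+ \S+ HTTP/\d\.\d$", lines[0])):
        return {}
    headers = {":start": lines[0]}   # request line or status line
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            continue
        key = name.strip().lower()
        headers[key] = f"{headers[key]}, {value.strip()}" if key in headers else value.strip()
    return headers


def find_header(pcap: bytes, name: str, pattern: str = ".") -> List[Dict[str, str]]:
    """NetworkMiner-style header filter: flows whose header `name` matches `pattern`."""
    rx = re.compile(pattern, re.IGNORECASE)
    key = name.lower()
    hits = []
    for src, sport, dst, dport, payload in iter_tcp_payloads(pcap):
        hdrs = parse_http_headers(payload)
        value = hdrs.get(key)
        if value is not None and rx.search(value):
            hits.append({"src": f"{src}:{sport}", "dst": f"{dst}:{dport}",
                         "start": hdrs[":start"], key: value})
    return hits


# Constructed sample traffic (not captured): a Mac browser hitting an ADC that
# challenges with Negotiate/NTLM, and a curl request that traversed a Blue Coat proxy.
SAMPLE_PCAP = build_pcap([
    ("10.0.0.5", 51000, "192.0.2.10", 80,
     b"GET /login HTTP/1.1\r\nHost: intranet.example\r\n"
     b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12) Safari/602.1\r\n\r\n"),
    ("192.0.2.10", 80, "10.0.0.5", 51000,
     b"HTTP/1.1 401 Unauthorized\r\nServer: BigIP\r\n"
     b"WWW-Authenticate: Negotiate\r\nWWW-Authenticate: NTLM\r\nContent-Length: 0\r\n\r\n"),
    ("10.0.0.5", 51001, "192.0.2.20", 80,
     b"GET / HTTP/1.1\r\nHost: www.example\r\nUser-Agent: curl/7.51.0\r\n"
     b"X-BlueCoat-Via: a1b2c3d4e5f6a7b8\r\n\r\n"),
])

if __name__ == "__main__":
    for header, pattern in [("X-BlueCoat-Via", "."), ("Server", "bigip"),
                            ("WWW-Authenticate", "ntlm|negotiate"), ("User-Agent", "Mac OS X")]:
        for hit in find_header(SAMPLE_PCAP, header, pattern):
            print(f"{hit['src']} -> {hit['dst']}  {hit['start']!r}  {header}: {hit[header.lower()]}")
```

Point `find_header` at the bytes of a real capture to use it on something other than the constructed sample. Caveats: it reads only classic little-endian libpcap (not pcapng), looks at one TCP segment at a time (an HTTP head split across segments, or IP fragments, is missed), and treats every frame as a fresh message. NetworkMiner does TCP reassembly before parsing, which is why it is slower to load but sees those cases.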






Ken Felix
NSE (Network Security Expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 
        /  \
 
