
NetworkMiner : TryHackMe Walkthrough


NetworkMiner is an open-source traffic sniffer, pcap handler and protocol analyser, developed and still maintained by Netresec.

The official description:

NetworkMiner is an open source Network Forensic Analysis Tool (NFAT) for Windows (but also works in Linux / Mac OS X / FreeBSD). NetworkMiner can be used as a passive network sniffer/packet capturing tool to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. NetworkMiner can also parse PCAP files for off-line analysis and to regenerate/reassemble transmitted files and certificates from PCAP files.

NetworkMiner makes it easy to perform advanced Network Traffic Analysis (NTA) by providing extracted artefacts in an intuitive user interface. The way data is presented not only makes the analysis simpler, it also saves valuable time for the analyst or forensic investigator.

NetworkMiner has, since the first release in 2007, become a popular tool among incident response teams as well as law enforcement. NetworkMiner is today used by companies and organizations all over the world.


// 01 Task 2 Introduction to Network Forensics

Question: Read the task above.
Answer: No Answer Needed

// 02 Task 3 What is NetworkMiner?

Question: Read the task above.
Answer: No Answer Needed

// 03 Task 4 Tool Overview 1

Question: Use mx-3.pcap

What is the total number of frames?
Answer: 460

Question: How many IP addresses use the same MAC address with host 145.253.2.203?
Answer: 2

Question: How many packets were sent from host 65.208.228.223?
Answer: 72

Question: What is the name of the webserver banner under host 65.208.228.223?
Answer: Apache

Question: Use mx-4.pcap

What is the extracted username?
Answer: #BAdministrator

Question: What is the extracted password?
Answer: $NETNTLMv…

// 04 Task 5 Tool Overview 2

Question: Use mx-7 pcap

What is the name of the Linux distro mentioned in the file associated with frame 63075? 
Answer: CentOS

Question: What is the header of the page associated with frame 75942?
Answer: Password-Ned AB

Question: What is the source address of the image “ads.bmp.2E5F0FD9.bmp”?
Answer: 80.239.178.187

Question: What is the frame number of the possible TLS anomaly?
Answer: 36255

Question: Use mx-9 file

Look at the messages. Which platform sent a password reset email?
Answer: Facebook

Question: What is the email address of Branson Matheson?
Answer: branson@sandsite.org

// 05 Task 6 Version Differences

Question: Which version can detect duplicate MAC addresses?
Answer: 2.7

Question: Which version can handle frames?
Answer: 1.6

Question: Which version can provide more details on packet details?
Answer: 1.6

// 06 Task 7 Exercises

Question: Use case1.pcap

What is the OS name of the host 131.151.37.122?
Answer: Windows – Windows NT 4

Question: Investigate the hosts 131.151.37.122 and 131.151.32.91.
How many data bytes were received from host 131.151.32.91 to host 131.151.37.122 through port 1065?
Answer: 192

Question: Investigate the hosts 131.151.37.122 and 131.151.32.21.
How many data bytes were received from host 131.151.37.122 to host 131.151.32.21 through port 143?
Answer: 20769

Question: What is the sequence number of frame 9?
Answer: 2AD77400

Question: What is the number of the detected “content types”?
Answer: 2

Question: Use case2.pcap
Investigate the files.

What is the USB product’s brand name?
Answer: ASIX

Question: What is the name of the phone model?
Answer: Lumia 535

Question: What is the source IP of the fish image?
Answer: 50.22.95.9

Question: What is the password of the “homer.pwned.se@gmx.com”?
Answer: spring2015

Question: What is the DNS Query of frame 62001?
Answer: pop.gmx.com

// 07 Task 8 Conclusion

Question: Read the task above.
Answer: No Answer Needed

    Team Ciphers Security
