How to Install NetworkMiner in Linux

This guide shows how to install the latest version of NetworkMiner in Linux. To install an older NetworkMiner release, prior to version 3.0, please see our legacy NetworkMiner in Linux guide.

STEP 1: Install Mono and GTK2

Mono is an open source cross-platform implementation of the .NET framework, it is needed to run NetworkMiner non-Windows machines. GTK2 is not required, but it provides a more consistent look to the user interface.

Ubuntu / Linux Mint / Kali Linux / Raspberry Pi OS:

Fedora:

AlmaLinux / RHEL:

Arch Linux:

STEP 2: Install NetworkMiner

STEP 3: Run NetworkMiner

Follow these steps to analyze live network traffic:

• Click File, Receive PCAP over IP [Ctrl+R]
• Click Start Receiving and note the listen TCP port (default is 57012)

Then run this command to sniff network traffic and send a real-time stream of captured packets to NetworkMiner:

Change 57012 in the command above if NetworkMiner is listening on a different TCP port.

This PCAP-over-IP technique can also be used to read a real-time packet stream from a remote device. It is also possible to sniff packets from Mikrotik routers by clicking File, Receive TZSP Stream.

STEP 4 (optional): Create Shortcut Command

NetworkMiner can now be started like this:

Linux Distros with NetworkMiner

NetworkMiner comes pre-packaged on some Linux distributions, such as REMnux, Security Onion Desktop, CSI Linux and BlackArch.

Static Download Link

The https://www.netresec.com/?download=NetworkMiner download link always delivers the latest release of NetworkMiner. If you prefer a static link, that points to a specific version of NetworkMiner, then please use this one: https://download.netresec.com/networkminer/NetworkMiner_3-0.zip

Posted by Erik Hjelmvik on Thursday, 10 April 2025 07:30:00 (UTC/GMT)

Tags: #NetworkMiner​ #Linux​ #Ubuntu​ #Kali​

Extracting Kerberos Credentials from PCAP

NetworkMiner is one of the best tools around for extracting credentials, such as usernames and passwords, from PCAP files. The credential extraction feature is primarily designed for defenders, in order to analyze credential theft and lateral movement by adversaries inside your networks. But the credential extraction feature is also popular among penetration testers. In this blog post I will demo how Kerberos hashes can be extracted from captured network traffic with NetworkMiner, and how these hashes can be cracked in order to retrieve the clear text passwords.

Installing NetworkMiner in Kali Linux

I’m using a clean install of Kali Linux 2019.3, on which I have installed NetworkMiner by following the step-by-step instructions in our guide for installing NetworkMiner in Linux.

Extracting Kerberos Hashes from PCAP

There is a capture file in Wireshark’s sample captures called krb-816.cap. This capture file contains Kerberos traffic from a Windows XP machine, as two user accounts perform a domain logon. Let’s download that PCAP file and open it in NetworkMiner.

The “Credentials” tab contains the extracted Kerberos hashes. Right-click on the first $krb5pa$23$ hash and select “Copy Password” to put the password into the system clipboard.

Paste the password to a text file, either using a text editor or directly from a shell.

Note: You'll need to do press Ctrl+Shift+Insert in GNOME Terminal to paste from the system clipboard, which is where NetworkMiner has put the password.

You can now try to crack the hash, for example by running John the Ripper (JtR) or hashcat.

Yay! We now know that the password of user “des” was “123”. Let’s try to recover the password of the user “u5” as well, but this time we’ll use the $krb5asrep$23$ hash.

Apparently the password for user u5 was “123” as well.

If you wanna replace JtR with hashcat, then make sure to use the following hash modes:

• $krb5pa$23$: hashcat -m 7500
• $krb5tgs$23$: hashcat -m 13100
• $krb5asrep$23$: hashcat -m 18200

Running the Command Line version of NetworkMiner

The commercial version of NetworkMiner comes with a command line tool called NetworkMinerCLI. You can extract the Kerberos hashes from a PCAP file and save them to a CSV file using NetworkMinerCLI like this:

NetworkMinerCLI has now created a set of CSV files, one for each type/class of information found in the capture file. In this case we want the krb-816.cap.Credentials.csv file, in which the hashes and passwords are in column 5:

Posted by Erik Hjelmvik on Thursday, 14 November 2019 12:25:00 (UTC/GMT)

Tags: #PCAP​ #Kerberos​ #Kali​ #Linux​ #hashcat​ #John​ #JtR​ #NetworkMinerCLI​