The VoIP tab is a unique feature only available in NetworkMiner Professional. The analyzed PcapNG file comes from a blog post by Johannes Weber titled VoIP Captures.
See our NetworkMiner Professional tutorial videos for more tips and hints.
Posted by Erik Hjelmvik on Friday, 04 October 2024 06:20:00 (UTC/GMT)
Tags: #NetworkMiner Professional #Video #Tutorial #VoIP
Short URL: https://netresec.com/?b=24A65d3
The Browsers tab is a unique feature only available in NetworkMiner Professional. The PCAP files analyzed in this video are pwned-se_150312_outgoing.pcap and pwned-se_150312_incoming.pcap, which are snippets of the 4.4 GB Hands-on Network Forensics dataset from FIRST 2015 (slides).
More information about NetworkMiner Professional's Browsers tab can be found in our blog post Analyzing Web Browsing Activity.
See our NetworkMiner Professional tutorial videos for additional tips and hints.
Posted by Erik Hjelmvik on Thursday, 03 October 2024 09:10:00 (UTC/GMT)
Tags: #NetworkMiner Professional #Video #Tutorial
Short URL: https://netresec.com/?b=24Abf1c
The PCAP file analyzed in this video is pwned-se_150312_outgoing.pcap, which is a snippet of the 4.4 GB Hands-on Network Forensics dataset from FIRST 2015 (slides).
See our NetworkMiner Professional tutorial videos for more tips and hints.
Posted by Erik Hjelmvik on Wednesday, 02 October 2024 07:10:00 (UTC/GMT)
Tags: #NetworkMiner Professional #Video #Tutorial
Short URL: https://netresec.com/?b=24Ad5ad
The PCAP file analyzed in this video is MD_2015-07-22_112601.pcap, which is a snippet of the training data used in our network forensics classes from 2015 to 2019.
Techniques, tools and databases mentioned in the tutorial:
Check out our Passive OS Fingerprinting blog post for more details on how to identify operating systems using TCP/IP headers and browser user-agents.
See our NetworkMiner Professional tutorial videos for more tips and hints.
Posted by Erik Hjelmvik on Tuesday, 01 October 2024 08:25:00 (UTC/GMT)
Tags: #NetworkMiner Professional #Video #Tutorial
Short URL: https://netresec.com/?b=24A71a9
This video tutorial demonstrates how to open capture files with NetworkMiner Professional
The analyzed pcap-ng file is github.pcapng from CloudShark. More info about this capture file can be found in our blog post Forensics of Chinese MITM on GitHub.
See our NetworkMiner Professional tutorial videos for more tips and hints.
Posted by Erik Hjelmvik on Monday, 30 September 2024 12:50:00 (UTC/GMT)
Tags: #NetworkMiner Professional #Video #Tutorial
Short URL: https://netresec.com/?b=249b790
This video tutorial covers how to install NetworkMiner Professional.
Use the official 7-zip tool to extract the password protected 7zip archive.
Recommended locations for NetworkMiner:
See our NetworkMiner Professional tutorial videos for more tips and hints.
Posted by Erik Hjelmvik on Monday, 30 September 2024 08:45:00 (UTC/GMT)
Tags: #NetworkMiner Professional #Video #Tutorial
Short URL: https://netresec.com/?b=24904d2
This is a tutorial on how to set up an environment for dynamic malware analysis, which can be used to analyze otherwise encrypted HTTPS and SMTPS traffic without allowing the malware to connect to the Internet. Dynamic malware analysis (or behavioral analysis) is performed by observing the behavior of a malware while it is running. The victim machine, which executes the malware, is usually a virtual machine that can be rolled back to a clean state when the analysis is complete. The safest way to prevent the malware from infecting other machines, or doing other bad things like sending SPAM or taking part in DDoS attacks, is to run the victim machine in an offline environment. However, network traffic analysis of malware is a central part of dynamic malware analysis, which is is why a “fake Internet” is needed in most malware labs.
INetSim and PolarProxy
INetSim is a software suite that simulates common internet services like HTTP, DNS and SMTP, which useful when analyzing the network behavior of malware samples without connecting them to the Internet. INetSim also has basic support for TLS encrypted protocols, like HTTPS, SMTPS, POP3S and FTPS, but requires a pre-defined X.509-certificate to be loaded at startup. This can cause malware to terminate because the Common Names (CN) in the presented certificates don’t match the requested server names. The victim machine will actually get the exact same certificate regardless of which web site it visits. INetSim’s TLS encryption also inhibits analysis of the network traffic captured in the malware lab, such as C2 traffic or SPAM runs, because the application layer traffic is encrypted. PolarProxy can solve both these issues because it generates certificates on the fly, where the CN value is dynamically set to the requested host name, and saves the network traffic in decrypted form to PCAP files. It is therefore a good idea to replace the TLS services in INetSim with PolarProxy, which will be used as a TLS termination proxy that forwards the decrypted traffic to INetSim’s cleartext services.
Install Linux
The first step is to install a Linux VM, which will act as a fake Internet to the victim machine(s). I'm using Ubuntu Server 18.04.3 LTS in this tutorial, but you can use any 64-bit linux distro. I'm adding two network interfaces to the Linux VM, one interface with Internet access and one that connects to an isolated offline network to which the victim VM's will be connected. The offline interface is configured to use the static IP 192.168.53.19.
Important: Do not bridge, bond or enable IP forwarding between the two interfaces!
Install INetSim
INetSim is available in Ubuntu's repo, so it is possible to install it with "apt install inetsim". However, I recommend installing INetSim as described in the official documentation to get the latest packaged version of INetSim.
sudo -s
echo "deb http://www.inetsim.org/debian/ binary/" > /etc/apt/sources.list.d/inetsim.list
curl https://www.inetsim.org/inetsim-archive-signing-key.asc | apt-key add -
apt update
apt install inetsim
exit
INetSim listens on 127.0.0.1 by default, change this to INetSim's offline IP address by un-commenting and editing the service_bind_address variable in /etc/inetsim/inetsim.conf.
Also configure INetSim's fake DNS server to resolve all domain names to the IP of INetSim with the dns_default_ip setting:
Finally, disable the "start_service https" and "start_service smtps" lines, because these services will be replaced with PolarProxy:
Restart the INetSim service after changing the config.
Verify that you can access INetSim's HTTP server with curl:
curl http://192.168.53.19
It looks like INetSim's web server can be accessed alright.
Install PolarProxy
Next step is to install PolarProxy as a systemd service (as instructed here):
sudo adduser --system --shell /bin/bash proxyuser
sudo mkdir /var/log/PolarProxy
sudo chown proxyuser:root /var/log/PolarProxy/
sudo chmod 0775 /var/log/PolarProxy/
sudo su - proxyuser
mkdir ~/PolarProxy
cd ~/PolarProxy/
curl https://www.netresec.com/?download=PolarProxy | tar -xzvf -
exit
sudo cp /home/proxyuser/PolarProxy/PolarProxy.service /etc/systemd/system/PolarProxy.service
We will need to modify the PolarProxy service config file a bit before we start it. Edit the ExecStart setting in /etc/systemd/system/PolarProxy.service to configure PolarProxy to terminate the TLS encryption for HTTPS and SMTPS (implicitly encrypted email submission). The HTTPS traffic should be redirected to INetSim's web server on tcp/80 and the SMTPS to tcp/25.
Here's a break-down of the arguments sent to PolarProxy through the ExecStart setting above:
Finally, start the PolarProxy systemd service:
Verify that you can reach INetSim through PolarProxy's TLS termination proxy using curl:
curl --insecure --connect-to example.com:443:192.168.53.19:10443 https://example.com
Yay, it is working! Do the same thing again, but also verify the certificate against PolarProxy's root CA this time. The root certificate is downloaded from PolarProxy via the HTTP service running on tcp/10080 and then converted from DER to PEM format using openssl, so that it can be used with curl's "--cacert" option.
curl http://192.168.53.19:10080/polarproxy.cer > polarproxy.cer
openssl x509 -inform DER -in polarproxy.cer -out polarproxy-pem.crt
curl --cacert polarproxy-pem.crt --connect-to example.com:443:192.168.53.19:10443 https://example.com
Yay #2!
Now let's set up routing to forward all HTTPS traffic to PolarProxy's service on tcp/10443 and SMTPS traffic to tcp/10465. I'm also adding a firewall rule to redirect ALL other incoming traffic to INetSim, regardless of which IP it is destined to, with the final REDIRECT rule. Make sure to replace "enp0s8" with the name of your interface.
sudo iptables -t nat -A PREROUTING -i enp0s8 -p tcp --dport 443 -j REDIRECT --to 10443
sudo iptables -t nat -A PREROUTING -i enp0s8 -p tcp --dport 465 -j REDIRECT --to 10465
sudo iptables -t nat -A PREROUTING -i enp0s8 -j REDIRECT
Verify that the iptables port redirection rule is working from another machine connected to the offline 192.168.53.0/24 network:
curl --insecure --resolve example.com:443:192.168.53.19 https://example.com
Yay #3!
Yay #4!
It is now time to save the firewall rules, so that they will survive reboots.
Install the Victim Windows PC
Configure a static IP address on the victim Windows host by manually setting the IP address. Set the INetSim machine (192.168.53.19) as the default gateway and DNS server.
Download the X.509 root CA certificate from your PolarProxy installation here:
http://192.168.53.19:10080/polarproxy.cer
You might also want to install the PolarProxy certificate in your browser. This is how you install it to Firefox:
Now, open a browser and try visiting some websites over HTTP or HTTPS. If you get the following message regardless of what domain you try to visit, then you've managed to set everything up correctly:
This is the default HTML page for INetSim HTTP server fake mode.
This file is an HTML document.
Accessing the Decrypted Traffic
PCAP files with decrypted HTTPS and SMTPS traffic are now available in /var/log/PolarProxy/
PolarProxy will start writing to a new capture file every 60 minutes. However, the captured packets are not written to disk instantly because PolarProxy uses buffered file writing in order to improve performance. You can restart the proxy service if you wish to flush the buffered packets to disk and have PolarProxy rotate to a new capture file.
I also recommend capturing all network traffic sent to INetSim with a sniffer like netsniff-ng. This way you’ll get PCAP files with traffic from INetSim’s cleartext services (like DNS and HTTP) as well.
PCAP or it didn’t happen!
Credits
I'd like to thank Thomas Hungenberg and Patrick Desnoyers for providing valuable feedback for this blog post!
Posted by Erik Hjelmvik on Monday, 09 December 2019 08:40:00 (UTC/GMT)
Tags: #PolarProxy #HTTPS #SMTPS #HTTP #SMTP #DNS #Malware #Sandbox #TLS #PCAP #proxy #tutorial #ASCII-art
Short URL: https://netresec.com/?b=19Ce12f
This network forensics video tutorial covers analysis of a malware redirect chain, where a PC is infected through the RIG Exploit Kit. A PCAP file, from Brad Duncan's malware-traffic-analysis.net website, is opened in NetworkMiner Professional in order to follow a redirect chain via a couple of hacked websites before delivering malware to the PC.
Resources
https://www.malware-traffic-analysis.net/2014/11/16/index.html
Meadgive on VirusTotal
CVE-2014-0569 Flash Exploit on VirusTotal
CVE-2012-0507 Java Exploit on VirusTotal
NetworkMiner Professional
IOCs
www.ciniholland.nl
24corp-shop.com
stand.trustandprobaterealty.com
793b698a82d999f1eb75525d050ebe16
f8482f5c4632fe237d062451b42393498a8d628ed9dee27147251f484e837a42
7b3baa7d6bb3720f369219789e38d6ab
e2e33b802a0d939d07bd8291f23484c2f68ccc33dc0655eb4493e5d3aebc0747
1e34fdebbf655cebea78b45e43520ddf
178be0ed83a7a9020121dee1c305fd6ca3b74d15836835cfb1684da0b44190d3
Check out our series of network forensic video tutorials for more tips and tricks on how to analyze captured network traffic.
Posted by Erik Hjelmvik on Monday, 26 February 2018 11:19:00 (UTC/GMT)
Tags: #Netresec #Professional #NetworkMiner #NetworkMiner Professional #malware_traffic #malware #NSM #PCAP #videotutorial #video #tutorial
Short URL: https://netresec.com/?b=1829909
Analyzing Kelihos SPAM in CapLoader and NetworkMiner
» VoIP tab in NetworkMiner Professional
» Browsers tab in NetworkMiner Professional
» Files tab in NetworkMiner Professional
» Hosts tab in NetworkMiner Professional
» Opening capture files with NetworkMiner Professional
» Video Tutorial: Installing NetworkMiner Professional
» How to Inspect TLS Encrypted Traffic
» RSS Feed
