Channel: NETRESEC Network Security Blog
Browsing all 160 articles

Analyzing Web Browsing Activity

One of the features included in the newly released version 2.0 of NetworkMiner Professional is a new tab called “Browsers”. This tab shows web browsing requests and responses in a hierarchical tree...


Packet Injection Attacks in the Wild

I have previously blogged about packet injection attacks, such as the Chinese DDoS of GitHub and Covert Man-on-the-Side Attacks. However, this time I've decided to share some intelligence on real-world...


Detecting Periodic Flows with CapLoader 1.4

I am happy to announce a new release of our super-fast PCAP handling tool CapLoader! One of the new features in CapLoader makes it even easier to detect malicious network traffic without having to...


Bug Bounty PCAP T-shirts

As of today we officially launch the 'Netresec Bug Bounty Program'. Unfortunately we don't have the financial muscles of Microsoft, Facebook or Google, so instead of money we'll be giving away...


PacketCache lets you Go Back in Time

Have you ever wanted to go back in time to get a PCAP of something strange that just happened on a PC? I sure have, many times, which is why we are now releasing a new tool called PacketCache....


Detect TCP content injection attacks with findject

NSA's QUANTUM INSERT attack is probably the most well-known TCP packet injection attack due to the Snowden revelations regarding how GCHQ used this method to hack into Belgacom. However, the “Five...


Reading cached packets with Wireshark

Would you like to sniff packets that were sent/received some minutes, hours or even days ago in Wireshark? Can't afford to buy a time machine? Then your best chance is to install PacketCache, which...


BlackNurse Denial of Service Attack

Remember the days back in the 90s when you could cripple someone's Internet connection simply by issuing a few PING commands like “ping -t [target]”? This type of attack was only successful if the...


NetworkMiner 2.1 Released

We are releasing a new version of NetworkMiner today. The latest and greatest version of NetworkMiner is now 2.1. Yay! /throws confetti in the air Better Email Parsing I have spent some time during 2016...


Network Forensics Training at TROOPERS 2017

I will come back to the awesome TROOPERS conference in Germany this spring to teach my two-day network forensics class on March 20-21. The training will touch upon topics relevant for law enforcement...


10 Years of NetworkMiner

I released the first version of NetworkMiner on February 16, 2007, which is exactly 10 years ago today. One of the main uses of NetworkMiner today is to reassemble file transfers from PCAP files and...


Enable file extraction from PCAP with NetworkMiner in six steps

NetworkMiner can reassemble files transferred over protocols such as HTTP, FTP, TFTP, SMB, SMB2, SMTP, POP3 and IMAP simply by reading a PCAP file. NetworkMiner stores the extracted files in a...


CapLoader 1.5 Released

We are today happy to announce the release of CapLoader 1.5. This new version of CapLoader parses pcap and pcap-ng files even faster than before and comes with new features, such as a built-in TCP...


Domain Whitelist Benchmark: Alexa vs Umbrella

In November last year Alexa admitted in a tweet that they had stopped releasing their CSV file with the one million most popular domains. Members of the Internet measurement and infosec research...


Network Forensics Training in London

People sometimes ask me when I will teach my network forensics class in the United States. The US is undoubtedly the country with the most advanced and mature DFIR community, so it would be awesome to...


NetworkMiner 2.2 Released

NetworkMiner 2.2 is faster, better and stronger than ever before! The PCAP parsing speed has more than doubled and even more details are now extracted from analyzed packet capture files. The improved...


Hunting AdwindRAT with SSL Heuristics

An increasing number of malware families employ SSL/TLS encryption in order to evade detection by Network Intrusion Detection Systems (NIDS). In this blog post I’m gonna have a look at Adwind, which...


CapLoader 1.6 Released

CapLoader is designed to simplify complex tasks, such as digging through gigabytes of PCAP data looking for traffic that sticks out or shouldn’t be there. Improved usability has therefore been the...


Don't Delete PCAP Files - Trim Them!

We are happy to release TrimPCAP today! TrimPCAP is a free open source tool that reduces the size of capture files in an intelligent way. The retention period of a packet capture solution is typically...


Zyklon Malware Network Forensics Video Tutorial

We are releasing a series of network forensics video tutorials throughout the next few weeks. First up is this analysis of a PCAP file containing network traffic from the "Zyklon H.T.T.P."...
