Difference between pages "NetworkMiner" and "Malware analysis"

From ForensicsWiki
= NetworkMiner (left-hand page of the comparison) =

{{Infobox_Software |
  name = NetworkMiner |
  maintainer = Erik Hjelmvik |
  os = {{Windows}} |
  genre = Network forensics |
  license = {{GPL}} |
  website = [http://networkminer.sourceforge.net/ networkminer.sourceforge.net] |
}}

[http://www.netresec.com/?page=NetworkMiner NetworkMiner] is a Network Forensic Analysis Tool (NFAT) for Windows. [http://sourceforge.net/apps/mediawiki/networkminer/index.php?title=NetworkMiner NetworkMiner] can be used as a passive network [[sniffer]]/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. NetworkMiner can also parse PCAP files for off-line analysis and regenerate/reassemble transmitted files and certificates from them.

The purpose of NetworkMiner is to collect data (such as forensic evidence) about hosts on the network rather than data about the traffic itself. The main view is host centric (information grouped per host) rather than packet centric (information shown as a list of packets/frames).

NetworkMiner performs [[OS fingerprinting]] based on TCP SYN and SYN+ACK packets by using [[OS fingerprinting]] databases from p0f (by Michal Zalewski) and Ettercap (by Alberto Ornaghi and Marco Valleri). NetworkMiner can also perform [[OS fingerprinting]] based on DHCP packets (which usually are broadcast packets) by making use of the Satori (by Eric Kollmann) [[OS fingerprinting]] database from FingerBank. NetworkMiner also uses the MAC-vendor list from Nmap (by Fyodor).

NetworkMiner can extract files and certificates transferred over the network by parsing a PCAP file or by sniffing traffic directly from the network. This is a neat function that can be used to extract and [http://sourceforge.net/apps/mediawiki/networkminer/index.php?title=Save_media_files save media files] (such as audio or video files) which are streamed across a network. Supported protocols for file extraction are FTP, HTTP and SMB.

User credentials (usernames and passwords) for supported protocols are extracted by NetworkMiner and displayed under the "Credentials" tab. Please be considerate when displaying the contents of this tab to the public.

Another very useful feature is that the user can [http://sourceforge.net/apps/mediawiki/networkminer/index.php?title=Keyword_Search search sniffed or stored data for keywords]. NetworkMiner allows the user to enter arbitrary string or byte patterns to search for with the keyword search functionality.

Version 0.84 (and newer) of NetworkMiner supports [http://sourceforge.net/apps/mediawiki/networkminer/index.php?title=WiFi_Sniffing sniffing and parsing of WLAN (IEEE 802.11) traffic]. Currently, however, NetworkMiner only supports WiFi sniffing with AirPcap adapters.

A commercial version of NetworkMiner is also available from [http://www.netresec.com/ Netresec]. The commercial version is called [http://www.netresec.com/?page=NetworkMiner NetworkMiner Professional] and has additional features such as:
* Port Independent Protocol Identification (PIPI)
* Export results to CSV / Excel
* Configurable file output directory
* Geo IP localization
* Host coloring support
* Command line scripting support

[[Category:Network Forensics]]

= Malware analysis (right-hand page of the comparison, revision as of 01:33, 28 October 2013) =

Analyzing [[malware]], or malicious software, is more of an art than a technique. Because of the wide variety of such programs, there are limitless ways to hide functionality.

Some common tools for malware analysis include simple programs like [[strings]]. More complex analysis can be conducted by looking at the headers of executables with programs like [[PEiD]] and [[PeExplorer]]. Finally, the most complete analysis can be done with debuggers like [[IDA Pro]] and [[OllyDbg]].

== See Also ==
* [[Malware]]
* [[List of Malware Analysis Tools]]

== External Links ==
* [http://nakedsecurity.sophos.com/2013/10/11/anatomy-of-an-exploit-ie-zero-day-part-1/ Anatomy of an exploit - inside the CVE-2013-3893 Internet Explorer zero-day - Part 1], by Paul Ducklin on October 11, 2013
* [http://nakedsecurity.sophos.com/2013/10/25/anatomy-of-an-exploit-inside-the-cve-2013-3893-internet-explorer-zero-day-part-2/ Anatomy of an exploit - inside the CVE-2013-3893-internet-explorer-zero-day - Part 2], by Paul Ducklin on October 25, 2013

[[Category:Malware]]
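The Malware analysis page names two kinds of static triage that precede any debugging: pulling printable strings out of a binary (what [[strings]] does) and reading the executable's headers (what [[PEiD]] and [[PeExplorer]] show). The following is an added example, written for this page and not code from either tool, showing both steps on a constructed PE32+ image. The sample image, its section names and its timestamp are all made up for the demonstration; the header layout and the section-characteristic flag values are those of the PE/COFF format. The heuristics in `suspicious_sections` (a writable-and-executable section, a section with no data on disk, an entry point outside a code section) are typical signs that a sample unpacks itself at run time and are worth checking before loading anything in a debugger.

```python
import re
import struct
from datetime import datetime, timezone

# IMAGE_FILE_MACHINE_* values for the COFF header's Machine field
MACHINES = {0x014C: "i386", 0x8664: "x86-64", 0xAA64: "ARM64"}
# IMAGE_SCN_* section characteristic flags
SCN_CODE, SCN_UNINIT = 0x00000020, 0x00000080
SCN_EXEC, SCN_READ, SCN_WRITE = 0x20000000, 0x40000000, 0x80000000


def extract_strings(data, min_len=4):
    """Like the strings(1) default: runs of printable ASCII at least min_len long."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def parse_pe(data):
    """Parse the DOS header, COFF file header, optional-header magic and section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                   # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]    # 0x10b = PE32, 0x20b = PE32+
    entry_point = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint (RVA)
    sections = []
    for i in range(nsections):                        # section table starts right after the optional header
        off = opt + opt_size + i * 40
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "vsize": vsize,
                         "vaddr": vaddr, "rawsize": rawsize, "rawptr": rawptr, "flags": flags})
    return {"machine": MACHINES.get(machine, hex(machine)), "timestamp": timestamp,
            "compiled": datetime.fromtimestamp(timestamp, timezone.utc).isoformat(),
            "pe32plus": magic == 0x20B, "entry_point": entry_point,
            "characteristics": characteristics, "sections": sections}


def suspicious_sections(pe):
    """Header-level heuristics a PE viewer surfaces before any debugging is done."""
    findings = []
    for s in pe["sections"]:
        if s["flags"] & SCN_WRITE and s["flags"] & SCN_EXEC:
            findings.append("%s is writable and executable" % s["name"])
        if s["rawsize"] == 0 and s["vsize"] > 0:
            findings.append("%s has no data on disk but %#x bytes in memory" % (s["name"], s["vsize"]))
        in_section = s["vaddr"] <= pe["entry_point"] < s["vaddr"] + max(s["vsize"], s["rawsize"])
        if in_section and not s["flags"] & SCN_CODE:
            findings.append("entry point %#x is in %s, which is not marked as code" % (pe["entry_point"], s["name"]))
    return findings


def analyze(data):
    """Static triage: strings plus header parsing plus heuristics, in one result."""
    pe = parse_pe(data)
    return {"strings": extract_strings(data), "pe": pe, "findings": suspicious_sections(pe)}


def build_sample_pe():
    """Constructed PE32+ image for demonstration only, not a real binary. Two sections; the second
    mimics a self-unpacking stub: no raw data, writable+executable, and it holds the entry point."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)              # e_lfanew at offset 0x3c -> PE header at 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 2, 1382918400, 0, 0, 240, 0x0022)
    optional = struct.pack("<H", 0x20B) + b"\0" * 14 + struct.pack("<I", 0x2000) + b"\0" * 220
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0,
                       SCN_CODE | SCN_EXEC | SCN_READ)
    packed = struct.pack("<8sIIIIIIHHI", b".packed", 0x4000, 0x2000, 0, 0, 0, 0, 0, 0,
                         SCN_UNINIT | SCN_EXEC | SCN_READ | SCN_WRITE)
    header = dos + coff + optional + text + packed
    header += b"\0" * (0x200 - len(header))
    body = b"\0\x01\x02kernel32.dll\0VirtualAlloc\0\xff\xfeHello, World!\0ab\0"  # constructed .text contents
    return header + body + b"\0" * (0x200 - len(body))


if __name__ == "__main__":
    result = analyze(build_sample_pe())
    print("strings:", result["strings"])
    print("machine:", result["pe"]["machine"], "PE32+:", result["pe"]["pe32plus"], "built:", result["pe"]["compiled"])
    for f in result["findings"]:
        print("finding:", f)
```

Run against a real file, the same `analyze(open(path, "rb").read())` call gives the string list and the section findings; anything the heuristics flag is a reason to move on to the header viewers and debuggers the page lists rather than a verdict on its own.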
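Returning to the NetworkMiner page: it describes OS fingerprinting from TCP SYN and SYN+ACK packets and a host-centric view in which everything observed is grouped per host. The following added example (written for this page, not NetworkMiner's code and not a reimplementation of p0f or Ettercap) shows where that information comes from. It parses raw Ethernet/IPv4/TCP frames with nothing but `struct`, keeps only the handshake packets, pulls out the fields a p0f-style signature is built from (initial TTL, window size, MSS and the order of TCP options) and groups the result per source host, also recording a port as open when the host answered with SYN+ACK. The frames in `SAMPLE_FRAMES` are constructed in code (no checksums, no payload) and the signature strings are only the raw field values; matching them against a real fingerprint database is what the tools the page names add on top.

```python
import struct
from collections import defaultdict

SYN, ACK = 0x02, 0x10  # TCP flag bits (RFC 793)


def tcp_options(raw):
    """Walk the TCP options field; return (option kinds in order, MSS or None).
    Kind 0 (end of list) and kind 1 (NOP) are single bytes, everything else is TLV."""
    kinds, mss, i = [], None, 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:
            kinds.append("eol")
            break
        if kind == 1:
            kinds.append("nop")
            i += 1
            continue
        if i + 1 >= len(raw):
            break                                   # truncated TLV
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            break                                   # malformed length: stop instead of reading past the buffer
        if kind == 2 and length == 4:
            mss = struct.unpack("!H", raw[i + 2:i + 4])[0]
            kinds.append("mss")
        else:
            kinds.append({3: "ws", 4: "sok", 8: "ts"}.get(kind, "opt%d" % kind))
        i += length
    return kinds, mss


def parse_frame(frame):
    """Parse Ethernet II / IPv4 / TCP and return the fields a SYN or SYN+ACK signature
    is built from; return None for anything that is not an IPv4 TCP handshake packet."""
    if len(frame) < 14 + 20 + 20 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 6 or ihl < 20:
        return None
    tcp = ip[ihl:total_len]
    sport, dport, _, _, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    data_off, flags = (off_flags >> 12) * 4, off_flags & 0x1FF
    if not flags & SYN:
        return None                                 # only the handshake carries the stack's default values
    kinds, mss = tcp_options(tcp[20:data_off])
    return {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)), "sport": sport, "dport": dport,
            "role": "server" if flags & ACK else "client",
            "ttl": ttl, "window": window, "mss": mss, "options": kinds}


def initial_ttl(observed):
    """Round the observed TTL up to the nearest common initial value (hops in transit decrement it)."""
    for candidate in (32, 64, 128, 255):
        if observed <= candidate:
            return candidate
    return observed


def host_centric(frames):
    """Group handshake signatures per source host, the way a host-centric view does."""
    hosts = defaultdict(lambda: {"signatures": set(), "open_ports": set()})
    for f in filter(None, map(parse_frame, frames)):
        sig = "%d:%d:%s:%s" % (initial_ttl(f["ttl"]), f["window"], f["mss"], ",".join(f["options"]))
        hosts[f["src"]]["signatures"].add((f["role"], sig))
        if f["role"] == "server":
            hosts[f["src"]]["open_ports"].add(f["sport"])  # a SYN+ACK proves the port was listening
    return dict(hosts)


def build_frame(src, dst, sport, dport, flags, ttl, window, opts):
    """Constructed test input only: minimal Ethernet/IPv4/TCP frame, no checksums, no payload."""
    off_flags = ((20 + len(opts)) // 4) << 12 | flags
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 0, off_flags, window, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, ttl, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\0" * 12 + b"\x08\x00" + ip + tcp


# Constructed capture: a client SYN (TTL 125, i.e. 128 minus three hops), the server's SYN+ACK
# (TTL 61, i.e. 64 minus three hops), and a plain ACK that carries no fingerprint information.
SAMPLE_FRAMES = [
    build_frame("10.0.0.5", "10.0.0.80", 51234, 80, SYN, 125, 8192, b"\x02\x04\x05\xb4\x01\x03\x03\x08"),
    build_frame("10.0.0.80", "10.0.0.5", 80, 51234, SYN | ACK, 61, 29200, b"\x02\x04\x05\xb4\x01\x01\x04\x02"),
    build_frame("10.0.0.5", "10.0.0.80", 51235, 80, ACK, 125, 8192, b""),
]

if __name__ == "__main__":
    for host, info in sorted(host_centric(SAMPLE_FRAMES).items()):
        print(host, sorted(info["signatures"]), "open ports:", sorted(info["open_ports"]))
```

The same `host_centric` call works on frames read from a PCAP file once the per-packet record headers are stripped; the option-order string is the part of the signature that varies most between TCP stacks, which is why the fingerprint databases the page mentions key on it.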