Network Forensics and
Network Security Monitoring
Netresec is an independent software vendor with focus on the network security field. We specialize in software for network forensics and analysis of network traffic.
Our most well known product is NetworkMiner, which is available in a professional as well as free open source version. We also develop and maintain other software tools, such as CapLoader (for big pcap files) and RawCap (a lightweight sniffer).
We at Netresec additionally maintain a comprehensive list of publicly available pcap files.
NetworkMiner
NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows. NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. NetworkMiner can also parse PCAP files for off-line analysis and to regenerate/reassemble transmitted files and certificates from PCAP files.
CapLoader
CapLoader is a Windows tool designed to handle large amounts of captured network traffic in the tcpdump/libpcap format (PCAP). CapLoader displays the contents of opened PCAP files as a list of TCP and UDP flows. Users can select the flows of interest and quickly filter out those packets from the loaded PCAP files. Sending the selected flows/packets to a packet analyzer tool like Wireshark or NetworkMiner is then just a mouse click away.
PolarProxy
PolarProxy is a transparent SSL/TLS proxy created for incident responders and malware researchers. PolarProxy is primarily designed to intercept and decrypt TLS encrypted traffic from malware that is run in a controlled environment, such as a sandbox. PolarProxy decrypts and re-encrypts TLS traffic, while also saving the decrypted traffic in a PCAP file.
Additional software from Netresec can be found on our products page.
Headlines from our Blog:
NetworkMiner 2.7.3 Released
NetworkMiner now extracts meterpreter payloads from reverse shells and performs offline lookups of JA3 hashes and TLS certificates. Our commercial tool, NetworkMiner Professional, additionally comes with a packet carver that extracts network packets from memory dumps. Extraction of Meterpreter Paylo[...]
PolarProxy in Windows Sandbox
In this video I demonstrate how PolarProxy can be run in a Windows Sandbox to intercept and decrypt outgoing TLS communication. This setup can be used to inspect otherwise encrypted traffic from malware or suspicious Windows applications, which communicate over HTTPS or some other TLS encrypted prot[...]
PolarProxy 0.9 Released
PolarProxy was previously designed to only run as a transparent TLS proxy. But due to popular demand we've now extended PolarProxy to also include a SOCKS proxy and a HTTP CONNECT proxy. PolarProxy automatically decrypts all proxied SSL and TLS traffic, regardless if the remote server is running on[...]
Open .ETL Files with NetworkMiner and CapLoader
Windows event tracing .etl files can now be read by NetworkMiner and CapLoader without having to first convert them to .pcap or .pcapng. The ETL support is included in NetworkMiner 2.7.2 and CapLoader 1.9.3, which were both released this morning. What is an ETL Trace File? ETL is short for Event Tra[...]
How the SolarWinds Hack (almost) went Undetected
My lightning talk from the SEC-T 0x0D conference has now been published on YouTube. This 13 minute talk covers tactics and techniques that the SolarWinds hackers used in order to avoid being detected. Some of these tactics included using DNS based command-and-control (C2) that mimicked Amazon AWS DN[...]