Netresec is an independent software vendor with focus on the network security field. We specialize in software for network forensics and analysis of network traffic.
Our most well known product is NetworkMiner, which is available in a professional as well as free open source version. We also develop and maintain other software tools, such as CapLoader (for big pcap files) and RawCap (a lightweight sniffer).
We at Netresec additionally maintain a comprehensive list of publicly available pcap files.
NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows. NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. NetworkMiner can also parse PCAP files for off-line analysis and to regenerate/reassemble transmitted files and certificates from PCAP files.
CapLoader is a Windows tool designed to handle large amounts of captured network traffic in the tcpdump/libpcap format (PCAP). CapLoader displays the contents of opened PCAP files as a list of TCP and UDP flows. Users can select the flows of interest and quickly filter out those packets from the loaded PCAP files. Sending the selected flows/packets to a packet analyzer tool like Wireshark or NetworkMiner is then just a mouse click away.
PolarProxy is a transparent SSL/TLS proxy created for incident responders and malware researchers. PolarProxy is primarily designed to intercept and decrypt TLS encrypted traffic from malware that is run in a controlled environment, such as a sandbox. PolarProxy decrypts and re-encrypts TLS traffic, while also saving the decrypted traffic in a PCAP file.
Additional software from Netresec can be found on our products page.
The NSA HSTS Security Feature Mystery
I recently stumbled across an NSA Cyber Advisory titled Managing Risk from Transport Layer Security Inspection (U/OO/212028-19) after first learning about it through Jonas Lejon's blog post NSA varnar för TLS-inspektion (Swedish). I read the NSA report with great interest since I wanted to see how o[...]
Extracting Kerberos Credentials from PCAP
NetworkMiner is one of the best tools around for extracting credentials, such as usernames and passwords, from PCAP files. The credential extraction feature is primarily designed for defenders, in order to analyze credential theft and lateral movement by adversaries inside your networks. But the cre[...]
NetworkMiner 2.5 Released
I am happy to announce the release of NetworkMiner 2.5 today! This new version includes new features like JA3 and parsers for the HTTP/2 and DoH protocols. We have also added support for a few older protocols that are still widely used, such as Kerberos and the CIFS browser protocol. Additionally, N[...]
Raspberry PI WiFi Access Point with TLS Inspection
This is a how-to guide for setting up a Raspberry Pi as a WiFi Access Point, which acts as a transparent TLS proxy and saves the decrypted traffic in PCAP files. Image: Raspberry Pi 4 Model B running PolarProxyStep 1: Install PolarProxy for Linux ARM We will start with installing PolarProxy, which w[...]
I'm very proud to announce the release of PolarProxy today! PolarProxy is a transparent TLS proxy that decrypts and re-encrypts TLS traffic while also generating a PCAP file containing the decrypted traffic. PolarProxy enables you to do lots of things that have previously been impossible, or at leas[...]
CapLoader 1.8 Released
We are happy to announce the release of CapLoader 1.8 today! CapLoader is primarily used to filter, slice and dice large PCAP datasets into smaller ones. This new version contains several new features that improves this filtering functionality even further. To start with, the 'Keyword Filter' can no[...]