Netresec is an independent software vendor with focus on the network security field. We specialize in software for network forensics and analysis of network traffic.
Our most well known product is NetworkMiner, which is available in a professional as well as free open source version. We also develop and maintain other software tools, such as CapLoader (for big pcap files) and RawCap (a lightweight sniffer).
We at Netresec additionally maintain a comprehensive list of publicly available pcap files.
NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows. NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. NetworkMiner can also parse PCAP files for off-line analysis and to regenerate/reassemble transmitted files and certificates from PCAP files.
CapLoader is a Windows tool designed to handle large amounts of captured network traffic in the tcpdump/libpcap format (PCAP). CapLoader displays the contents of opened PCAP files as a list of TCP and UDP flows. Users can select the flows of interest and quickly filter out those packets from the loaded PCAP files. Sending the selected flows/packets to a packet analyzer tool like Wireshark or NetworkMiner is then just a mouse click away.
PolarProxy is a transparent SSL/TLS proxy created for incident responders and malware researchers. PolarProxy is primarily designed to intercept and decrypt TLS encrypted traffic from malware that is run in a controlled environment, such as a sandbox. PolarProxy decrypts and re-encrypts TLS traffic, while also saving the decrypted traffic in a PCAP file.
Additional software from Netresec can be found on our products page.
Robust Indicators of Compromise for SUNBURST
There has been a great deal of confusion regarding what network based Indicators of Compromise (IOC) SolarWinds Orion customers can use to self assess whether or not they have been targeted after having installed a software update with the SUNBURST backdoor. Many of the published IOCs only indicate[...]
Finding Targeted SUNBURST Victims with pDNS
Our SunburstDomainDecoder tool can now be used to identify SUNBURST victims that have been explicitly targeted by the attackers. The only input needed is passive DNS (pDNS) data for avsvmcloud.com subdomains. Companies and organizations that have installed trojanized a SolarWinds Orion update contai[...]
Extracting Security Products from SUNBURST DNS Beacons
The latest version of our SunburstDomainDecoder (v1.7) can be used to reveal which endpoint protection applications that are installed on trojanized SolarWinds Orion deployments. The security application info is extracted from DNS queries for 'avsvmcloud.com' subdomains, which is used by SUNBURST as[...]
Reassembling Victim Domain Fragments from SUNBURST DNS
We are releasing a free tool called SunburstDomainDecoder today, which is created in order to help CERT organizations identify victims of the trojanized SolarWinds software update, known as SUNBURST or Solorigate. SunburstDomainDecoder can be fed with DNS queries to avsvmcloud.com in order to reveal[...]
Capturing Decrypted TLS Traffic with Arkime
The latest version of Arkime (The Sniffer Formerly Known As Moloch) can now be fed with a real-time stream of decrypted HTTPS traffic from PolarProxy. All that is needed to enable this feature is to include 'pcapReadMethod=pcap-over-ip-server' in Arkime's config.ini file and start PolarProxy with th[...]
PolarProxy 0.8.16 Released
We are happy to announce a new release of the TLS decryption tool PolarProxy. The new version has been updated to support features like client certificates and a PCAP-over-IP connector. Client Certificates PolarProxy now supports client-authenticated TLS handshakes for outgoing connections to suppor[...]
PolarProxy in Podman
Podman is a daemonless Linux container engine, which can be used as a more secure alternative to Docker. This blog post demonstrates how to run PolarProxy in a rootless container using Podman. If you still prefer to run PolarProxy in Docker, then please read our blog post 'PolarProxy in Docker' inst[...]
Honeypot Network Forensics
NCC Group recently released a 500 MB PCAP file containing three months of honeypot web traffic data related to the F5 remote code execution vulnerability CVE-2020-5902. In a blog post the NCC Group say that their objective is 'to enable all threat intelligence researchers to gain further understandi[...]
PolarProxy in Docker
Our transparent TLS proxy PolarProxy is gaining lots of popularity due to how effective it is at generating decrypted PCAP files in combination with how easy it is to deploy. In this blog post we will show how to run PolarProxy in Docker. Installation Instructions Create a Dockerfile with the follow[...]
NetworkMiner 2.6 Released
We are happy to announce the release of NetworkMiner 2.6 today! The network forensic tool is now even better at extracting emails, password hashes, FTP transfers and artifacts from HTTP and HTTP/2 traffic than before. Some of the major improvements in this new release are related to extraction and p[...]