Netresec is an independent software vendor with focus on the network security field. We specialize in software for network forensics and analysis of network traffic.
Our most well known product is NetworkMiner, which is available in a professional as well as free open source version. We also develop and maintain other software tools, such as CapLoader (for big pcap files) and RawCap (a lightweight sniffer).
We at Netresec additionally maintain a comprehensive list of publicly available pcap files.
NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows. NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. NetworkMiner can also parse PCAP files for off-line analysis and to regenerate/reassemble transmitted files and certificates from PCAP files.
CapLoader is a Windows tool designed to handle large amounts of captured network traffic in the tcpdump/libpcap format (PCAP). CapLoader displays the contents of opened PCAP files as a list of TCP and UDP flows. Users can select the flows of interest and quickly filter out those packets from the loaded PCAP files. Sending the selected flows/packets to a packet analyzer tool like Wireshark or NetworkMiner is then just a mouse click away.
PolarProxy is a transparent SSL/TLS proxy created for incident responders and malware researchers. PolarProxy is primarily designed to intercept and decrypt TLS encrypted traffic from malware that is run in a controlled environment, such as a sandbox. PolarProxy decrypts and re-encrypts TLS traffic, while also saving the decrypted traffic in a PCAP file.
Additional software from Netresec can be found on our products page.
Open .ETL Files with NetworkMiner and CapLoader
Windows event tracing .etl files can now be read by NetworkMiner and CapLoader without having to first convert them to .pcap or .pcapng. The ETL support is included in NetworkMiner 2.7.2 and CapLoader 1.9.3, which were both released this morning. What is an ETL Trace File? ETL is short for Event Tra[...]
How the SolarWinds Hack (almost) went Undetected
My lightning talk from the SEC-T 0x0D conference has now been published on YouTube. This 13 minute talk covers tactics and techniques that the SolarWinds hackers used in order to avoid being detected. Some of these tactics included using DNS based command-and-control (C2) that mimicked Amazon AWS DN[...]
Start Menu Search Video
In this video I demonstrate that text typed into the Windows 10 start menu gets sent to Microsoft and how that traffic can be intercepted, decrypted and parsed. The video cannot be played in your browser. What Was Sent? The XML files shown in the video were sent by Cortana's 'SmartSearch' app to htt[...]
Carving Packets from Memory
Someone who says 'We're gonna pull the packet captures out of the router' probably has no clue how to capture network traffic. In the Lindell case, statements like these were results of an elaborate hoax. Nevertheless, such a statement doesn't have to be nonsense — if it comes from someone who knows[...]
Walkthrough of DFIR Madness PCAP
I recently came across a fantastic digital forensics dataset at dfirmadness.com, which was created by James Smith. There is a case called The Stolen Szechuan Sauce on this website that includes forensic artifacts like disk images, memory dumps and a PCAP file (well, pcap-ng actually). In this video[...]
NetworkMiner 2.7 Released
We are happy to announce the release of NetworkMiner 2.7 today! The new version extracts documents from print traffic and pulls out even more files and parameters from HTTP as well as SMB2 traffic. We have also updated our JA3 implementation to fingerprint the server side in TLS sessions using JA3S[...]
Network Forensics Classes for EU and US
We have now scheduled two new live online classes, one in September and one in October. The September class is adapted to European time and the October one is adapted to American time. The contents are exactly the same in both classes. The training is split into four interactive morning sessions (4[...]
Detecting Cobalt Strike and Hancitor traffic in PCAP
This video shows how Cobalt Strike and Hancitor C2 traffic can be detected using CapLoader. Your browser does not support the video tag. I bet you're going: 😱 OMG he's analyzing Windows malware on a Windows PC!!! Relax, I know what I'm doing. I have also taken the precaution of analyzing the PCAP f[...]