NETRESEC Network Security Blog - Tag : NetworkMiner Professional


NetworkMiner 3.1 Released

Image: NetworkMiner 3.1 logo

This NetworkMiner release brings improved extraction of artifacts like usernames, passwords and hostnames from network traffic. We have also made some updates to the user interface and continued our effort to extract even more details from malware C2 traffic.

More Artifacts Extracted

Usernames and passwords are now extracted from Proxy-Authenticate headers. NetworkMiner’s username extraction support for SMTP AUTH LOGIN requests has also been improved.


Image: Username and password extracted from HTTP Proxy-Authenticate header

NetworkMiner has several methods for passively identifying host names of clients and servers. We’ve added a few additional hostname sources to this release, such as client hostnames from SMTP EHLO requests and TLS SNI fields from RDP traffic.

User Interface Improvements

The most significant user interface update in the 3.1 release is probably the new “Not in” keyword filter mode. I received this feature request when teaching a network forensics class (thanks for the great idea Lukas!). This filter mode is the opposite of the default “Exact Phrase” setting.


Image: Parameters extracted from anything but HTTP traffic in Johannes Weber's Ultimate PCAP

The “Not in” filter mode comes in very handy when the information you’re interested in is drowning in a sea of non-relevant, but easily identifiable, data.

Malware C2 Traffic

NetworkMiner can extract information from various malware Command-and-Control (C2) protocols like Latrodectus/IcedID BackConnect, Meterpreter, njRAT, Redline Stealer, Remcos, RMS and StealC. The free version of NetworkMiner can extract information, such as commands or transferred files, from these malware protocols as long as the C2 server listens on a “standard” port number. But if the C2 server runs on some other port (which is often the case), then NetworkMiner Professional’s Port Independent Protocol Identification (PIPI) feature is required to identify the correct parser for the network traffic.

Implementing malware C2 protocol parsers is sometimes a thankless task because these protocols tend to get replaced at a much higher rate compared to legitimate network protocols. But it is an important task nevertheless.

njRAT

A popular malware for which the C2 protocol hasn’t changed much during the past decade is njRAT. In fact, new njRAT samples are discovered by security researchers pretty much every day despite it being a 13-year-old trojan. NetworkMiner’s njRAT support has therefore been improved in this release. NetworkMiner can extract files that are uploaded to or downloaded from a PC infected with njRAT. This file extraction feature also covers the plugins njRAT uses for specific tasks, such as running a reverse shell, viewing camera images or stealing passwords. njRAT C2 servers transmit these plugins as gzip compressed DLL files to victim computers when needed.


Image: Files extracted from njRAT in PCAP from our network forensics class

NetworkMiner extracts these gz compressed plugin DLL files to disk. A new feature in the 3.1 release is that it then decompresses the gz data and calculates an MD5 hash of the file contents, but without saving the decompressed data to disk. The MD5 hashes of the transferred files are instead displayed on the Parameters tab, as seen in this screenshot:


Image: MD5 hashes of njRAT plugin DLLs

The following njRAT plugin MD5 hashes can be seen in this screenshot:

  • cef141d894400bc2e0096d1ed0c8f95b (aka inf.dll)
  • a73edb60b80a2dfa86735d821bea7b19 (aka cam.dll)
  • a93349ba5e621cfb7a46dc9f401fd998 (aka plg.dll)
  • 11375fb0cee4c06b5cefa2031ee2ed6d (aka pw.dll)
  • 19967e886edcd2f22f8d4a58c8ea3773 (aka sc2.dll)

See our video Decoding njRAT traffic with NetworkMiner for a more in-depth demonstration of NetworkMiner’s njRAT parsing features.
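The hash-without-saving step described above, as an added example that is not NetworkMiner's own code: the gzip stream is inflated in memory, every inflated chunk is fed straight into an MD5 object, and a cap on the inflated size stops a corrupt or hostile stream from exhausting memory. The plugin bytes, the gzip payload and the 64 MiB cap are all constructed for this example; a real njRAT plugin would be a PE file.

```python
import gzip
import hashlib
import zlib
from typing import Optional

# Constructed stand-in for a plugin DLL body (a real plugin would be a PE file).
# Its MD5 is the well-known 9e107d9d372bb6826bd81d3542a419d6.
FAKE_PLUGIN = b"The quick brown fox jumps over the lazy dog"
# Constructed wire payload: the gzip stream a C2 server would send to the victim.
FAKE_GZ_PAYLOAD = gzip.compress(FAKE_PLUGIN)
# Hypothetical cap on inflated size so a decompression bomb cannot exhaust memory.
MAX_INFLATED = 64 * 1024 * 1024


def md5_of_gzip_member(gz_bytes: bytes, chunk: int = 4096, limit: int = MAX_INFLATED) -> str:
    """Inflate a gzip stream in memory and return the MD5 of its decompressed content.

    Nothing is written to disk: zlib emits at most `chunk` bytes per call and each
    piece goes straight into the hash object. wbits=31 tells zlib to expect a gzip
    header and trailer rather than a raw zlib stream.
    """
    if gz_bytes[:2] != b"\x1f\x8b":
        raise ValueError("not a gzip stream (bad magic)")
    inflater = zlib.decompressobj(wbits=31)
    digest = hashlib.md5()
    total = 0
    pending = gz_bytes
    try:
        while pending:
            out = inflater.decompress(pending, chunk)   # at most `chunk` bytes of output
            pending = inflater.unconsumed_tail          # input zlib has not processed yet
            total += len(out)
            if total > limit:
                raise ValueError("inflated size exceeds %d bytes" % limit)
            digest.update(out)
        # If the stream ended cleanly nothing is left; otherwise drain zlib's buffers.
        out = b"" if inflater.eof else inflater.flush()
    except zlib.error as exc:
        raise ValueError("corrupt gzip stream: %s" % exc)
    total += len(out)
    if total > limit:
        raise ValueError("inflated size exceeds %d bytes" % limit)
    digest.update(out)
    if not inflater.eof:
        raise ValueError("truncated gzip stream (trailer missing)")
    return digest.hexdigest()


def md5_of_transfer(gz_bytes: bytes, **kwargs) -> Optional[str]:
    """Forensic-tool flavoured wrapper: a bad transfer yields None instead of a crash."""
    try:
        return md5_of_gzip_member(gz_bytes, **kwargs)
    except ValueError:
        return None


if __name__ == "__main__":
    print("plugin MD5:", md5_of_transfer(FAKE_GZ_PAYLOAD))
    print("truncated transfer:", md5_of_transfer(FAKE_GZ_PAYLOAD[:-4]))
```

The size cap matters in a passive analysis tool because the attacker controls the compressed bytes; inflating an untrusted stream without a bound turns a hashing step into a denial-of-service vector for the analyst's workstation.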

Redline Stealer

Another common malware is Redline Stealer. It uses a legitimate protocol called MC-NMF to send instructions and exfiltrate data from victim computers. Basic support for the MC-NMF protocol has therefore been added to NetworkMiner 3.1. MC-NMF is also used by legitimate services like Microsoft’s Service Bus, so as a bonus you can now analyze such traffic with NetworkMiner as well. The MC-NMF protocol has a compression routine called MC-NBFSE, which is utilized by Redline Stealer. NetworkMiner can’t decompress this format, so files are extracted to disk in compressed form.


Image: Files extracted from Redline execution on Joe Sandbox

You can probably spot some interesting details in the extracted data even when viewing the NBFSE compressed contents though.


Image: NBFSE compressed file contents extracted from Redline execution on Joe Sandbox
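As an added illustration (not NetworkMiner's code) of the framing that makes file extraction from MC-NMF traffic possible: the parser below walks the record stream defined in Microsoft's .NET Message Framing specification (MC-NMF), decodes the variable-length size fields and carves out the Sized Envelope payloads. With encoding 0x08 those payloads are MC-NBFSE data, which is left untouched here, just like the compressed files NetworkMiner writes to disk. The net.tcp URI and the envelope contents are constructed sample data, not taken from any capture.

```python
from typing import List, Tuple

# Record type codes from the MC-NMF (.NET Message Framing) specification.
VERSION, MODE, VIA, KNOWN_ENCODING = 0x00, 0x01, 0x02, 0x03
SIZED_ENVELOPE, END, UPGRADE_REQUEST, UPGRADE_RESPONSE = 0x06, 0x07, 0x09, 0x0A
PREAMBLE_ACK, PREAMBLE_END = 0x0B, 0x0C

MODES = {0x01: "Singleton-Unsized", 0x02: "Duplex", 0x03: "Simplex", 0x04: "Singleton-Sized"}
ENCODINGS = {
    0x00: "UTF-8 SOAP 1.1", 0x01: "UTF-16 SOAP 1.1", 0x02: "Unicode LE SOAP 1.1",
    0x03: "UTF-8 SOAP 1.2", 0x04: "UTF-16 SOAP 1.2", 0x05: "Unicode LE SOAP 1.2",
    0x06: "MTOM SOAP 1.2", 0x07: "Binary SOAP 1.2",
    0x08: "Binary with in-band dictionary SOAP 1.2 (MC-NBFSE)",
}
# Records that carry no data at all.
SIMPLE_RECORDS = {END: "End", PREAMBLE_ACK: "PreambleAck",
                  PREAMBLE_END: "PreambleEnd", UPGRADE_RESPONSE: "UpgradeResponse"}

Record = Tuple[str, object]


def encode_size(n: int) -> bytes:
    """MC-NMF size field: 7 bits per byte, little-endian, MSB set means more bytes follow."""
    out = bytearray()
    while True:
        byte, n = n & 0x7F, n >> 7
        if n:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def decode_size(buf: bytes, pos: int) -> Tuple[int, int]:
    """Return (size, offset just after the size field); the spec allows at most five bytes."""
    value = shift = 0
    for _ in range(5):
        if pos >= len(buf):
            raise ValueError("truncated size field")
        byte, pos = buf[pos], pos + 1
        value |= (byte & 0x7F) << shift
        shift += 7
        if not byte & 0x80:
            return value, pos
    raise ValueError("size field longer than five bytes")


def _take(buf: bytes, pos: int, n: int) -> bytes:
    """Bounds-checked slice so a truncated capture raises instead of silently yielding less."""
    if pos + n > len(buf):
        raise ValueError("record truncated at offset %d" % pos)
    return buf[pos:pos + n]


def parse_stream(buf: bytes) -> List[Record]:
    """Split one direction of a reassembled MC-NMF TCP stream into (name, value) records."""
    records: List[Record] = []
    pos = 0
    while pos < len(buf):
        rtype, pos = buf[pos], pos + 1
        if rtype == VERSION:
            major, minor = _take(buf, pos, 2)
            pos += 2
            records.append(("Version", (major, minor)))
        elif rtype == MODE:
            mode = _take(buf, pos, 1)[0]
            pos += 1
            records.append(("Mode", MODES.get(mode, "Unknown(0x%02x)" % mode)))
        elif rtype == KNOWN_ENCODING:
            enc = _take(buf, pos, 1)[0]
            pos += 1
            records.append(("KnownEncoding", ENCODINGS.get(enc, "Unknown(0x%02x)" % enc)))
        elif rtype in (VIA, UPGRADE_REQUEST):
            size, pos = decode_size(buf, pos)
            text = _take(buf, pos, size).decode("utf-8", errors="replace")
            pos += size
            records.append(("Via" if rtype == VIA else "UpgradeRequest", text))
        elif rtype == SIZED_ENVELOPE:
            size, pos = decode_size(buf, pos)
            payload = bytes(_take(buf, pos, size))   # still NBFSE-encoded, not decoded here
            pos += size
            records.append(("SizedEnvelope", payload))
        elif rtype in SIMPLE_RECORDS:
            records.append((SIMPLE_RECORDS[rtype], None))
        else:
            raise ValueError("unknown record type 0x%02x at offset %d" % (rtype, pos - 1))
    return records


def carve_envelopes(records: List[Record]) -> List[bytes]:
    """The file-extraction step: every Sized Envelope body becomes one carved blob."""
    return [payload for name, payload in records if name == "SizedEnvelope"]


def build_stream(via: str, encoding: int, envelopes: List[bytes]) -> bytes:
    """Client-side framing (version 1.0, duplex mode), used here to construct test input."""
    out = bytearray([VERSION, 1, 0, MODE, 0x02])
    via_bytes = via.encode("utf-8")
    out += bytes([VIA]) + encode_size(len(via_bytes)) + via_bytes
    out += bytes([KNOWN_ENCODING, encoding, PREAMBLE_END])
    for env in envelopes:
        out += bytes([SIZED_ENVELOPE]) + encode_size(len(env)) + env
    out.append(END)
    return bytes(out)


# Constructed sample stream: a hypothetical net.tcp endpoint and two dummy envelopes,
# the second one long enough to exercise a two-byte size field.
PAYLOAD_ONE = b"constructed envelope one"
PAYLOAD_TWO = b"B" * 300
SAMPLE_STREAM = build_stream("net.tcp://c2.example.invalid/", 0x08, [PAYLOAD_ONE, PAYLOAD_TWO])

if __name__ == "__main__":
    for name, value in parse_stream(SAMPLE_STREAM):
        print(name, "%d bytes" % len(value) if isinstance(value, bytes) else value)
```

Running it prints the preamble (version, mode, Via URI, encoding), the two envelope sizes and the End record. The Via URI and the Known Encoding record are the two preamble fields most useful for telling a Service Bus client apart from a stealer that merely borrows the same framing.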

Bug Fixes

NetworkMiner 3.1 also resolves several minor bugs. One of these bugs could cause NetworkMiner to hang when showing file details in Linux. Another resolved bug prevented some IPv6 payloads from being parsed correctly if the Ethernet frame contained trailing padding data. The VoIP call metadata extraction has also been improved in NetworkMiner Professional.

Upgrading to Version 3.1

Users who have purchased NetworkMiner Professional can download version 3.1 from our customer portal, or use the “Check for Updates” feature from NetworkMiner's Help menu. Those who instead prefer to use the free and open source version can grab the latest release of NetworkMiner from the official NetworkMiner page.

Posted by Erik Hjelmvik on Monday, 01 December 2025 08:20:00 (UTC/GMT)

Tags: #NetworkMiner #NetworkMiner Professional #njRAT

Short URL: https://netresec.com/?b=25C4039



Browsers tab in NetworkMiner Professional

The Browsers tab is a unique feature only available in NetworkMiner Professional. The PCAP files analyzed in this video are pwned-se_150312_outgoing.pcap and pwned-se_150312_incoming.pcap, which are snippets of the 4.4 GB Hands-on Network Forensics dataset from FIRST 2015 (slides).

More information about NetworkMiner Professional's Browsers tab can be found in our blog post Analyzing Web Browsing Activity.

See our NetworkMiner Professional tutorial videos for additional tips and hints.

Posted by Erik Hjelmvik on Thursday, 03 October 2024 09:10:00 (UTC/GMT)

Tags: #NetworkMiner Professional #Video #Tutorial

Short URL: https://netresec.com/?b=24Abf1c



Hosts tab in NetworkMiner Professional

The PCAP file analyzed in this video is MD_2015-07-22_112601.pcap, which is a snippet of the training data used in our network forensics classes from 2015 to 2019.

Techniques, tools and databases mentioned in the tutorial:

Check out our Passive OS Fingerprinting blog post for more details on how to identify operating systems using TCP/IP headers and browser user-agents.

See our NetworkMiner Professional tutorial videos for more tips and hints.

Posted by Erik Hjelmvik on Tuesday, 01 October 2024 08:25:00 (UTC/GMT)

Tags: #NetworkMiner Professional #Video #Tutorial

Short URL: https://netresec.com/?b=24A71a9


Opening capture files with NetworkMiner Professional

This video tutorial demonstrates how to open capture files with NetworkMiner Professional.

The analyzed pcap-ng file is github.pcapng from CloudShark. More info about this capture file can be found in our blog post Forensics of Chinese MITM on GitHub.

See our NetworkMiner Professional tutorial videos for more tips and hints.

Posted by Erik Hjelmvik on Monday, 30 September 2024 12:50:00 (UTC/GMT)

Tags: #NetworkMiner Professional #Video #Tutorial

Short URL: https://netresec.com/?b=249b790


Video Tutorial: Installing NetworkMiner Professional

This video tutorial covers how to install NetworkMiner Professional.

Use the official 7-Zip tool to extract the password-protected 7-Zip archive.

Recommended locations for NetworkMiner:

  • Desktop
  • My Documents
  • C:\Users\{user}\AppData\Local\Programs\
  • USB flash drive

See our NetworkMiner Professional tutorial videos for more tips and hints.

Posted by Erik Hjelmvik on Monday, 30 September 2024 08:45:00 (UTC/GMT)

Tags: #NetworkMiner Professional #Video #Tutorial

Short URL: https://netresec.com/?b=24904d2


Hunting for C2 Traffic

In this video I look for C2 traffic by doing something I call Rinse-Repeat Threat Hunting, which is a method for removing "normal" traffic in order to look closer at what isn't normal.

The video was recorded in a Windows Sandbox in order to avoid accidentally infecting my Windows PC with malware.

The PCAP files analyzed in the video are:

Thank you for sharing these capture files Brad!

IOC List

  • QBot source: 23.29.125.210
  • QBot md5: 2b55988c0d236edd5ea1a631ccd37b76
  • QBot sha1: 033a22c3bb2b0dd1677973e1ae6280e5466e771c
  • QBot sha256: 2d68755335776e3de28fcd1757b7dcc07688b31c37205ce2324d92c2f419c6f0
  • QBot proxy protocol server: 23.111.114.52:65400
  • QBot C2: 45.46.53.140:2222
  • QBot C2 JA3: 51c64c77e60f3980eea90869b68c58a8
  • QBot C2 JA3S: 7c02dbae662670040c7af9bd15fb7e2f
  • QBot X.509 domain: thdoot.info
  • QBot X.509 thumbprint: 5a8ee4be30bd5da709385940a1a6e386e66c20b6
  • IcedID BackConnect server: 78.31.67.7:443
  • IcedID BackConnect server: 91.238.50.80:8080

References and Links

Update 2022-10-13

Part two of this analysis has been published: IcedID BackConnect Protocol

Posted by Erik Hjelmvik on Friday, 30 September 2022 12:37:00 (UTC/GMT)

Tags: #Threat Hunting #PCAP #CapLoader #NetworkMiner #NetworkMiner Professional #Video #QBot #QakBot #51c64c77e60f3980eea90869b68c58a8 #IcedID #TA578

Short URL: https://netresec.com/?b=2296553

2018 February

Examining Malware Redirects with NetworkMiner Professional

2016 February

Analyzing Web Browsing Activity