NetworkMiner Changelog

What's new in NetworkMiner 2.8.0.0

Jan 2, 2023
  • User Interface Improvements:
  • The first thing you see when starting NetworkMiner is the Hosts tab, which has now been updated to include a filter text box. This text box can be used to filter the displayed hosts based on the property fields they contain. Entering “Android” into the filter box, for example, makes NetworkMiner show only the hosts that have a property containing the string “Android”, such as the OS classification or User-Agent string. Other properties you might find useful to filter on are hostname, JA3 hash and MAC address. If you’re running NetworkMiner Professional then you’ll also be able to filter on Country thanks to the MaxMind GeoLite2 feature included in the Pro edition.
  • It’s now also possible to copy text from most tabs in NetworkMiner with Ctrl+C or by right-clicking and selecting “Copy selected rows”. A maximum of 10 rows can be copied at a time using the free version of NetworkMiner, while the Professional version allows all rows to be copied in one go.
  • The content based file type identification introduced in NetworkMiner 2.7 has been improved to also differentiate between EXE and DLL files as of version 2.8.
  • IEC 60870-5-104:
  • NetworkMiner’s parser for the SCADA protocol IEC 60870-5-104 (IEC-104) has been significantly improved in version 2.8. NetworkMiner now supports more IEC-104 commands and the commands are presented on the Parameters tab in a clearer way than before.
  • I’m also proud to announce that NetworkMiner 2.8 now extracts files transferred over the IEC-104 protocol. More details about that particular feature will be presented in a separate blog post.
  • CAPWAP Decapsulation:
  • NetworkMiner 2.8 can read IEEE 802.11 packets inside CAPWAP tunnels between WLAN Controllers and Access Points. This feature allows WiFi traffic to be analyzed without having to capture packets in the air.
  • Reading PCAP from a Named Pipe:
  • NetworkMiner previously allowed packets to be read from PacketCache over a named pipe. This feature has been upgraded to allow a PCAP stream to be read from any named pipe, not just from PacketCache. Here’s an example showing how to capture packets from localhost for 10 seconds with RawCap and make those packets available via a named pipe called “RawCap”.
  • Bug Fixes:
  • NetworkMiner previously produced incorrect JA3S signatures for TLS servers if they sent Session ID values in Server Hello messages or listed only one supported TLS version using the Supported Versions extension. These bugs have now been fixed in NetworkMiner 2.8.
  • NetworkMiner’s live sniffing feature has been improved to better handle huge packets caused by Large Send Offload (LSO). NetworkMiner previously crashed with an error message saying that the received packet was “larger than the internal message buffer” when it attempted to capture an oversized packet.
  • Previously, TCP sessions occasionally didn’t show up in NetworkMiner’s Sessions tab if the application layer protocol was unknown. This bug has been fixed in version 2.8.
  • New Features in NetworkMiner Professional:
  • NetworkMiner Professional includes a feature for port independent protocol detection of protocols like FTP, HTTP, IRC, Meterpreter, SSH and TLS, which enables extraction of artifacts from those protocols even when the service is running on a non-standard port. This new release adds two additional protocols to the collection of identified protocols, namely SMTP and SOCKS. This allows analysts to extract emails from spam runs sent to ports other than 25 or 587, as well as to see what goes on inside covert SOCKS tunnels running on non-standard ports.
  • In addition to allowing hosts to be filtered using string and regex matching, NetworkMiner Professional also allows the discovered hosts to be filtered on IP address using CIDR notation, such as “192.168.1.0/24” or “10.0.0.0/8”.
  • Here are some IPv4 and IPv6 CIDR filters that you might find useful:
  • 224.0.0.0/4 = IPv4 multicast (224/4 is also supported)
  • 127.0.0.0/8 = IPv4 loopback (127/8 is also supported)
  • fe80::/10 = IPv6 link-local addresses
  • ff00::/8 = IPv6 multicast
  • 0.0.0.0/0 = IPv4 hosts (0/0 is also supported)
  • 0::/0 = IPv6 hosts
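The JA3S bug fix above concerns two details of Server Hello parsing: a non-empty Session ID that must be skipped using its length byte, and a supported_versions extension whose body is only two bytes long. The following is an added example, not NetworkMiner's own code, that computes a JA3S fingerprint from a Server Hello handshake message the way the Salesforce JA3 project defines it (version, cipher and extension-type list joined into a string, then MD5). Both sample messages are constructed inline; the builder function exists only to create them.

```python
import hashlib
import struct


def build_server_hello(version, session_id, cipher, extensions):
    """Assemble a TLS Server Hello handshake message (RFC 5246/8446 layout)
    from its fields. Used here only to construct sample input."""
    body = struct.pack(">H", version)
    body += b"\x11" * 32                       # server random (constructed)
    body += bytes([len(session_id)]) + session_id
    body += struct.pack(">H", cipher)          # the single chosen cipher suite
    body += b"\x00"                            # compression method: null
    ext_bytes = b"".join(struct.pack(">HH", etype, len(data)) + data
                         for etype, data in extensions)
    body += struct.pack(">H", len(ext_bytes)) + ext_bytes
    return b"\x02" + len(body).to_bytes(3, "big") + body   # type 2 = ServerHello


def ja3s_from_server_hello(msg):
    """Return (ja3s_string, md5_hex) for a Server Hello handshake message.
    JA3S = SSLVersion,Cipher,SSLExtension (extension types joined by '-')."""
    if not msg or msg[0] != 0x02:
        raise ValueError("not a Server Hello handshake message")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated Server Hello")
    off = 0
    version = struct.unpack_from(">H", body, off)[0]   # JA3S uses this field
    off += 2
    off += 32                                  # skip server random
    sid_len = body[off]
    off += 1 + sid_len                         # skip session ID, whatever its length
    cipher = struct.unpack_from(">H", body, off)[0]
    off += 2
    off += 1                                   # skip compression method
    ext_types = []
    if off < len(body):                        # the extensions block is optional
        ext_len = struct.unpack_from(">H", body, off)[0]
        off += 2
        end = off + ext_len
        while off + 4 <= end:
            etype, elen = struct.unpack_from(">HH", body, off)
            off += 4
            ext_types.append(etype)
            off += elen   # extension bodies are opaque to JA3S; a 2-byte
                          # supported_versions body is skipped like any other
    ja3s = f"{version},{cipher},{'-'.join(str(t) for t in ext_types)}"
    return ja3s, hashlib.md5(ja3s.encode()).hexdigest()


# Constructed sample: TLS 1.3 server echoing a 32-byte session ID and sending
# supported_versions (43) with a single version plus key_share (51).
SAMPLE_TLS13 = build_server_hello(
    0x0303, b"\x22" * 32, 0x1301,
    [(43, b"\x03\x04"), (51, b"\x00\x1d\x00\x04\xaa\xbb\xcc\xdd")])

# Constructed sample: TLS 1.2 server with an empty session ID and no extensions.
SAMPLE_TLS12 = build_server_hello(0x0303, b"", 0xC02F, [])

if __name__ == "__main__":
    for name, sample in (("tls13", SAMPLE_TLS13), ("tls12", SAMPLE_TLS12)):
        print(name, *ja3s_from_server_hello(sample))
```

The TLS 1.3 sample yields the string `771,4865,43-51`: the legacy version field (0x0303) is what JA3S records, so the supported_versions extension contributes only its type number 43. A parser that read the session ID without honouring its length byte, or that assumed every extension body had a fixed size, would shift every later offset and produce a wrong fingerprint, which is the class of defect the fix above describes.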
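The CIDR filters listed above include abbreviated prefixes such as “224/4” and “0/0”. As an added example (not NetworkMiner's own filter code), here is a small Python host filter that accepts both full and abbreviated IPv4 prefixes plus IPv6 prefixes, and applies them to a constructed list of discovered hosts. Missing IPv4 octets are padded with zeros before the prefix is parsed, which is an assumption about how the abbreviated form should be expanded.

```python
import ipaddress


def normalize_cidr(expr):
    """Expand abbreviated prefixes ("224/4", "0/0", "10.1/16") into a full
    CIDR string and return an ipaddress network object. IPv6 prefixes and
    bare addresses (no slash) pass through unchanged."""
    expr = expr.strip()
    if "/" in expr:
        addr, prefix = expr.split("/", 1)
    else:
        addr, prefix = expr, None
    if ":" not in addr:
        # IPv4: pad missing octets with zeros, e.g. "224" -> "224.0.0.0"
        octets = addr.split(".")
        if not 1 <= len(octets) <= 4:
            raise ValueError(f"bad IPv4 prefix: {expr!r}")
        addr = ".".join(octets + ["0"] * (4 - len(octets)))
        if prefix is None:
            prefix = "32"
    elif prefix is None:
        prefix = "128"
    # strict=False tolerates host bits set in the prefix ("192.168.1.10/24")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def filter_hosts(hosts, cidr_expr):
    """Return the hosts (IP strings) that fall inside the given CIDR filter,
    keeping the input order. Hosts of the other IP version never match."""
    net = normalize_cidr(cidr_expr)
    matches = []
    for ip in hosts:
        addr = ipaddress.ip_address(ip)
        if addr.version == net.version and addr in net:
            matches.append(ip)
    return matches


# Constructed sample of discovered hosts (documentation and private ranges).
SAMPLE_HOSTS = [
    "192.168.1.10", "192.168.2.20", "10.0.0.5", "224.0.0.251",
    "127.0.0.1", "fe80::1", "ff02::fb", "2001:db8::1",
]

if __name__ == "__main__":
    for f in ("192.168.1.0/24", "224/4", "127/8", "fe80::/10", "ff00::/8", "0/0", "0::/0"):
        print(f"{f:16} -> {filter_hosts(SAMPLE_HOSTS, f)}")
```

The version check matters for the two catch-all filters: “0/0” selects every IPv4 host and “0::/0” every IPv6 host, so the two never overlap, which is what the list above states.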

New in NetworkMiner 2.7.3.0 (Apr 4, 2022)

  • Extraction of Meterpreter Payloads:
  • NetworkMiner 2.7.3 supports extraction of meterpreter DLL payloads from reverse shell TCP sessions deployed with Metasploit. The free version of NetworkMiner will try to extract the meterpreter DLL from TCP sessions going to "poker-hand ports" commonly used for meterpreter sessions, such as 3333, 4444, 5555, etc. The port-independent protocol detection feature available in NetworkMiner Professional additionally enables extraction of meterpreter DLLs regardless of which LPORT the attacker specifies when deploying the reverse shell.
  • Packet Carving in NetworkMiner Professional:
  • If you try to open anything other than a PCAP, PcapNG or ETL file in NetworkMiner Professional, then you'll be presented with an option to carve packets from the opened file as of this release.
  • The packet carver can extract packets from any structured or unstructured data, such as memory dumps and proprietary packet capture formats. NetworkMiner Pro's carver is a simplified version of the packet carving feature in CapLoader.
  • Offline Matching of JA3 and X.509 hashes:
  • NetworkMiner 2.7.3 comes with a local copy of the SSL Certificate and JA3 Fingerprint Blacklists from the awesome abuse.ch project. JA3 hashes and extracted X.509 certificates are matched against these lists in order to see if they are associated with any piece of malware or botnet.
  • The port-independent protocol detection feature in NetworkMiner Professional additionally enables X.509 certificates to be extracted even from non-standard TLS ports, such as this certificate, which is identified as "BitRAT" with help of the abuse.ch certificate block-list.
  • DNSBL Lookup Detection:
  • DNSBL services are used by servers handling incoming email to verify that the sender's IP address isn't a known SPAM sender and that it isn't from a network that shouldn't be sending emails.
  • But DNSBL services can also be used by malware and botnets, such as TrickBot and Emotet, to verify that the public IP of a victim is allowed to send emails and that it hasn't already been blacklisted for sending SPAM. We have therefore decided to add DNSBL lookups to the Host Details section in NetworkMiner 2.7.3.
  • DNSBL lookups are also logged to the "Parameters" tab of NetworkMiner.
  • Additional Features and Updates:
  • We'd also like to mention some additional new features, bug fixes and improvements that have been included in this new release.
  • Support for HTTP CONNECT request method to extract artifacts like X.509 certificates and JA3 hashes from HTTPS traffic passing through a web proxy.
  • Traffic to TCP ports 3000 and 8000 is now configured to be parsed as HTTP by default in order to handle WEBrick traffic.
  • Improved extraction of SMTP credentials.
  • JA3 hashes were previously incorrect for clients that supported more than one EC point format (RFC 8422). This has now been fixed.
  • Support for SLL2 (Linux cooked capture v2) frames.
  • Improved handling of concurrent GUI events, for example when poking around in the "Hosts" tab while loading a PCAP file or doing live sniffing.
  • NetworkMiner's GUI no longer reloads between each PCAP file when multiple files are loaded at once.
  • New Features in NetworkMiner Professional:
  • We have also added a few new features exclusively to NetworkMiner Professional, which is the commercial version of NetworkMiner. Apart from the packet carver feature, mentioned earlier in this blog post, we've also updated the collection of OSINT lookup services available in the GUI. One of the newly added services is Ryan Benson's unfurl, which picks apart URLs to reveal data that might have been encoded into a complex URL. The unfurl lookup can be found by right-clicking a URL in NetworkMiner Professional's "Browsers" tab and selecting the "Lookup URL" sub menu.
  • Other OSINT services that we've added are FileScan.IO and JoeSandbox lookups of extracted files. These lookups can be performed by right-clicking a file in the "Files" tab and opening the sub-menu called "Lookup Hash".
  • The command-line version of NetworkMiner Professional, NetworkMinerCLI, has also been updated to allow extracted information to be printed directly on standard output instead of logging everything to files.
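The DNSBL lookup detection described above works on a simple convention: a client reverses the octets of the IP address it wants to check and prepends them to a blocklist zone, and an answer inside 127.0.0.0/8 means “listed” while NXDOMAIN means “not listed”. The following is an added example, not NetworkMiner's own implementation, that applies this rule to a constructed DNS query log and reports which client checked which address. The zone list is an assumption made up of a few well-known public DNSBLs; the page does not say which zones NetworkMiner recognises.

```python
import ipaddress

# Assumption: a short list of well-known public DNSBL zones. Extend as needed.
DNSBL_ZONES = (
    "zen.spamhaus.org",
    "bl.spamcop.net",
    "b.barracudacentral.org",
    "dnsbl.sorbs.net",
)


def parse_dnsbl_query(qname):
    """If qname is a DNSBL lookup (four reversed IPv4 octets followed by a
    known zone), return (zone, checked_ip); otherwise return None."""
    labels = qname.rstrip(".").lower().split(".")
    for zone in DNSBL_ZONES:
        zone_labels = zone.split(".")
        if len(labels) != len(zone_labels) + 4:
            continue
        if labels[-len(zone_labels):] != zone_labels:
            continue
        rev = labels[:4]
        if not all(octet.isdigit() and int(octet) <= 255 for octet in rev):
            continue
        return zone, ".".join(reversed(rev))
    return None


def interpret_dnsbl_answer(rcode, answers):
    """DNSBL convention: an A record in 127.0.0.0/8 means 'listed',
    NXDOMAIN means 'not listed'; anything else is reported as unknown."""
    if rcode == "NXDOMAIN":
        return "not listed"
    listed_range = ipaddress.ip_network("127.0.0.0/8")
    for answer in answers:
        if ipaddress.ip_address(answer) in listed_range:
            return "listed"
    return "unknown"


def find_dnsbl_lookups(dns_log):
    """Scan (client, qname, rcode, answers) records and report every DNSBL
    lookup together with the address that was checked and the verdict."""
    hits = []
    for client, qname, rcode, answers in dns_log:
        parsed = parse_dnsbl_query(qname)
        if parsed is None:
            continue
        zone, checked_ip = parsed
        hits.append({
            "client": client,
            "zone": zone,
            "checked_ip": checked_ip,
            "result": interpret_dnsbl_answer(rcode, answers),
        })
    return hits


# Constructed DNS log: one workstation checks its own public address
# (203.0.113.77, a TEST-NET-3 address) against two blocklists; the other
# records are ordinary lookups, including one that merely ends in a zone name.
SAMPLE_DNS_LOG = [
    ("192.168.1.23", "www.example.com", "NOERROR", ["198.51.100.20"]),
    ("192.168.1.23", "77.113.0.203.zen.spamhaus.org", "NOERROR", ["127.0.0.2"]),
    ("192.168.1.23", "77.113.0.203.bl.spamcop.net", "NXDOMAIN", []),
    ("192.168.1.23", "mail.zen.spamhaus.org", "NXDOMAIN", []),
    ("192.168.1.50", "update.example.net", "NOERROR", ["198.51.100.9"]),
]

if __name__ == "__main__":
    for hit in find_dnsbl_lookups(SAMPLE_DNS_LOG):
        print(hit)
```

On a workstation that is not a mail server, a DNSBL lookup of the host's own public address is exactly the behaviour the text attributes to TrickBot and Emotet, so the client field of each hit is the pivot worth following up.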

New in NetworkMiner 2.7.2.0 (Nov 15, 2021)

  • The ETL support is not the only new feature in NetworkMiner 2.7.2 though. We have also added support for the ERSPAN protocol. The FTP parser has also been improved to support additional commands, such as AUTH (RFC 2228).
  • We've also added a useful little feature to the context menu of the Parameters tab, which allows users to send extracted parameters to CyberChef (on gchq.github.io) for decoding.

New in NetworkMiner 2.7.0.0 (Jun 16, 2021)

  • Extracts print files from LPR,
  • parses DNS TXT and SRV records,
  • computes JA3S hashes etc.

New in NetworkMiner 2.5.0.0 (Nov 22, 2019)

  • Improving Passive TLS Analysis with JA3
  • HTTP/2 and DoH Support
  • Extracting Kerberos Hashes from PCAP
  • Even more NetBIOS and CIFS Artifacts
  • Mono 5 Required for Linux and MacOS

New in NetworkMiner 2.2.0.0 (Oct 27, 2017)

  • Faster parsing speed (x2) and CASE export

New in NetworkMiner 2.1.0.0 (Jan 15, 2017)

  • Better email parsing
  • Encapsulation protocols
  • PacketCache
  • HTTP partial content / range requests
  • SSL/TLS and X.509 certificates

New in NetworkMiner 1.6.0.0 (Jun 16, 2014)

  • Drag-and-Drop:
  • Reassembled files and images can be opened with external tools by drag-and-dropping items from NetworkMiner's Files or Images tabs onto your favorite editor or viewer.
  • Email extraction:
  • Improved extraction of emails and attachments sent over SMTP
  • DNS analysis:
  • Failed DNS lookups that result in NXDOMAIN and SERVFAIL are displayed in the DNS tab along with the flags in the DNS response
  • Live sniffing:
  • Improved live sniffing performance
  • PCAP-over-IP:
  • Remote live sniffing enabled by bringing the PCAP-over-IP feature into the free open source version of NetworkMiner

New in NetworkMiner 1.5.0.0 (Oct 25, 2013)

  • New features in the free and open source version of NetworkMiner:
  • Parser for PPPoE (RFC 2615)
  • Keywords can be loaded from text file (useful in investigations where you have lots of strings to search for)
  • Support for LLMNR DNS (RFC 4795) queries over UDP 5355

New in NetworkMiner 1.3.0.0 (Oct 25, 2013)

  • Extraction of user names from HTTP Digest Authentication (RFC 2617), such as those found in US Cyber Challenge “Cyber Quest February 2012”.
  • HTTP headers are shown on the Parameters tab (including common headers like “Host” and “User-Agent” as well as rare ones).
  • HTTP X headers are shown for hosts under the “Host Details” > “Extra Details” node. These X headers include “x-up-calling-line-id” and “HTTP_X_UP_CALLING_LINE_ID”, which can be used to identify the phone number of the mobile device used to access a web page. This type of information leakage can be detected with Collin Mulliner's MNO Privacy Checker.
  • Support for the Null / Loopback link layer packets that are written when sniffing localhost on BSD operating systems.
  • Ability to select a custom cleartext dictionary file for the "Cleartext" tab. This feature can be used in order to look for text in a specific language.
  • Files with “.raw” extension are now treated as pcap files since this is the extension used by Sguil (hat tip to Doug Burks for this idea).
  • The alert window about WinPcap not being installed has been removed.

New in NetworkMiner 1.2.0.0 (Oct 25, 2013)

  • NetworkMiner is now platform independent and can be run on Linux, Mac etc. with the help of Mono.
  • Better parsing of emails sent with SMTP.
  • Content extraction of emails sent with AOL webmail, as in “The L33t Pill” from the Network Forensics Puzzle Contest.
  • Content extraction from unencrypted SquirrelMail webmail posts.
  • Content extraction of comments sent to Wordpress and Blogspot blogs.
  • Support for GRE encapsulation.
  • Better handling of truncated pcap files that are cut in the middle of a frame.
  • Updated "Details" column in "Files" tab to display the HTTP host name as well as the URI from where the file was retrieved.

New in NetworkMiner 1.0.0.0 (May 9, 2011)

  • Support for Per-Packet Information header (WTAP_ENCAP_PPI) as used by Kismet and sometimes Wireshark WiFi sniffing.
  • Extraction of Facebook as well as Twitter messages into the Messages tab. Added support to extract emails sent with Microsoft Hotmail (i.e. Windows Live) into the Messages tab.
  • Extraction of Twitter passwords when settings are changed. Facebook user account names are also extracted (but not Facebook passwords).
  • Extraction of gmailchat parameter from cookies in order to identify users through their Google account logins.
  • Protocol parser for Syslog. Syslog messages are displayed on the Parameter tab.