TryHackMe: NetworkMiner Walkthrough (SOC Level 1)

Welcome to this walkthrough of the NetworkMiner Room on TryHackMe. In this room we get to learn how to use NetworkMiner to analyse recorded traffic files and practice network forensics activities.

NetworkMiner banner

https://tryhackme.com/r/room/networkminer

I am making these walkthroughs to keep myself motivated to learn cyber security, and ensure that I remember the knowledge gained by these challenges on HTB and THM. Join me on learning cyber security. I will try and explain concepts as I go, to differentiate myself from other walkthroughs.

Now, let’s move on!


Task 1: Room Introduction

NetworkMiner is an open-source Network Forensic Analysis Tool (NFAT) designed for Windows but also compatible with Linux, macOS, and FreeBSD. It functions as a passive network sniffer and a PCAP analyzer, allowing users to extract artifacts like operating systems, sessions, hostnames, and open ports without generating network traffic. Additionally, it can reassemble transmitted files and certificates from captured traffic.

Since its release in 2007, NetworkMiner has become a widely used tool among incident response teams and law enforcement due to its intuitive interface, which simplifies network traffic analysis.

This training room focuses on network forensics using NetworkMiner. It requires basic Linux familiarity and an understanding of network fundamentals, such as ports, protocols, and traffic analysis. Completing the “Network Fundamentals” path is recommended before starting. The room provides an overview of network forensics and practical experience in analyzing captured traffic.

Open the tool folder and double click on the .exe file to start NetworkMiner.

Jasper’s note: Wait!? Doesn’t that start a bit like Snort which we just learned about?

I thought so myself when first hearing about NetworkMiner, just after learning Snort. The differences are as follows:

  • NetworkMiner is passive, capturing traffic to analyze later, while Snort is active, analyzing traffic in real-time to identify and alert on potential threats.
  • NetworkMiner is geared more toward network forensics and post-event analysis, whereas Snort is focused on intrusion detection and real-time threat prevention.
  • Data Handling: NetworkMiner excels in parsing PCAP files and reconstructing sessions and files, while Snort focuses on matching traffic against known attack signatures and behaviors.
  • Usage Context: NetworkMiner is used by incident responders and forensic investigators for detailed analysis of captured network data, while Snort is typically used by security teams for ongoing monitoring and active defense.

In short, NetworkMiner is for investigating past network traffic, while Snort is for real-time detection of malicious activity on the network.
I hope that clears some things up for you before we move on.

Questions

Read the task above.

Answer: No answer needed


Task 2: Introduction to Network Forensics

This task introduces network forensics. I will summarize the theory here:

Introduction to Network Forensics

Network forensics focuses on investigating network traffic to detect security breaches, ensure compliance, and analyze system behavior. It involves capturing and analyzing packets to reconstruct events and identify threats. Investigations seek to answer key questions: Who (source IP), What (data), Where (destination IP), When (timestamp), and Why (cause of the event).

Use Cases

  • Network Discovery: Identifies connected devices and network load.
  • Packet Reassembly: Reconstructs packet flows, useful for analyzing unencrypted traffic.
  • Data Leakage Detection: Monitors traffic patterns to detect abnormal data transfers.
  • Threat Detection: Analyzes ports, addresses, and data flows to identify malicious activities.
  • Compliance Monitoring: Ensures adherence to security policies and regulations.

Advantages of Network Forensics

  • Easy evidence collection without creating network noise.
  • Network traffic is harder to destroy compared to logs.
  • Can detect memory-resident threats that don’t leave disk traces.
  • Logs provide additional context for investigation.

Challenges of Network Forensics

  • Limited data capture: Continuous full-packet logging is impractical due to storage constraints.
  • Encrypted traffic: Limits visibility into packet contents.
  • GDPR and privacy concerns: Recording traffic must comply with regulations.
  • Nonstandard port usage: Attackers may evade detection by using uncommon ports.
  • Time zone inconsistencies: Correlating events across different time zones is difficult.
  • Log tampering: Attackers may erase logs to cover tracks.

Sources of Network Evidence

  • Network devices: Firewalls, routers, switches, DHCP servers, and authentication servers.
  • Traffic monitoring points: TAPS, SPAN ports, inline devices, hubs.
  • Log sources: IDS/IPS, OS logs, web proxies, and central log servers.

Primary Goals of Network Forensics

  • Security Operations (SOC): Routine monitoring of system performance and security events.
  • Incident Response & Threat Hunting: Investigating security incidents and detecting malicious activities.

Data Types

  • Live Traffic: Real-time monitoring of network activity.
  • Packet Captures (PCAP): Full-packet and network flow captures for post-event analysis.
  • Log Files: Data from network and security devices.

NetworkMiner helps investigate packet captures and live traffic but is not designed for continuous long-term monitoring. It is primarily used for analyzing limited amounts of traffic to identify hosts, sessions, files, and other artifacts. More advanced packet analysis is covered in other topics.

Questions

Read the task above

Answer: No answer needed


Task 3: What is NetworkMiner?

NetworkMiner is a Network Forensic Analysis Tool (NFAT) that offers several features primarily focused on offline analysis and quick insights into network traffic.

Key Capabilities:

  • Traffic Sniffing: It can intercept and log network traffic. However, it is not as reliable or robust as dedicated sniffers like Wireshark or tcpdump, especially in real-time sniffing.
  • Parsing PCAP Files: NetworkMiner can analyze packet capture (PCAP) files and display detailed information from the traffic.
  • Protocol Analysis: The tool can identify which protocols are used in the traffic, although it doesn’t provide the in-depth protocol analysis found in other tools like Wireshark.
  • OS Fingerprinting: It can attempt to identify the operating systems of devices in the network using methods like Satori and p0f.
  • File Extraction: NetworkMiner can extract files such as images, emails, HTML files, and other content directly from the traffic, making it a useful tool for forensics.
  • Credential Grabbing: The tool can identify and extract plaintext credentials found in the traffic (e.g., HTTP, FTP, or other protocols with weak encryption).
  • Cleartext Keyword Parsing: It can extract and highlight cleartext keywords or strings, helping identify unencrypted sensitive data.

Operating Modes:

  1. Sniffer Mode: While NetworkMiner does have sniffing capabilities, it is not meant to be a primary sniffing tool. It works on Windows for sniffing, but the feature is less reliable compared to other sniffers like Wireshark and tcpdump. It is mainly designed for forensic analysis.
  2. Packet Parsing/Processing: This mode allows NetworkMiner to quickly parse and process packet captures (PCAPs) to give an overview of the traffic, helping investigators identify immediate insights before diving deeper.

Pros and Cons:

Pros:

  • OS Fingerprinting: NetworkMiner is good at identifying the operating systems of devices within the network.
  • Easy File Extraction: Simplifies extracting files such as images, emails, and documents from captured traffic.
  • Credential Grabbing: Can identify and extract sensitive data like usernames and passwords transmitted in plaintext.
  • Cleartext Keyword Parsing: Helps quickly spot sensitive or relevant strings in the captured traffic.

Cons:

  • Not Useful for Active Sniffing: While it has a sniffing feature, it is not as effective for live traffic monitoring or sniffing.
  • Not Ideal for Large PCAP Investigations: NetworkMiner may not be the best tool for handling very large PCAP files due to its limited filtering and processing capabilities.
  • Limited Filtering: Compared to other tools, the filtering options in NetworkMiner are somewhat basic, which can be a limitation in more complex investigations.
  • Not Built for Manual Traffic Investigation: NetworkMiner offers an overview of traffic but lacks detailed tools for manual traffic investigation, such as those found in Wireshark.

Differences Between NetworkMiner and Wireshark:

Feature                     | NetworkMiner                                         | Wireshark
----------------------------|------------------------------------------------------|-----------------------------------------------------
Purpose                     | Quick overview, traffic mapping, and data extraction | In-depth analysis and detailed protocol analysis
GUI                         |                                                      |
Sniffing                    |                                                      |
Handling PCAPs              |                                                      |
OS Fingerprinting           |                                                      |
Parameter/Keyword Discovery |                                                      | Manual (can be done in Wireshark, but not automated)
Credential Discovery        |                                                      |
File Extraction             |                                                      |
Filtering Options           | Limited                                              |
Packet Decoding             | Limited                                              |
Protocol Analysis           |                                                      |
Payload Analysis            |                                                      |
Statistical Analysis        |                                                      |
Cross-Platform Support      |                                                      |
Host Categorization         |                                                      |
Ease of Management          |                                                      |

When to use which

  • Use NetworkMiner for a Quick Overview: NetworkMiner is ideal for quickly parsing and mapping out the traffic in PCAP files, identifying potential artifacts like OS types, credentials, and files.
  • Use Wireshark for In-Depth Analysis: After using NetworkMiner for an initial overview, it’s best to use Wireshark for deep packet-level analysis, protocol analysis, and more detailed filtering and decoding.

In summary, NetworkMiner is a great tool for post-capture analysis and for gaining quick insights into a network’s traffic, but for deeper and more granular investigation, tools like Wireshark are preferred.

Questions

Read the task above

Answer: No answer needed


Task 4: Tool Overview 1

When you open NetworkMiner, the first screen you encounter is the landing page, where you can begin the investigation process.
Here you will have access to the following menus:

The File Menu provides options for loading PCAP files or receiving PCAP over IP:

  • You can load PCAP files manually, drag and drop them into the interface, or receive them via IP (although this is not emphasized in this room’s tasks).
  • For basic investigations, the File Menu will allow you to import the data and begin your analysis quickly.

The Tools Menu helps in clearing the data or resetting the dashboard:

  • It enables the user to remove any captured data, effectively giving you a fresh start or the option to reset your investigation at any point.

The Help Menu offers information regarding:

  • Updates to the software.
  • The current version of NetworkMiner in use, ensuring you stay informed about your tool’s capabilities.

The Case Panel organizes the PCAP files you’ve loaded:

  • PCAP List: Shows the files that are currently being investigated.
  • Actions: You can reload, refresh, or remove files as needed.
  • Metadata View: Access detailed metadata of loaded files to help guide your investigation.

The Hosts Menu identifies all hosts involved in the captured traffic:

  • Host Information includes:
    • IP Address
    • MAC Address
    • OS Type (via Satori and p0f)
    • Open Ports
    • Sent/Received Packets
    • Sessions: Incoming/Outgoing
  • OS Fingerprinting uses Satori and p0f to analyze the OS of hosts.
  • You can sort and color-code hosts for easier identification. Some advanced features, like OSINT lookup, are available only in the Premium version.
  • The right-click menu provides the ability to copy values.

The Sessions Menu lists detected sessions in the traffic capture:

  • Provides details on:
    • Frame Number
    • Client/Server Address
    • Source/Destination Port
    • Protocol
    • Start Time
  • Use the filter bar to search for specific keywords within the frames, making it easier to find specific sessions.

The DNS Menu displays DNS queries within the capture:

  • Key details include:
    • Frame Number
    • Timestamp
    • Client/Server Information
    • Source/Destination Port
    • TTL (Time to Live)
    • DNS Query & Answer
    • Transaction ID and Type
  • Alexa Top 1M feature (available in Premium) helps to cross-reference with popular domain names.
  • The search bar allows you to filter DNS queries effectively.

The Credentials Menu is dedicated to extracting credentials and password hashes from captured data:

  • Types of Extracted Credentials:
    • Kerberos Hashes
    • NTLM Hashes
    • RDP Cookies
    • HTTP Cookies
    • HTTP Requests
    • IMAP/FTP/SMTP/MS SQL Credentials
  • You can use tools like Hashcat and John the Ripper (from GitHub) to attempt to decrypt these credentials.

Questions

Use mx-3.pcap. What is the total number of frames?

Alright, let’s start getting some practice with NetworkMiner. I am excited, are you?

Start up NetworkMiner 2.7.2 from its directory on the Desktop (double click NetworkMiner.exe).

Start by loading up mx-3.pcap. Press File > Open and find the exercise files folder on the Desktop. Select mx-3.pcap.

Opening mx-3 pcap

Now the file is loaded. Proceed by right-clicking on the mx-3.pcap case in the case panel on the right side of your screen. Press Show Metadata.

Showing metadata

A window will open which, among other data, shows the total number of frames (460).

Answer: 460

How many IP addresses use the same MAC address with host 145.253.2.203?

This one is quite easy. Look in the Hosts menu and you should see an entry for IP address 145.253.2.203.

Open it up and you should see information on its MAC address, which is FEFF20000100. This entry also has a dropdown, and when you open it you should see the IP addresses which share the same MAC. These IP addresses therefore originate from the same machine.

There are two other IPs which use the same MAC.

Same MAC address

Answer: 2

How many packets were sent from host 65.208.228.223?

This question relates to the first of the two IP addresses which we found in the previous question.

If you click on this entry, NetworkMiner will automatically select the matching entry in the main list of hosts (the Linux host at the top).
Open the dropdown and you will see more information on the host, as before.

One of the types of data we can see is the total of packets sent, in this case 72.

72 packets sent from the host

Answer: 72

What is the name of the webserver banner under host 65.208.228.223?

Another easy one. Simply open the Host Details dropdown.

Apache webserver banner

Here you can read that the webserver banner is Apache.

Answer: Apache

Use mx-4.pcap

What is the extracted username?

Time to open mx-4.pcap.

This time open up the Credentials Menu.

Extracted credentials

Here you can straight away see the extracted username in the fourth column: #B\Administrator.

Answer: #B\Administrator

What is the extracted password?

The password is also on the previous screenshot. We have to input the NTLM hash here, which is the information on the second row.

If you, like me, wondered why there are two rows, the explanation is that both rows basically show the same information.

The main difference between the two formats is how the information is structured.

The first row outputs verbose NTLM Authentication details. It includes the NTLM challenge, LAN Manager (LM) response, and NTLM response separately.
It provides more details explicitly, including each component of the NTLM authentication handshake.
Useful for understanding how the authentication process is structured but not directly used for cracking.

The second row is the $NETNTLMv2$ hash format used by password cracking tools such as Hashcat and John the Ripper. It drops the labels (“NTLM Challenge:”, “LAN Manager Response:”) and restructures the same information into a single line that follows this pattern:

$NETNTLMv2$<username>$<server challenge>$<NTLMv2 response>

where the NTLMv2 response is the 16-byte NTProofStr followed, after one more $, by the client challenge blob (the long string starting with 0101 in the answer below).

Anyway, we got the answer on the second row!

Answer: $NETNTLMv2$#B$136B077D942D9A63$FBFF3C253926907AAAAD670A9037F2A5$01010000000000000094D71AE38CD60170A8D571127AE49E00000000020004003300420001001E003000310035003600360053002D00570049004E00310036002D004900520004001E0074006800720065006500620065006500730063006F002E0063006F006D0003003E003000310035003600360073002D00770069006E00310036002D00690072002E0074006800720065006500620065006500730063006F002E0063006F006D0005001E0074006800720065006500620065006500730063006F002E0063006F006D00070008000094D71AE38CD601060004000200000008003000300000000000000000000000003000009050B30CECBEBD73F501D6A2B88286851A6E84DDFAE1211D512A6A5A72594D340A001000000000000000000000000000000000000900220063006900660073002F003100370032002E00310036002E00360036002E0033003600000000000000000000000000


Task 5: Tool Overview 2

Some more menus and panels to discuss:

The Files Menu displays extracted files from PCAPs and provides the following details:

  • Frame Number
  • Filename
  • Extension
  • Size
  • Source & Destination Address
  • Source & Destination Port
  • Protocol
  • Timestamp
  • Reconstructed Path
  • Details

The Images Menu focuses on extracted images from the investigated PCAPs.

Right-Click Menu allows:

  • Opening image files
  • Zooming in & out for better analysis

Hovering over an image reveals:

  • Source & Destination Addresses
  • File Path
  • Other file details

The Parameters Menu lists extracted parameters from PCAP files, including:

  • Parameter Name
  • Parameter Value
  • Frame Number
  • Source & Destination Host
  • Source & Destination Port
  • Timestamp
  • Details

The Keywords Menu allows filtering extracted keywords from processed PCAPs.

Data Displayed:

  • Frame Number
  • Timestamp
  • Keyword
  • Context
  • Source & Destination Host
  • Source & Destination Port

The Messages Menu extracts and displays emails, chats, and messages from PCAPs.

Data Displayed:

  • Frame Number
  • Source & Destination Host
  • Protocol
  • Sender (From)
  • Receiver (To)
  • Timestamp
  • Size

Finally, the Anomalies Menu lists detected anomalies in the processed PCAP.

Questions

Use mx-7.pcap. What is the name of the Linux distro mentioned in the file associated with frame 63075?

You should know the drill by now. Press File > Open and select the mx-7.pcap file in the Exercise Files folder on the Desktop.

This pcap file is quite a bit larger than the previous ones, so it might take 1-2 minutes to load.

pcap 7 file

Now we have to look at the file associated with frame number 63075. Select the Files menu in the top, and find frame number 63075.

Frame 63075 contents

If you look at its details you can find that the name of the Linux distro is CentOS.

Answer: CentOS

What is the header of the page associated with frame 75942?

Same as before. Find the frame #75942, still in the Files menu.

Frame 75942 header in contents

The <h1> tag contents are Password-Ned AB.

Answer: Password-Ned AB

What is the source address of the image “ads.bmp.2E5F0FD9.bmp”?

We are talking about images now, so time to look at the Images menu.

I had trouble finding it, but it actually is the last one in the large list of images. To see the required information, all we have to do is hover over the image:

File Source IP

The source IP is right there on the first line: 80.239.178.187

Answer: 80.239.178.187

What is the frame number of the possible TLS anomaly?

Anomalies can be seen on the Anomalies Menu.

Open this menu and you will see 2? anomalies.

Anomalies menu

I picked the first one (36255) and it was accepted.

Answer: 36255

Use mx-9 file. Look at the messages. Which platform sent a password reset email?

This sounds like something we can answer with the Messages menu.

The only password related email I could find was from Facebook:

Password email

Answer: Facebook

What is the email address of Branson Matheson?

The answer to this question can also be found in the Messages menu.

The mail address is found on lines 5 and 6: Branson@sandsite.org

Email address of Branson

Answer: Branson@sandsite.org


Task 6: Version Differences

This task goes into the differences between versions 1.6 and 2.7 of NetworkMiner, and is otherwise pretty boring. Here are the key differences:

  • MAC Address Processing (v2.0+):
    • Available in v2.7 and later.
    • Helps detect MAC address conflicts.
  • Sent/Received Packet Processing (v1.6 and earlier):
    • More detailed packet analysis.
    • Removed in v2.0+.
  • Frame Processing (v1.6 and earlier):
    • Provides frame count & details.
    • Removed in v2.0+.
  • Parameter Processing (v2.0+):
    • Improved parameter extraction.
    • v1.6 catches fewer parameters.
  • Cleartext Processing (v1.6 and earlier):
    • Extracts cleartext data in a single tab.
    • Cannot match cleartext data with packets.
    • Removed in v2.0+.

Questions

Which version can detect duplicate MAC addresses?

NetworkMiner 2.0 and later can process MAC address-specific correlation, as shown in the picture below. This option helps you identify MAC address conflicts. Since we are comparing versions 1.6 and 2.7, the answer must be 2.7.

Answer: 2.7

Which version can handle frames?

Frame processing was removed in version 2, so the answer is 1.6.

Answer: 1.6

Which version can provide more details on packet details?

More extensive packet details were also removed in version 2, so the answer is again 1.6.

Answer: 1.6


Task 7: Exercises

You’ve learned what NetworkMiner is and how to use it. Let’s put this into practice!

Questions

Use case1.pcap. What is the OS name of the host 131.151.37.122?

Go ahead and open case1.pcap (File > Open). I will use NetworkMiner 2.7.2 for these first questions. Stay on the Hosts menu.

OS name of host

You should see the right IP address in the list. Open the dropdown and underneath OS: Windows you should see the answer: Windows – Windows NT 4.

Answer: Windows – Windows NT 4

Investigate the hosts 131.151.37.122 and 131.151.32.91.
How many data bytes were received from host 131.151.32.91 to host 131.151.37.122 through port 1065?

This one is a bit more difficult to find, but still doable.

Find the receiving host (131.151.37.122) and underneath Incoming sessions, you can find that it has received 192 data bytes.
Alternatively, you can look under the sending host (131.151.32.91) and underneath Outgoing sessions, where you will find that it has sent 192 data bytes to the other host.

Bytes sent between hosts

Answer: 192

Investigate the hosts 131.151.37.122 and 131.151.32.21.
How many data bytes were received from host 131.151.37.122 to host 131.151.32.21 through port 143?

To be honest, this question really confused me. The question asks about data received by the 131.151.32.21 host, but the right answer is to be found underneath that host's session information, and then under Outgoing sessions. This does not make sense to me, as it should be an incoming question.

Data received by 131.151.32.21

I am not sure if this is a mistake or if I misunderstand the question. Anyway, we got the answer: 20769 bytes.

Answer: 20769

What is the sequence number of frame 9?

We need to look at frames, and therefore we need to switch to NetworkMiner 1.6.1 *sigh*.

Go to the Frames menu and find frame 9.

Frame 9 information

The sequence number is part of the TCP header. TCP uses sequence numbers to keep track of the bytes sent and received in each direction: the initial sequence number (ISN) is chosen randomly when the connection is set up, and the sequence number then advances by one for every byte of data sent, which lets the receiver put segments back in order and spot missing ones.

Anyway, the answer is there: 2AD77400.

Answer: 2AD77400
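As an added example (my own Python, not part of the room or of NetworkMiner), the script below reproduces the two kinds of numbers these last questions asked for, the data bytes exchanged in each direction of a TCP session and a frame's sequence number in the hex form NetworkMiner 1.6 shows, by parsing a pcap by hand. It builds a constructed four-frame IMAP exchange in memory (the hosts 10.0.0.5 and 10.0.0.9, the ports and the sequence numbers are made up), so it runs without any of the room's capture files.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4        # little-endian pcap with microsecond timestamps
LINKTYPE_ETHERNET = 1


def ip_to_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def bytes_to_ip(raw):
    return ".".join(str(b) for b in raw)


def build_frame(src_ip, sport, dst_ip, dport, seq, flags, payload=b""):
    """Build a minimal Ethernet/IPv4/TCP frame (constructed test data).
    Checksums are left at zero; the parser below does not verify them."""
    eth = bytes.fromhex("020000000002020000000001") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap raw frames in a pcap file image (global header + per-record headers)."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1_600_000_000 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def parse_tcp(raw):
    """Return the TCP fields the Hosts/Sessions views are built from, or None if not IPv4/TCP."""
    if len(raw) < 54 or raw[12:14] != b"\x08\x00" or raw[23] != 6:
        return None
    ihl = (raw[14] & 0x0F) * 4
    total_len, = struct.unpack_from("!H", raw, 16)
    t = 14 + ihl
    sport, dport, seq = struct.unpack_from("!HHI", raw, t)
    doff = (raw[t + 12] >> 4) * 4
    return {"src": bytes_to_ip(raw[26:30]), "sport": sport,
            "dst": bytes_to_ip(raw[30:34]), "dport": dport, "seq": seq,
            # "data bytes" = TCP payload only; the IP total length excludes Ethernet padding
            "payload": total_len - ihl - doff}


def parse_pcap(data):
    magic, = struct.unpack_from("<I", data, 0)
    linktype, = struct.unpack_from("<I", data, 20)
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("only little-endian Ethernet pcap is handled here")
    frames, offset, number = [], 24, 0
    while offset + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, offset)
        offset += 16
        number += 1                 # frame numbers count from 1, as in NetworkMiner
        tcp = parse_tcp(data[offset:offset + incl_len])
        offset += incl_len
        if tcp:
            tcp["frame"] = number
            frames.append(tcp)
    return frames


def payload_bytes(frames, src, dst, dport):
    """Data bytes that `dst` received from `src` on port `dport`."""
    return sum(f["payload"] for f in frames
               if f["src"] == src and f["dst"] == dst and f["dport"] == dport)


def sessions(frames):
    """Group frames into sessions keyed by (client, cport, server, sport);
    the client is whoever sent the first frame, as in NetworkMiner's session lists."""
    result = {}
    for f in frames:
        fwd = (f["src"], f["sport"], f["dst"], f["dport"])
        rev = (f["dst"], f["dport"], f["src"], f["sport"])
        if fwd in result:
            result[fwd]["client_to_server"] += f["payload"]
        elif rev in result:
            result[rev]["server_to_client"] += f["payload"]
        else:
            result[fwd] = {"client_to_server": f["payload"], "server_to_client": 0}
    return result


def tcp_seq_hex(frames, frame_no):
    """Sequence number of a frame, in the 8-digit hex NetworkMiner 1.6 displays."""
    for f in frames:
        if f["frame"] == frame_no:
            return f"{f['seq']:08X}"
    raise KeyError(f"frame {frame_no} is not a TCP frame in this capture")


# Constructed IMAP exchange: client 10.0.0.5:1065 talking to server 10.0.0.9:143.
CLIENT, SERVER = "10.0.0.5", "10.0.0.9"
SAMPLE_PCAP = build_pcap([
    build_frame(CLIENT, 1065, SERVER, 143, 0x1A2B3C4D, 0x02),                           # SYN, no data
    build_frame(SERVER, 143, CLIENT, 1065, 0x00000001, 0x18, b"* OK IMAP4rev1 server ready\r\n"),   # 29 bytes
    build_frame(CLIENT, 1065, SERVER, 143, 0x1A2B3C4E, 0x18, b"a001 CAPABILITY\r\n"),             # 17 bytes
    build_frame(SERVER, 143, CLIENT, 1065, 0x0000001E, 0x18, b"* CAPABILITY IMAP4rev1\r\na001 OK\r\n"),  # 33 bytes
])

if __name__ == "__main__":
    frames = parse_pcap(SAMPLE_PCAP)
    for key, counts in sessions(frames).items():
        print(key, counts)
    print("data bytes received by", CLIENT, "from", SERVER, "on port 1065:",
          payload_bytes(frames, SERVER, CLIENT, 1065))
    print("frame 1 sequence number:", tcp_seq_hex(frames, 1))
```

Data bytes means TCP payload only: IP and TCP headers and any Ethernet padding are not counted, which is why the SYN contributes nothing. The session table is keyed by whoever sent the first frame, so the bytes one host received from the other appear under the sender's Outgoing session and the receiver's Incoming session; they are the same total seen from two sides, which is what makes the port 143 question above read oddly.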

What is the number of the detected “content types”?

We need to use the Parameters menu here, which is empty in version 1.6.1. So back to version 2.7.2 we go.

Simply look for the parameter name Content-Type. You can use the Filter keyword input if you want.

Number of detected content types

They are interested in the number of unique content types, which are: text/plain and multipart/mixed. So the number is 2.

Answer: 2

Use case2.pcap. Investigate the files. What is the USB product’s brand name?

Go ahead and load case2.pcap.

USB product’s brand name…hmm. This requires more analysis I guess. Let’s have a look around.

I quickly found a lead inside the Images menu. There is an image of a USB key in the fourth row. Looking at the image does not show a brand, but NetworkMiner has reconstructed the source domain, which includes the brand name: www.asix.com.tw.

USB key

Answer: ASIX

What is the name of the phone model?

I guess we should keep looking for images to find our phone. And I had to keep looking for a while, since I had trouble finding it! But there is a Lumia 535 image out there:

Lumia 535 image

This is the answer. Phew.

Answer: Lumia 535

What is the source IP of the fish image?

This one is easier to tackle. HA!

Go to the File Menu and search for fish. The following result should show up:

Searching for fishes in the Files Menu

Just to be sure, right click the row, and select Open file.

Seems right! The source IP is on the search result, 5th column.

Answer: 50.22.95.9

What is the password of the “homer.pwned.se@gmx.com”?

We are nearly done, hold on!

This one was VERY easy. Go into the Credentials menu. It has 312 credentials, but only one has a value in the Password field: homer.pwned.se@gmx.com.

Found the password

His password is spring2015.

Answer: spring2015

What is the DNS Query of frame 62001?

Since this is a question about DNS, let's open the DNS window.

We can filter on frame 62001, and you should see some results. In one of the columns you can find the answer: pop.gmx.com.

DNS query for frame

Answer: pop.gmx.com


Task 8: Conclusion

Congratulations! You just finished the NetworkMiner room. 

In this room, we covered NetworkMiner: what it is, how it operates, and how to investigate pcap files. As I mentioned in the tasks before, there are a few things to remember about NetworkMiner:

  • Don’t use this tool as a primary sniffer.
  • Use this tool to overview the traffic, then move forward with Wireshark and tcpdump for a more in-depth investigation.

If you like this content, make sure you visit the following rooms later on THM;

Questions

Read the task above.

Answer: No answer needed.


Congratulations on completing Network Miner!!!

Congratulations on completing NetworkMiner

Congratulations on finishing this walkthrough of the TryHackMe NetworkMiner room. I think it was a good introduction to the program, and it does help a lot with getting more valuable data from your network traffic processed into “boxes”.
I was overall not very impressed with the software, and it seems a bit old fashioned. But I guess it makes for a great quick overview of the data before diving in with other software.

Come back soon for more walkthroughs of rooms on TryHackMe and HackTheBox, and other Cybersecurity discussions.


Like my articles?

You are welcome to comment on this post, or share my post with friends.
I would be even more grateful if you support me by buying me a cup of coffee:

Buy me a coffee

I learned a lot through HackTheBox’s Academy. If you want to sign up, you can get extra cubes, and support me in the process, if you use the following link:

https://referral.hackthebox.com/mzwwXlg
