TryHackMe | NetworkMiner https://medium.

com/@huglertomgaw/tryhackme-networkminer-
ab7849eca0f0

Open in app

Home
Following

Library
Stories
Stats
Get unlimited access to the best of Medium for less than $1/week.
Become a member

TryHackMe | NetworkMiner — Write-

up

igor_sec
·

Follow
7 min read
 ·
Jul 19, 2023

Listen

Share

More

Learn how to use NetworkMiner to analyse recorded traffic

files and practice network forensics activities.

NetworkMiner is an open-source traffic sniffer, pcap

handler and protocol analyser. Developed and still
maintained by Netresec.

The official description;

“NetworkMiner is an open source Network Forensic

Analysis Tool (NFAT) for Windows (but also works in Linux /
Mac OS X / FreeBSD). NetworkMiner can be used as a
passive network sniffer/packet capturing tool to detect
operating systems, sessions, hostnames, open ports etc.
without putting any traffic on the network. NetworkMiner
can also parse PCAP files for off-line analysis and to
regenerate/reassemble transmitted files and certificates
from PCAP files.

NetworkMiner makes it easy to perform advanced Network

Traffic Analysis (NTA) by providing extracted artefacts in
an intuitive user interface. The way data is presented not
 only makes the analysis simpler, it also saves valuable time
for the analyst or forensic investigator.

NetworkMiner has, since the first release in 2007, become

a popular tool among incident response teams as well as
law enforcement. NetworkMiner is today used by
companies and organizations all over the world.”

For this room, you will be expected to have basic Linux

familiarity and Network fundamentals (ports, protocols and
traffic data). We suggest completing the “Network
Fundamentals” path before starting working in this room.

Tip: If you have loaded multiple pcap files, they will be merged
by NetworkMiner. If they are not related to each other, make
sure to remove the previously loaded pcap file/s and reload the
pcap file you want to analyze.

The image below is for loading one pcap file.

The following image is the result when two pcap files are
loaded
 To remove a pcap file, go to “Case Panel’, select and right-
click the file that we want to remove, in this example,
“case1.pcap”. Select “Remove selected files and Reload
Case Files”.

This would remove “case1.pcap” file and will reload

“case2.pcap” file as seen in the image below.

Task 4: Tool Overview 1

Answer the questions below

Use mx-3.pcap

What is the total number of frames?

Answer: 460

Use the “2.7.2” version of NetworkMiner. Go to the “Case

Panel” and right-click on the loaded pcap file. Select “Show
Metadata”.
How many IP addresses use the same MAC address
with host 145.253.2.203?

Answer: 2

Use the “2.7.2” version of NetworkMiner. “Under the

“Hosts” menu, expand the IP addresses. One of the IP
addresses has two IP addresses that use the same MAC
address.

How many packets were sent from host

65.208.228.223?

Answer: 72

Both version would show the information.

What is the name of the webserver banner under host
65.208.228.223?

Answer: Apache

Both versions show the information.

Use mx-4.pcap

What is the extracted username?

Answer: #B\Administrator

Version 1.6.1 did not grab any credentials.

What is the extracted password?

Answer:
$NETNTLMv2$#B$136B077D942D9A63$FBFF3C2539
26907AAAAD670A9037F2A5$01010000000000000094
D71AE38CD60170A8D571127AE49E00000000020004
003300420001001E003000310035003600360053002
D00570049004E00310036002D004900520004001E00
74006800720065006500620065006500730063006F00
2E0063006F006D0003003E003000310035003600360
073002D00770069006E00310036002D00690072002E
0074006800720065006500620065006500730063006F
002E0063006F006D0005001E0074006800720065006
500620065006500730063006F002E0063006F006D00
070008000094D71AE38CD6010600040002000000080
03000300000000000000000000000003000009050B30
CECBEBD73F501D6A2B88286851A6E84DDFAE1211D
512A6A5A72594D340A0010000000000000000000000
00000000000000900220063006900660073002F00310
0370032002E00310036002E00360036002E00330036
00000000000000000000000000
 Same as the previous question. Only version 2.7.2 is able to
grab credentials.

Task 5: Tool Overview 2

Note: Version 2.7.2 was used to answer the questions in

this task.

Answer the questions below

Use mx-7 pcap

What is the name of the Linux distro mentioned in the

file associated with frame 63075?

Answer: centos

Let’s go to “Files” menu and filter with keywords “63075”,

selecting “ExactPhrase”, and for the column, “Frame nr.”

What is the header of the page associated with frame

75942?

Answer: Password-Ned AB
Same method as the above, except changing the keyword
with the frame number being filtered. Open the file to see
the header of the page.

What is the source address of the image

“ads.bmp.2E5F0FD9.bmp”?

Answer: 80.239.178.187

Same method as the above, except changing the keyword

with the file name.
What is the frame number of the possible TLS
anomaly?

Answer: 36255

Go to “Anomalies” menu. Two frame numbers are identified.

Select the first one.

Use mx-9 file

Look at the messages. Which platform sent a

password reset email?

Answer: facebook

Select the second message and browse through the

information about the message. Although the answer is
“facebook”, I am not quite sure if the content of the
message has something to do with resetting a password.
What is the email address of Branson Matheson?

Answer: [email protected]
 We can see the email address of “Branson Matheson” from
the first image in the previous question.

Task 6: Version Differences

Answer the questions below

Which version can detect duplicate MAC addresses?

Answer: 2.7

From the image provided to us, it is noticeable that version

2.7 is able to identify conflict of MAC address, as also
observed in Task 4.
Which version can handle frames?

Answer: 1.6

It is pretty evident in the image provided, that version 2.7.1

does not handle frames.
Which version can provide more details on packet
details?

Answer: 1.6

Versions after 1.6 do not provide more details on packet

details.
Task 7: Exercises

You’ve learned what NetworkMiner is and how to use

it. Let’s put this into practice!

Answer the questions below

Use case1.pcap

What is the OS name of the host 131.151.37.122?

Answer: Windows — Windows NT 4

Go to “Hosts” menu and scroll down to the IP address.

Investigate the hosts 131.151.37.122 and

131.151.32.91.

How many data bytes were received from host

131.151.32.91 to host 131.151.37.122 through port
1065?

Answer: 192

Expand “Incoming Sessions” and select the port number

that we are interested in.
How many data bytes were received from host
131.151.37.122 to host 131.151.32.21 through port
143?

Answer: 20769

Expand the port number that we are investigating.

Note: So far, I have been using version 2.7.2 to answer the

questions above.

What is the sequence number of frame 9?

Answer: 2AD77400

For this question, use version 1.6.1. As learned previously,

versions above 1.6 does not handle frames.
What is the number of the detected “content types”?

Answer: 2

Use version 2.7.2 for this question. Go to “Paremeters”

menu, type in “content-type” as our filter keyword and then
select “Parameter name” for the column. There are two
types of “Content-Types” as seen in the “Parameter value”
column.
Use case2.pcap

Investigate the files.

Note: Version 2.7.2 was used to investigate the pcap file.

What is the USB product’s brand name?

Answer: asix

Go to “Files” menu and type in “usb” as our filter keyword,

and select “Filename” for the column.

What is the name of the phone model?

Answer: Lumia 535

Go to “Images” menu and scroll until an image of a phone

with a selfie photo appears. The model name is found in the
filename itself.

What is the source IP of the fish image?

Answer: 50.22.95.9

Go to “Files” menu and type in “fish” as the filter keyword

and select “Filename” column.
What is the password of the
“[email protected]”?

Answer: spring2015

The “Credentials” menu is where captured credentials are

stored.

What is the DNS Query of frame 62001?

Answer: pop.gmx.com

Let’s go to “DNS” menu and we will filter the DNS query by

using the frame number as the keyword.

Thanks for reading. :-)

 Happy learning.
6

Tryhackme

Ctf Writeup

Cybersecurity

Learning

Ctf

Follow

Written by igor_sec

396 Followers

11 Following
 No responses yet

To respond to this story,

get the free Medium app.

Open in app

More from igor_sec

igor_sec

TryHackMe |Wireshark: The Basics

Learn the basics of Wireshark and how to analyse protocols and PCAPs.
Jun 23, 2023
85
4

igor_sec

Snort | TryHackMe — Write-up

SNORT is an open-source, rule-based Network Intrusion Detection and
Prevention System (NIDS/NIPS). It was developed and still maintained by…
Jul 20, 2023
125

igor_sec
TryHackMe | Zeek
Introduction to hands-on network monitoring and threat detection with Zeek
(formerly Bro).
Jul 12, 2023
114
1

igor_sec

Snort Challenge — The Basics : TryHackMe

Task 1: Introduction
Jul 20, 2023
77
2
See all from igor_sec

Recommended from Medium

In

T3CH

by

Axoloth
TryHackMe | Snort Challenge — The Basics | WriteUp

Put your snort skills into practice and write snort rules to analyse live capture
network traffic

Nov 9, 2024

100

Abhijeet Singh

TShark Challenge I: Teamwork | SOC Level 1 | TryHackMe

Walkthrough

Task 1 - Introduction

Nov 11, 2024

1
CyberdefendeR

Tryhackme Snort Challenge-LiveAttacks [Resolved]

Link to the CTF : TryHackMe | Snort Challenge — Live Attacks
Feb 20
4

rutbar

TryHackMe — CAPA: The Basics | Cyber Security 101 (THM)

Tool Overview: How CAPA Works
Oct 24, 2024
13

Abhijeet Singh

TShark Challenge II: Directory | SOC Level 1 | TryHackMe

Walkthrough
Task 1 Introduction
Nov 27, 2024
rutbar

TryHackMe — Logs Fundamentals | Cyber Security 101

(THM)
Introduction to Logs Attackers often try to hide traces of their actions. However,
security teams can piece together clues to understand…
Oct 26, 2024
1
See more recommendations