NETWORK MINER

TOOL OVERVIEW 1

Perform network analysis on mx-3.pcap. What is the total number of frames?
root@thm:~$ mono /home/ubuntu/Desktop/NetworkMiner_2-7-2/NetworkMiner.exe
NetworkMiner: File > Open > mx-3.pcap
 Case Panel > right-click mx-3.pcap > Show Metadata
  - Frames: 460
Perform network analysis on mx-3.pcap. How many IP addresses use the same MAC address as host 145.253.2.203?
root@thm:~$ mono /home/ubuntu/Desktop/NetworkMiner_2-7-2/NetworkMiner.exe
NetworkMiner: File > Open > mx-3.pcap
 Hosts:
  [-] 145.253.2.203
    65.208.228.223 (same MAC address)
    216.239.59.99 (same MAC address)
  - 2 IP addresses share the MAC address of 145.253.2.203 (typical of hosts reached through one gateway)
Perform network analysis on mx-3.pcap. How many packets were sent from host 65.208.228.223?
root@thm:~$ mono /home/ubuntu/Desktop/NetworkMiner_2-7-2/NetworkMiner.exe
NetworkMiner: File > Open > mx-3.pcap
 Hosts:
  [-] 65.208.228.223
    Sent: 72 packets (76,368 Bytes), 0.00 % cleartext (0 of 0 Bytes)
Perform network analysis on mx-3.pcap. What is the name of the webserver banner under host 65.208.228.223?
root@thm:~$ mono /home/ubuntu/Desktop/NetworkMiner_2-7-2/NetworkMiner.exe
NetworkMiner: File > Open > mx-3.pcap
 Hosts:
  [-] 65.208.228.223
    [-] Host Details
      Web Server Banner 1 : TCP 80 : Apache
Perform network analysis on mx-4.pcap. What is the extracted username?
root@thm:~$ mono /home/ubuntu/Desktop/NetworkMiner_2-7-2/NetworkMiner.exe
NetworkMiner: File > Open > mx-4.pcap
 Credentials:
  172.16.66.37...#B\Administrator
Perform network analysis on mx-4.pcap. What is the extracted password?
root@thm:~$ mono /home/ubuntu/Desktop/NetworkMiner_2-7-2/NetworkMiner.exe
NetworkMiner: File > Open > mx-4.pcap
 Credentials:
  172.16.66.37...NTLM Challenge: 136B077D942D9A63 - LAN Manager Response: 000000000000000000000000000000000000000000000000 - NTLM Response
  - What NetworkMiner recovers here is the NTLM challenge/response pair, not a cleartext password; the 24 zero bytes in the LAN Manager Response mean the client sent no LM response

TOOL OVERVIEW 2

Perform network analysis on mx-7.pcap. What is the name of the Linux distro mentioned in the file associated with frame 63075?
root@thm:~$ mono /home/ubuntu/Desktop/NetworkMiner_2-7-2/NetworkMiner.exe
NetworkMiner: File > Open > mx-7.pcap
 Files > Filter Keyword: 63075
  index.EE08FE3A.txt > right-click > File Details
   ...7475702E6E65742F43656E744F532F37	tup.net/CentOS/7
Perform network analysis on mx-7.pcap. What is the header of the page associated with frame 75942?
root@thm:~$ mono /home/ubuntu/Desktop/NetworkMiner_2-7-2/NetworkMiner.exe
NetworkMiner: File > Open > mx-7.pcap
 Files > Filter Keyword: 75942
  index.html > right-click > File Details
   ...2E7365202D2050617373776F72642D4E	.se - Password-N
      65642041423C2F7469746C653E0A2020	ed AB</title>.
Perform network analysis on mx-7.pcap. What is the source address of the image "ads.bmp.2E5F0FD9.bmp"?
root@thm:~$ mono /home/ubuntu/Desktop/NetworkMiner_2-7-2/NetworkMiner.exe
NetworkMiner: File > Open > mx-7.pcap
 Images > look for "ads.bmp.2E5F0FD9.bmp" > hover mouse over the image file
  Source: 80.239.178.187
Perform network analysis on mx-7.pcap. What is the frame number of the possible TLS anomaly?
root@thm:~$ mono /home/ubuntu/Desktop/NetworkMiner_2-7-2/NetworkMiner.exe
NetworkMiner: File > Open > mx-7.pcap
 Anomalies: [2015-03-08 10:44:43 UTC] Error : TLS data boundary is not on a TLS record boundary in frame 36255
Perform network analysis on mx-9.pcap. Look at the messages. Which platform sent a password reset email?
root@thm:~$ mono /home/ubuntu/Desktop/NetworkMiner_2-7-2/NetworkMiner.exe
NetworkMiner: File > Open > mx-9.pcap
 Messages > view each message and identify the platform
  - facebook
Perform network analysis on mx-9.pcap. What is the email address of Branson Matheson?
root@thm:~$ mono /home/ubuntu/Desktop/NetworkMiner_2-7-2/NetworkMiner.exe
NetworkMiner: File > Open > mx-9.pcap
 Messages > view each message and identify the email address of Branson Matheson
  - [email protected]

VERSION DIFFERENCES

Which version can detect duplicate MAC addresses?
2.7
Which version can handle frames?
1.6
Which version provides more detail on individual packets?
1.6

EXERCISES

Perform network analysis on case1.pcap. What is the OS name of the host 131.151.37.122?
root@thm:~$ mono /home/ubuntu/Desktop/NetworkMiner_2-7-2/NetworkMiner.exe
NetworkMiner: File > Open > case1.pcap
 Hosts > 131.151.37.122 > OS Windows
  - Satori TCP: Windows - Windows NT 4 (50.00 %) Windows - Windows 98 (50.00 %) 
Perform network analysis on case1.pcap. Investigate the hosts 131.151.37.122 and 131.151.32.91. How many data bytes were received from host 131.151.32.91 to host 131.151.37.122 through port 1065?
root@thm:~$ mono /home/ubuntu/Desktop/NetworkMiner_2-7-2/NetworkMiner.exe
NetworkMiner: File > Open > case1.pcap
 Hosts > 131.151.32.91 > Outgoing sessions: 2 > Server: 131.151.37.122 (Windows) TCP 1065
  - Server: 131.151.37.122 (Windows) TCP 1065 (432 data bytes sent), Client: 131.151.32.91 TCP 3614 (192 data bytes sent), Session start: 1999-11-11 21:55:27 UTC, Session end: 1999-11-11 21:55:52 UTC
  - 192 data bytes (what the client 131.151.32.91 sent is what 131.151.37.122:1065 received)
Perform network analysis on case1.pcap. Investigate the hosts 131.151.37.122 and 131.151.32.21. How many data bytes were received from host 131.151.37.122 to host 131.151.32.21 through port 143?
root@thm:~$ mono /home/ubuntu/Desktop/NetworkMiner_2-7-2/NetworkMiner.exe
NetworkMiner: File > Open > case1.pcap
 Hosts > 131.151.37.122 > Incoming sessions: 2 > Server: 131.151.37.122 (Windows) TCP 143
  - Server: 131.151.37.122 (Windows) TCP 143 (20769 data bytes sent), Client: 131.151.32.21 (Linux) TCP 4167 (746 data bytes sent), Session start: 1999-11-11 21:55:27 UTC, Session end: 1999-11-11 21:55:53 UTC
  - 20769 data bytes (what the server 131.151.37.122:143 sent is what 131.151.32.21 received)
Perform network analysis on case1.pcap. What is the sequence number of frame 9? (The Frames tab only exists in NetworkMiner 1.6, so this one uses the 1-6-1 build.)
root@thm:~$ mono /home/ubuntu/Desktop/NetworkMiner_1-6-1/NetworkMiner.exe
NetworkMiner: File > Open > case1.pcap
 Frames > Frame Number 9 > TCP [34-80]
  Sequence Number: 2AD77400
Perform network analysis on case1.pcap. What is the number of the detected "content types"?
root@thm:~$ mono /home/ubuntu/Desktop/NetworkMiner_2-7-2/NetworkMiner.exe
NetworkMiner: File > Open > case1.pcap
 Parameters
  Filter: content
  Filter: All Words
  Filter: Parameter name
  - count 2
Perform network analysis on case2.pcap. What is the USB product's brand name?
root@thm:~$ mono /home/ubuntu/Desktop/NetworkMiner_2-7-2/NetworkMiner.exe
NetworkMiner: File > Open > case2.pcap
 Files
  Filter: usb
  - asix
Perform network analysis on case2.pcap. Which phone model appears in the extracted images?
root@thm:~$ mono /home/ubuntu/Desktop/NetworkMiner_2-7-2/NetworkMiner.exe
NetworkMiner: File > Open > case2.pcap
 Images: ...Lumia
 Files:
  Filter: lumia
  - /home/ubuntu/Desktop/NetworkMiner_2-7-2/AssembledFiles/2.22.40.154/TCP-80/sv-se/CMSImages/MMD_Lumia535_Sin.jpg
     - right-click the file then select File Details
Perform network analysis on case2.pcap. What is the source IP of the fish image?
root@thm:~$ mono /home/ubuntu/Desktop/NetworkMiner_2-7-2/NetworkMiner.exe
NetworkMiner: File > Open > case2.pcap
 Images: ...fish
 Files:
  Filter: fish
  - 50.22.95.9 [yiv.com] [www.yiv.com]
     - right-click the file then select File Details
Perform network analysis on case2.pcap. What is the password of the "[email protected]"?
root@thm:~$ mono /home/ubuntu/Desktop/NetworkMiner_2-7-2/NetworkMiner.exe
NetworkMiner: File > Open > case2.pcap
 Credentials
  [email protected]:spring2015
Perform network analysis on case2.pcap. What is the DNS Query of frame 62001?
root@thm:~$ mono /home/ubuntu/Desktop/NetworkMiner_2-7-2/NetworkMiner.exe
NetworkMiner: File > Open > case2.pcap
 DNS
  Filter: 62001
   - pop.gmx.com
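Several of the lookups in this write-up (frame count, hosts that share a MAC address and packets sent per host in Tool Overview 1; the TCP sequence number of a given frame and the DNS query carried by a given frame in the Exercises) are easy to script when you have many captures or no GUI. The block below is an added example written for this page, not NetworkMiner's code: it decodes classic libpcap files (not pcapng) with Ethernet/IPv4 framing using only the Python standard library, and runs against a capture it constructs in memory. The function names, the MACs, the IPs and the query name are this example's own assumptions, not values from the room's pcaps; the sequence number 0x2AD77400 is reused from the case1 answer above only so the output is recognisable.

```python
# Added example (not NetworkMiner code): classic pcap, Ethernet/IPv4 only.
import struct
from collections import Counter, defaultdict

LINKTYPE_ETHERNET = 1

def read_pcap(data):
    """Yield (frame_number, frame_bytes); frames are numbered from 1 as in NetworkMiner."""
    magic = struct.unpack_from("<I", data, 0)[0]
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if end is None:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack_from(end + "I", data, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are decoded here")
    off, number = 24, 0
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(end + "IIII", data, off)[2]   # captured length
        off, number = off + 16, number + 1
        yield number, data[off:off + incl_len]
        off += incl_len

def parse_frame(raw):
    """Decode Ethernet, IPv4 and the TCP/UDP header into a dict of fields."""
    f = {"dst_mac": raw[0:6].hex(":"), "src_mac": raw[6:12].hex(":")}
    if struct.unpack_from("!H", raw, 12)[0] != 0x0800:
        return f                                    # non-IPv4 frame: MACs only
    l4 = 14 + (raw[14] & 0x0F) * 4                  # IHL gives the IPv4 header length
    f["proto"] = raw[23]
    f["src_ip"] = ".".join(map(str, raw[26:30]))
    f["dst_ip"] = ".".join(map(str, raw[30:34]))
    if f["proto"] == 6:                             # TCP: ports and sequence number
        f["sport"], f["dport"], f["seq"] = struct.unpack_from("!HHI", raw, l4)
    elif f["proto"] == 17:                          # UDP: ports and payload (DNS)
        f["sport"], f["dport"] = struct.unpack_from("!HH", raw, l4)
        f["payload"] = raw[l4 + 8:]
    return f

def frame_count(pcap):
    return sum(1 for _ in read_pcap(pcap))

def ips_per_mac(pcap):
    """MAC -> IPs seen with it on either side: the Hosts tree's 'same MAC address' check."""
    seen = defaultdict(set)
    for _, raw in read_pcap(pcap):
        f = parse_frame(raw)
        if "src_ip" in f:
            seen[f["src_mac"]].add(f["src_ip"])
            seen[f["dst_mac"]].add(f["dst_ip"])
    return dict(seen)

def packets_sent(pcap):
    """Frames per source IP: the 'Sent: N packets' figure under Host Details."""
    fields = (parse_frame(raw) for _, raw in read_pcap(pcap))
    return Counter(f["src_ip"] for f in fields if "src_ip" in f)

def get_frame(pcap, number):
    for n, raw in read_pcap(pcap):
        if n == number:
            return parse_frame(raw)
    raise IndexError(f"frame {number} not in capture")

def tcp_seq_hex(pcap, number):
    """Sequence number of frame N as the 1.6 Frames tab shows it (upper-case hex)."""
    return "%08X" % get_frame(pcap, number)["seq"]

def dns_query_name(pcap, number):
    """Labels of the first question in the DNS message carried by frame N."""
    msg, off, labels = get_frame(pcap, number)["payload"], 12, []
    while msg[off]:                                 # 12-byte header, then length-prefixed labels
        labels.append(msg[off + 1:off + 1 + msg[off]].decode("ascii"))
        off += 1 + msg[off]
    return ".".join(labels)

# Constructed capture so the functions run offline; MACs, IPs and names are made up
# and IP/TCP/UDP checksums are left at zero (nothing above verifies them).
def _ipv4(src_mac, dst_mac, src_ip, dst_ip, proto, payload):
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip = lambda a: bytes(map(int, a.split(".")))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ip(src_ip), ip(dst_ip))
    return mac(dst_mac) + mac(src_mac) + b"\x08\x00" + hdr + payload

def _tcp(sport, dport, seq):                        # 20-byte TCP header, SYN flag set
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 0x50, 0x02, 8192, 0, 0)

def _dns_query(name):                               # UDP header + DNS query for an A record
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + b"\x00\x01\x00\x01"
    return struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns

def build_pcap(frames):
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, raw in enumerate(frames):
        out += [struct.pack("<IIII", 1425811483 + i, 0, len(raw), len(raw)), raw]
    return b"".join(out)

CLIENT, GATEWAY = "bb:bb:bb:bb:bb:bb", "aa:aa:aa:aa:aa:aa"   # two external IPs answer from the gateway MAC
SAMPLE = build_pcap([
    _ipv4(CLIENT, GATEWAY, "192.0.2.10", "198.51.100.5", 6, _tcp(3614, 80, 0x2AD77400)),
    _ipv4(GATEWAY, CLIENT, "198.51.100.5", "192.0.2.10", 6, _tcp(80, 3614, 0x11223344)),
    _ipv4(CLIENT, GATEWAY, "192.0.2.10", "203.0.113.53", 17, _dns_query("pop.example.net")),
    _ipv4(GATEWAY, CLIENT, "198.51.100.5", "192.0.2.10", 6, _tcp(80, 3614, 0x11223345)),
])
```

On the constructed capture, frame_count(SAMPLE) is 4, ips_per_mac(SAMPLE) lists both external IPs under the gateway MAC (the same pattern as the mx-3 Hosts tree), packets_sent(SAMPLE) gives two frames from each side, tcp_seq_hex(SAMPLE, 1) is "2AD77400" and dns_query_name(SAMPLE, 3) is "pop.example.net". To use it on the room's files, read the bytes and pass them in, e.g. frame_count(open("mx-3.pcap", "rb").read()). Real captures may contain other link types, VLAN tags, IPv6, fragments and truncated frames that this decoder ignores, so expect small differences from the GUI's counts on such traffic.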
