(IN)SECURE Magazine issue 18
(IN)SECURE Magazine is a free digital security publication discussing some of the hottest information security topics. Head over to www.insecuremag.com to browse previous issues and subscribe for FREE!
Whether working as a Network Penetration Tester, IT Security Auditor or Network Security Analyst, chances are you have spent time analyzing captured network traffic with applications such as Wireshark. Going through network traffic on a packet-by-packet or byte-by-byte level can be very powerful at times, but as the amount of captured traffic grows, the need for more advanced analysis tools becomes apparent. This article outlines the importance of analyzing captured network traffic and introduces an application called NetworkMiner, which is designed to support IT security analysis by extracting useful information from captured data.

It is disturbing how often networks are not properly documented in terms of IP plans, network segmentation and network security. Having a good view of the network is essential when performing a network security assessment. As such, one might choose to perform an active network scan with a tool such as Nmap or Nessus in order to quickly gather inventory information about the hosts on a network.

Performing active scanning is, however, not suitable for situations where the network is being used for the operation of critical IT systems such as process control, radar, SCADA or telecommunications systems. These types of critical IT systems always need to be in operation and scheduled service windows are very rare, so any active scanning should be avoided since it might affect the performance of the network or of hosts on the network. Even the so-called "safe checks" in Nessus can cause critical IT systems to malfunction, since these systems are often embedded systems running proprietary software with a high number of undiscovered vulnerabilities and bugs. To avoid an emergency shutdown of a nuclear plant on which you might be performing your network security assessment, it is recommended that the analysis be based on passively captured network traffic from the system under investigation.
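The passive approach the article recommends amounts to reading frames that were captured anyway and deriving an inventory from them without ever transmitting a packet. The following is an added illustration of that idea, not code from the article or from NetworkMiner: it decodes raw Ethernet/IPv4/TCP headers with the standard library only, records each source host's MAC, TTL and the service ports it has been seen answering on (a SYN-ACK can only come from a listening service), and turns the TTL into a coarse operating-system hint. The frames it runs on are constructed inline for the example; the hostnames, addresses and MACs are placeholders, and the TTL heuristic is a hint rather than an identification.

```python
import socket
import struct
from collections import defaultdict

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
TCP_SYN = 0x02
TCP_ACK = 0x10


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(src_mac, dst_mac, src_ip, dst_ip, ttl, sport, dport, flags):
    """Assemble a minimal Ethernet/IPv4/TCP frame. Used here only to construct
    sample input; checksums are left zero because nothing below validates them."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, ttl,
                     PROTO_TCP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp


def parse_frame(frame):
    """Decode Ethernet/IPv4(/TCP) headers; returns None for anything else.
    The length checks keep truncated or non-IP frames from raising."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    rec = {
        "src_mac": mac_str(frame[6:12]),
        "src_ip": socket.inet_ntoa(ip[12:16]),
        "dst_ip": socket.inet_ntoa(ip[16:20]),
        "ttl": ip[8],
        "tcp": None,
    }
    if ip[9] == PROTO_TCP and len(ip) >= ihl + 20:
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
        rec["tcp"] = (sport, dport, ip[ihl + 13])  # byte 13 of the TCP header holds the flags
    return rec


class PassiveInventory:
    """Host inventory built purely from observed frames; no packet is ever sent."""

    def __init__(self):
        self.hosts = defaultdict(lambda: {"macs": set(), "ttls": set(),
                                          "open_ports": set(), "frames": 0})

    def observe(self, frame):
        rec = parse_frame(frame)
        if rec is None:
            return
        host = self.hosts[rec["src_ip"]]
        host["frames"] += 1
        host["macs"].add(rec["src_mac"])   # only the host's own MAC if it is on this segment
        host["ttls"].add(rec["ttl"])
        if rec["tcp"]:
            sport, _dport, flags = rec["tcp"]
            # A SYN-ACK is only ever sent by a listening service, so the
            # source port of a SYN-ACK is an open port on the sender.
            if flags & (TCP_SYN | TCP_ACK) == TCP_SYN | TCP_ACK:
                host["open_ports"].add(sport)

    def os_guess(self, ip):
        """Heuristic: round the largest observed TTL up to the nearest common
        initial TTL (64/128/255), since every router hop decrements it."""
        ttls = self.hosts[ip]["ttls"]
        if not ttls:
            return "unknown"
        initial = min(t for t in (64, 128, 255) if t >= max(ttls))
        return {64: "Unix-like (initial TTL 64)",
                128: "Windows-like (initial TTL 128)",
                255: "network device or BSD-like (initial TTL 255)"}[initial]


def sample_frames():
    """Constructed exchange: a workstation opens SSH to a server two hops away
    (so the reply arrives via the gateway MAC with TTL 126) and also sends an
    unanswered SYN to port 443; a non-IP frame is included to be ignored."""
    ws, gw, srv = "aa:bb:cc:00:00:05", "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:09"
    return [
        build_frame(ws, gw, "10.0.0.5", "10.0.0.9", 64, 51000, 22, TCP_SYN),
        build_frame(gw, ws, "10.0.0.9", "10.0.0.5", 126, 22, 51000, TCP_SYN | TCP_ACK),
        build_frame(ws, gw, "10.0.0.5", "10.0.0.9", 64, 51001, 443, TCP_SYN),
        b"\x00" * 20,
    ]


def build_inventory(frames):
    inv = PassiveInventory()
    for frame in frames:
        inv.observe(frame)
    return inv


if __name__ == "__main__":
    inv = build_inventory(sample_frames())
    for ip, host in sorted(inv.hosts.items()):
        print(ip, sorted(host["macs"]), sorted(host["open_ports"]), inv.os_guess(ip))
```

Two things in the output are worth noticing. The server's port 443 is absent even though a SYN was sent to it, because passive analysis only learns what the traffic actually shows, and the MAC recorded for 10.0.0.9 is the gateway's: layer-2 addresses are only meaningful for hosts on the capturing segment. Both are the price of never probing, and both are what the article accepts in exchange for not touching a live control system.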