Issuu on Google+

Whether working as a Network Penetration Tester, IT Security Auditor or Network Security Analyst, chances are you have spent time analyzing captured network traffic with applications such as Wireshark. Going through network traffic on a packet-by-packet or byte-per-byte level can be very powerful at times, but as the amount of captured traffic grows the need for more advanced analysis tools becomes apparent. This article outlines the importance of analyzing captured network traffic and introduces an application called NetworkMiner, which is designed to support the IT security analysis by extracting useful information from captured data. It is disturbing how often networks are not properly documented in terms of IP plans, network segmentations and network security. Having a good view of the network is essential when performing a network security assessment. As such, one might choose to perform an active network scan with a tool such as Nmap or Nessus in order to quickly gather inventory information of the hosts on a network.

eration and scheduled service windows are very rare, so any active scanning should be avoided since it might affect the performance of the network or hosts on the network. Even the so-called “safe checks� in Nessus can cause critical IT systems to malfunction since these systems often are embedded systems running proprietary software with a high number of undiscovered vulnerabilities and bugs.

Performing active scanning is, however, not very suitable for situations when the network is being used for operations of critical IT systems such as process control, radar, SCADA, or telecommunications systems. These types of critical IT systems always need to be in op-

To avoid an emergency shutdown of a nuclear plant on which you might be performing your network security assessment, it is recommended that the analysis be based on passively captured network traffic from the system under investigation.


(IN)SECURE Magazine issue 18