Friday, February 25, 2011

Another Free Packet Tool - NetWitness Investigator

NetWitness Investigator is a free tool for packet analysis. This one runs on Windows only (including Windows 7), except for the commercial version, which also runs on Linux. Its functionality includes wireless support, real-time layer 7 analysis, IPv6 support, SSL decryption (given the server's certificate and private key) and full-content searching, including regex. The freeware licence supports 25 simultaneous 1 GB captures.

To get started, grab a copy from the download page here and install.
When opening the program for the first time, you'll be prompted to login, or create an account. Go ahead and create a community account and after activating Netwitness (from the email you'll receive), you'll be presented with the Investigator window. In the left hand pane will be a folder marked Demo Collection, a packet capture that allows you to test out the app immediately, without needing to do any capturing of your own.

Double-click the Demo collection icon, and a new tab will open with the contents of that collection, which will look like this:
We can see a whole host of attributes that can be drilled into to explore. At the very top, we see Investigator has flagged three alerts for us, non-standard http, cleartext passwords and irc file transfer. Clicking the "Alert" attribute will drill down to the next level where all the attributes are related to these three alerts. We see the services used, source and destination addresses, ports and protocols, and all our layer 7 info broken out for us, like email addresses, user accounts, and attachments.

Clicking on the "sample_vulnerability:cleartextpasswords:other (1)" link takes us down another level, showing us all the attributes of the packets that triggered this alert. We now know the IP addresses involved, the service type (POP3), the user account involved and the email address involved. When we drill down even further into our layer 7 data, Investigator will do reconstructions for us. For example, the email address attribute has one session associated with it (the number in green in parentheses after the field shows the number of sessions). When we click on the number after the email address, NetWitness reconstructs the email header for us:
   
We can do the same for the other data presented, such as the Creditcards.txt attachment. Investigator will ask us how we want to open the file, allowing us to open it in a default app for the data type, choose a different app or use Investigator itself to open it. 
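The cleartext-passwords alert above fires because the POP3 client sends its USER and PASS commands unencrypted. As an added example, not part of the original post or of NetWitness, here is a small detector that does the same thing over a reassembled POP3 session. It operates on a constructed transcript (direction-tagged lines) rather than a real pcap, masks the password so the finding can be logged safely, and records whether the server accepted the login. A session that switches to TLS with STLS before authenticating produces no alert, since the credentials never cross the wire in the clear.

```python
"""Detect cleartext POP3 authentication in a reassembled session.

Added example (not the blog's or NetWitness's code). The input format is an
assumption: a list of (direction, line) tuples, where 'C' is client->server
and 'S' is server->client, one POP3 message per tuple.
"""
import re
from dataclasses import dataclass
from typing import List, Sequence, Tuple

# Constructed sample: a POP3 login in the clear, like the demo session.
SAMPLE_CLEARTEXT_SESSION = [
    ("S", "+OK POP3 server ready"),
    ("C", "USER alice@example.test"),
    ("S", "+OK"),
    ("C", "PASS hunter2"),
    ("S", "+OK Logged in."),
    ("C", "STAT"),
    ("S", "+OK 1 512"),
    ("C", "QUIT"),
]

# Constructed sample: the client upgrades to TLS first, so nothing
# after the STLS handshake is visible in the capture.
SAMPLE_STLS_SESSION = [
    ("S", "+OK POP3 server ready"),
    ("C", "CAPA"),
    ("S", "+OK\r\nSTLS\r\nUSER\r\n."),
    ("C", "STLS"),
    ("S", "+OK Begin TLS negotiation"),
]

USER_RE = re.compile(r"^USER\s+(\S+)\s*$", re.IGNORECASE)
PASS_RE = re.compile(r"^PASS\s+(.*?)\s*$", re.IGNORECASE)


@dataclass
class CleartextAuthAlert:
    user: str
    password_masked: str   # same length as the password, never the value
    authenticated: bool    # True if the server answered +OK to PASS


def find_cleartext_auth(session: Sequence[Tuple[str, str]]) -> List[CleartextAuthAlert]:
    """Return one alert per USER/PASS pair seen in the clear."""
    alerts: List[CleartextAuthAlert] = []
    pending_user = None
    for i, (direction, line) in enumerate(session):
        if direction != "C":
            continue
        m = USER_RE.match(line)
        if m:
            pending_user = m.group(1)
            continue
        m = PASS_RE.match(line)
        if m and pending_user is not None:
            password = m.group(1)
            # The next server message tells us whether the login succeeded.
            accepted = False
            for d, reply in session[i + 1:]:
                if d == "S":
                    accepted = reply.upper().startswith("+OK")
                    break
            alerts.append(CleartextAuthAlert(pending_user, "*" * len(password), accepted))
            pending_user = None
    return alerts


if __name__ == "__main__":
    for alert in find_cleartext_auth(SAMPLE_CLEARTEXT_SESSION):
        print(f"cleartext POP3 login: user={alert.user} "
              f"password={alert.password_masked} accepted={alert.authenticated}")
    print("STLS session alerts:", find_cleartext_auth(SAMPLE_STLS_SESSION))
```

Run against the cleartext sample it reports one accepted login for alice@example.test with a masked password; the STLS sample yields no alert. A real deployment would feed it TCP streams reassembled from the capture (Investigator does this reassembly for you), and the same USER/PASS pattern is what its cleartext-password rule keys on.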


This is just the very basic starting point of what you can do with this tool. Like xtractr, it's a very good tool for investigating a capture when you need to drill down deep, in a visual way, to ascertain what action took place.
