
Good morning, and thank you everyone for coming. I'm surprised there's this big a turnout for this. Quite bluntly, my talk concerns using NetworkMiner to reconstruct network traffic, as the title says, but it also involves a bit of Wireshark. I was first shown this by my cousin, who works in cyber security, and for me it just demystified a lot of things about how data is sent over the internet.

So I'll start off with a bit about me. I've always been fairly technical, but by the time I reached my university choices I decided to go and do a degree in management and marketing. I actually did work in marketing for a bit and realised it wasn't for me, and so now I'm back in technology. As usual, I work in technical support. The company I work for doesn't really like anyone putting out who they work for when they do these things, but it's a fairly prominent brand that had a big announcement on Monday; I'll just say that. I'm a Genius as well, so I'm used to diagnosing and helping people. But to give myself a benchmark and show you my level of knowledge, I also took the CompTIA Security+, and although I've since realised that really you should go through all sorts of steps up to it, I just went straight in for Security+ and luckily passed.

So I won't go into too much depth, because I think it's better at the end to see why this is a good demo, but this is just a small look at how networking works, I suppose in terms of the internet, and for me, and I'll explain why afterwards, it makes it a bit more approachable for people. So I'll go to the demo. First of all we'll get Wireshark up; well, I've already got the Wireshark capture open. In preparing this I made sure not to need the internet at all. In theory you would go into Wireshark, browse to a website and then capture your data. As well, I've used the capture I made through the University of Oxford website. There's a website out there called Why No HTTPS, which just lists quite prominent websites that still don't have HTTPS enabled on their sites, so this makes this demo really quick and easy, because you don't need to mess around with getting into the data and decrypting it. One of them is Oxford University, which still uses just plain old HTTP for their website.

So when you're in Wireshark, if you've ever run this before, even on your home network, you'll get masses and masses of data, and even things like smart TVs are popping up in there, constantly pinging your network. But for this I'm just going to restrict it down to HTTP. You'll see a little bit: when I did this, the only site I browsed to was Oxford University, so it makes it really clear, but you'll see things mentioned where it says Oxford site files, so you will in there somewhere see JPEG images listed. I suppose this is a bit of a convoluted way, but this is for my demo.

So when you're in Wireshark, if you go to Follow and then HTTP Stream, at first you'll get the cookie data and GET requests, things like that, but we're not actually going to use this form of the data. When you're in here you flip it into Raw, and this will give you the hex values for all the data that's going through, so it's not really intelligible; it might be to some people, but it's certainly not to me. Once you're in here, all we need to do is capture this file. This is all one flow through HTTP, so you can go Save As and save it; it's just a plain text file. It would be a bit silly if I hadn't already prepared this, so I'm going to just skip on again.

Once we've got our text capture, and this is literally the entire file of the flow just from Oxford University's homepage, so there's a lot of data, this is a program called Hex Fiend on the Mac. I'm sure there's an equivalent on Windows, but this is Hex Fiend. It will show you some of the data that we saw previously, just right there. If we go to this site I've used, Gary Kessler, that's it; he has a database of common file signatures. I'm going to do this with a JPEG. With a JPEG, in those hex values, a JPG file will always start with FF D8 and always end with FF D9. Knowing that, we can go back to our file, and don't worry, I'm not going to actually do this because it would be rather boring for you all, but we would search FF D8 and note down the value on the left-hand side that says, you know, two hundred and forty-seven thousand, then search FF D9, which should take us to the very next value, the one at the end of that image. Once you've got that, you can highlight it and extract it, and then you'll end up with a file. If you open it with Quick Look, you'll end up with a file that looks like this. This starts with our FF D8 and will end with FF D9, so that is an entire image file, but it doesn't look like it; it just looks like a text file. All you need to do is whack .jpg on the end, and you'll end up with your image file. This isn't actually on the website anymore, but if you really want it I can send it to you. That's just a quick demo on how easy it is to extract it.

But the Oxford University website, even when I used it, had probably a good few, sort of 10 to 20 images, so it'd be a bit too laborious to go through and extract every one. So for the second half there's a tool, which is actually a Windows tool but you can run it on macOS with Mono, called NetworkMiner. We'll just start that up a second. This makes it a bit easier to extract things. Admittedly, image files aren't going to be the most sensitive pieces of data you've got. Another thing to note as well with our packet capture: Wireshark now saves them in a new format, whereas most tools that pair with Wireshark take them in the old-style classic packet capture file rather than pcapng. So to be able to import it, you just need to go into Wireshark and save that file as a pcap file. Unfortunately, because it's a Windows program, I just need to find this a second: Desktop, NetworkMiner, just get my pcap out there. This will just load through, and I'll expand it a bit. It does quite a bit, and you can literally go through it; it's got things like messages in there that have come through. I'm going to skip past, and come back to the DNS requests that are in there, so loads, but for now I'm not really interested in those. In this Images tab you can see everything there. There are about 20 to 25 images in there, and they're all quickly and easily there; you can double-click and it will actually go into Preview on a Mac. So if you were looking for sensitive images, it's that easy.

So that is really the demo of the technology, but the reason why I wanted to show that, as I say, is that when my cousin first showed me that demo it was, for me, demystifying how things work. For an outsider, a person not in technology, and I meet them every day, my job involves talking to people who will usually say things like "oh, I'm not very good with technology", the usual line. For me, that shows you that instead of it almost being, sort of, there's a physical wire but it's just some sort of magic coming through the internet or a phone line, it's much easier to see that actually it's just a list of instructions. Most things with networking, with any form of computing, are just a list of instructions, and it makes it a lot simpler and easier for people to understand. I can't count the amount of times I have people come in with things like Snapchat crashing, or really basic things like that. I even had someone who had taken a screenshot of their home screen, set it as their wallpaper and then come in, because it looked like there were two clocks on top of each other, and they asked to have their phone replaced for that. Because you don't know why it's doing it; for all you know there's just a problem with my phone, my computer, my whatever. You don't know what's going on, so you just think it needs replacing. And I would do that with things like my car; I'm not a car person, I would rather get it swapped every time. So it just really makes it simpler for people to understand. It's a great short little demo; I mean, it's only taken sort of 10 minutes there to show you, and hopefully you've understood anyway, and it's just a really quick way to build understanding and show people that. So, excuse me, any questions?

[Question inaudible.]

Well, I think I used Homebrew. If you don't know what Homebrew is, it's like a package manager on a Mac, so if you want to download something like Mono, Homebrew will fetch everything else it needs as well, instead of you having to fetch like ten packages to get one thing working. So I literally just got Mono with that, then got the executable NetworkMiner file, and it worked. The version I'm using is just the free version; they call it probably the Community Edition or something, and there's a premium version which does a lot more, and that's probably the more juicy stuff, but for me experimenting, the free version is good enough. Anyone else? Hopefully that entertained you enough and got us off to a good start, and thank you all for coming again.
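The FF D8 / FF D9 carving the talk does by hand in Hex Fiend, as an added Python example that is not part of the talk or of NetworkMiner: it carves every JPEG out of a saved stream export, and walks the JPEG marker segments before searching for FF D9, so that an EXIF thumbnail's own FF D9 (which sits before the real end of the outer image) does not cut the carve short. The HTTP dump and the JPEG-shaped blobs in it are constructed test data, not real images.

```python
"""Carve JPEGs out of a raw byte dump such as a saved Wireshark 'Follow HTTP Stream'
export, walking marker segments first so a nested thumbnail's FF D9 is not mistaken for EOI."""
SOI, EOI, SOS = b"\xff\xd8", b"\xff\xd9", 0xDA   # start of image, end of image, start of scan


def _scan_start(buf: bytes, pos: int):
    """Walk marker segments from pos (just after SOI) to SOS; return the offset
    where entropy-coded data begins, or None if the structure is malformed."""
    while pos + 4 <= len(buf):
        if buf[pos] != 0xFF:
            return None
        marker = buf[pos + 1]
        if marker == 0xFF or 0xD0 <= marker <= 0xD7 or marker == 0x01:
            pos += 1 if marker == 0xFF else 2      # fill byte / standalone marker
            continue
        length = int.from_bytes(buf[pos + 2:pos + 4], "big")
        if length < 2:
            return None
        pos += 2 + length                          # skips APPn, including nested thumbnails
        if marker == SOS:
            return pos
    return None


def carve_jpegs(buf: bytes) -> list:
    """Return every complete JPEG in buf, in order of appearance."""
    out, pos = [], 0
    while (start := buf.find(SOI, pos)) >= 0:
        pos = start + 2                            # default: skip a bad candidate
        if start + 2 < len(buf) and buf[start + 2] == 0xFF:   # SOI must be followed by a marker
            scan = _scan_start(buf, start + 2)
            if scan is not None and (end := buf.find(EOI, scan)) >= 0:
                out.append(buf[start:end + 2])
                pos = end + 2
    return out


def _fake_jpeg(payload: bytes, thumb: bytes = b"") -> bytes:
    """Constructed JPEG-shaped blob (not viewable): SOI, optional APP1 thumbnail, SOS, data, EOI."""
    app1 = b""
    if thumb:
        body = b"Exif\x00\x00" + thumb
        app1 = b"\xff\xe1" + (len(body) + 2).to_bytes(2, "big") + body
    return SOI + app1 + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00" + payload + EOI


# Constructed stream: two image responses (the first with an EXIF thumbnail) and a stray FF D8.
IMG1 = _fake_jpeg(b"\xaa\xbb\xff\x00\xcc", thumb=_fake_jpeg(b"\x12\x34"))
IMG2 = _fake_jpeg(b"\x01\x02\x03")
HTTP_DUMP = (b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n\r\n" + IMG1
             + b"GET /logo.jpg HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
             + b"HTTP/1.1 200 OK\r\n\r\n" + IMG2 + b"\xff\xd8 not an image")
```

Running `carve_jpegs` over a real Raw export would give the same list of byte strings, each ready to be written out with a `.jpg` extension.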