Previously I posted a tutorial on how data can easily be reconstructed from a packet capture in Wireshark if the site uses an unsecured connection. That method involves manually reconstructing the desired files by searching the capture for the appropriate file signature.
Manually hunting for a file within a packet capture is time-intensive and impractical in most circumstances. An easier way to find sensitive information in a packet capture is to use NetworkMiner by NETRESEC.
NetworkMiner is a Windows application, but it also runs on macOS, Linux and FreeBSD via the Mono framework. I followed the instructions on the NETRESEC website to install NetworkMiner on my Mac and had the application up and running within minutes.
You’ll also need a packet capture file. I tried to use the same site as in my previous blog post, bonsaitreegardener.net, but it has since been secured, so I chose a site from Why No HTTPS? and generated a packet capture of it in Wireshark. Surprisingly, the Oxford University website hasn’t yet been updated to use HTTPS by default, so I used it for my test of NetworkMiner. Note that when you save the capture, Wireshark defaults to its next-generation format (.pcapng); save it in the older .pcap format instead, as NetworkMiner is currently unable to read .pcapng files.
With the packet capture file ready, launch NetworkMiner on macOS from the Terminal with the command
$ mono --arch=32 [NetworkMiner Executable Location.exe]
Once NetworkMiner has launched, go to File > Open in the menu bar and select your packet capture. It will be imported into NetworkMiner, allowing you to browse the information within.
Tabs along the top show the hosts found in the packet capture along with whatever information could be gathered about them, the images in the capture, any credentials, and the parameters seen in the capture.
Using NetworkMiner is massively quicker than manual reconstruction of files: I visited around three pages on the Oxford University website and NetworkMiner recovered 47 images, and a larger capture could contain thousands more. Any unsecured credentials are shown plainly in the Credentials tab, emphasising the need not to broadcast credentials in plaintext and to ensure passwords are hashed when authenticating.
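To make concrete what the manual signature hunt from the earlier post and NetworkMiner's Images and Credentials tabs actually do over the wire, here is a small Python carver written for this post (it is not NetworkMiner's code and not from the original tutorial). It reads a classic .pcap, refuses .pcapng input with the same limitation noted above, reassembles each TCP flow, recovers PNG and JPEG files by their start and end signatures, and lists any HTTP Authorization header sent in the clear. The capture it reads is constructed inside build_sample_pcap(); the hosts, addresses and the Basic credential in it are made-up sample values.

```python
"""Minimal pcap carver: reassembles TCP payloads from a classic libpcap capture and
recovers images by file signature.  Added example; the capture is constructed inline."""
import struct
import zlib
from collections import defaultdict

PCAPNG_MAGIC = 0x0A0D0D0A          # first 4 bytes of a pcapng Section Header Block
SIGNATURES = [("png", b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),   # (type, start, end)
              ("jpeg", b"\xff\xd8\xff", b"\xff\xd9")]

def tcp_segments(pcap_bytes):
    """Yield (flow_key, seq, payload) for each TCP segment in an Ethernet/IPv4 pcap."""
    magic = struct.unpack("<I", pcap_bytes[:4])[0]
    if magic == PCAPNG_MAGIC:
        raise ValueError("pcapng input: re-save the capture as classic .pcap")
    if magic not in (0xA1B2C3D4, 0xD4C3B2A1):
        raise ValueError("not a libpcap file")
    endian = "<" if magic == 0xA1B2C3D4 else ">"   # magic reveals the writer's byte order
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("only Ethernet (DLT_EN10MB) captures are handled here")
    pos = 24
    while pos + 16 <= len(pcap_bytes):
        incl_len = struct.unpack(endian + "I", pcap_bytes[pos + 8:pos + 12])[0]
        frame = pcap_bytes[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":     # not IPv4
            continue
        ihl = (frame[14] & 0x0F) * 4
        ip = frame[14:14 + ihl]
        if ip[9] != 6:                                          # not TCP
            continue
        tcp = frame[14 + ihl:14 + struct.unpack("!H", ip[2:4])[0]]
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:
            yield (ip[12:16], sport, ip[16:20], dport), seq, payload

def reassemble(pcap_bytes):
    """Join each flow's segments in sequence order; a file usually spans many packets."""
    flows = defaultdict(list)
    for key, seq, payload in tcp_segments(pcap_bytes):
        flows[key].append((seq, payload))
    return {k: b"".join(p for _, p in sorted(v)) for k, v in flows.items()}

def carve_files(pcap_bytes):
    """Return [(type, bytes)] for every complete image found in the capture."""
    found = []
    for data in reassemble(pcap_bytes).values():
        for kind, start, end in SIGNATURES:
            i = data.find(start)
            while i != -1 and (j := data.find(end, i + len(start))) != -1:
                found.append((kind, data[i:j + len(end)]))
                i = data.find(start, j + len(end))
    return found

def plaintext_auth_headers(pcap_bytes):
    """HTTP Authorization headers sent in the clear (what the Credentials tab surfaces)."""
    return [line.decode("ascii", "replace")
            for data in reassemble(pcap_bytes).values()
            for line in data.split(b"\r\n") if line.lower().startswith(b"authorization:")]

def minimal_png():
    """A valid 1x1 RGB PNG, so the carved output is a real, openable file."""
    def chunk(tag, body):
        return struct.pack("!I", len(body)) + tag + body + struct.pack("!I", zlib.crc32(tag + body))
    ihdr = struct.pack("!IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")        # filter byte + one red pixel
    return b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")

def _frame(src, sport, dst, dport, seq, payload):
    """Ethernet + IPv4 + TCP frame around payload (checksums left zero; unused here)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0, src, dst)
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip + tcp

def build_sample_pcap():
    """Constructed capture (not real traffic): a plain-HTTP request carrying a made-up
    Basic credential, and a PNG response deliberately split across two segments."""
    client, server = bytes([10, 0, 0, 2]), bytes([192, 0, 2, 10])
    req = b"GET /logo.png HTTP/1.1\r\nHost: example.test\r\nAuthorization: Basic dXNlcjpwYXNz\r\n\r\n"
    resp = b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n\r\n" + minimal_png()
    cut = len(resp) // 2
    frames = [_frame(client, 40000, server, 80, 1000, req),
              _frame(server, 80, client, 40000, 5000, resp[:cut]),
              _frame(server, 80, client, 40000, 5000 + cut, resp[cut:])]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # global header, Ethernet
    for n, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + n, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    cap = build_sample_pcap()
    for kind, blob in carve_files(cap):
        print(f"carved {kind}: {len(blob)} bytes")
    for header in plaintext_auth_headers(cap):
        print("sent in the clear:", header)
```

The PNG in the sample is split across two TCP segments on purpose: searching packet by packet, as you would by eye in Wireshark, misses a signature that straddles a packet boundary, which is why the carver reassembles each flow before scanning. Point carve_files() at the bytes of a real .pcap of your own traffic to see the same images NetworkMiner lists; a .pcapng file is rejected with a message rather than silently yielding nothing.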