LogRhythm’s Network Monitor (NetMon) is a powerful forensics tool that allows organizations to capture, analyze, and alert on network data. Traditionally, NetMon is deployed on a blade server within an organization’s data center. However, there are many situations where a smaller, more tactical device is the optimal solution.
Network Monitor Freemium provides customers with a free and easy way to deploy NetMon on a small and compact system. This is ideal for the home network, branch offices, forensic go-kits, penetration testing drop boxes, and much more.
To demonstrate how to easily deploy NetMon we decided to build a miniature device ourselves.
With the release of Network Monitor version 3 and the Freemium license, the hardware requirements have been scaled back significantly, to allow for installation on a diverse array of systems.
Network Monitor Requirements:
- Intel x86 chipset
- CPU/Processor: 2 cores (4 cores recommended)
- Network interface controllers (NICs): 1 1Gbps NIC (2 1Gbps NICs recommended)
- 60GB of storage (120GB+ recommended)
- 4GB RAM (8GB recommended)
For this project, we went with the QOTOM-Q190G4—a small, portable, fanless, micro-PC. This is a Quad Core system that comes with a 2GHz CPU, 8GB RAM, four Ethernet ports, two USB ports, a VGA port, and two Wi-Fi NIC’s. The computer itself is passively cooled as the whole chassis is a heat-sink. This results in a silent solution that manages low temperatures under full load, currently selling for under $200 on Amazon. We think it is perfect for a home network or small satellite office.
Click on images to view larger.
Figure 1: Micro-PC Hardware Specifications
The next piece of hardware required is the passive network tap. We went with the Throwing Star LAN Tap available from the Hak5 Shop. These small and simple network taps allow for monitoring of small 10BASE-T and up to 100BASE-TX networks. There are many other and more powerful ways to do this, but we went this route because we are primarily targeting the home network. In the future, we’d like to embed this functionality directly into the device.
Figure 2: Throwing Star LAN Tap
Note that if you do use a passive tap, be aware that your maximum bandwidth will not be 1 Gb/s. Most passive taps can only split up to 500Mbps without significant loss of signal.
While the hardware mentioned above has been tested and works well, we also analyzed other hardware options. Nearly anything with comparable specs will work, including Intel NUC devices, old laptops or other hardware you might have at home.
Now that the hardware is taken care of, we need to get the NetMon image flashed onto the device. This sounds a bit easier than it is, so follow along below to ensure a successful installation.
You can either burn the ISO file to disk and use an external CD ROM drive to install the software or copy the ISO.USB contents to the drive and use a USB to install NetMon.
In order to prepare the installation USB, begin by wiping the drive (OS X instructions below):
- $ diskutil list
- $ diskutil info
- $ diskutil eraseDisk FAT32 NETMON MBRFormat /dev/
Once the drive has been wiped successfully, copy the contents of the ISO over to the USB and make the drive bootable. There are many ways to do this, so we’ll use (dd) on OS X for this example.
This can be done in the same way on Linux. However, if you’re creating the install media on a Windows machine, we recommend using Unetbootin.
Figure 3: Unetbootin ISO to USB Configuration
Now that the drive is ready, boot the hardware to the USB drive and follow the instructions to install NetMon.
Initial Configuration and Testing
With NetMon successfully installed onto the Micro-PC, the next phase is deployment. This can vary greatly depending on the deployment scenario, so we’ll focus on testing and validation first.
Ensure that the NetMon appliance is plugged into power and then connect the ethernet cables as shown below. ‘LAN1’ is the management interface and ‘LAN4’ is the going to be used to sniff network traffic. Refer to the picture below, which shows a basic configuration designed to sniff traffic from a single computer.
Figure 4: LAN Tap Configuration
Once again, we’re using a minimum of two ports. One is our “input” from the tap. The other is our “output” to the NetMon user interface (Management Interface).
Figure 5: Test Network
Once the network interfaces have been configured, power on the NetMon device. Next, browse to the NetMon’s management interface. You will automatically redirect to port 443. From here, follow the on-screen prompts to complete the NetMon configuration.
If all goes well, you will start seeing traffic flow through momentarily.
Figure 6: Test - Sniffing Traffic on a Single System
After testing the configuration to ensure that traffic is being captured, let’s translate this to a real-world scenario by configuring the Miniature NetMon on a home network.
In a home network, you’ll need a Tap, Hub, Smart Switch, or a router that supports port mirroring in order to capture traffic in-transit. There are countless products out there that will support these options; however, the ideal solution is to either use a Switch or configure Port Mirroring from the router directly, as this will have the least degradation on your home network’s connection speed. For optimal performance, we recommend utilizing Cat6 Ethernet cables to optimize the wired connections.
Figure 7: Example Network Diagram (Click on images to view larger)
While a mini NetMon is perfect for the home network, it can be installed just as easily in satellite office locations and small businesses.
Penetration Testing Drop Box
You can also use the Mini NetMon device as a penetration testing dropbox to capture network traffic in your target network.
Figure 8: All Up in Your Network, Capturing All the Packets
In a penetration-testing scenario, you will ideally want to gain access to the NetMon interface remotely. To spawn a reverse-shell that will communicate with a command and control server and allow remote access to the device, all you need to do is configure a cron job using the Python Reverse Shell by Dave Kennedy, or something similar, and configure this to use port forwarding to view the NetMon web interface. From here, you can configure Deep Packet Inspection (DPI) rules to sniff passwords, take full packet captures, pivot to other systems, and much more.
This is just the beginning. There are many more features that we’d like to add to the Mini NetMon—and that’s where we need your help. We’re looking for ideas from the security community around what their needs are, how NetMon can help solve problems they are facing, and general product improvements. Some of the additional items we came up with:
- Reverse Shell for Remote Access
- Passive Wireless Sniffing and Management Interface
- Integrated Software Tap
- Scale Down the Hardware Requirements
If you have a Chromecast, AppleTV, or similar screen-casting device, you can build a miniature “SOC.”
Figure 9: DIY Home Network SOC
More Posts from LogRhythm Labs
- LogRhythm Challenge: Black Hat 2016
- The State of Ransomware: How to Prepare for an Attack
- 10 Security Predictions for 2016