Visualizing Network map using BruteShark & Neo4J
Introduction
The process of analyzing a network can be simplified by visualizing the network map as a graph, this way we can incorporate and apply algorithms and techniques from the graph theory mathematics for deeper and further analysis. In this article i will show you how to do just that using two tools.
Whether you’re a penetration tester or a red team member doing a vulnerability tests, or whether you’re a cyber analyst or an incident response team member responding to an event, you are familiar with the process of analyzing a network.
When analyzing a network, one of the first steps we would do is to find the endpoints, all the hosts in the network and their connections, in order to create a network map, after we gathered the data it’s time to analyze it and get some insights.
There are plenty of tools and techniques that can help you gather this network map data, tools that work passively can gather this data form a network capture file(.pcap) such as “Wireshark” and more, there are also tools such as “Nmap” that can actively scan the network and can provide us real-time information, each method and it’s own pros and cons, sometimes, i.e. as a penetration tester you don’t want to actively scan the network and maybe expose your presence and compromise the test, and sometimes, as an analyst or an incident response team member the only thing you get is a network capture file(.pcap).
Network map data can include a lot of information about the hosts and connections, such as open ports, hosts operating systems and more, the basic information is the network topology, or: “which host connects to another”.
all these tools and different techniques and approaches simplify the process of gathering the network data, but the process of analysis and getting the information is more difficult and can be done in many ways.
One way of network analysis is by visualizing and represent the network map as a graph, visualizing data can be more convenient to an analyst to work with and, by incorporating this representation we can also apply algorithms and techniques from graph theory mathematics for further analysis.
The entire process can be done by using two tools:
BruteShark — A network forensics analysis tool capable of analyzing pcap capture files(.pcap), one of it’s capabilities is exporting the network connections occurred between hosts to json format that can be loaded into Neo4J.
Further information can be found in:
Neo4J — A graph database allowing visualization of data.
Further information can be found in:
First let’s gather the data out of out pcap capture using BruteShark cli, we’ll start by starting the cli and adding our pcap file to it’s processing list, after we’ve added the file we will start processing it and exporting the network map data to a json file
after we have our data exported, let’s start our Neo4j database and load the data into it.
Neo4j can be installed locally on your machine or by using docker.
In order to load any file to the Neo4j engine you need to make sure that you got the apoc plugin installed, enabled and configured correctly.
After we’ve started our database we’ll open it and the Neo4j browser, load the json file, and create a network map graph using Neo4j’s Cypher syntax:
CALL apoc.load.json(“YOUR-FILE-PATH”)
YIELD value
MERGE (n:Host {host: value.Source})
WITH n, value
UNWIND value AS val
MERGE (c:Host {host: val.Destination})
WITH val
UNWIND val as v
MATCH (src:Host)
MATCH (dest:Host) where v.Source = src.host and v.Destination = dest.host
MERGE (src) — [:Connects] → (dest)
Success!
Demo video:
From now on the world(well…the graph) is your playground! you can use Neo4j “algo” Cypher module to apply graph search algorithms such as BFS, DFS and more.
Happy analysis and if you have any further questions feel free to contact me :).
Best regards,
Aviad
