NetMon Freemium – Use case : Detect non-encrypted logins

This is one of the few times  that I have written about a product for a company that I am working for. NetMon, or Network Monitor by LogRhythm is in my opinion well warranted all the extra PR and I hope by writing about it I can interest you in trying it out. In just a few minutes you could get full visibility into your corporate or home network.

Let me show you one great use case of where NetMon truly shines. From it I think you will see how using NetMon will increase the visibility of what happens on your network and how it can detect vulnerabilities that no virus scanner or malware detection tool will detect. This is something that you can use on your home network as well as on your company network.

The use case is detecting unencrypted logins. Obviously with unencrypted logins on your network you are extra vulnerable if a hacker manages to get pass your firewall and starts sniffing network traffic. Detecting clear text credentials from the services you use on the internal network is vital when securing your network.

NetMon provides capture of network packets and deep packet inspection and metadata extraction from these packets. Think scary NSA “big brother sees you”, but for personal or company protection.

With the metadata extraction comes rich searches through a simple interface with the Lucene query syntax.  To make this truly kick-ass;  these searches can be saved into alerts that are triggered if any network data matches your search.

Even better than that is the Deep Packet Analytics (DPA) which is just fancy way of saying Lua scripting  to process  incoming packet data and extracted metadata.  What’s Lua? you might ask. Lua is a tiny-footprint-and-highly-efficient scripting language that is easy to learn and integrate with other high performance code. It is mostly famous for being the game engines scripting language of choice.

Back to the core topic: Detecting non-encrypted logins.  Now, why would you care about that on your home network or on your company network?

It’s simple.  You will not be able to stop all network intrusion! It’s not a question on “if” but on “when” someone else will be snooping and listening on what happens on your network. If you have a service, internal -> internal, or worse, internal -> external, that does not encrypt your credentials than that’s the same as clear text credentials. Once an intruder has gotten hold of that information you can be sure that it will be used against you.


Using the metadata extracted from NetMon’s engine you can make a search-and-alert that would trigger if an non-encrypted password is sent over your network. It becomes even better with DPA scripting as you can use that to fine-tune your alert and remove many false positives.

Here’s the core of the detect clear text credentials rule I wrote in 2015.

In pseudo-code:


if IsValid(user) && IsValid(password) {
TriggerAlert(“Clear text password detected for user:$user, passwd:$passwd)

Now, with the metadata and function callback in NetMon it’s a little bit more complicated but not by much. There is some calling convention and you have to specify the metadata you need to look into. NetMon comes with great documentation and code snippets that show what metadata is available and how you can use it.

Here’s the DPA/Lua equivalent of the pseudo-code above:

user=GetString(network_msg, 'http', 'auth_username')
password=GetString(network_msg, 'http', 'auth_username')
if (IsValid(user) and IsValid(password)) then
  SetCustomField(network_msg, 'ClearTextCredentials_User', user)
  SetCustomField(network_msg, 'ClearTextCredentials_Passwd, masked_password)
TriggerUserAlarm(network_msg, script_engine, 'high')

* IsValid(…) is just validation that the value is not nil or empty
** ‘network_msg’,  and ‘script_engine’ is needed for the callbacks to connect properly on the server side. These variables are passed into your script as start attributes.

In short. If the login over http is in readable clear text instead of encrypted then it is not secure and you need to be shut that sh*t down before the hacker shuts your company down!

Here’s the blog entry from LogRhythm that showcased this rule the first time:

About kjellkod

Software Engineer by trade, (former?) Martial Artist and Champion by strong will and small skill... and a Swede by nationality :)
This entry was posted in NetMon, Security. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s