Wednesday, February 24, 2010

Xplico - Network Forensics



Finally had a chance to play with Xplico, recently updated to version 0.5.5. For those not familiar with Xplico, please visit the development page here.
In short, Xplico is an open source tool designed to aid in dissecting large network captures in .pcap format. It can also do live captures and report on sessions as they get discovered. Installing Xplico is not trivial and required some trial and error on my part, so here are the condensed notes based on an Ubuntu 9.10 installation (run the commands below as root or under sudo).
apt-get install tcpdump tshark apache2 php5 php5-sqlite build-essential perl zlib1g-dev libpcap-dev libsqlite3-dev php5-cli libapache2-mod-php5 libx11-dev libxt-dev libxaw7-dev python-all sqlite3 recode libmysqlclient15-dev

cd /tmp
mkdir xplico_install
cd xplico_install
wget -O xplico-0.5.5.tgz http://sourceforge.net/projects/xplico/files/Xplico%20versions/version%200.5.5/xplico-0.5.5.tgz/download
tar zxvf xplico-0.5.5.tgz
wget http://geolite.maxmind.com/download/geoip/api/c/GeoIP-1.4.6.tar.gz
tar zxvf GeoIP-1.4.6.tar.gz
cd GeoIP-1.4.6
./configure
make
cd ..
rm -f GeoIP-1.4.6.tar.gz
cd xplico-0.5.5
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
gzip -d GeoLiteCity.dat.gz
make
cd ..
wget http://mirror.cs.wisc.edu/pub/mirrors/ghost/GPL/ghostpdl/ghostpdl-8.70.tar.bz2
tar jxvf ghostpdl-8.70.tar.bz2
rm -f ghostpdl-8.70.tar.bz2
cd ghostpdl-8.70
make
(the ghostpdl build will take some time, so go get coffee or something)
cd ..
cp ghostpdl-8.70/main/obj/pcl6 xplico-0.5.5
rm -rf ghostpdl-8.70
cd xplico-0.5.5
make install
cp /opt/xplico/cfg/apache_xi /etc/apache2/sites-enabled/xplico

- Add the following to /etc/apache2/ports.conf so Apache serves the Xplico virtual host on its own port:
# xplico Host port
NameVirtualHost *:9876
Listen 9876

- You will also have to edit the php.ini file located at /etc/php5/apache2/php.ini so that large captures can be uploaded through the web interface. Find and modify both of these lines (post_max_size must stay at least as large as upload_max_filesize):
post_max_size = 200M
upload_max_filesize = 100M

a2enmod rewrite
/etc/init.d/apache2 restart


Once you get this laundry list complete, simply fire up Firefox and launch the URL http://127.0.0.1:9876 (if on the local box) or http://(ip address):9876 if accessing remotely. Version 0.5.5 has a default username/password combination of xplico/xplico. Change it before anyone else can reach the port: Listen 9876 binds every interface, the interface speaks plain HTTP, and the captures you upload are your evidence. If you only need local access, restrict the Listen directive to 127.0.0.1 and reach a remote box over an SSH tunnel instead of exposing the port.

The first thing you'll want to do after logging in is create a new case. Xplico uses cases as the top level and sessions below them for every investigation; capture files are uploaded into a session. The screenshot below shows a session named example with multiple .pcap files uploaded and decoded by Xplico.
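Before a capture goes into a session it is worth confirming that it really is a libpcap file and that it is under the 100M upload limit set in php.ini above; a pcapng file or a capture that ends mid-packet is easier to catch on disk than after a failed upload and decode. The following added example is my own and is not part of the original post or of Xplico: it parses the libpcap global header and walks every packet record in pure Python, reporting link type, packet count, time span, packets cut short by the snaplen, and whether the file fits the limit. The 100 MiB limit, the build_pcap helper and the SAMPLE_PCAP it runs on are assumptions constructed for the example.

```python
import struct
from typing import Dict, List, Tuple

# Assumed limit, taken from the php.ini edit in the install notes (upload_max_filesize = 100M).
UPLOAD_LIMIT_BYTES = 100 * 1024 * 1024

# First four bytes of a classic libpcap file -> (struct byte-order prefix, timestamp divisor).
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", 1_000_000),      # little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4": (">", 1_000_000),      # big-endian, microsecond timestamps
    b"\x4d\x3c\xb2\xa1": ("<", 1_000_000_000),  # little-endian, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d": (">", 1_000_000_000),  # big-endian, nanosecond timestamps
}
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"  # Section Header Block of the newer pcapng format

# Common DLT values; anything else is reported by number.
LINKTYPES = {1: "ETHERNET", 101: "RAW_IP", 105: "IEEE802_11", 113: "LINUX_SLL"}


def inspect_pcap(data: bytes) -> Dict[str, object]:
    """Summarise an in-memory libpcap capture.

    Returns the link type, packet count, time span, number of packets cut
    short by the snaplen, and whether the file fits the upload limit.
    Raises ValueError for pcapng, an unknown magic, or a file that ends
    in the middle of a packet.
    """
    if data[:4] == PCAPNG_MAGIC:
        raise ValueError("pcapng capture; convert it to libpcap format first")
    if len(data) < 24 or data[:4] not in PCAP_MAGICS:
        raise ValueError("not a libpcap capture (first bytes %s)" % data[:4].hex())
    order, ts_div = PCAP_MAGICS[data[:4]]
    # Global header after the magic: version (2 x u16), thiszone (i32),
    # sigfigs (u32), snaplen (u32), link type (u32).
    major, minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(
        order + "HHiIII", data[4:24])

    count = cut_short = 0
    first_ts = last_ts = None
    offset = 24
    while offset < len(data):
        if offset + 16 > len(data):
            raise ValueError("truncated packet header at offset %d" % offset)
        # Per-packet header: ts_sec, ts_frac, captured length, original length.
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(
            order + "IIII", data[offset:offset + 16])
        if offset + 16 + incl_len > len(data):
            raise ValueError("packet %d at offset %d runs past end of file"
                             % (count + 1, offset))
        ts = ts_sec + ts_frac / ts_div
        first_ts = ts if first_ts is None else first_ts
        last_ts = ts
        if incl_len < orig_len:
            cut_short += 1  # recorded shorter than it was on the wire
        count += 1
        offset += 16 + incl_len

    return {
        "version": "%d.%d" % (major, minor),
        "byte_order": "little" if order == "<" else "big",
        "linktype": LINKTYPES.get(linktype, "DLT_%d" % linktype),
        "snaplen": snaplen,
        "packets": count,
        "cut_short": cut_short,
        "duration_s": 0.0 if first_ts is None else last_ts - first_ts,
        "size": len(data),
        "fits_upload_limit": len(data) <= UPLOAD_LIMIT_BYTES,
    }


def inspect_pcap_file(path: str) -> Dict[str, object]:
    """Same summary for a capture on disk."""
    with open(path, "rb") as fh:
        return inspect_pcap(fh.read())


def build_pcap(packets: List[Tuple[int, int, bytes, int]], big_endian: bool = False,
               nanoseconds: bool = False, linktype: int = 1, snaplen: int = 65535) -> bytes:
    """Build a libpcap file from (ts_sec, ts_frac, payload, original_length) tuples.

    Only used here to construct sample input; real captures come from tcpdump.
    """
    order = ">" if big_endian else "<"
    magic = b"\xa1\xb2\x3c\x4d" if nanoseconds else b"\xa1\xb2\xc3\xd4"
    if not big_endian:
        magic = magic[::-1]  # the magic is written in the file's own byte order
    out = magic + struct.pack(order + "HHiIII", 2, 4, 0, 0, snaplen, linktype)
    for ts_sec, ts_frac, payload, orig_len in packets:
        out += struct.pack(order + "IIII", ts_sec, ts_frac, len(payload), orig_len) + payload
    return out


# Constructed sample: two 60-byte Ethernet frames 1.5 s apart; the second was
# 1514 bytes on the wire but only 60 bytes were recorded (a snaplen artefact).
SAMPLE_PCAP = build_pcap([
    (1266969600, 0, b"\x00" * 60, 60),
    (1266969601, 500000, b"\x00" * 60, 1514),
])

if __name__ == "__main__":
    for key, value in inspect_pcap(SAMPLE_PCAP).items():
        print("%-18s %s" % (key, value))
```

Run inspect_pcap_file on each capture before creating the session. A file that reports fits_upload_limit as False can be split with editcap -c <packets per file> (part of the Wireshark suite) and the pieces uploaded into the same session, or the two php.ini limits raised further; a high cut_short count means the capture was taken with a small snaplen and application-layer reconstruction will be incomplete no matter what the decoder does.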


Navigating around the interface is fairly self-explanatory, but I've found it does a great job with decoding specific high-level applications such as HTTP and FTP. Others may find value in its ability to decode Facebook chat and various types of email.

To reconstruct HTTP sessions, set Firefox's proxy settings to point at Xplico (the screenshot below assumes Xplico is running on localhost). Keep that proxy setting in a dedicated Firefox profile: while it is active, every request from that browser goes to the Xplico host rather than to the live site.




Click on the Web menu item and select what you want to view. In this case, I am looking at HTML. Select the HTTP conversation you want to inspect and click on the URL recorded by Xplico. It will reconstruct the HTTP session and display it in a new window.

Future posts will go into more depth on Xplico as I have an opportunity to use it in real-world investigations. Kudos to the Xplico development team on a very promising tool...
