ClsHack:Computer Security Blog    

[How-To] Xplico: Network Forensic Analysis Tool


Xplico, which is now included in BackTrack, is a Network Forensic Analysis Tool (NFAT).

If that is not entirely clear: it is software that reconstructs the content of packet captures (pcap) taken with a sniffer such as Wireshark, tcpdump etc., or captured by Xplico itself (“Live MODE”).

Xplico can reconstruct all the data carried by protocols such as HTTP, IMAP, POP, SMTP, SIP (VoIP), FTP and TELNET, and it can also pick out well-known chats like Facebook :D or exchanged emails ;)


Xplico, of course, is Open Source :D

Let's see how to install it on Ubuntu ;)

The first thing to do, is to install these packages:

sudo apt-get install libice6 tshark libsm6 build-essential
sudo apt-get install sqlite tcpdump tshark libx11-dev libxt-dev libxi-dev apache2 php5 php5-sqlite build-essential perl zlib1g-dev libpcap-dev libsqlite0-dev libmysqlclient15-dev python-all

Now we download and install Xplico => *.DEB FILE

DOWNLOAD XPLICO
We go to the folder where the Xplico deb resides:
Example:
cd $HOME/Downloads
And then install Xplico:
sudo dpkg -i xplico*
sudo apt-get install -f
Now we fix a small imperfection in PHP :D
The upload size there is set to 2MB :(
Thirty seconds of Wireshark with a user browsing captures at least 2.1 MB, and if we then upload the *.cap to Xplico it returns an error :(

Then we edit the file /etc/php5/apache2/php.ini and set these two options:
post_max_size = 100M

upload_max_filesize = 100M
Instead of 100 you can also put, say, 100000, whatever you want ;)
Restart apache:

sudo /etc/init.d/apache2 restart
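The edit above is easy to get wrong (a typo in the key, editing a commented-out line, or editing the CLI php.ini instead of the Apache one), and the error only shows up later as a failed upload. The script below is an added example, not code from the original post or from the Xplico project: it rewrites the two limits in php.ini the way PHP itself reads the file (the last non-comment assignment wins), verifies that the values actually took, and only then restarts Apache. The path /etc/php5/apache2/php.ini is the one the post uses; the --apply flag and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): raise the PHP upload limits that
# block pcap uploads in Xplico's web GUI, and verify the edit before restarting.
# Assumes the php.ini path used in the post; override with PHP_INI=... if needed.

PHP_INI="${PHP_INI:-/etc/php5/apache2/php.ini}"

# Print the effective value of KEY in FILE. Lines starting with ';' are
# comments and are skipped; the last uncommented assignment wins, which is
# how PHP parses the file. Prints nothing if the key is never set.
php_ini_get() {
    file="$1"; key="$2"
    awk -v k="$key" '
        /^[[:space:]]*;/ { next }
        $0 ~ ("^[[:space:]]*" k "[[:space:]]*=") {
            sub("^[[:space:]]*" k "[[:space:]]*=[[:space:]]*", "")
            sub("[[:space:]]*$", "")
            v = $0
        }
        END { if (v != "") print v }
    ' "$file"
}

# Set KEY to VALUE in FILE in place, keeping a FILE.bak copy. Every
# uncommented assignment of KEY is rewritten; if there is none, one is appended.
php_ini_set() {
    file="$1"; key="$2"; value="$3"
    if grep -Eq "^[[:space:]]*$key[[:space:]]*=" "$file"; then
        sed -i.bak -E "s/^([[:space:]]*$key[[:space:]]*=).*/\1 $value/" "$file"
    else
        cp "$file" "$file.bak"
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# Raise both limits to LIMIT (default 100M) and re-read the file to confirm.
# Returns 1 if either value did not take, so a botched edit is caught before
# Apache is restarted.
xplico_raise_upload_limit() {
    file="$1"; limit="${2:-100M}"
    for key in post_max_size upload_max_filesize; do
        php_ini_set "$file" "$key" "$limit"
        [ "$(php_ini_get "$file" "$key")" = "$limit" ] || return 1
    done
}

# Real run (as root): sudo sh raise_upload_limit.sh --apply [LIMIT]
# The new limits only become effective after Apache is restarted.
if [ "${1:-}" = "--apply" ]; then
    xplico_raise_upload_limit "$PHP_INI" "${2:-100M}" &&
        /etc/init.d/apache2 restart
fi
```

Two details matter in practice: post_max_size must be at least as large as upload_max_filesize, or the smaller one wins, and the file to edit is the Apache php.ini, not /etc/php5/cli/php.ini, which is why the script re-reads the file it patched rather than trusting the edit.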

Now start Xplico:
sudo /etc/init.d/xplico start
Now we access the web GUI :D
So open your browser and go to:
http://localhost:9876
Log in with the default user:
Xplico

Now create a new “case” => “new session” and enjoy Xplico.

What we do with Xplico ?

So, for example, are we at school?
Or are there wifi networks nearby :D ?

Well, then we combine the power of ettercap with Wireshark and this attack => GUIDE: Arp Poisoning by evilsocket :)
with Xplico…

We capture the remote packets, filter by IP, and poke into their business :D

Facebook chats, emails, sites, tons of images…

Have fun :D

Related posts:

  1. RATS: Rough Auditing Tool for Security
  2. SoftPerfect Network Scanner:LAN NETWORK WITHOUT SECRETS
  3. w3af:Web Application Attack and Audit Framework
  4. AutoScan: EXCELLENT Network Scanner UBUNTU and windows :P
  5. WireShark:Sniffs all WIFI Password / MSN data

This entry was posted on Friday, May 7th, 2010 at 9:31 am and is filed under GNU/Linux, Hacking, Software. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

  • One at random or by chance

    Hello,
    little known but important: poking into “their business” is UNLAWFUL regardless of how careless these “they” are.

    However, it is not a given that it is always possible, for example:
    – encrypted connections / communications: https, ssh, sftp, …
    – tools like SniffJoke

    Greetings.

  • L1ghtman

    Mmhh… When I have time I'll try it, but what exactly does it do?

  • clshack

    @ L1ghtman:

    Umm, I don't understand why certain questions :P

    @ One at random or by chance:

    One, One at random or by chance, I have to stress that using techniques such as Arp Poisoning is ILLEGAL :)

    For encrypted connections, well, here it's just ettercap: Xplico rebuilds everything, but tools like ettercap can sniff and capture passwords on encrypted connections…

    An example:

    http://www.alessandroscoscia.it/it/2009/03/06/arp_poisoning_e_ssl_sniffing_per_la_cattura_delle_password.html

  • Gianluca

    @clshack
    I have never tried what Alessandro Scoscia describes… I'll just have to find a bit of time to experiment with the example.

    I forgot to thank you for your post.
    Hello.
    Gianluca

  • clshack

    @ Gianluca:

    You're welcome Gianluca…

    I wanted to correct myself: ettercap does not sniff encrypted connections, external tools do.

    I also wanted to point you to sslstrip, which goes very well together with ettercap :D

    In the video section of backtrack.it, see a demonstration with ettercap and sslstrip.

    Hello and congratulations to you and your partner on Xplico :D

    Any new software versions will be reported ;)

    Hello :)

  • Pingback: [chronicle]Man in the Middle attack:Help with ettercap | Clshack

  • Pingback: news on the world of programming » [How-To]Xplico:Network Forensic Analysis Tool

  • http://www.realtanascosta.it L1ghtman

    I have Ubuntu 11.04 64 bit; when I try to install it gives me:
    l1ghtman @ F4b3x PC:~ / Downloads $ sudo dpkg-i * xplico_
    dpkg: error processing xplico_0.6.1_i386.deb (–install):
    architecture of the package (i386) does not match that of the system (amd64)
    There were errors in the:
    xplico_0.6.1_i386.deb

    So I try with:
    l1ghtman @ F4b3x PC:~ / Downloads $ sudo dpkg-i –force-architecture xplico_*
    dpkg: attention: the problem is ignored because it is used the option –force:
    architecture of the package (i386) does not match that of the system (amd64)
    (Reading the database… 162201 files and directories currently installed.)
    Preparing to replace Xplico:i386 v.0.6.1 (using xplico_0.6.1_i386.deb)…
    Unpacking replacement Xplico:i386…
    invoke-rc.d: unknown initscript, /etc/init.d/xplico not found.
    dpkg: attention: subprocess post-removal script returned error status 100
    dpkg – is trying script from the new package…
    invoke-rc.d: unknown initscript, /etc/init.d/xplico not found.
    dpkg: error processing xplico_0.6.1_i386.deb (–install):
    subprocess new post-removal script returned error status 100
    invoke-rc.d: unknown initscript, /etc/init.d/xplico not found.
    dpkg: Error during cleaning:
    subprocess new post-removal script returned error status 100
    There were errors in the:
    xplico_0.6.1_i386.deb

    and it doesn't solve it… why?

    Thanks, L1

  • http://www.nemesilabs.org Xanio

    @ L1ghtman: just at a glance, I suggest you download the right package for your 64bit architecture ;)
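The dpkg output in the thread above is the expected result of installing an i386 .deb on an amd64 system, and --force-architecture only hides the check, it does not make the binaries run. The script below is an added example (not from the post, the commenters, or the Xplico project) of a preflight check to run before dpkg -i: it compares the package architecture with the host's and refuses on a mismatch. It reads the architecture from the package's control file when dpkg-deb is available and otherwise from the Debian filename convention name_version_arch.deb; the function names and the example_1.0.0_amd64.deb filename are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): refuse to install a .deb built
# for another architecture instead of forcing it with --force-architecture.

# Debian architecture name of this host. Prefers dpkg's own answer and falls
# back to mapping uname -m for the common cases.
host_deb_arch() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --print-architecture
        return
    fi
    case "$(uname -m)" in
        x86_64)  echo amd64 ;;
        i?86)    echo i386 ;;
        aarch64) echo arm64 ;;
        *)       uname -m ;;
    esac
}

# Architecture a package was built for. The control file is authoritative,
# so use dpkg-deb when the file exists and the tool is present; otherwise
# take the last underscore-separated field of the filename (name_version_arch.deb).
deb_arch() {
    pkg="$1"
    if [ -f "$pkg" ] && command -v dpkg-deb >/dev/null 2>&1; then
        dpkg-deb --field "$pkg" Architecture
        return
    fi
    base="${pkg##*/}"
    base="${base%.deb}"
    echo "${base##*_}"
}

# Return 0 when PKG can be installed natively on an ARCH host.
# Packages marked "all" carry no compiled code and install anywhere.
deb_arch_matches() {
    pkg_arch="$(deb_arch "$1")"
    [ "$pkg_arch" = "all" ] || [ "$pkg_arch" = "$2" ]
}

# Usage: sh check_deb_arch.sh xplico_0.6.1_i386.deb && sudo dpkg -i xplico_0.6.1_i386.deb
if [ -n "${1:-}" ]; then
    host="$(host_deb_arch)"
    if deb_arch_matches "$1" "$host"; then
        echo "ok: $1 matches host architecture $host"
    else
        echo "mismatch: $1 is $(deb_arch "$1"), this host is $host; get the $host package" >&2
        exit 1
    fi
fi
```

On the system in the thread the check prints "mismatch: xplico_0.6.1_i386.deb is i386, this host is amd64", which is the same fact dpkg reported, but before anything is unpacked and before a half-installed package leaves a broken postrm script behind.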

  • Pingback: Xplico 1.0.0: Network traffics are in your hands :)ClsHack:Computer Security Blog

  • Vu Huy Quan

    hi. can you help me??? i am sorry.. i am vietnamese. i do not write english well.
    when i start xplico with eth1 i have this error:
    Warning (2): fopen(/opt/xplico/pol_1/realtime_start) [http://php.net/function.fopen]: failed to open stream: No such file or directory [APP/controllers/sols_controller.php, line 515]

    Warning (2): fwrite() expects parameter 1 to be resource, boolean given [APP/controllers/sols_controller.php, line 516]

    Warning (2): fwrite() expects parameter 1 to be resource, boolean given [APP/controllers/sols_controller.php, line 517]

    Warning (2): fclose() expects parameter 1 to be resource, boolean given [APP/controllers/sols_controller.php, line 518]

    Warning (2): Cannot modify header information – headers already sent by (output started at /opt/xplico/xi/cake/libs/debugger.php:683) [CORE/cake/libs/controller/controller.php, line 742]

    thankssssssss. I try with backtrack 5 R2

  • clshack_

    yes, because the file
    (/opt/xplico/pol_1/realtime_start) doesn't exist… do you have permission for this?

  • Muertehtml

    Hey man
    I did this: post_max_size = 100M
    upload_max_filesize = 100M
    and it's still not letting me upload a 12 meg pcap.

    Otherwise everything is perfect.
    Could you help please?