
Chrystal Dueno

Jul 13, 2024, 8:22:26 PM7/13/24
to firacwaicred

In this article we'll present Xplico, a network forensics tool installed in major digital forensics Linux distributions like Kali, BackTrack, Security Onion, DEFT, etc. In this tutorial, we'll take a look at the DEFT Linux distribution, which we can download from here: we need to download the 3 GB deft-8.1.iso file. Additionally, we can also take a look at the enclosed md5.txt file, which lists the MD5 hashes of the available files, as shown in the picture below.

Xplico Network Forensic Analysis Tool


We can use the MD5 hashes to check whether the downloaded file has the same hash, which verifies that we've downloaded the same version of the file and that nobody has tampered with it in transit. Tampering can happen if an attacker has gained access to one of the intermediary points in the data transmission; in most cases this happens through MITM attacks on your local LAN. It's fairly easy to check whether the files are the same by using the md5sum program as presented below.
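The same check written out in Python, as an added example that is not code from the original article: it parses md5.txt, streams the ISO through MD5 and compares the digests, and the demo shows that a single altered byte is caught. Keep in mind that an md5.txt fetched from the same server as the ISO only guards against corruption or tampering on the transfer path; it cannot help if that server itself is compromised, so prefer signed checksums where a distribution publishes them.

```python
# Added example (not from the original article): verify a downloaded ISO
# against the md5.txt shipped beside it, as the article does for deft-8.1.iso.
# demo() writes small constructed stand-in files so the code runs offline.
import hashlib
import os
import tempfile

def parse_md5_txt(text):
    """Map filename -> hex digest from md5sum-style lines '<hash>  <name>'.
    A leading '*' on the name (md5sum's binary-mode marker) is dropped."""
    table = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            digest, name = parts
            table[name.lstrip("*")] = digest.lower()
    return table

def md5_of_file(path, chunk_size=1 << 20):
    """Stream the file in chunks so a 3 GB ISO never has to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_iso(directory, iso_name):
    """True if the ISO's digest matches its md5.txt entry, False on mismatch.
    Raises KeyError when md5.txt carries no entry for the file at all."""
    with open(os.path.join(directory, "md5.txt")) as f:
        expected = parse_md5_txt(f.read())[iso_name]
    return md5_of_file(os.path.join(directory, iso_name)) == expected

def demo():
    """Constructed data: a tiny fake ISO plus a matching md5.txt, then a
    one-byte change that the check must catch. Returns (before, after)."""
    with tempfile.TemporaryDirectory() as d:
        iso = os.path.join(d, "deft-8.1.iso")
        with open(iso, "wb") as f:
            f.write(b"constructed stand-in for the ISO image\n")
        with open(os.path.join(d, "md5.txt"), "w") as f:
            f.write(f"{md5_of_file(iso)}  deft-8.1.iso\n")
        intact = verify_iso(d, "deft-8.1.iso")
        with open(iso, "ab") as f:
            f.write(b"\x00")            # simulate corruption or tampering in transit
        tampered = verify_iso(d, "deft-8.1.iso")
    return intact, tampered

if __name__ == "__main__":
    print(demo())                       # (True, False)
```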

Notice that the hash of deft-8.1.iso matches the one published in md5.txt. This is a clear indication that the files are the same, and at this point we can use the file without hesitation, since we know it is valid and legitimate. After downloading a valid version of DEFT, we can boot it up by using standard virtualization tools like VMware/VirtualBox, but we'll use QEMU. First we have to create the QEMU image with the command below:

We could also use a simpler script with just a few lines, but the script above sets a specific MAC address on the eth0 network interface, uses user-mode networking, and shares the /home/ directory between host and guest. Then we can boot into the live CD version of the DEFT operating system or install the system to /home/deft.qcow2 as already configured. When the system has finished booting, we can see the eth0 interface settings, where the IP address 172.16.1.21 has been assigned to eth0.

When connected to the Xplico web interface, we can start a new case by either uploading a PCAP capture file or acquiring the data live from existing interfaces. In our case, we'll create a test case, which defines the capture point in a network.

After creating a new case, we also have to create a new session; each case can have multiple sessions, differentiated by time interval, and each session can have multiple pcap files. A new session can be created by clicking the 'New Session' link on the left side of the menu. In the new session, the following will be shown, where none of the supported protocols has a count assigned yet, since we haven't uploaded a pcap file. The picture below also presents the option to choose a pcap file and upload it. When the pcap file is uploaded, Xplico will automatically start decoding and analyzing it, indicated by the red text 'File uploaded, start decoding...' at the top of the page.

The great thing about Xplico is that it can automatically parse and analyze pcap files or acquired network traffic. Imagine the pcap file being analyzed in Wireshark, where we have to enter a filter to show only a subset of all the data, the part we're interested in. Then we can select an interesting packet, right-click on it and follow the stream. Doing that for each and every packet would quickly become tiresome, since we don't have the time or energy to analyze all the traffic in such a way. Therefore, Xplico is a great tool which can considerably reduce the time that would normally be needed for analysis. Let's now take a look at what Xplico can do by using the analyzed pcap file.

After that we have to create a new session and re-upload the data for the changes in Xplico to take effect. The new DNS requests will now look like the picture below, where we can see that the time is the same as in Wireshark.

The Host field shown in Xplico can just as easily be seen in Wireshark's Info column; it isn't as pretty though, because Wireshark presents other information not relevant to some use cases. Therefore, Xplico does a good job of abstracting away the details in order to present the information in a clear and concise way.

The CName column can also be seen in Wireshark's Info column. To see it we have to use the "dns and dns.qry.name==code.jquery.com" filter, since twitter.com didn't have a CNAME. You can see the same information as in the previous Xplico screenshot in the picture below, where "code.jquery.netdna-cdn.com" is shown.

If we look at the packet details in Wireshark, we can see the Answers section, which actually contains the four returned addresses. But Xplico reported just one IP address, the first one on the list, which is the one used anyway. Upon subsequent DNS requests for the same domain, the order of IP addresses will very likely be different, which will cause the client to use whichever address is listed first. Therefore, we're not losing much when Xplico doesn't report all returned IP addresses, because the first one is used anyway.
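To make the difference between the two views concrete, here is an added example (not code from the original article) that parses the answer section of a DNS response the way Wireshark's Answers view shows it: the CNAME record followed by every A record. The response bytes are constructed in code after the article's case (code.jquery.com -> CNAME code.jquery.netdna-cdn.com -> four A records); the addresses are made-up RFC 5737 documentation IPs, and the parser handles the name compression pointers real responses use.

```python
# Added example (not from the article): parse a DNS response's answer section as Wireshark's
# "Answers" view shows it. Packet constructed after the article's case; IPs are made up.
import struct
TYPE_A, TYPE_CNAME = 1, 5

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def read_name(data, off):
    """Decode a possibly compressed name (RFC 1035 4.1.4); return (name, end offset)."""
    labels, end = [], None
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:                  # pointer: jump, remember the first end
            end = off + 2 if end is None else end
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode())
        off += length
    return ".".join(labels), (off if end is None else end)

def parse_answers(data):                           # -> [(owner, rtype, rdata)]
    qdcount, ancount = struct.unpack("!HH", data[4:8])
    off = 12
    for _ in range(qdcount): off = read_name(data, off)[1] + 4   # skip questions
    answers = []
    for _ in range(ancount):
        owner, off = read_name(data, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = (".".join(str(b) for b in data[off:off + 4]) if rtype == TYPE_A
                 else read_name(data, off)[0])     # A or CNAME, the only types built here
        answers.append((owner, rtype, rdata))
        off += rdlen
    return answers

def build_sample_response():
    """Constructed reply: one question, one CNAME, four A records (with pointers)."""
    pkt = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 5, 0, 0)
    pkt += encode_name("code.jquery.com") + struct.pack("!HH", TYPE_A, 1)
    target = encode_name("code.jquery.netdna-cdn.com")
    pkt += struct.pack("!HHHIH", 0xC00C, TYPE_CNAME, 1, 300, len(target))  # owner -> offset 12
    target_off, pkt = len(pkt), pkt + target       # A-record owners point at the CNAME target
    for ip in ("192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13"):    # RFC 5737 sample IPs
        pkt += struct.pack("!HHHIH", 0xC000 | target_off, TYPE_A, 1, 60, 4)
        pkt += bytes(int(o) for o in ip.split("."))
    return pkt
```

`parse_answers(build_sample_response())` returns five records; a first-address-only summary corresponds to the first A record, while the remaining three are what such a summary drops.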

We've seen how Xplico compares to Wireshark when analyzing data: Xplico analyzed the data and abstracted away all the details we're not interested in, which makes it great for quickly viewing the results. Let's also look at the other features of Xplico, which allow us to see the actual GET requests, which can be filtered by an input string. The picture below presents all the requests to the webpage 'serverfault.com':

In the Undetected menu we can observe all the traffic that wasn't detected and processed by Xplico. Such traffic is presented below, where we can see the date of the actual traffic, the destination domain names and port numbers, as well as other information.

In this article we've seen that Xplico is a great tool for analyzing network traffic, since it has multiple protocol dissectors, which can be used to analyze specific protocols inside a .pcap file. The obtained results are presented in an easy-to-understand web interface, which does a great job of presenting all the relevant information to the user. We've also taken a look at Wireshark and how it compares to Xplico, but let me summarize: Xplico is not an alternative to Wireshark; it's merely a tool which does a great job of analyzing and presenting information in nice colorful graphs and tables in a web interface.

Dejan Lukan is a security researcher for InfoSec Institute and penetration tester from Slovenia. He is very interested in finding new bugs in real-world software products with source code analysis, fuzzing and reverse engineering. He also has a great passion for developing his own simple scripts for security-related problems and learning about new hacking techniques. He knows a great deal about programming languages, as he can write in a couple of dozen of them. He is also passionate about antivirus bypassing techniques, malware research and operating systems, mainly Linux, Windows and BSD. He also has his own blog available here:

Network forensic tools are incredibly useful when it comes to evidence collection, especially in a day and age when most people are constantly within reach of a cell phone, laptop and other technology. In this blog post we explore nearly two dozen types of network forensics tools and techniques that cybersecurity professionals are using to aid in investigations.


Xplico is an open source network forensics tool that differs from a network protocol analyzer. Xplico extracts the application content carried by protocols such as HTTP, IMAP, POP and SMTP. Xplico comes with a variety of powerful features such as data reassembly, real-time elaboration and Port Independent Protocol Identification (PIPI). Xplico is able to quickly and easily export reports into SQLite, MySQL and other formats.

NetworkMiner is an open source network forensics tool that extracts artifacts, such as files, images, emails and passwords, from captured network traffic in PCAP files. NetworkMiner can also be used to capture live network traffic by sniffing a network interface. Detailed information about each IP address in the analyzed network traffic is aggregated into a network host inventory, which can be used for passive asset discovery as well as to get an overview of which devices are communicating. NetworkMiner is primarily designed to run on Windows, but can also be used on Linux.

NetworkMiner has, since the first release in 2007, become a popular tool among incident response teams as well as law enforcement. NetworkMiner is today used by companies and organizations all over the world.

User credentials (usernames and passwords) for supported protocols are extracted by NetworkMiner and displayed under the "Credentials" tab. The credentials tab sometimes also shows information that can be used to identify a particular person, such as user accounts for popular online services like Gmail or Facebook.

Another very useful feature is that the user can search sniffed or stored data for keywords. NetworkMiner allows the user to enter arbitrary strings or byte patterns to be searched for with the keyword search functionality.

NetworkMiner Professional can be delivered either as an Electronic Software Download (ESD) or shipped physically on a USB flash drive. The product is exactly the same, regardless of delivery method. NetworkMiner is a portable application that doesn't require any installation, which means that the USB version can be run directly from the USB flash drive. However, we recommend that you copy NetworkMiner to the local hard drive of your computer in order to achieve maximum performance.

Install Mono (a cross-platform, open source .NET framework), download and extract NetworkMiner, and then start it with mono NetworkMiner.exe. For more details, please see our HowTo install NetworkMiner in Ubuntu Fedora and Arch Linux blog post.
