Xplico

This version brings some improvements and fixes some bugs too serious.

• RTP, FTP, Telnet, SIP dissectors improvements
• RTP bug fix
• Xplico Interface XSS Vulnerability fixed
• Xplico Interface updated to CakePHP 1.2.7
• new tool named trigcap to manage pcap
• new version (0.63) of videosnarf

We thank:

• Maximiliano Soler from Security-Database and Marcos Garcia from Zero Science Lab for finding the vulnerability (XSS) and for helping us.
• Alex Antão for having supported us in finding a bug in RTP

You can download VirtualBox.org image, source code and Ubuntu 10.04 package here.

Enjoy .

At SourceForge there is a VirtualBox.org image of Debian 5.0 with Xplico 0.5.7 installed and running.

Click here to download it.

Thanks to Carlos Gacimartín.

This release introduces improvements in the SIP and RTP dissectors.
In this version was also added the RTCP dissector, with this dissector Xplico is able to obtain the phone numbers of the caller and called party (obviously only if present in the RTCP packets).

DEFT 5.1 Live distribution contains this version.

You can download source code and Ubuntu 10.04 package here.

Enjoy .

In this version there are new and important features:

• HTTP reconstruction file. ie: files downloaded with tools like DownThemAll
• undecodec UDP and TCP “stream” with textual content
• RTP dissector
• SIP dissector
• SDP dissector
• Improved XI
• many bugfix

This version of the SIP and RTP dissectors is not optimal. The (media) contents currently decoded have the following characteristics (limitations) :

• only audio
• audio codec: G711ulaw, G711alaw, G722, G729, G723 and G726
• only static RTP payload type

We have to thank:

• Michele Dallachiesa, for his wonderful tool rtpbreak and for his papers on VoIP protocols
• UCSniff Team for their tool VideoSnarf
• Carlos Gacimartín, for his help and for Virtualbox Image
• Massimiliano Dal Cero for his help with flash application
• all forum users for their debug

You can download VirtualBox.org image, source code and Ubuntu 9.10 package here.

Enjoy .

Tomorrow 10 March Carlos Gacimartín, of Xplico team, will hold a conference and a demo of Xplico in Madrid.
Anyone wishing to attend the conference is invited to:

Room 1.1.F01
University Carlos III
Avda. Universidad 30, Leganés
Madrid, Spain
At 16:00

With pleasure we announce that Xplico is officially included in BackTrack repository.
Thanks to everyone and in particular to the team of BackTrack.

In this version:

• migrating to SQLite3
• telnet dissector
• webmail dissector
• webmail manipulator: Yahoo!, AOL, Hotmail (all without attachments)
• Improved LLC dissector
• Improved XI
• script to check new release (only in source code)

Hotmail (Live) depends on the language. Currently the languages supported are Italian and English.
Any feedback are welcome: forum.

You can download VirtualBox image, source code and Ubuntu 9.10 package here.

Currently there are at least 2 Forensic challenges in which Xplico can be used and can facilitate the analysis. These two challenges are:

• Forensic Challenge 2010 – pcap attack trace
• Ann’s AppleTV

We do not answer the questions, here we will give some indication of use of Xplico.

The “Ann’s AppleTV” pcap file has no particular problems of decoding, in fact if you process the pcap you obtain the data represented in the  two pictures below.

For the “Forensic Challenge 2010 – pcap attack trace” pcap  decoding requires more attention. In fact this pcap file has corrupted packet  (and not retransmitted), so you must disable the Xplico checksum verification (HowTo).

From cli the command is:

./xplico -c config/xplico_cli_nc.cfg -m pcap -f attack-trace.pcap

Since Xplico is able to recognize the protocols (not all) even if they use non-standard ports is easy to see what protocol was used and which data file was downloaded.
In the figure below there is the result of decoding with XI.

Enjoy .

This version of Xplico introduce new and important features:

• Facebook web chat dissector
• New XI based on CakePHP 1.2.5
• New representation of images
• For each image you can see (with the proxy enabled) the page where the image is contained
• WLAN and LLC basic dissectors
• HTTP dissector Improvements

You can download source code, Ubuntu 9.10 package and VirtualBox.org image here.

You can find this release in DEFT Vx5 Linux distribution.
You can download source code, Ubuntu 9.10 package and VirtualBox.org image here.

This version of Xplico introduce many new features:

• snoop Packet Capture File Format as input file
• DNS dissector with graphical representation in Xplico Interface (XI)
• NNTP dissector
• PPPOE dissector
• direct live acquisition from XI
• new dispatcher named CLI: this dispatcher organize the data extracted in a tree as this:
  
xdecode/<ip_src_1>/http
xdecode/<ip_src_1>/mail/
xdecode/<ip_src_1>/nntp
xdecode/<ip_src_1>/ftp
xdecode/<ip_src_1>/...
xdecode/<ip_src_2>/http
xdecode/<ip_src_2>/mail/
xdecode/<ip_src_2>/nntp
xdecode/<ip_src_2>/ftp
xdecode/<ip_src_2>/...


• default  CLI dispatcher in command line execution
• file extension for the HTTP contents

We have to thank:

• Carlos Gacimartín, for his help
• Doriano Azzena, for his support in debugging
• Matteo G.P. Flora for inspiration of DNS XI graphics
• Open Flash Chart team for their wonderful tool
• all forum users for their debug

Enjoy .