Open Source Network Forensic Analysis Tool (NFAT) 


Xplico 0.6.2: l7-patterns

This version introduces an l7-patterns classifier for all flows that Xplico does not decode, improves real-time acquisition, adds new features to the XI (Xplico Interface) and fixes many bugs.

ChangeLog:

  • l7-patterns for all flows/protocols not decoded by xplico
  • Xplico Interface (XI) improved
  • many scripts ported to Python 3
  • realtime capture module improved
  • facebook chat realtime view
  • UTC/localtime bug fixes
  • l2tp dissector bug fixes
  • cli and lite dispatchers bug fixes
  • telnet dissector bug fixes
  • trigcap bug fixes
  • new script named session_mng.pyc to make it easier to create a new case and/or a new session from the command line
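To show what an l7-patterns classifier does for the flows the protocol dissectors leave undecoded, here is an added example (not Xplico's code and not the l7-filter project's patterns). It loads a small constructed pattern set laid out roughly like an l7-filter pattern file (comment lines, a protocol-name line, then the regex on the next line), concatenates the first bytes of a flow's payload, and reports the first matching protocol or "unknown". The regexes and the sample flows are simplified ones written for this example.

```python
import re

# Constructed pattern set in roughly the l7-filter file layout: comment lines,
# a protocol-name line, then the regex on the following line. These regexes
# are simplified ones written for this example; they are neither the
# l7-filter project's patterns nor Xplico's.
PATTERNS_TEXT = r"""
# HTTP: a status line from the server, or a request line from the client
http
http/(0\.9|1\.0|1\.1) [1-5][0-9][0-9]|(get|post|head) [\x21-\x7e]+ http/1\.[01]

# SSH: the identification string both peers send first
ssh
^ssh-[12]\.[0-9]

# SMTP: the server greeting
smtp
^220[\x09-\x0d -~]* (e?smtp|simple mail)
"""

MAX_BYTES = 2048   # inspect only the start of the conversation, as l7-filter does


def load_patterns(text):
    """Parse l7-filter style text into a list of (protocol, compiled regex).

    Non-comment lines come in pairs: name, then regex. Patterns are compiled
    as byte regexes, case-insensitively, because flow payload is raw bytes.
    """
    lines = [ln.strip() for ln in text.splitlines()
             if ln.strip() and not ln.lstrip().startswith('#')]
    if len(lines) % 2:
        raise ValueError('pattern file must alternate name / regex lines')
    return [(name, re.compile(rx.encode('latin-1'), re.IGNORECASE | re.DOTALL))
            for name, rx in zip(lines[0::2], lines[1::2])]


def flow_payload(packets, limit=MAX_BYTES):
    """Concatenate the application payloads of a flow in arrival order (both
    directions mixed, as seen on the wire) and keep only the first `limit`
    bytes. NUL bytes are dropped so the regex sees the data the way a C
    string would; that is a choice made in this example."""
    return b''.join(packets)[:limit].replace(b'\x00', b'')


def classify(packets, patterns):
    """Return the first protocol whose pattern matches the flow payload, or
    'unknown' when none does (the case a decoder-based tool leaves behind)."""
    data = flow_payload(packets)
    for name, rx in patterns:
        if rx.search(data):
            return name
    return 'unknown'


# Constructed flows: application payload only, TCP/IP headers already stripped.
SAMPLE_FLOWS = {
    'web': [b'GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n',
            b'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>'],
    'remote_shell': [b'SSH-2.0-OpenSSH_8.9\r\n',
                     b'SSH-2.0-OpenSSH_8.9\r\n'],
    'mail': [b'220 mail.example.test ESMTP ready\r\n',
             b'EHLO client.example.test\r\n'],
    # a TLS ClientHello fragment: no pattern above covers it
    'tls': [b'\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03' + b'\x00' * 32],
}


def classify_samples():
    """Classify every constructed flow; returns {flow name: protocol}."""
    patterns = load_patterns(PATTERNS_TEXT)
    return {flow: classify(pkts, patterns) for flow, pkts in SAMPLE_FLOWS.items()}


if __name__ == '__main__':
    for flow, proto in classify_samples().items():
        print(f'{flow:13s} -> {proto}')
```

Pattern order matters: the first match wins, so specific, anchored patterns should come before loose ones, and a flow that matches nothing stays "unknown" rather than being forced into a protocol.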

We thank naif for his support and his availability.


Decoding performance is:

  • from command line: 5.9 MB/s
  • from Xplico Interface (XI) with SQLite DB (=> lite dispatcher): 1.76 MB/s
  • from Xplico Interface with MySQL DB (=> ximysql dispatcher): 4.09 MB/s

measured on an Aspire 5633WLMi (Intel Core 2 Duo T5500 processor, 1 GB of RAM and an IDE hard disk) with the pcap http://domex.nps.edu/corp/scenarios/2009-m57/net/day11-18.dmp.zip (851 MB).

As always: Enjoy !

XI Cookie hijacking: Windows Live


XI Cookie hijacking is a new feature introduced in version 0.6.1.

This post shows how to use this new tool with Windows Live.
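What makes cookie hijacking from a capture possible is that a session cookie sent over plain HTTP is visible to anyone on the path. As an added example (not Xplico's code), the following Python parses one reconstructed request/response pair and lists the cookies the client sent in the clear, together with the attributes the server gave them in Set-Cookie. The HTTP exchange, host name and cookie values are constructed for this example.

```python
# Constructed reconstructed TCP stream: one browser request and the server's
# reply, captured in the clear. Host name and cookie values are made up for
# this example; nothing here comes from a real capture.
REQUEST = (b'GET /mail/inbox HTTP/1.1\r\n'
           b'Host: mail.example.test\r\n'
           b'Cookie: SESSID=abc123; theme=dark\r\n'
           b'\r\n')
RESPONSE = (b'HTTP/1.1 200 OK\r\n'
            b'Set-Cookie: SESSID=abc123; Path=/; HttpOnly\r\n'
            b'Set-Cookie: pref=1; Path=/; Secure; HttpOnly\r\n'
            b'Content-Length: 0\r\n'
            b'\r\n')


def split_headers(stream):
    """Split an HTTP message into (start line, [(lower-case name, value)], body)."""
    head, _, body = stream.partition(b'\r\n\r\n')
    lines = head.decode('latin-1').split('\r\n')
    headers = []
    for ln in lines[1:]:
        name, _, value = ln.partition(':')
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def request_cookies(headers):
    """Cookies the client sent: {name: value} from every Cookie header."""
    cookies = {}
    for name, value in headers:
        if name == 'cookie':
            for pair in value.split(';'):
                k, _, v = pair.strip().partition('=')
                if k:
                    cookies[k] = v
    return cookies


def set_cookies(headers):
    """Cookies the server issued, with the two attributes that matter here."""
    issued = []
    for name, value in headers:
        if name == 'set-cookie':
            parts = [p.strip() for p in value.split(';')]
            k, _, v = parts[0].partition('=')
            attrs = {p.split('=', 1)[0].lower() for p in parts[1:]}
            issued.append({'name': k, 'value': v,
                           'secure': 'secure' in attrs,
                           'httponly': 'httponly' in attrs})
    return issued


def harvest(request, response):
    """Pair each cookie the client sent in the clear with the attributes the
    server gave it, so the analyst sees which ones lacked Secure."""
    _, req_hdrs, _ = split_headers(request)
    _, resp_hdrs, _ = split_headers(response)
    host = dict(req_hdrs).get('host', '?')
    issued = {c['name']: c for c in set_cookies(resp_hdrs)}
    result = []
    for name, value in request_cookies(req_hdrs).items():
        attrs = issued.get(name, {})
        result.append({'host': host, 'name': name, 'value': value,
                       'secure': attrs.get('secure', False),
                       'httponly': attrs.get('httponly', False)})
    return result


def issued_without_secure(response):
    """Names of cookies the server set without the Secure attribute."""
    _, hdrs, _ = split_headers(response)
    return [c['name'] for c in set_cookies(hdrs) if not c['secure']]


if __name__ == '__main__':
    for c in harvest(REQUEST, RESPONSE):
        print(c)
    print('set without Secure:', issued_without_secure(RESPONSE))
```

The SESSID cookie carries HttpOnly, which only keeps page scripts from reading it; it does nothing against an observer on the wire. The Secure attribute (as on `pref`) is what would keep a cookie off a plaintext connection in the first place.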

Enjoy.

Xplico 0.6.1: MSN and Paltalk

This version brings new dissectors, new features and, as usual, many bug fixes:

  • Paltalk chat dissector
  • MSN dissector (beta basic version)
  • XI Cookie hijacking
  • XI pagination for Images and Web
  • XI XSS fixed
  • XI bugfix

We thank:

You can find Xplico 0.6.1 in DEFT Linux 6, and you can download the VirtualBox.org image, the source code and the Ubuntu 10.10 package here.

Enjoy 😉

Xplico 0.6.0 for Fedora 11-14 by CERT

Larry Rogers has built and tested Xplico version 0.6.0 for the CERT.
The rpm package is available for Fedora 11-14 from CERT Forensics Appliance repository.

For more information and for comments, please see here.

Thanks to Larry Rogers.

VirtualBox Image 0.6.0

At SourceForge there is a VirtualBox.org image of Debian 5.0 with Xplico 0.6.0 installed and running.

Click here to download it.

Thanks to Carlos Gacimartín.

Xplico 0.6.0: IRC and Paltalk Express

This version brings bug fixes, dissector improvements and new features:

  • XI configuration pages
  • XI administrator pages
  • XI multi-user
  • IRC dissector
  • ARP/RARP dissector
  • radiotap dissector
  • GeoMap latitude and longitude selectable from XI
  • CLI decoding directory (xdecode) selectable
  • Telnet dissector with PIPI (Port Independent Protocol Identification)
  • Paltalk Express dissector and aggregator (basic version)
  • sftp/scp pcap files upload

Any feedback is welcome.

You can download the source code and the Ubuntu 10.04 package here.

Enjoy ;).

ESC: END SUMMER CAMP 2K10

“ESC is a meeting of people interested in Free Software, Hacking, Security.”

When: September 3rd-5th 2010
Where: FORTE BAZZERA, via Bazzera, +∞ Venezia Tessera (Venice, Italy)
Links: ESC, Talks

Update: slides (in Italian): Xplico ESC2K10.pdf

Xplico version 0.5.8: Improvements and bug fix

This version brings some improvements and fixes some rather serious bugs.

  • RTP, FTP, Telnet and SIP dissector improvements
  • RTP bug fix
  • Xplico Interface XSS Vulnerability fixed
  • Xplico Interface updated to CakePHP 1.2.7
  • new tool named trigcap to manage pcap files
  • new version (0.63) of videosnarf

We thank:

  • Maximiliano Soler from Security-Database and Marcos Garcia from Zero Science Lab for finding the vulnerability (XSS) and for helping us.
  • Alex Antão for helping us track down a bug in RTP

You can download the VirtualBox.org image, the source code and the Ubuntu 10.04 package here.

Enjoy ;).

VirtualBox Image 0.5.7

At SourceForge there is a VirtualBox.org image of Debian 5.0 with Xplico 0.5.7 installed and running.

Click here to download it.

Thanks to Carlos Gacimartín.

Xplico 0.5.7: VoIP tapping and phone numbers

This release improves the SIP and RTP dissectors.
It also adds an RTCP dissector, which lets Xplico recover the phone numbers of the caller and the called party (only when they are actually present in the RTCP packets, of course).
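RTCP carries a caller's or callee's phone number in the SDES report (payload type 202), as a PHONE item (type 4) alongside CNAME, NAME, EMAIL and the others defined in RFC 3550. As an added example, not Xplico's dissector, the following Python walks a compound RTCP datagram, decodes the SDES chunks and pulls out the PHONE item per SSRC. The SSRCs, CNAMEs and numbers in the sample datagrams are constructed for this example; the packet builder exists only to produce that test data.

```python
import struct

RTCP_RR = 201      # receiver report, used here only as filler in a compound packet
RTCP_SDES = 202    # source description
# SDES item types from RFC 3550 section 6.5
SDES_ITEMS = {1: 'CNAME', 2: 'NAME', 3: 'EMAIL', 4: 'PHONE',
              5: 'LOC', 6: 'TOOL', 7: 'NOTE', 8: 'PRIV'}


def iter_rtcp(datagram):
    """Yield (source count, payload type, body) for each packet in a compound
    RTCP datagram. The length field counts 32-bit words minus one."""
    off = 0
    while off + 4 <= len(datagram):
        b0, pt, length = struct.unpack_from('!BBH', datagram, off)
        if b0 >> 6 != 2:
            raise ValueError('not an RTCP version 2 packet')
        size = (length + 1) * 4
        yield b0 & 0x1f, pt, datagram[off + 4:off + size]
        off += size


def parse_sdes(count, body):
    """Decode an SDES body into {ssrc: {item name: text}}.

    Each chunk is an SSRC followed by (type, length, text) items, closed by a
    type-0 octet and zero-padded to the next 32-bit boundary."""
    out = {}
    off = 0
    for _ in range(count):
        ssrc = struct.unpack_from('!I', body, off)[0]
        off += 4
        items = {}
        while True:
            item_type = body[off]
            if item_type == 0:          # end of this chunk's item list
                off += 1
                break
            length = body[off + 1]
            text = body[off + 2:off + 2 + length]
            items[SDES_ITEMS.get(item_type, f'TYPE{item_type}')] = text.decode('utf-8', 'replace')
            off += 2 + length
        off = (off + 3) & ~3            # skip padding to the 32-bit boundary
        out[ssrc] = items
    return out


def phone_numbers(datagram):
    """Map each SSRC that advertised a PHONE item to that number."""
    found = {}
    for sc, pt, body in iter_rtcp(datagram):
        if pt == RTCP_SDES:
            for ssrc, items in parse_sdes(sc, body).items():
                if 'PHONE' in items:
                    found[ssrc] = items['PHONE']
    return found


def extract_phone_numbers(datagrams):
    """Merge the PHONE items seen across all RTCP datagrams of a call."""
    found = {}
    for dg in datagrams:
        found.update(phone_numbers(dg))
    return found


def build_sdes(chunks):
    """Build an SDES packet from {ssrc: {item name: text}}; constructed test data only."""
    type_of = {name: t for t, name in SDES_ITEMS.items()}
    body = b''
    for ssrc, items in chunks.items():
        chunk = struct.pack('!I', ssrc)
        for name, text in items.items():
            raw = text.encode('utf-8')
            chunk += bytes([type_of[name], len(raw)]) + raw
        chunk += b'\x00'
        chunk += b'\x00' * (-len(chunk) % 4)
        body += chunk
    return struct.pack('!BBH', 0x80 | len(chunks), RTCP_SDES, len(body) // 4) + body


def empty_rr(ssrc):
    """An RR with no report blocks, to make the datagrams compound like real ones."""
    return struct.pack('!BBHI', 0x80, RTCP_RR, 1, ssrc)


# Constructed datagrams: one per endpoint of a call, plus one without a PHONE item.
SAMPLE_DATAGRAMS = [
    empty_rr(0x11111111) + build_sdes({0x11111111: {'CNAME': 'alice@pbx.example.test',
                                                    'PHONE': '+1 555 0100'}}),
    empty_rr(0x22222222) + build_sdes({0x22222222: {'CNAME': 'bob@pbx.example.test',
                                                    'PHONE': '+1 555 0199'}}),
    empty_rr(0x33333333) + build_sdes({0x33333333: {'CNAME': 'anon@pbx.example.test'}}),
]

if __name__ == '__main__':
    for ssrc, number in extract_phone_numbers(SAMPLE_DATAGRAMS).items():
        print(f'SSRC {ssrc:08x}: {number}')
```

Most endpoints send only CNAME, so the third datagram above is the common case: an SSRC with no PHONE item yields nothing, which is exactly the caveat the release note makes.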

DEFT 5.1 Live distribution contains this version.

You can download the source code and the Ubuntu 10.04 package here.

Enjoy ;).