toolsmith ISSA Journal | June 2011 Xplico: Internet Traffic Decoder. Network Forensic Analysis Tool

By Russ McRee – ISSA member, Puget Sound (Seattle), USA Chapter

Prerequisites very expensive tools. Xplico can be used on platforms with an embedded ARM platform – installation method- core processor or typical multi-core serv- ology described is specific to Ubuntu ers, making optimal use of available resources. Xplico, as a framework, is made up of various components hen last we discussed a Network Forensic Analy- and applications (increasing in number). See Figure 1. sis Tool (NFAT) it was in July 2010’s NetWitness At the core of Xplico is the decoder, accentuated by various 1 Investigator review and August 2008’s Network- manipulators. Xplico has been designed so that you can use W2 Miner write-up. Similarly, Xplico is a project released under the decoder (and manipulators) as stand-alone entities if you GPL that decodes packet captures (), extracting the wish without necessarily depending on DeMa (decoder man- likes of email content (POP, IMAP, and SMTP protocols), all ager) or Xplico Web GUI. This allows you the potential use of HTTP content, VoIP calls (SIP), IM chats, FTP, TFTP, and different database architecture and other GUI options. The 3 many others. Check out the Xplico status page for the cur- architecture promotes a high degree of integration in support rent state of available protocol dissectors. of the free and open source model. In an email exchange with project lead Gianluca Costa (ciao With regard to the modular design of the decoder, Xplico from Venezia!), I learned quite a bit about Xplico. Gianluca provides a broad array of functionality including capture and partner Andrea De Franceschi started the Xplico project (data acquisition), dissector (protocol decoders), and dis- in 2007 as there were no free tools that reconstructed applica- patcher (interface to storage) modules. Need to ensure that tion network data. They decided to close the gap by designing your modules conform to the specifications and guidelines and developing Xplico as a system (framework) as well as a of CALEA4 Lawful Intercept standards or NIST Computer decoder which could be used without the need to purchase Forensics Tool Testing (CFTT)5 methodology? No problem; Xplico is designed to support your cause, and the dispatcher 1 http://holisticinfosec.org/toolsmith/docs/july2010.html. logic will make querying the likes of SQLite, MySQL, and flat 2 http://holisticinfosec.org/toolsmith/docs/august2008.pdf. files supportive of reporting. 3 http://www.xplico.org/status. The project team is currently finishing the development of:

• Web MSN dissector and manipulator • VoIP MGCP dissector • SMB dissector • Web Yahoo! chat dissector and manipulator • Improvements to the Python3 script In future months their goals are:

• New WebMail decoder • ICQ basic dissector • JABBER basic dissector • YAHOO chat basic dissector Count on the inevitable “professional version” as well, in- cluding a different Web GUI with new features, and the hopes of economic support for development efforts.

4 http://lawfulintercept.org. Figure 1 – The Xplico system 5 http://www.cftt.nist.gov

©2011 Information Systems Security Association • www.issa.org • [email protected] • Permission for author use only. 37 toolsmith: Xplico | Russ McRee ISSA Journal | June 2011

Figure 2 – Xplico web session decoding

Xplico has been included in BackTrack, DEFT Linux, Orion, If you wish to roll Xplico from source or work through your GnackTrack, Security Onion, and other similar Live CD/ own installation options with the Debian/Ubuntu package, DVD distributions. grab the bits from SourceForge.9 The project leads also pointed out that Xplico is discussed under further reading as part of the European project INDE- Analyzing PCAPs with Xplico CT.6 Specifically, a paper is cited, “European FP7-SEC: On Login to Xplico via a browser on your local host or from a re- detecting Internet-based criminal threats with XplicoAlerts,” mote system with access to the Xplico server; the session will wherein the authors developed an extension of Xplico called be bound to port 9876 by default: http://:9876. XplicoAlerts (remember that extensible modularity already The default username and password are (you guessed it) xpli- mentioned?). This paper7 is a worthy read if for no other rea- co/xplico. If you wish to make use of administrative func- son than to illuminate Xplico’s strong suits. tionality such as changing the default password ;-) log in as admin/xplico. Installation Begin by clicking New Case and name your case appropri- I focused my installation efforts on the latest version of ately; I utilized toolsmith for this exercise. Ubuntu (11.04) as I found that dependencies for Xplico 0.6.2 Click the new case in the Cases List and choose New Session. were not easily met on earlier versions. Working with version I recommend choosing names for your sessions that are spe- 0.6.2 was important to me as it includes layer seven pattern cific to the PCAPs you’re going to analyze. Perhaps yours is a classifiers (application) for “all flows not decoded” along with more forensic effort and there are applicable case (evidence) other improvements. numbers for PCAPs, or you’re utilizing Xplico for network On Ububtu 11.04 (Natty Narwhal) the following script ex- analysis specific to malware behavior. ecuted at a terminal prompt will ensure a one-step installa- Click the new session from List of listening sessions, then up- tion, including a download of the .deb package (ripped and 8 load your intended PCAP. Note that you can choose to ac- modified from a tal.ki forum ): quire a capture from a listening interface on the Xplico host sudo apt-get update && sudo apt-get in addition to uploading already acquired network captures. install -y gdebi sed && wget http:// sourceforge.net/projects/xplico/files/ The first capture I uploaded was one taken from a Renocide/ Xplico%20versions/version%200.6.2/ Harakit worm runtime analysis. xplico_0.6.2_i386.deb && sudo gdebi -n Renocide is a pervasive, annoying little b#$%^&d; if you’ve xplico* && sudo find /etc/php5/apache2/ .ini -exec sed -i.bak ‘s/post_max_ had to hunt it down and kill it, you know exactly what I mean. size = 8M/post_max_size = 800M/g; s/ You’ll receive a “File uploaded, wait start decoding...” mes- upload_max_filesize = 2M/upload_max_ sage while the uploaded PCAP is decoded by Xplico. filesize = 400M/g’ {} \; && sudo service apache2 restart && sudo service xplico The results from this particular capture weren’t all that ex- restart && firefox localhost:9876 traordinary, but Xplico capably grabbed all the web requests this Renocide variant made when it phoned home for more 6 http://en.wikipedia.org/wiki/INDECT. 7 http://www.it.uc3m.es/~muruenya/papers/MCSS10XplicoAlerts.pdf. 8 http://5ff1cwepqm.tal.ki/20101216/wicd-xplico-261923. 9 http://sourceforge.net/projects/xplico/files/Xplico%20versions/version%200.6.2.

38 ©2011 Information Systems Security Association • www.issa.org • [email protected] • Permission for author use only. toolsmith: Xplico | Russ McRee ISSA Journal | June 2011

Figure 3 – Xplico VoIP decoding

mayhem. My short PCAP decoded resulted in three DNS hits, time analyzing; particularly those that are VoIP related such and five HTTP GETs. as Session Initiation Protocol (SIP) and Real-time Transport NOTE: If you’re using Xplico for analysis of malware-gen- Protocol (RTP). Even though the capture discussed below erated PCAPs, exercise the standard cautions. I recommend was posted to Pcapr, it seemed a bit of a privacy violation to browsing the Xplico Web GUI from a VM for which you have post all the detail Xplico returns, including email address, IP snapshot. All results, particularly those specific to web ses- address, and audio playback of the conversation (via Flash). sions, are active hyperlinks and will send you to malicious As a result, I’ve redacted said details in Figure 3, but you’ll command and control or infected sites when clicked. definitely get a sense of how useful Xplico is. This sample first hits whatsmyip.com (72.233.89.197) for ob- If your duties include policy enforcement for your organiza- vious reasons (whoami), then conducts a geo-locate (where- tion, or you work for law enforcement investigating the dark- ami) from geoloc.daiguo.com (77.55.21.124), and finally est of crimes, Xplico will also decode and render image files phones home to 95.211.21.180, 182, and 184. from web sessions. Under Info you can select PCAP and Xplico will provide you Again, as we discussed above regarding malware analysis, be with a capture of just the selected conversation as seen in Fig- aware that Xplico will present you evidence in all its abhor- ure 2. rent detail. You’re always at risk of seeing things you really never wanted to see. You can view the HTTP request and response by clicking That said, I grabbed a PCAP from Pcapr that results in a few GET for the request/responses of interest. harmless images via Web => Images as seen in Figure 4. This particular request included the AutoIt user- agent, a common indicator of the AutoIt Trojan,10 an- other name for our Reno- cide/Harakit friend. By the way, anyone else for stan- dardized malware naming conventions? Experimenting with Xplico is an ideal time to create an account on Pcapr11 and download PCAPs of your Figure 4 – Xplico image presentation choosing. I was interested in captures that are inclusive of protocols I don’t spend much Similar evidence gathering activities may include the need to decode instant messaging captures. Xplico includes six chat- oriented decoders in the web GUI, but there are also l7-pat- 10 http://www.secureworks.com/research/blog/trojans/20811. 11 http://pcapr.com. tern classifiers for flows that aren’t natively decoded includ-

©2011 Information Systems Security Association • www.issa.org • [email protected] • Permission for author use only. 39 toolsmith: Xplico | Russ McRee ISSA Journal | June 2011

Figure 5 – Xplico chat decoding

ing AIM, Jabber, and Skype, as well as others for gaming and Enjoy this one! core (DHCP, Netbios, NTP) flows. Figure 5 presents an MSN Ping me via email if you have questions (russ at holisticinfo- flow decoded; again, in the interest of privacy, I’ve obscured sec dot org). personally identifiable information. Cheers…until next month. Other features include the ability to generate a GeoMap (.kml file) that can be consumed by Google Maps and Google Earth. Acknowledgements For command line aficionados Xplico can be used in console mode via the like of ./xplico -m pcap -f test.pcap. —Gianluca Costa, project lead, for interview feedback In conclusion About the Author Russ McRee, GCIH, GCFA, GPEN, CISSP, is team leader and It’s been a heck of year so far for toolsmith; we’ve discussed senior security analyst for Microsoft’s Online Services Security some consistently powerful (even scary) tools and Xplico is Incident Management team. As an advocate of a holistic ap- no exception. I highly suggest starting with PCAPs that in- proach to information security, Russ’ website is holisticinfosec. terest you and see what Xplico uncovers. Just remember to org. Contact him at russ at holisticinfosec dot org. be careful. There’s lots of documentation and insight on the Xplico Wiki and Forum and you can look forward to consis- tent updates on the roadmap.12 The polls are still open! 12 http://www.xplico.org/roadmap Add Your Vote

ISSA Connect Survey – UPDATE

Should the U.S. Government Remotely Access Your PC? 6/1/11 Hands o at all costs! (58%)

There might be a good reason, but this ain't it (21%)

Very mixed feelings (14%)

Generally yes, but with reservations... (7%)

Absolutely! Help solve the epidemic (0%) Last month’s results

40 ©2011 Information Systems Security Association • www.issa.org • [email protected] • Permission for author use only.