Above Image…the Xplico baby is delivered and working perfectly!
In my previous Xplico post, I mentioned how I had been using the VirtualBox images of Xplico. And how suddenly they had stopped working.
Having been using this tool for a while, the sudden loss of this resource was frustrating.
In the end I sought to create my own self-built version so I could have a running version in my own VirtualBox session/image.
Plan A - Good Theory, Difficult Implementation
My original plan was quite simple. (Warning: Linux-noobie stumblings ahead!)
- Create a 8 GB dynamic VirtualBox vmdk file.
- Find a Debian-based LiveCD that included a local installer.
- Load the vmdk file using the LiveCD to boot it.
- Install the Debian OS.
- Install Xplico
- Celebrate.
In theory this should have worked fine.
I had no challenges making the vmdk file.
I picked out PureOS and Linux Mint Debian LiveCD’s as my platform sources. Downloaded both and went with Mint.
I booted the vmdk file and installed Mint. No issues besides having to do some gparted work on the volume and some formatting of the partition. No biggie.
Then I set about doing the Xplico installation. The Xplico developers have done a great job with providing the documentation on their Xplico-Wiki:
Install Xplico
Building: Building and Installing Xplico
Interface: Installing Xplico Interface (XI)
Tutorial: Step by step installation
doing a DEB package: Instructions to generate a DEB package from source code.
So it should have been a piece of cake. Right?
Unfortunately, despite all my Step by Step attempts, I couldn’t apt-get a version of libmysqlclient16-dev. And even though I continued on bravely anyway, stuff just started falling apart.
So after a few hours of work last night struggling through--and at least another hour of research--I found an alternative Xplico-installation method offered and decided to get some zzz’s and start fresh in the morning.
Plan B - Can it be this easy?
My new plan was realistically simple.
- Create a 8 GB dynamic VirtualBox vmdk file.
- Download Ubuntu Desktop Version 10.10 (it has a local installer).
- Load the vmdk file using the LiveCD to boot it.
- Install Ubuntu.
- Install Xplico via a pre-crafted script I had discovered in a forum.
- Celebrate.
And it worked!
The GSD Xplico Recipe
Here’s the Haps!
After much research from the night before, and realizing that the “official” Xplico VirtualBox images were based on Ubuntu, that seemed the way to go rather than my first choices.
Note this assumes some moderate familiarity with VirtualBox and Linux. I’m leaving some of the details out that seem straight-forward (to me)…YMMV.
- Download VirtualBox if you haven’t already done so. At the time of this post I used 4.0.4. Install accordingly.
- Launch and create a new virtual machine using the wizard. Give it a name, for the OS type pick “Linux” and for version pick “Ubuntu”. Pick your base memory size. For my host system I’ve got lots of RAM so I went with 1024MB but you could use the default 512MB. I kept the Boot Hard Disk option checked and allowed it to create a new hard disk at 8 GB. Since space is still a premium, even with a 500GB local hard drive, I went with the Dynamically expanding storage disk option. I took the default location, confirmed the size and hit “Finish”. Done.
- Next I downloaded Download Ubuntu Desktop Edition 10.10 x32 bit version of the LiveCD.
- Once done I modified by virtual machine storage settings for the CD to point to the ISO I just downloaded and then launched the virtual machine.
- Once Ubuntu booted I just clicked the large “Install Ubuntu” button offered.
- I decided to go with all the defaults, including downloading of updates while installing as well as installing all third-party software packages offered. I took the default to let the installer erase and use the entire disk automatically (look ma! No manual gparted work!).
- While the installation went on in the background I continued with the localization setup and profile setup. I decided to name my build GSD-Xplico and use “xplico” for both the name and password (to mirror the default account in the Xplico app) for simplicity.
- Hang out and chill for a while (or get started make an Old Bay Gulf-Coast pot-boil for dinner) as the installation/updating process completes. Yummers.
- When done, reboot as requested by the installer (don’t forget to disassociate the attached ISO LiveCD/Installer first!).
- Log in using the credentials you created in step 7.
- Optional but recommended. Go ahead and install the VirtualBox Guest Additions. I’m assuming most folks still here should be able to handle knowing how to do that. This will help a number of things but most of all will allow you a few more screen resolution size options.
- Optional but recommended. When prompted by the Update Manager, go ahead and install all available updates offered. At the time of this post, I found 275 updates offered.
- When done, reboot.
- Log in again and open up Firefox.
- Now for the secret sauce.
- Browse to http://5ff1cwepqm.tal.ki/20101216/wicd-xplico-261923/
- In that GnackTrack forum, commenter blaksark posted the following Xplico Script installation by Nsark. All honor and credit ascribed accordingly.
sudo apt-get update && sudo apt-get install -y gdebi sed && wget http://sourceforge.net/projects/xplico/files/Xplico%20versions/version%200.6.1/xplico_0.6.1_i386.deb && sudo gdebi -n xplico* && sudo find /etc/php5/apache2/php.ini -exec sed -i.bak 's/post_max_size = 8M/post_max_size = 800M/g; s/upload_max_filesize = 2M/upload_max_filesize = 400M/g' {} \; && sudo service apache2 restart && sudo service xplico restart && firefox localhost:9876
- Copy that script to the clipboard.
- Open “Applications” --> “Terminal” from the top menu bar.
- Paste the copied script.
- Press “Enter”
- Provide the prompt your password.
- Watch Nsark’s magic run for a bit. Basically it is getting all the dependencies, all the packages, installing them, then adjusting the apache settings to allow for larger PCAP file size uploads, restarting apache and the xplico service, and finally launching Firefox to the Xplico web-page. Brilliant!
- When completed, close the terminal window.
- Behold, a wonderfully installed version of Xplico!
- You may want to set the Xplico Web Interface page as your Firefox homepage. http://localhost:9876/users/login
- Default Username = xplico
- Default Password = xplico
- Admin Username = admin
- Admin Password = xplico
- Tips…you will want to use the default sets above for general PCAP work and Analysis. Use the Admin account to change some variables, user accounts, and configuration settings. Most mere mortals probably won’t need to fiddle with these at all.
- Adjust Ubuntu theme/wallpaper accordingly for attitude and coolness factor as needed. I personally kept the default “Ambiance” theme but changed the wallpaper to the included orange feather on the grey background. Seemed to match the Xplico Web-page interface colors nicely. If you have already resized the virtual screen size to as large as you can but still feel a bit jammed up in the Xplico web-interface, you can also adjust the zoom size in Firefox to be a bit smaller to get more on without having to fiddle with the scroll bars.
That’s pretty much it! You’ve just built your own lab for processing PCAP files. Sure it doesn’t have all the extra cool pen/sec/for tools and apps that DEFT LiveCD comes with, but hey! it works and you built it yourself! And with some more work, you can download additional network/security packages as needed.
If you can’t wait, download, unpack, and upload Sample captures from the Xplico Wiki site.
I’ll go into more detail on those and the wonders of Xplico PCAP session reassembly in the next post.
Please also note…if you shut down Xplico and the Ubuntu system, then before you re-launch Xplico the next time you need to run the following command in a terminal session before launching Firefox and logging into the Xplico web interface:
sudo /etc/init.d/xplico start
I suspect in the DEFT 6 LiveCD, that when you run the Xplico icon and the terminal window opens but doesn’t close out it is trying to do the following but failing for some reason.
sudo /etc/init.d/xplico start http://localhost:9876/users/login
I haven’t had time to see if a manual-launch of Xplico in the DEFT 6 Live CD will work better that way. Xplico appears to work but fails on uploading of PCAP files in my experience.
Post Script #1 - Useful Xplico-building Resources
Before I eventually dug up blaksark’s Nsark script, I did uncover a few more installation recipes from other Xplico tinkerers.
I'm listing them below as together they provide a great overview of other installation techniques on a few other platforms. They might be found helpful by others all assembled in one place:
- Step by Step Xplico 0.6.1, 0.6.0, 0.5.8, 0.5.7 and 0.5.6 Installation - [Xplico Wiki]
- xplico - [Xplico Wiki] - All kinds of official documentation!
- Securityfu - Installing Xplico on Ubuntu 9.10 64bit style
- Xplico : Quick Setup Debian - YauB shares some Wi-Fi tips for Xplico.
- Xplico: An intro - SOLDIERX.COM. EverestX shares some guides on getting it going on Backtrack4 and then has a very basic overview if you can’t wait to start playing.
- [How-To] Xplico:Network Forensic Analysis Tool - by ClsHack.
- Compiling xplico - backtrack-linux forums - Another “all-in-one” auto-script by vvpalin for Backtrack distros.
Post Script #2 - Pre-Loaded Xplico Distros (Installable)
For whatever reason, to the best of my knowledge, the DEFT builders haven’t included an installer for the LiveCD to allow installation directly onto a local drive (real or virtual).
Only after all this exercise, and some leads in the resources mentioned above I’ve found (so far) two LiveCD distros that do include “pre-built” versions of Xplico in them, and can be fully installed in a real/virtual system. This may be another option for folks who don’t want to cook your own version as I’ve shown earlier.
- GnackTrack - Gnome Based Penetration Distro - This is a really cool pen/sec/for distro I’ve not seen before. It is quite mature and very polished and includes Xplico.
- BackTrack Linux – Penetration Testing Distribution - Probably one of the Godfathers of all pen/sec/for LiveCD distros. Now including Xplico. Install BackTrack to Disk - BackTrack Linux.
- Security Onion - LiveDVD - For “…installing, configuring, and testing Intrusion Detection Systems. It is based on Xubuntu 10.04 and contains Snort, Suricata, Sguil, Squert, Xplico, nmap, metasploit, Armitage, scapy, hping, netcat, tcpreplay, and many other security tools.”
If you are aware of any other LiveCD’s (with installer support) that include pre-added builds of Xplico, please drop the information in the comments and I’ll keep this post updated.
updated 03/06/2011 to include Security Onion LiveDVD suggested by Doug Berks.
Hope someone finds this useful.
Next stop…putting Xplico through the paces on PCAP processing and traffic reassembly.
Cheers!
Claus V.
Hi Claus,
ReplyDeleteGreat post!
My own Security Onion LiveCD includes Xplico. Security Onion is based on Xubuntu 10.04 and includes the standard Ubuntu installer. You can read more about it at http://securityonion.blogspot.com.
Regards,
Doug Burks
Hi Claus,
ReplyDeleteGreat post!
We are looking to continuously improve Xplico. We are very pleased to know that it is appreciated and (especially) used ... although it is not yet user friendly ;) .
Ciao.
Gianluca
Point after point you made me remember the same problems i had.
ReplyDeleteBut reading them from you made the thing funniest than ever.
If you need help find "noes1s" at gnacktrack forums or IRC.
~blaksark