Posted: May 21st, 2012 | Author: xanda | Filed under: IT Related | Tags: client, honeyclient, honeypot, python, shellcode, Thug, ubuntu, v8 | 2 Comments »
Thug is a Python low-interaction honeyclient aimed at mimicking the behaviour of a web browser in order to detect and emulate malicious content. [1]
I’m impressed with the artwork of @buffer AKA Angelo in his previous project, phoneyc, and started to take a detailed look at the project and hack on it. While I have finished only one hack on my side, Angelo has already released a brand new honeyclient based on Python plus the V8 JS engine, called Thug. What a wonderful idea and talent.
Here is some useful information that might help you build and compile Thug and V8 on an Ubuntu/Debian machine:
- Install some dependencies (these are the Python 2 packages; Thug at the time of writing runs on Python 2)
sudo apt-get install python-setuptools build-essential git-core subversion scons python-chardet python-html5lib libboost-python-dev libboost-dev python-pefile python-httplib2 python-cssutils libboost-thread-dev libc6-dev libreadline-dev libboost-system-dev
sudo easy_install beautifulsoup4
sudo apt-get install python-magic python-pydot
- Obtain the code via git (Thug) and svn (V8)
cd ~
git clone https://github.com/buffer/thug.git
cd ~/thug/
svn checkout http://v8.googlecode.com/svn/trunk/ v8
- Apply Thug’s patches to V8 (run from ~/thug/; the checkout above is unpinned trunk, so if a hunk fails to apply, trunk has moved on from the revision the patches were written against)
cp patches/V8-patch* .
patch -p0 < V8-patch1.diff
patch -p0 < V8-patch2.diff
rm V8-patch*
- Build and install the Python wrapper for V8 (PyV8). This process compiles the V8 engine at the same time, so V8_HOME must point at the patched checkout from the previous step
cd /tmp/
svn checkout http://pyv8.googlecode.com/svn/trunk/ pyv8
export V8_HOME=$HOME/thug/v8
cd pyv8 && python setup.py build
sudo python setup.py install
- If you come across the following warning, simply ignore it
#######################################################
# WARNING: Building V8 with SCons is deprecated and #
# will not work much longer. Please switch to using #
# the GYP-based build now. Instructions are at #
# http://code.google.com/p/v8/wiki/BuildingWithGYP. #
#######################################################
- Now test your installation
cd ~/thug/src
python thug.py
- Running thug.py with no arguments prints its usage text; if the build worked you will get something similar to this:
Synopsis:
Thug: Pure Python honeyclient implementation
Usage:
python thug.py [ options ] url
Options:
-h, --help Display this help information
-o, --output= Log to a specified file
-r, --referer= Specify a referer
-p, --proxy= Specify a proxy (see below for format and supported schemes)
-l, --local
-v, --verbose Enable verbose mode
-d, --debug Enable debug mode
-u, --useragent= Select a user agent (see below for values, default: xpie61)
Proxy Format:
scheme://[username:password@]host:port (supported schemes: http, socks4, socks5)
Available User-Agents:
xpie60 Internet Explorer 6.0 (Windows XP)
xpie61 Internet Explorer 6.1 (Windows XP)
xpie70 Internet Explorer 7.0 (Windows XP)
xpie80 Internet Explorer 8.0 (Windows XP)
w2kie60 Internet Explorer 6.0 (Windows 2000)
w2kie80 Internet Explorer 8.0 (Windows 2000)
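As an added example that is not part of the original post or of Thug itself, here is a small POSIX shell driver that runs the freshly built thug.py over a list of URLs using only the options shown in the usage text above (-u, -r, -p, -o). It validates the user-agent name against the listed values and the proxy URL against the documented scheme://[username:password@]host:port form before anything is fetched, writes one log per URL, and supports a dry run. The Thug location (~/thug/src), the urls.txt input file, the output directory and the THUG_DRYRUN variable are assumptions for illustration. Remember that a honeyclient fetches live malicious content: run it inside an isolated VM, and route it through a proxy (-p) you control when you need to hide the analysis host.

```bash
#!/bin/sh
# thug-batch.sh: run Thug over a URL list (added example, not Thug's own code).
# Assumption: Thug was built in ~/thug/src as described above.
THUG_DIR="${THUG_DIR:-$HOME/thug/src}"

# Accept only the user-agent names Thug's usage text lists.
valid_useragent() {
    case "$1" in
        xpie60|xpie61|xpie70|xpie80|w2kie60|w2kie80) return 0 ;;
        *) return 1 ;;
    esac
}

# Check a proxy URL against Thug's documented form:
# scheme://[username:password@]host:port with scheme http, socks4 or socks5.
valid_proxy() {
    printf '%s\n' "$1" | grep -Eq '^(http|socks4|socks5)://([^:@/]+:[^@/]*@)?[^:/@]+:[0-9]+$'
}

# Build the thug.py command line for one URL so it can be reviewed or logged
# before anything is fetched. Arguments: url useragent referer proxy logfile
# (proxy may be empty).
thug_cmd() {
    cmd="python thug.py -u $2 -r $3 -o $5"
    [ -n "$4" ] && cmd="$cmd -p $4"
    printf '%s %s\n' "$cmd" "$1"
}

# Run Thug once per non-empty, non-comment line of a URL list.
# Arguments: urllist useragent referer proxy outdir (proxy may be empty).
# Set THUG_DRYRUN=1 (assumed name) to print the commands without running them.
run_list() {
    urllist="$1"; ua="$2"; referer="$3"; proxy="$4"
    valid_useragent "$ua" || { echo "unknown user-agent: $ua" >&2; return 2; }
    if [ -n "$proxy" ] && ! valid_proxy "$proxy"; then
        echo "bad proxy URL: $proxy" >&2; return 2
    fi
    mkdir -p "$5" || return 2
    outdir=$(cd "$5" && pwd)   # absolute, since we cd into THUG_DIR below
    n=0
    while IFS= read -r url; do
        case "$url" in ''|'#'*) continue ;; esac
        n=$((n + 1))
        log="$outdir/$n.log"
        echo "[$n] $(thug_cmd "$url" "$ua" "$referer" "$proxy" "$log")"
        [ -n "$THUG_DRYRUN" ] && continue
        # Arguments are passed directly (no eval), so odd characters in URLs
        # cannot turn into shell syntax.
        if [ -n "$proxy" ]; then
            (cd "$THUG_DIR" && python thug.py -u "$ua" -r "$referer" -p "$proxy" -o "$log" "$url")
        else
            (cd "$THUG_DIR" && python thug.py -u "$ua" -r "$referer" -o "$log" "$url")
        fi
    done < "$urllist"
    return 0
}

# Usage: ./thug-batch.sh urls.txt xpie80 http://www.google.com/ [proxy] outdir
if [ "$#" -ge 4 ]; then
    if [ "$#" -eq 4 ]; then
        run_list "$1" "$2" "$3" "" "$4"
    else
        run_list "$1" "$2" "$3" "$4" "$5"
    fi
fi
```

The referer is passed unconditionally because exploit kit landing pages commonly check it; a benign referer such as a search engine makes the emulated visit look like an ordinary click-through. Each run gets its own numbered log so that the output of one URL never mixes with another.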
Reference:
[1] https://github.com/buffer/thug
I had problems the first time I tried setting up Thug.
I’m looking forward to giving this a try tonight.
Great! Thanks so much!
cd pyv8 && python setup.py build didn’t work, with the “&” reported as an unknown token;
instead cd pyv8 && python setup.py build seems to work correctly