EDIT: This post was originally written for Kali 1.0 in 2013. It was not tested on any later version.
I started this post with Backtrack, but since Kali Linux came out yesterday, I figured I would update the instructions to use the latest and greatest!
Thug is a low-interaction honeyclient released by The Honeynet Project. A honeyclient emulates a web browser so that you can examine a malicious website without ever rendering it in a real, vulnerable browser. Thug follows the redirect chain, downloads whatever malware the site drops, and emulates browser plugins so that the exploit code a site serves to victims is captured for analysis instead of executed. You can read more about Thug here and here.
Here is how to install Thug and its many dependencies on Kali Linux. The commands assume you are root (the Kali 1.0 default). You should be able to copy and paste the whole block of commands below into a terminal to get everything going.
# Install the dependencies that are available from the Kali package repositories
apt-get -y install subversion libboost-dev libboost-python-dev libboost-thread-dev libboost-system-dev python-pip python-dev libbz2-dev libboost-all-dev python-magic autoconf automake dh-autoreconf

# Install libemu. Used for shellcode emulation
cd
git clone git://git.carnivore.it/libemu.git
cd libemu
autoreconf -v -i
./configure --enable-python-bindings --prefix=/opt/libemu
make -j4
make install
ldconfig -n /opt/libemu/lib

# Install pylibemu - used for libemu to talk with python
cd
git clone https://github.com/buffer/pylibemu.git
sh -c "echo /opt/libemu/lib > /etc/ld.so.conf.d/pylibemu.conf"
# Refresh the dynamic loader cache so the new ld.so.conf.d entry takes effect
ldconfig
cd pylibemu
python setup.py build
python setup.py install

# Install some remaining python libraries that are needed
pip install beautifulsoup4 zope.interface pymongo cssutils httplib2 pefile chardet html5lib

# pydot requires pyparsing; pyparsing 2.0.0 dropped Python 2 support, so pin the last 1.x release
easy_install pyparsing==1.5.7
pip install pydot

# Change to a working directory and get thug (this ends up in /usr/local/src/thug/thug)
cd /usr/local/src
mkdir thug
cd thug
git clone https://github.com/buffer/thug.git

# Download Google V8 and PyV8
svn checkout http://v8.googlecode.com/svn/trunk/ v8
svn checkout http://pyv8.googlecode.com/svn/trunk/ pyv8

# Apply the V8 patch shipped with thug (run from /usr/local/src/thug so -p0 paths resolve)
cp thug/patches/V8-patch* ./
patch -p0 < V8-patch1.diff

# Build and install V8 and PyV8 (PyV8's setup.py builds V8 from V8_HOME)
export V8_HOME=/usr/local/src/thug/v8/
cd pyv8/
python setup.py build
python setup.py install

# Make a copy of thug in /opt for use
cd ..
cp -ar ./thug/ /opt/thug

# Make sure python knows where libemu is in this session and permanently
export LD_LIBRARY_PATH=/opt/libemu/lib
echo 'export LD_LIBRARY_PATH=/opt/libemu/lib' >> ~/.bashrc

# Profit!
python /opt/thug/src/thug.py -h
That’s it. It’s actually easier to install on Kali than on Backtrack 5r3, so I’m glad I gave it a go.
To begin analyzing malicious sites, I’d recommend creating a directory called ~/thug/run and executing thug from within that directory using
root@kali:~/thug/run# python /opt/thug/src/thug.py <url>
Thug will create the directory ~/thug/logs and write everything it captures there (downloaded samples, extracted code and the run's logs). From there you can pull out files or code for further examination with other tools.
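To make concrete what a honeyclient is looking for when it "follows redirects and pulls down malicious code" (see the description of Thug above), and what you would do with a landing page Thug has saved to its logs, here is an added example. It is not Thug's code and does no JavaScript emulation: it is the static first pass a practitioner would run over saved HTML to list the next hops a real browser would be sent to (hidden iframes, remote scripts, meta refreshes, `location` assignments in inline JavaScript) and which of them point off the landing page's own host. The sample HTML, the example hostnames and the function names `extract_next_hops`, `offsite_hosts` and `is_hidden` are constructed for illustration; the code is Python 3 and independent of Thug's Python 2 install above.

```python
"""Static next-hop extraction for a saved landing page (added example, not Thug's code)."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample: a landing page using the usual redirection tricks.
# The hostnames are invented for illustration.
BASE_URL = "http://www.example.com/index.html"
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="0; URL=http://landing.example.net/step2.php">
<script src="/js/jquery.js"></script>
</head><body>
<p>Welcome</p>
<iframe src="http://kit.example.org/in.php?id=7" width="0" height="0" frameborder="0"></iframe>
<iframe src="/ads/banner.html" width="300" height="250"></iframe>
<script>
var u = "http://kit.example.org/go.php?t=" + Math.random();
if (navigator.userAgent.indexOf("MSIE") > -1) { window.location = "http://kit.example.org/ie.php"; }
else { location.replace('http://kit.example.org/other.php'); }
</script>
</body></html>"""

# Literal location assignments and location.replace() calls in inline script.
# A computed target such as `window.location = u` is deliberately NOT matched:
# that is the case that needs real JavaScript emulation, i.e. Thug.
LOCATION_RE = re.compile(
    r"location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]"   # window.location = "..."
    r"|location\.replace\(\s*['\"]([^'\"]+)['\"]"       # location.replace('...')
)
META_URL_RE = re.compile(r"url\s*=\s*['\"]?([^'\"\s]+)", re.I)


def is_hidden(attrs):
    """True for the classic invisible iframe: zero-sized or styled out of view."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    tiny = all((attrs.get(k) or "").strip().rstrip("px") in ("0", "1")
               for k in ("width", "height"))
    return tiny or "display:none" in style or "visibility:hidden" in style


class NextHopParser(HTMLParser):
    """Collects (kind, absolute_url) pairs for every place the page sends a browser."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.hops = []
        self._in_script = False
        self._script_buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe" and a.get("src"):
            kind = "iframe(hidden)" if is_hidden(a) else "iframe"
            self.hops.append((kind, urljoin(self.base_url, a["src"])))
        elif tag == "script":
            self._in_script = True
            if a.get("src"):
                self.hops.append(("script", urljoin(self.base_url, a["src"])))
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = META_URL_RE.search(a.get("content") or "")
            if m:
                self.hops.append(("meta-refresh", urljoin(self.base_url, m.group(1))))

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies as raw data; buffer until the end tag.
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
            code = "".join(self._script_buf)
            self._script_buf = []
            for m in LOCATION_RE.finditer(code):
                self.hops.append(("js-location", urljoin(self.base_url, m.group(1) or m.group(2))))


def extract_next_hops(html, base_url):
    """Return the list of (kind, absolute_url) next hops found statically in `html`."""
    parser = NextHopParser(base_url)
    parser.feed(html)
    parser.close()
    return parser.hops


def offsite_hosts(hops, base_url):
    """Hosts other than the landing page's own: where the exploit kit usually lives."""
    own = urlparse(base_url).netloc
    hosts = {urlparse(url).netloc for _, url in hops}
    return sorted(h for h in hosts if h and h != own)


if __name__ == "__main__":
    hops = extract_next_hops(SAMPLE_HTML, BASE_URL)
    for kind, url in hops:
        print(f"{kind:15} {url}")
    print("off-site hosts:", ", ".join(offsite_hosts(hops, BASE_URL)))
```

Run it over the saved HTML of a landing page and the off-site host list is your first set of leads for blocking, pivoting in logs, or feeding back into Thug. Note what the static pass misses: the `go.php` URL is built at runtime from a variable, so only JavaScript emulation, which is exactly what Thug adds, would reveal it.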
References
Installation of libemu and pylibemu on Ubuntu/Debian
Thug on REMnux (Walkthrough)
PaulDotCom Episode318
Great post, some packages missing for install but great anyhow.
Thanks. What packages were missing? I wrote this guide when the original Kali 1.0 came out so perhaps things have changed now that we’re on 1.0.5.
Getting an error while building Pyv8 on Kali 1.0
src/Engine.cpp:357:43: error: cannot convert ‘v8::ResourceConstraints*’ to ‘v8::Isolate*’ for argument ‘1’ to ‘bool v8::SetResourceConstraints(v8::Isolate*, v8::ResourceConstraints*)’
Any thoughts?
I'm getting issue(s) with missing boost/python.hpp from src/Utils.h. Went out and grabbed the lib, put it in the proper dir and still no luck… I really don't want to have a separate VM for thug but it looks like this is not going to work 🙁
Please please please make similar instructions for OSX! Tried doing each thing by hand with not much luck, things are not happy in OSX land with all these dependencies!
Thanks much!
I wish I could. Alas, I don’t have access to a current OS X machine. Good luck though, hope you get it working!
This does not work at all; as far as I can tell it's missing boost. Went out and got it, put it in the src directory and it still does not work.
Sorry, this post is old. I’d gather that these instructions and package versions are not going to work on Kali 2 (assuming that’s what you’re using).