EDIT: This post was originally written for Kali 1.0 in 2013. It was not tested on any later version.
I started this post with Backtrack, but since Kali Linux came out yesterday, I figured I would update the instructions to use the latest and greatest!
Thug is a low-interaction honeyclient put out by The Honeynet Project. The purpose of a honeyclient is to emulate a web browser when viewing malicious websites, so the page is never loaded in a real, vulnerable browser. It can follow redirects, pull down malware, and emulate browser plugins to capture whatever malicious code is being served up to victims. You can read more about Thug here and here.
Here is how to install thug and its many dependencies on Kali Linux. You should be able to copy and paste the whole block of commands below right into a terminal to get everything going.
```bash
# Install the dependencies that are available in aptitude
apt-get -y install subversion libboost-dev libboost-python-dev libboost-thread-dev libboost-system-dev python-pip python-dev libbz2-dev libboost-all-dev python-magic autoconf automake dh-autoreconf

# Install libemu. Used for shellcode emulation
cd
git clone git://git.carnivore.it/libemu.git
cd libemu
autoreconf -v -i
./configure --enable-python-bindings --prefix=/opt/libemu
make -j4
make install
ldconfig -n /opt/libemu/lib

# Install pylibemu - used for libemu to talk with python
cd
git clone https://github.com/buffer/pylibemu.git
sh -c "echo /opt/libemu/lib > /etc/ld.so.conf.d/pylibemu.conf"
cd pylibemu
python setup.py build
python setup.py install

# Install some remaining python libraries that are needed
pip install beautifulsoup4 zope.interface pymongo cssutils httplib2 pefile chardet html5lib
# pydot requires pyparsing, but the last version of pyparsing that supports python 2.x is 1.5.7
easy_install pyparsing==1.5.7
pip install pydot

# Change to a working directory and get thug
cd /usr/local/src
mkdir thug
cd thug
git clone https://github.com/buffer/thug.git

# Download, configure and install Google V8
svn checkout http://v8.googlecode.com/svn/trunk/ v8
svn checkout http://pyv8.googlecode.com/svn/trunk/ pyv8
# Patch from thug
cp thug/patches/V8-patch* ./
patch -p0 < V8-patch1.diff

# setup V8 and PyV8
export V8_HOME=/usr/local/src/thug/v8/
cd pyv8/
python setup.py build
python setup.py install

# Make a copy of thug in /opt for use
cd ..
cp -ar ./thug/ /opt/thug

# Make sure python knows where libemu is in this session and permanently
export LD_LIBRARY_PATH=/opt/libemu/lib
echo 'export LD_LIBRARY_PATH=/opt/libemu/lib' >> ~/.bashrc

# Profit!
python /opt/thug/src/thug.py -h
```
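Because the block above builds several pieces from source, it helps to confirm each one landed where the commands put it before running thug. The checker below is an added example, not from the original post: path arguments default to the post's locations (/opt/libemu, /opt/thug, /etc/ld.so.conf.d/pylibemu.conf) and can be overridden, and the module check assumes the same python (2.x) the post installs into.

```bash
# Added install checker for the Thug build above (not part of the original post).
check_path() {
    # Print one status line per artefact; return 1 if it is missing.
    if [ -e "$1" ]; then
        printf 'ok       %s\n' "$1"
    else
        printf 'MISSING  %s\n' "$1"
        return 1
    fi
}

check_thug_install() {
    # Args: libemu prefix, thug copy, ld.so.conf.d entry (defaults match the post).
    libemu_prefix="${1:-/opt/libemu}"
    thug_home="${2:-/opt/thug}"
    ldconf="${3:-/etc/ld.so.conf.d/pylibemu.conf}"
    missing=0
    check_path "$libemu_prefix/lib/libemu.so" || missing=$((missing + 1))
    check_path "$ldconf" || missing=$((missing + 1))
    check_path "$thug_home/src/thug.py" || missing=$((missing + 1))
    check_path "$thug_home/patches" || missing=$((missing + 1))
    # The loader config must actually name the libemu lib dir, otherwise the
    # pylibemu extension only loads while LD_LIBRARY_PATH is exported.
    if [ -r "$ldconf" ] && ! grep -qxF "$libemu_prefix/lib" "$ldconf"; then
        printf 'WRONG    %s does not list %s/lib\n' "$ldconf" "$libemu_prefix"
        missing=$((missing + 1))
    fi
    return "$missing"   # 0 means every artefact was found
}

check_python_modules() {
    # Import the python-side pieces the post installs; returns 2 if python is absent.
    command -v python >/dev/null 2>&1 || { echo "python not found, skipping"; return 2; }
    failed=0
    for mod in pylibemu PyV8 bs4 pymongo pefile; do
        if python -c "import $mod" 2>/dev/null; then
            printf 'ok       import %s\n' "$mod"
        else
            printf 'FAILED   import %s\n' "$mod"
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}
```

Run `check_thug_install && check_python_modules` after the install block; a non-zero exit from either tells you how many pieces still need attention.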
That’s it. It’s actually easier to install on Kali than on Backtrack 5r3, so I’m glad I gave it a go.
To begin analyzing malicious sites, I'd recommend creating a directory called ~/thug/run and running thug from within that directory with
root@kali:~/thug/run# python /opt/thug/src/thug.py <url>
Thug will create the directory ~/thug/logs for everything it finds. From there you can pull out files or code for further examination with other tools.