Python low-interaction honeyclient

Overview

Thug

version badge github badge lgtm badge codefactor badge codecov badge bandit badge

The number of client-side attacks has grown significantly in the past few years shifting focus on poorly protected vulnerable clients. Just as the most known honeypot technologies enable research into server-side attacks, honeyclients allow the study of client-side attacks.

A complement to honeypots, a honeyclient is a tool designed to mimic the behavior of a user-driven network client application, such as a web browser, and be exploited by an attacker's content.

Thug is a Python low-interaction honeyclient aimed at mimicing the behavior of a web browser in order to detect and emulate malicious contents.

Documentation

docs badge

Documentation about Thug installation and usage can be found at http://thug-honeyclient.readthedocs.io/.

Contributions

donate badge

Thug is open source and we welcome contributions in all forms!

Thug is free to use for any purpose (even commercial ones). If you use and appreciate Thug, please consider supporting the project with a donation using Paypal.

Testing

To run the full test suite using tox, run the command:

tox

Since tox builds and installs dependencies from scratch, using pytest for faster testing is recommended:

pytest --cov thug

License information

Copyright (C) 2011-2021 Angelo Dell'Aera <[email protected]>

License: GNU General Public License, version 2

Comments
  • Add support for WScriptNetwork object.

    Add support for WScriptNetwork object.

    Adds support for the WScriptNetwork object which was used in some recent samples.

    Ideally the attributes shouldn't be static but retrieved using WScriptShell.ExpandEnvironmentStrings(). Any comments on how to do that?

    Also did some improvements on the Scripting.FileSystemObject module.

    enhancement 
    opened by tweemeterjop 17
  • Thug not properly handling redirects logging

    Thug not properly handling redirects logging

    Hi! Let's take a look at this situation: At hxxp://localhost:1337/ek_tests/dummy_redirect_chain/exploit.html some code was added by nasty hacker.

    <html>
    <head>
    <title>Dummy sploit</title>
    </head>
    <body>
    <!-- malicious code start -->
    <script src="javascript.php?option=0"></script>
    <!-- malicious code end -->
    </body>
    </html>
    

    That code redirects (indirectly) to (imaginated) exploit kit's gate (that uses alert(1) from js as exploit). It creates some new scripts on the way to gate. At the backend side, it looks like this:

    <?php
    /**
    * javascript.php
    */
    $i = $_GET['option'];
    $to_write = "";
    switch ($i) {
        case 0:
            $to_write =  "var script = document.createElement('script');
    script.src = 'javascript.php?option=1';
    document.body.appendChild(script);";
            break;
        case 1:
            header('Location: javascript.php?option=2');
            break;
        case 2:
            $to_write = "document.write(\"<iframe src='iframe.php?option=1'></iframe>\");";
            break;
       case 3:
            $to_write =  "var script = document.createElement('script');
    script.src = 'javascript.php?option=4';";
        case 4:
           $to_write = "alert('1');";
    }
    echo $to_write;
    ?>
    

    Also uses iframes

    <?php
    /**
    * iframe.php
    */
    $i = $_GET['option'];
    $to_write = "";
    switch ($i) {
        case 0:
            $to_write =  "var script = document.createElement('script');
    script.src = 'javascript.php?option=1';";
            break;
        case 1:
            $to_write = "<script src='javascript.php?option=3'></script>";
            break;
        case 2:
            $to_write = "document.write(\"<iframe src='iframe.php?option=1'></iframe>\");";
            break;
       case 3:
            $to_write =  "var script = document.createElement('script');
    script.src = 'javascript.php?option=4';";
        case 4:
           $to_write = "document.alert(1);";
    }
    echo '<html><head></head><body>';
    echo $to_write;
    echo '</body></html>';
    ?>
    

    When user (thug) enters that site, it produces some redirects with alert(1) at the end. It looks like this: http://svgur.com/i/1XW.svg - graph made by thug itself.

    The problem is: Even if one script leads to another, we are not informed about that. We cannot build proper redirect chains for that redirections. We get such output:

     | -> 1    / (2->3 redirected by HTTP Location header)
    0| -> 2 -> 3
     | -> 4
    

    Even if that really should be:

    0 -> 1 -> 2 -> 3 -> 4
    

    I know that this is caused by, for example, that newly created scripts are executed within base (0's) DOM. I believe we could somehow get information about real source of some action from V8. It is critical aspect for analysis of web threats, because at the moment we don't really know what part of website is malicious, and what is not. Also, thanks for a great tool :)

    enhancement 
    opened by internaldefect 16
  • new version - missing graph.svg

    new version - missing graph.svg

    Using thug via docker installation, very good tool. Recently installed the new version but it seems the graph.svg file is not being created within the analysis folder.

    Is this feature removed completely or can it be enabled?

    Thanks

    configuration 
    opened by arunkhan1984 13
  • First time set-up problems.

    First time set-up problems.

    Hi, firstly I am on Ubuntu 16.04 and have gone through the Thug installation guide multiple time and am currently stuck as where to go from here. I installed all packages except HoneyAgent & VirusTotal (both optional). My problem is that when I run thug --list-ua I get this:

    
    [2017-03-28 10:11:03] [HTML Classifier] Skipping not existing default classification rule file
    [2017-03-28 10:11:03] [HTML Classifier] Skipping not existing default filter file
    [2017-03-28 10:11:03] [JS Classifier] Skipping not existing default classification rule file
    [2017-03-28 10:11:03] [JS Classifier] Skipping not existing default filter file
    [2017-03-28 10:11:03] [VBS Classifier] Skipping not existing default classification rule file
    [2017-03-28 10:11:03] [VBS Classifier] Skipping not existing default filter file
    [2017-03-28 10:11:03] [URL Classifier] Skipping not existing default classification rule file
    [2017-03-28 10:11:03] [URL Classifier] Skipping not existing default filter file
    [2017-03-28 10:11:03] [Sample Classifier] Skipping not existing default classification rule file
    [2017-03-28 10:11:03] [Sample Classifier] Skipping not existing default filter file
    [2017-03-28 10:11:03] [Text Classifier] Skipping not existing default classification rule file
    [2017-03-28 10:11:03] [Text Classifier] Skipping not existing default filter file
    
    Synopsis:
        Thug: Pure Python honeyclient implementation
    
        Available User-Agents:
    

    So lots of skipping, I don't know if that is a problem but no User-Agents? Also when I try to run Thug I get the following:

    [2017-03-28 10:15:41] [HTML Classifier] Skipping not existing default classification rule file
    [2017-03-28 10:15:41] [HTML Classifier] Skipping not existing default filter file
    [2017-03-28 10:15:41] [JS Classifier] Skipping not existing default classification rule file
    [2017-03-28 10:15:41] [JS Classifier] Skipping not existing default filter file
    [2017-03-28 10:15:41] [VBS Classifier] Skipping not existing default classification rule file
    [2017-03-28 10:15:41] [VBS Classifier] Skipping not existing default filter file
    [2017-03-28 10:15:41] [URL Classifier] Skipping not existing default classification rule file
    [2017-03-28 10:15:41] [URL Classifier] Skipping not existing default filter file
    [2017-03-28 10:15:41] [Sample Classifier] Skipping not existing default classification rule file
    [2017-03-28 10:15:41] [Sample Classifier] Skipping not existing default filter file
    [2017-03-28 10:15:41] [Text Classifier] Skipping not existing default classification rule file
    [2017-03-28 10:15:41] [Text Classifier] Skipping not existing default filter file
    [2017-03-28 10:15:41] [WARNING] VirusTotal disabled (no configuration file found)
    [2017-03-28 10:15:41] [CRITICAL] Logging subsystem not initialized (configuration file not found)
    Traceback (most recent call last):
      File "/usr/local/bin/thug", line 11, in <module>
        sys.exit(main())
      File "/usr/local/lib/python2.7/dist-packages/thug/thug.py", line 334, in main
        Thug(sys.argv[1:])()
      File "/usr/local/lib/python2.7/dist-packages/thug/ThugAPI/ThugAPI.py", line 86, in __call__
        self.analyze()
      File "/usr/local/lib/python2.7/dist-packages/thug/thug.py", line 324, in analyze
        ThugPlugins(PRE_ANALYSIS_PLUGINS, self)()
      File "/usr/local/lib/python2.7/dist-packages/thug/Plugins/ThugPlugins.py", line 44, in __init__
        self.get_plugins()
      File "/usr/local/lib/python2.7/dist-packages/thug/Plugins/ThugPlugins.py", line 68, in get_plugins
        for p in os.listdir(PLUGINS_PATH):
    OSError: [Errno 2] No such file or directory: '/etc/thug/plugins'
    
    

    I have followed the installation guide step by step and it is now at the Usage section? Am I meant to install the Docker too or is there something else I have missed?

    Thank you for your help in advance!

    opened by Waffles-2 11
  • ReferenceError

    ReferenceError

    There is malicious code and normal code in javascript. If a reference error occurs in the normal code, the malicious code will not be analyzed in the future. Can I pass(skip) the reference error?... and then I want to continue analyzing the malicious code

    [2018-11-12 21:47:41] Traceback (most recent call last):    File "/usr/lib/python2.7/site-packages/thug-0.9.37-py2.7.egg/thug/Debugger/Shellcode.py", line 162, in run      result = self.ctxt.eval (self.script) ReferenceError: ReferenceError: functions is not defined (@ 1: 0) -> functions.validateAndSubmitForm ();

    not an issue 
    opened by parknom 10
  • Data in mongodb

    Data in mongodb

    Hi, I wonder how possible it would be to push most of the data in analysis.xml/avlog.json and graph.svg into mongodb so it can be used by eg. a web interface.

    I really want to use thug, but I find the lack of a web interface for viewing the reports quite the problem.

    Ideally I guess a JSON version of the MAEC schema would be the best, but that kinda goes against the MAEC specifications, for now.. :)

    An example of a web interface I could make with having all the data in mongodb could be something like http://two.mrfjo.org/02906d5b-a7cd-47f8-9885-6e80eecf967a/

    enhancement 
    opened by espenfjo 10
  • Fix infinite recursion problem in Window.__getattr__

    Fix infinite recursion problem in Window.__getattr__

    Window object has infinite recursion when the following two conditions:

    1. Check whether the V8 JSContext has been initialized through getattr(). It would be a lookup loop which always calls getattr() since the code uses self.context before initializing V8 JSContext.

    Fix by: Raise attribute error if getattribute() can't find "_context" variable.

    1. Get the nonexistent variable or function by "self.context.eval(name)". When V8 JSContext can't find the variable, it will call getattr() again. It also becomes a lookup loop.

    Fix by: Avoid to call getattr() from V8Context internal.

    > python -m cProfile thug.py -l ../samples/Events/testEvent10.html

    Before fix: ncalls tottime percall cumtime percall filename:lineno(function) 588/5 0.193 0.000 0.759 0.152 Window.py:138(getattr) 6825 0.003 0.000 0.003 0.000 Window.py:196(window) 616/344 0.378 0.001 0.599 0.002 Window.py:850(context)

    After fix: ncalls tottime percall cumtime percall filename:lineno(function) 55/37 0.014 0.000 0.014 0.000 Window.py:139(getattr) 35 0.000 0.000 0.000 0.000 Window.py:206(window) 82/4 0.004 0.000 0.020 0.005 Window.py:860(context)

    opened by Joseph-CHC 10
  • javascript that fools thug

    javascript that fools thug

    Saw this on a landing page, thug did not follow it:

    <script type="text/javascript">
        setTimeout("testTime()", 0);
        function testTime() {
            location = "/";
        }
     </script>
    
    defect 
    opened by evilscheme 10
  • ImportError: libemu.so.2: cannot open shared object file: No such file or directory

    ImportError: libemu.so.2: cannot open shared object file: No such file or directory

    I have successfully installed V8 and PyV8. i have tested it and the result is OK.

    but while i was executing python thug.py -h,, the error was appeared. the errors look like:

    root@ubuntu:/home/kafin/thug/src# sudo python thug.py -h Traceback (most recent call last): File "thug.py", line 31, in from DOM import Window, DFT, MIMEHandler, SchemeHandler File "/home/kafin/thug/src/DOM/Window.py", line 32, in from .Location import Location File "/home/kafin/thug/src/DOM/Location.py", line 22, in import DFT File "/home/kafin/thug/src/DOM/DFT.py", line 20, in import pylibemu ImportError: libemu.so.2: cannot open shared object file: No such file or directory

    anyone got also this error, or how do i solve this?

    thanks

    opened by kafin 10
  • Problem with shellcode encoding - MongoDB logging

    Problem with shellcode encoding - MongoDB logging

    Hello, I think that the shellcode is not properly handled and stored in MongoDB. I get error messages like this one when thug tries to decode the hex encoded shellcode:

    ...
      File "/usr/local/lib/python2.7/dist-packages/thug/Logging/ThugLogging.py", line 125, in add_shellcode_snippet
        m(snippet, language, relationship, tag.hex, method)
      File "/usr/local/lib/python2.7/dist-packages/thug/Logging/modules/MongoDB.py", line 416, in add_code_snippet
        'snippet'      : self.fix(snippet),
      File "/usr/local/lib/python2.7/dist-packages/thug/Logging/modules/MongoDB.py", line 408, in fix
        return thug_unicode(data).replace("\n", "").strip()
    UnicodeDecodeError: 'ascii' codec can't decode byte 0xeb in position 4: ordinal not in range(128) 
    

    The problem is that the shellcode contains non printable characters and thus can not be stored in decoded form. Also even when it is possible to decode the shellcode from unicode encoding the output is not as useful as the original hex encoded form. This exception also breaks the analysis and thus it is not properly finished. I think that the shellcode should not be decoded and should be stored in its original form. What do you think about that? Thank you.

    Stanislav

    defect 
    opened by standa4 9
  • Timeout option not working properly

    Timeout option not working properly

    Hello Is it possible that the timeout option (-T) is not working as intended? I was scanning some targets that take a long time or never finish at all (longer than the 600s default timeout), where I noticed that the runs actually don't finish after the default timeout. I still see the timeout message in the log: [2019-03-19 09:09:30] The analysis took more than 60 second(s). Aborting! however the run is not stopped as result, rather it continues as if nothing happened. The same behaviour was occurring after choosing different targets and a shorter timeout.

    I am running thug inside a docker container and am starting the scans with the following command (short timeout for testing purposes): docker run --rm -it buffer/thug thug -T 10 -d <target url>

    I am misinterpreting what the timeout option is for? I am assuming it should abort the scan as soon as the timeout is reached, but maybe that is not the case.

    defect docker 
    opened by PinkSheep 8
Releases(v4.7)
Owner
Angelo Dell'Aera
Linux kernel hacker, deeply interested in every facet of computer and information security, intensely involved in exploring and analyzing new emerging threats.
Angelo Dell'Aera
WinRemoteEnum is a module-based collection of operations achievable by a low-privileged domain user.

WinRemoteEnum WinRemoteEnum is a module-based collection of operations achievable by a low-privileged domain user, sharing the goal of remotely gather

Simon 9 Nov 9, 2022
Python decompiler for Python 1.5-2.4 (for historical archive)

This preserves the early code of a Python decompiler for Python versions 1.5 to 2.4. I have been able to install this using pyenv using Python 2.3.7 u

R. Bernstein 2 Jan 4, 2022
Python & JavaScript Obfuscator made in Python 3.

Python Code Obfuscator A script that converts code into full on random numerical expressions. Simple Scripts: Python Mode... Input: Function that deco

rzx. 1 Dec 29, 2021
A Python & JavaScript Obfuscator made in Python 3.

Python Code Obfuscator A script that converts code into full on random numerical expressions. Simple Scripts: Python Mode... Input: Function that deco

Karim 3 Mar 24, 2022
Whois-Python - Get Whois Domain with Python GUI

Whois-Python-GUI Get Whois Domain with Python - GUI :) WARNING > Dont Copy ! - W

MR.D3F417 3 Feb 21, 2022
A Python Bytecode Disassembler helping reverse engineers in dissecting Python binaries

A Python Bytecode Disassembler helping reverse engineers in dissecting Python binaries by disassembling and analyzing the compiled python byte-code(.pyc) files across all python versions (including Python 3.10.*)

neeraj 95 Dec 26, 2022
A simple python script for hosting a Snowflake Proxy in your python program or with it's standalone cli

snowflake-cli Snowflake is a system to defeat internet censorship, made by Tor Project. The system works by volunteers who run the snowflake extension

Guilherme Paixão 6 Jul 14, 2022
Bandit is a tool designed to find common security issues in Python code.

A security linter from PyCQA Free software: Apache license Documentation: https://bandit.readthedocs.io/en/latest/ Source: https://github.com/PyCQA/ba

Python Code Quality Authority 4.8k Dec 31, 2022
A Static Analysis Tool for Detecting Security Vulnerabilities in Python Web Applications

This project is no longer maintained March 2020 Update: Please go see the amazing Pysa tutorial that should get you up to speed finding security vulne

null 2.1k Dec 25, 2022
Dlint is a tool for encouraging best coding practices and helping ensure Python code is secure.

Dlint Dlint is a tool for encouraging best coding practices and helping ensure Python code is secure. The most important thing I have done as a progra

Dlint 127 Dec 27, 2022
A tool used to obfuscate python scripts, bind obfuscated scripts to fixed machine or expire obfuscated scripts.

PyArmor Homepage (中文版网站) Documentation(中文版) PyArmor is a command line tool used to obfuscate python scripts, bind obfuscated scripts to fixed machine

Dashingsoft 1.9k Dec 30, 2022
Looks at Python code to search for things which look "dodgy" such as passwords or diffs

dodgy Dodgy is a very basic tool to run against your codebase to search for "dodgy" looking values. It is a series of simple regular expressions desig

Landscape 112 Nov 25, 2022
Big-Papa Integrates Javascript and python for remote cookie stealing which then can be used for session hijacking

Big-Papa is a remote cookie stealer which can then be used for session hijacking and Bypassing 2 Factor Authentication

null 77 Jan 3, 2023
A Python tool to automate some dorking stuff to find information disclosures.

WebDork v1.0.3 A open-source tool to find publicly available sensitive information about Companies/Organisations! WebDork A Python tool to automate so

Rahul rc 123 Jan 8, 2023
Python implementation of the diceware password generating algorithm.

Diceware Password Generator - Generate High Entropy Passwords Please Note - This Program Do Not Store Passwords In Any Form And All The Passwords Are

Sameera Madushan 35 Dec 25, 2022
Python tool for dumping flash via uboot reliably

Reliable Uboot Flash Dumper is a Python tool for dumping flash via uboot reliably. If you've ever had to dump flash via uboot and a serial connection and became frustrated about doing it several times and hand-merging files together to fix issues, this should help you out

SecurityJon 25 May 10, 2022
A Fast Broken Link Hijacker Tool written in Python

Broken Link Hijacker BrokenLinkHijacker(BLH) is a Fast Broken Link Hijacker Tool written in Python.

Mayank Pandey 70 Nov 30, 2022
Pupy is an opensource, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool mainly written in python

Pupy Installation Installation instructions are on the wiki, in addition to all other documentation. For maximum compatibility, it is recommended to u

null 7.4k Jan 4, 2023
Remote Desktop Protocol in Twisted Python

RDPY Remote Desktop Protocol in twisted python. RDPY is a pure Python implementation of the Microsoft RDP (Remote Desktop Protocol) protocol (client a

Sylvain Peyrefitte 1.6k Dec 30, 2022