Tutorial on using Thug.py, the sweet sticky client
Thug can be found on the excellent HoneyDrive Linux distribution, but the project is very actively maintained and newer versions can be cloned directly from https://github.com/buffer/thug
It supports all kinds of user agents, lets you send samples directly to VirusTotal, and gives you the option to specify different plugins. The proxy support is also a great feature.
To demo it I stood up a standard Metasploit browser autopwn module and pointed Thug at it without using any options.
Checking out the logs directly shows some long directory names. The thug.csv file tells you which URL request corresponds to which directory name. The names were computed by hashing the contents of the request and the timestamps of the event. Below you can see the directory structure of the Thug-generated record.
Looking at the HTML files, you can see that the script is fingerprinting the requester and routing it to an exploit if one applies.
By playing with the user agent and the plugin versions you can get the web server to react to the request differently.
The analysis folder in the log contains a generated SVG image that lets you visualize the redirects at each hop and the method of each redirect. This can get pretty crazy and intricate. It is a good place to start when looking for suspicious redirects or inclusions in seemingly innocuous domains.
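As an added example (not Thug's own code or log format), the script below rebuilds the kind of hop graph that SVG shows from a constructed list of redirects, flags hops that leave the current host or land on a bare IP, and emits Graphviz DOT that `dot -Tsvg` will render. The URLs, hop list and method labels are all constructed for the demo.

```python
from collections import defaultdict
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed sample hops (source URL, destination URL, how the hop happened). Not Thug's log format.
HOPS = [
    ("http://news.example.com/story.html", "http://cdn.example.com/ad.js", "script src"),
    ("http://cdn.example.com/ad.js", "http://tracker.example.net/r", "window.location"),
    ("http://tracker.example.net/r", "http://203.0.113.5/x/", "HTTP 302"),
    ("http://203.0.113.5/x/", "http://203.0.113.5/x/ie8.html", "iframe"),
]

def host(url):
    return urlsplit(url).hostname or ""

def is_ip(h):
    try:
        ip_address(h)
        return True
    except ValueError:
        return False

def chains(hops, start):
    """Every path from start through the hops as [(method, url), ...]; cycle-safe."""
    nxt = defaultdict(list)
    for src, dst, how in hops:
        nxt[src].append((dst, how))
    found = []
    def walk(url, path, seen):
        if url in seen or not nxt[url]:
            found.append(path)
            return
        for dst, how in nxt[url]:
            walk(dst, path + [(how, dst)], seen | {url})
    walk(start, [("start", start)], frozenset())
    return found

def flag_hops(chain):
    """Hops that leave the current host or land on a bare IP, with the reason."""
    flags = []
    for (_, prev), (how, cur) in zip(chain, chain[1:]):
        reasons = ["host change"] * (host(prev) != host(cur)) + ["bare IP"] * is_ip(host(cur))
        if reasons:
            flags.append((how, cur, reasons))
    return flags

def to_dot(hops):
    """Graphviz DOT of the hop graph; `dot -Tsvg` renders it much like Thug's SVG."""
    return "digraph redirects {\n" + "\n".join(f'  "{s}" -> "{d}" [label="{h}"];' for s, d, h in hops) + "\n}"
```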