Tutorial on using Thug.py, the sweet sticky client

Most “honey” software is intended to emulate a systemhowever, client side attacks are becoming common and to research these attacks there is a need for emulating a client. Enter thug. It requests a target url, follows redirects and obtains all javascript and shellcode from potentially malicious urls. Thug can be found on the excellent honeydrive linux distribution but the project is being very actively maintained and newer version can be cloned right from https://github.com/buffer/thug

There is information on 2 thug docker images here https://www.honeynet.org/node/1168

The guy from bruteforce labs has a nice script for a vagrant set up here https://github.com/ikoniaris/thug-vagrant

 Thug: Pure Python honeyclient implementation

        python thug.py [ options ] url

        -h, --help          	Display this help information
        -V, --version       	Display Thug version
        -u, --useragent=    	Select a user agent (see below for values, default: winxpie60)
        -e, --events=       	Enable comma-separated specified DOM events handling
        -w, --delay=        	Set a maximum setTimeout/setInterval delay value (in milliseconds)
        -n, --logdir=       	Set the log output directory
        -o, --output=       	Log to a specified file
        -r, --referer=      	Specify a referer
        -p, --proxy=        	Specify a proxy (see below for format and supported schemes)
        -l, --local         	Analyze a locally saved page
        -x, --local-nofetch 	Analyze a locally saved page and prevent remote content fetching
        -v, --verbose       	Enable verbose mode
        -d, --debug         	Enable debug mode
        -q, --quiet         	Disable console logging
        -m, --no-cache      	Disable local web cache
        -a, --ast-debug     	Enable AST debug mode (requires debug mode)
        -g, --http-debug    	Enable HTTP debug mode 
        -t, --threshold     	Maximum pages to fetch
        -E, --extensive     	Extensive fetch of linked pages
        -T, --timeout=      	Set the analysis timeout (in seconds)
        -B, --broken-url    	Set the broken URL mode
        -y, --vtquery       	Query VirusTotal for samples analysis
        -s, --vtsubmit      	Submit samples to VirusTotal
        -N, --no-honeyagent 	Disable HoneyAgent support

        -A, --adobepdf=     	Specify the Adobe Acrobat Reader version (default: 9.1.0)
        -P, --no-adobepdf   	Disable Adobe Acrobat Reader plugin
        -S, --shockwave=    	Specify the Shockwave Flash version (default:
        -R, --no-shockwave  	Disable Shockwave Flash plugin
        -J, --javaplugin=   	Specify the JavaPlugin version (default:
        -K, --no-javaplugin 	Disable Java plugin

        -Q, --urlclassifier 	Specify a list of additional (comma separated) URL classifier rule files
        -W, --jsclassifier  	Specify a list of additional (comma separated) JS classifier rule files
        -C, --sampleclassifier 	Specify a list of additional (comma separated) sample classifier rule files

    Proxy Format:
        scheme://[username:password@]host:port (supported schemes: http, http2, socks4, socks5)

    Available User-Agents:
	winxpie60		Internet Explorer 6.0	(Windows XP)
	winxpie61		Internet Explorer 6.1	(Windows XP)
	winxpie70		Internet Explorer 7.0	(Windows XP)
	winxpie80		Internet Explorer 8.0	(Windows XP)
	winxpchrome20		Chrome 20.0.1132.47	(Windows XP)
	winxpfirefox12		Firefox 12.0		(Windows XP)
	winxpsafari5		Safari 5.1.7		(Windows XP)
	win2kie60		Internet Explorer 6.0	(Windows 2000)
	win2kie80		Internet Explorer 8.0	(Windows 2000)
	win7ie80		Internet Explorer 8.0	(Windows 7)
	win7ie90		Internet Explorer 9.0	(Windows 7)
	win7chrome20		Chrome 20.0.1132.47	(Windows 7)
	win7firefox3		Firefox 3.6.13		(Windows 7)
	win7safari5		Safari 5.1.7		(Windows 7)
	osx10safari5		Safari 5.1.1		(MacOS X 10.7.2)
	osx10chrome19		Chrome 19.0.1084.54	(MacOS X 10.7.4)	linuxchrome26		Chrome 26.0.1410.19	(Linux)
	linuxchrome30		Chrome 30.0.1599.15	(Linux)
	linuxfirefox19		Firefox 19.0		(Linux)
	galaxy2chrome18		Chrome 18.0.1025.166	(Samsung Galaxy S II, Android 4.0.3)
	galaxy2chrome25		Chrome 25.0.1364.123	(Samsung Galaxy S II, Android 4.0.3)
	galaxy2chrome29		Chrome 29.0.1547.59	(Samsung Galaxy S II, Android 4.1.2)
	nexuschrome18		Chrome 18.0.1025.133	(Google Nexus, Android 4.0.4)
	ipadsafari7		Safari 7.0		(iPad, iOS 7.0.4)
	ipadchrome33		Chrome 33.0.1750.21	(iPad, iOS 7.1)
	ipadchrome35		Chrome 35.0.1916.41	(iPad, iOS 7.1.1)

It supports all kinds of user agents, allows you to send the samples directly to virustotal and gives you the option to specify different plugins. The proxy support is also a great feature.

To demo it I threw up a standard metasploit browser autopwn module and pointed thug at it without using any options.

sudo python thug.py

[2015-05-08 00:42:32] [window open redirection] about:blank ->
[2015-05-08 00:42:32] [HTTP] URL: (Status: 404, Referrer: None)
[2015-05-08 00:42:32] [File Not Found] URL:
[2015-05-08 00:42:32] Saving log analysis at ../logs/bf562b75e826f814c31d649ec22990ea/20150508004231
honeydrive@honeydrive:/honeydrive/thug/src$ sudo python thug.py
[2015-05-08 00:42:42] [window open redirection] about:blank ->
[2015-05-08 00:42:43] [HTTP] URL: (Status: 200, Referrer: None)
[2015-05-08 00:42:43] [HTTP] URL: (Content-type: text/html, MD5: c0e703784116c3367d9454be61879d2b)
[2015-05-08 00:42:44] ActiveXObject: microsoft.xmlhttp
[2015-05-08 00:42:44] [Microsoft XMLHTTP ActiveX] open('GET', '', True)
[2015-05-08 00:42:44] [Microsoft XMLHTTP ActiveX] send
[2015-05-08 00:42:44] [Microsoft XMLHTTP ActiveX] Fetching from URL (method: GET)
[2015-05-08 00:42:44] [Microsoft XMLHTTP Exploit redirection] ->
[2015-05-08 00:42:47] [HTTP] URL: (Status: 200, Referrer:
[2015-05-08 00:42:47] [HTTP] URL: (Content-type: text/html, MD5: 5c3279782850da8c61960518d4f6fcd9)
[2015-05-08 00:42:47] Saving log analysis at ../logs/6b3804e98f36d15e1bb5bc1e9cee0a75/20150508004242

Checking out the logs directy shows us some long directory names. There is the thug.csv file which tells you which url request corresponds to the directory names. The names were computed by hashing the contents of the request and timestamps of the event. Below you can see the directory structure of the thug generated record.

honeydrive@honeydrive:/honeydrive/thug/logs/6b3804e98f36d15e1bb5bc1e9cee0a75$ tree
└── 20150508004242
    ├── analysis
    │   ├── graph.svg
    │   ├── json
    │   │   └── analysis.json
    │   └── maec11
    │       └── analysis.xml
    └── text
        └── html
            ├── 5c3279782850da8c61960518d4f6fcd9
            └── c0e703784116c3367d9454be61879d2b

looking at the html files you can see that the script is fingerprinting the requester and routing it to an exploit if it’s applicable.

sudo python thug.py -u winxpie60 -J 1.1

By playing with the user agent and the plugin versions you can get the webserver to react to the request differently.

The analysis folder in the log contains a generated svg image that allows to to visualize the redirects at each hop and the method of the redirect. This can get pretty crazy and intricate. This is good place to start to see suspicious redirects or inclusions in seemly innocous domains.

Thug is a great tool for analyzing web request responses. It builds a comprehensive file structure of resources it obtains via the request and automatically beautifies any javascript found. It definitely has a lot of potential to pull some interesting artifacts out of any client side browser exploit.

Written on May 7, 2015