«

»

Jan 25 2013

How to install Thug Python client honeypot

Categories:

Honeypots, Malware

by Ion

UPDATE JULY 2014: This guide is considered “old” now. You probably want to try the new Thug-Vagrant project: http://bruteforce.gr/vagrant-configuration-thug-honeyclient.html

So, after a brief discussion with Twitter fellows @KDPryor and @Tazdrumm3r about Thug, the Python low-interaction honeyclient, I decided to write a proper installation guide for it since the official one is not quite complete.

I have already forked the project on GitHub and promise to update the official guide as well, submitting a pull request for buffer (the developer of Thug).

By the way, if you don’t want to bother installing Thug by yourself, you can find it inside HoneyDrive (0.2 Nectar edition), ready and waiting!

In the mean time, let me guide you step by step while I successfully (fortunately) install Thug on a new VPS running Ubuntu Server 12.04 LTS. Following the procedure below, Thug will be installed at “/opt/thug/”.

  1. Install Python 2.7 packages:
aptitude install python2.7 python2.7-dev
  1. Get Thug itself:
aptitude install git
cd /opt/
git clone git://github.com/buffer/thug.git
  1. Get Google’s V8 JavaScript engine and PyV8 Python wrapper:
aptitude install subversion
svn checkout http://v8.googlecode.com/svn/trunk/ v8

Patch it:

cp thug/patches/V8-patch* .
patch -p0 < V8-patch1.diff

Get PyV8:

svn checkout http://pyv8.googlecode.com/svn/trunk/ pyv8

Install PyV8:

aptitude install build-essential libboost-python-dev
export V8_HOME=/opt/v8
cd pyv8
python setup.py build
sudo python setup.py install
  1. Install Beautiful Soup 4:
aptitude install python-setuptools
easy_install beautifulsoup4
  1. Install html5lib:
easy_install html5lib
  1. Install Libemu:
aptitude install autoconf libtool
cd /tmp/
git clone git://git.carnivore.it/libemu.git
cd libemu
autoreconf -v -i
./configure --prefix=/opt/libemu
sudo make install
  1. Install Pylibemu:
cd /opt/
git clone git://github.com/buffer/pylibemu.git
cd pylibemu
python setup.py build
sudo python setup.py install
  1. Install Pefile:
easy_install pefile
  1. Install chardet:
easy_install chardet
  1. Install httplib2:
easy_install httplib2
  1. Install cssutils:
easy_install cssutils
  1. Install Zope Interface:
easy_install zope.interface
  1. Install MongoDB:
aptitude install mongodb

14: Install PyMongo:

easy_install pymongo

15: Execute Thug:

python /opt/thug/src/thug.py -h

to test if it’s working. In case you get the “ImportError: libemu.so.2: cannot open shared object file: No such file or directory” error, follow the solution as written below:

touch /etc/ld.so.conf.d/libemu.conf
echo "/opt/libemu/lib/" > /etc/ld.so.conf.d/libemu.conf
ldconfig

You are ready! Thug is installed and ready to hunt for client-side attacks!

Related posts:

  1. Vagrant configuration for Thug honeyclient
  2. Thug-Vagrant
  3. Visualizing Dionaea’s results with DionaeaFR
  4. Installing Kippo SSH Honeypot on Ubuntu
  5. HoneyDrive 0.2 Nectar edition released!
  • Multi-Mode

    Great guide just added thug to my Remnux Malware VM (Ubuntu 11.10). When building PyV8 I got the error:

    /usr/bin/ld: cannot find -lboost_thread
    /usr/bin/ld: cannot find -lboost_system

    Per your instructions I had already installed “libboost-python-dev” but I was able to fully resolve this issue with: “sudo apt-get install libboost-all-dev”

    Thanks for this guide, I was troubleshooting this libboost error for awhile using another guide and yours is the only one that mentions libboost-python-dev which is exactly what I needed to see to resolve the other libboost dependency issue I had. (I had also run into the same dependency issue on a clean Ubuntu 12.10 install)

    • Ion

      Hello Multi-Mode.

      Thanks for your comment and for sharing your experience with us. Glad it turned out alright 🙂

      You might want to try out HoneyDrive (see related page in the menu), a honeypot bundle distro where many honeypot related software is already installed and (mostly) preconfigured.

      Regards, Ion.

  • Pancho

    Whats the best way to update thug?

  • RahulBinjve

    Hi there,

    Nice post, saved me from big hassle. Something that I would like to add from my side. THUG also requires these Python packages, for running.
    requests, yara, jsbeautifier, python-magic and rarfile. These can be installed by simply running pip command. For e.g. - pip install yara.
    Hope this helps.
    Cheers. 🙂

    • Ion

      Hi Rahul, thanks for your message.

      Yes, this is somewhat of an “old” post. I have included all the new Thug requirements etc in the newer Thug-Vagrant project: http://bruteforce.gr/thug-vagrant

      Regards,
      Ion

  • Pingback: Thug – A Client Honeypot()

Powered by WordPress and the Graphene Theme.

More in Honeypots, Malware
The Kippo Kronicles - Ep1
SSH honeypot workshop @ BSides London 2013
Ανάλυση malware, για όλους! [μέρος 1]
HoneyDrive 0.2 Nectar edition released!
GÉANT: Experiences with IDS and Honeypots
Close