Linux Python

Detux – The Multiplatform Linux Sandbox

Detux is a sandbox developed to do traffic analysis of the Linux malwares and capture the IOCs by doing so. QEMU hypervisor is used to emulate Linux (Debian) for various CPU architectures.

The following CPUs are currently supported:

  • x86
  • x86-64
  • ARM
  • MIPS
  • MIPSEL
  • Use the Live version now: http://detux.org

What’s in this release?

This release of Detux contains the script for executing a Linux binary/script in a specified CPU arch. Don’t worry if you don’t know what platform, it’s in the script, the Magic package helps picking up the CPU arch in an automated way. x86 is the default CPU version, this can be tuned to a different one in the config file.

This release gives the analysis report in a DICT format, which can be easily customized to be inserted in to NOSQL dbs.

An example script has been provided which demonstrates the usage of the sandbox library.

Requirements:

System packages

  • python 2.7
  • qemu
  • pcaputils
  • sudo
  • libcap2-bin
  • bridge-utils

Python libraries (Preferable to use virtual environment)

  • pexpect
  • paramiko
  • python-magic
  • Kindly make sure that the above requirements are met before using Detux. A few dependencies may vary from OS to OS.

Architecture

  • Host ( The host itself can be a VM or a baremetal machine)
  • QEMU
  • dumpcap
  • DETUX Scripts

Network Arch

VM Setup:

Downloading Linux VM Images

Special thanks to aurel who has uploaded pre built QEMU Debian VM images for all possible CPU architectures. The VM images are located at : https://people.debian.org/~aurel32/qemu/, the same link contains the command examples for invoking the vm images.

You can use the following script to automatically download the VM images to the “qemu” folder of Detux.

Setting sudoers for qemu execution

Detux uses SSH to communicate with the VMs and so, this is currently required for the VMs to have networking capability. Considering that the listed binaries are in the same path, you may add the following lines to to /etc/sudoers (only if you are a non-root user):

Change the paths to the binaries if they differ for you.

Network setup:.
Add the following config to /etc/qemu-ifup, backup the original if you already have one:

Considering that eth0 is the interface you want your VMs to be bridged with, you may remove the configs for eth0 and use the following configs in /etc/network/interfaces:

You can also specify a static address you used for eth0.

Setting up your VMs
Traverse to the folder in which your VM images are located for each QEMU Images e.g. for ARM is :

For each image, follow the VM boot instructions given at “https://people.debian.org/~aurel32/”, to start the VM. However, if you are a non-root user, you will have to use sudo.

Comands for Booting the VMs (Replace with the MAC you desire):

 

Detux requires a preconfigured VM snapshot with IP addresses and ssh setup.

Steps for setting up your snapshot:

  • Choose an unconfigured VM image and start it using the above listed command in a Terminal.
  • Connect VM monitor. Connect a VNC client to 127.0.0.1:5901 and wait for the VM to boot completely.
  • Login with the default root credentials (root/root).
  • Configure the VM’s network interface such that it reachable/ accessible to the host.
  • Setup SSH server on the VM and anyother configuration if required for you.
  • Once configured, boot to a running state that accepts network connection.
  • Switch back to terminal with qemu console on, which should look like:

    Save the VM state typing the following qemu commands in the qemu console:

    Quit the QEMU console:

    — Repeat through step 1 for all the VMs

Setting capture permisisons

In order for a non-root user to be able to capture packets, Dumpcap needs capture privileges. (https://wiki.wireshark.org/CaptureSetup/CapturePrivileges).

The following command may enable the same for you:

If you are unable to capture packets, you need to check if permisions for your users are set correctly and the dumpcap path is right.

Detux Config

The detux.cfg files in the main directory needs to be configured. Each VM section has to be configured with correct Network Params and SSH credentials. You can choose root/non-root user depending on your need.

Running Detux

The Detux library located in “core” directory can be used to suit your need of analysis. The repo contains “detux.py” which analyses the given binary and saves pcap in pcap folder and writes JSON output to a specified filepath.

Usage:

Example:

Download Detux at Github

I started blogging around 2011 at #Ubuntupirates, #ProjectX and #pir8geek, I’m currently working as Network/Linux SysAdmin.

I’m a Linux,opensource advocate and interested in network security and InfoSec.

Leave a Reply