Pentest Tools

Published on May 9th, 2016


Detux — Multiplatform Linux Sandbox


Detux is a sandbox developed to do traffic analysis of Linux malware and to capture IOCs from that traffic. The QEMU hypervisor is used to emulate Linux (Debian) for various CPU architectures. This release of Detux contains the script for executing a Linux binary/script on a specified CPU architecture. If you don't know the target platform, the script uses the Magic package to pick the CPU architecture automatically. x86 is the default CPU version; this can be changed to a different one in the config file. This release produces the analysis report as a DICT, which can easily be customised for insertion into NoSQL databases. An example script has been provided which demonstrates the usage of the sandbox library.

The following CPUs are currently supported:

  • x86
  • x86-64
  • ARM
  • MIPS
  • MIPSEL
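The automatic CPU selection described above maps a sample to one of these five targets. The following is an added example (not Detux's own code, which relies on python-magic) that derives the same `--cpu` value by reading the ELF header directly, distinguishing MIPS from MIPSEL by the endianness byte; it is written for Python 3 and the sample headers are constructed inline.

```python
import struct

# ELF e_machine values for the architectures Detux supports.
EM_386, EM_X86_64, EM_ARM, EM_MIPS = 3, 62, 40, 8

def detect_cpu(data):
    """Return the Detux --cpu value (x86, x86-64, arm, mips, mipsel) for an
    ELF blob, or None if the input is not an ELF file or is unsupported."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return None  # not ELF: e.g. a script that needs --int, or a PE file
    ei_class, ei_data = data[4], data[5]   # 1/2 = 32/64-bit, 1/2 = LSB/MSB
    if ei_data == 1:
        endian = "<"
    elif ei_data == 2:
        endian = ">"
    else:
        return None
    e_machine = struct.unpack(endian + "H", data[18:20])[0]
    if e_machine == EM_386 and ei_class == 1:
        return "x86"
    if e_machine == EM_X86_64 and ei_class == 2:
        return "x86-64"
    if e_machine == EM_ARM and ei_class == 1:
        return "arm"
    if e_machine == EM_MIPS and ei_class == 1:
        # Same e_machine for both; only the byte order differs.
        return "mipsel" if endian == "<" else "mips"
    return None

def _fake_elf(ei_class, ei_data, e_machine):
    """Constructed 20-byte ELF header prefix (e_ident, e_type, e_machine)."""
    endian = "<" if ei_data == 1 else ">"
    ident = b"\x7fELF" + bytes([ei_class, ei_data, 1]) + b"\x00" * 9
    return ident + struct.pack(endian + "HH", 2, e_machine)  # e_type=EXEC

# Constructed sample headers, one per supported architecture.
SAMPLES = {
    "x86": _fake_elf(1, 1, EM_386),
    "x86-64": _fake_elf(2, 1, EM_X86_64),
    "arm": _fake_elf(1, 1, EM_ARM),
    "mips": _fake_elf(1, 2, EM_MIPS),
    "mipsel": _fake_elf(1, 1, EM_MIPS),
}

def classify_samples(samples):
    """Map each sample name to its detected --cpu value."""
    return {name: detect_cpu(blob) for name, blob in samples.items()}

if __name__ == "__main__":
    for name, cpu in classify_samples(SAMPLES).items():
        print(name, "->", cpu)
```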


Multiplatform Linux Sandbox: Detux demo


What’s in the report?

  • Static Analysis
    • Basic strings extracted from the binary
    • ELF information generated by readelf commands
    • report.py can be modified to add more third-party commands to analyse the binary and add their results to the DICT.
  • Dynamic Analysis
    • The captured pcaps are parsed with DPKT to extract the IOCs and readable info from the packets.


Requirements

  • System packages
    • python 2.7
    • qemu
    • pcaputils
    • sudo
    • libcap2-bin
    • bridge-utils
  • Python libraries (preferably installed in a virtual environment)
    • pexpect
    • paramiko
    • python-magic

Kindly make sure that the above requirements are met before using Detux. A few dependencies may vary from OS to OS.


Architecture

  • Host (the host itself can be a VM or a bare-metal machine)
    • QEMU
    • dumpcap
    • DETUX Scripts


Network Arch

  • NIC1: This interface is for accessing the Host.
  • NIC2: Interface bridged with the QEMU Sandbox VMs. Traffic from this interface can be redirected to WHONIX, REMnux or a custom gateway to filter/allow internet access for the sandboxed VMs.


Usage

usage: detux.py [-h] --sample SAMPLE [--cpu {x86,x86-64,arm,mips,mipsel}]
                [--int {python,perl,sh,bash}] --report REPORT

optional arguments:
  -h, --help            show this help message and exit
  --sample SAMPLE       Sample path (default: None)
  --cpu {x86,x86-64,arm,mips,mipsel}
                        CPU type (default: auto)
  --int {python,perl,sh,bash}
                        Architecture type (default: None)
  --report REPORT       JSON report output path (default: None)

Example:

python detux.py --sample test_script/example_binary1 --report reports/example_report1.json


Source && Download

https://github.com/detuxsandbox/detux


