Detux is a sandbox developed to do traffic analysis of Linux malware and capture the IOCs by doing so. The QEMU hypervisor is used to emulate Linux (Debian) for various CPU architectures.
The following CPUs are currently supported:
- x86
- x86-64
- ARM
- MIPS
- MIPSEL

Use the Live version now: http://detux.org

What's in this release?
This release of Detux contains the script for executing a Linux binary/script in a specified CPU arch. Don't worry if you don't know the platform: the Magic package, used by the script, picks up the CPU arch automatically. x86 is the default CPU version; this can be changed to a different one in the config file.
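Detux relies on the Magic package for this step; the following added example (not part of Detux) shows the same decision made directly from the ELF header, mapping e_machine and the endianness byte to the five arch names above and falling back to x86 for non-ELF input. The 20-byte header prefixes it tests on are constructed, not real samples.

```python
import struct

# ELF e_machine values (from the ELF specification) for the archs Detux emulates.
EM_386, EM_MIPS, EM_ARM, EM_X86_64 = 3, 8, 40, 62

def detux_arch(data, default="x86"):
    """Return the Detux arch folder name for a file's bytes.

    Non-ELF input (e.g. a shell script) falls back to `default`, mirroring the
    x86 default; ELF machines Detux does not emulate return None.
    """
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return default
    ei_data = data[5]                         # EI_DATA: 1 = LSB, 2 = MSB
    if ei_data not in (1, 2):
        return None
    endian = "<" if ei_data == 1 else ">"
    (e_machine,) = struct.unpack(endian + "H", data[18:20])
    if e_machine == EM_386:
        return "x86"
    if e_machine == EM_X86_64:
        return "x86-64"
    if e_machine == EM_ARM:
        return "arm"
    if e_machine == EM_MIPS:                   # MIPS vs MIPSEL is purely endianness
        return "mips" if ei_data == 2 else "mipsel"
    return None

def _fake_elf(ei_class, ei_data, e_machine):
    """Construct a minimal 20-byte ELF header prefix (constructed test input)."""
    endian = "<" if ei_data == 1 else ">"
    ident = b"\x7fELF" + bytes([ei_class, ei_data, 1]) + b"\x00" * 9   # 16-byte e_ident
    return ident + struct.pack(endian + "HH", 2, e_machine)             # e_type, e_machine

SAMPLES = {
    "mips-bigendian": _fake_elf(1, 2, EM_MIPS),
    "mipsel": _fake_elf(1, 1, EM_MIPS),
    "arm": _fake_elf(1, 1, EM_ARM),
    "amd64": _fake_elf(2, 1, EM_X86_64),
    "script": b"#!/bin/sh\necho hi\n",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, "->", detux_arch(blob))
```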
This release gives the analysis report in a DICT format, which can be easily customized to be inserted into NoSQL DBs.
An example script has been provided which demonstrates the usage of the sandbox library.
- Static Analysis
-- Basic strings extracted from the binary
-- ELF information generated by readelf commands
-- report.py can be modified to add more 3rd party commands to analyse the binary and add the result to the DICT.
- Dynamic Analysis
-- The captured pcaps are parsed with DPKT to extract the IOCs and readable info from the packets.
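As an added illustration of the dynamic-analysis step (this is not Detux's code and does not use DPKT), the following parses a classic pcap by hand and pulls out the destination IP/port pairs a sample contacted, the basic network IOCs. The capture it runs on is constructed inline with documentation addresses so it works offline.

```python
import struct

IPPROTO_TCP, IPPROTO_UDP = 6, 17

def extract_iocs(pcap):
    """Yield (proto, dst_ip, dst_port) for each IPv4 TCP/UDP packet in a classic
    (non-pcapng) pcap given as bytes; non-IPv4 frames (e.g. ARP) are skipped."""
    magic = pcap[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"                      # little-endian writer (dumpcap on x86)
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    pos = 24                              # skip the 24-byte global header
    while pos + 16 <= len(pcap):
        _, _, caplen, _ = struct.unpack(endian + "IIII", pcap[pos:pos + 16])
        frame = pcap[pos + 16:pos + 16 + caplen]
        pos += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType IPv4
            continue
        ihl = (frame[14] & 0x0F) * 4      # IPv4 header length in bytes
        proto = frame[23]
        dst_ip = ".".join(str(b) for b in frame[30:34])
        l4 = frame[14 + ihl:14 + ihl + 4]  # src port, dst port
        if proto in (IPPROTO_TCP, IPPROTO_UDP) and len(l4) == 4:
            (dst_port,) = struct.unpack("!H", l4[2:4])
            yield ("tcp" if proto == IPPROTO_TCP else "udp", dst_ip, dst_port)

def _frame(proto, dst_ip, dst_port):
    """Build a minimal Ethernet/IPv4/L4 frame for the constructed sample capture."""
    src, dst = bytes([10, 0, 2, 15]), bytes(int(o) for o in dst_ip.split("."))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0, src, dst)
    l4 = struct.pack("!HH", 40000, dst_port) + b"\x00" * 4
    return b"\xff" * 6 + b"\x00" * 6 + b"\x08\x00" + ip_hdr + l4

def _pcap(frames):
    """Wrap frames in a little-endian classic pcap (constructed, not a real capture)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

ARP_FRAME = b"\xff" * 6 + b"\x00" * 6 + b"\x08\x06" + b"\x00" * 28
SAMPLE_PCAP = _pcap([_frame(IPPROTO_TCP, "203.0.113.7", 6667), ARP_FRAME,
                     _frame(IPPROTO_UDP, "198.51.100.2", 53)])

if __name__ == "__main__":
    for ioc in extract_iocs(SAMPLE_PCAP):
        print(ioc)
```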
Requirements:
System packages
- python 2.7
- qemu
- pcaputils
- sudo
- libcap2-bin
- bridge-utils
Python libraries (preferably in a virtual environment)
- pexpect
- paramiko
- python-magic
Kindly make sure that the above requirements are met before using Detux. A few dependencies may vary from OS to OS.

Architecture
Host (the host itself can be a VM or a baremetal machine)
- QEMU
- dumpcap
- DETUX Scripts
Network Arch
- NIC1 : This interface is for accessing the Host
- NIC2 : Interface bridged with the QEMU Sandbox VMs. One can redirect the traffic from the interface to WHONIX or REMNUX or a custom Gateway to filter/allow internet access for the Sandboxed VMs.
VM Setup:
Downloading Linux VM Images
Special thanks to aurel who has uploaded pre-built QEMU Debian VM images for all possible CPU architectures. The VM images are located at https://people.debian.org/~aurel32/qemu/; the same link contains the command examples for invoking the VM images.
You can use the following script to automatically download the VM images to the “qemu” folder of Detux.
#x86
wget https://people.debian.org/~aurel32/qemu/i386/debian_wheezy_i386_standard.qcow2 -P qemu/x86/1/
#x86-64
wget https://people.debian.org/~aurel32/qemu/amd64/debian_wheezy_amd64_standard.qcow2 -P qemu/x86-64/1/
#arm
wget https://people.debian.org/~aurel32/qemu/armel/debian_wheezy_armel_standard.qcow2 -P qemu/arm/1/
wget https://people.debian.org/~aurel32/qemu/armel/initrd.img-3.2.0-4-versatile -P qemu/arm/1/
wget https://people.debian.org/~aurel32/qemu/armel/vmlinuz-3.2.0-4-versatile -P qemu/arm/1/
#mips
wget https://people.debian.org/~aurel32/qemu/mips/vmlinux-3.2.0-4-4kc-malta -P qemu/mips/1/
wget https://people.debian.org/~aurel32/qemu/mips/debian_wheezy_mips_standard.qcow2 -P qemu/mips/1/
#mipsel
wget https://people.debian.org/~aurel32/qemu/mipsel/vmlinux-3.2.0-4-4kc-malta -P qemu/mipsel/1/
wget https://people.debian.org/~aurel32/qemu/mipsel/debian_wheezy_mipsel_standard.qcow2 -P qemu/mipsel/1/
Setting sudoers for qemu execution
Detux uses SSH to communicate with the VMs, so this is currently required for the VMs to have networking capability. Considering that the listed binaries are in the same path, you may add the following lines to /etc/sudoers (only if you are a non-root user):

# command alias for the binaries Detux has to run with root privileges
Cmnd_Alias QEMU_CMD = /usr/bin/qemu-*, /sbin/ip, /sbin/ifconfig, /sbin/brctl
# <username> is a placeholder: the account that runs Detux
<username> ALL = (ALL) NOPASSWD: QEMU_CMD

Change the paths to the binaries if they differ for you.
Network setup:
Add the following config to /etc/qemu-ifup, backing up the original if you already have one:
#! /bin/sh
# Script to bring a network (tap) device for qemu up.
# The idea is to add the tap device to the same bridge
# as we have default routing to.

# in order to be able to find brctl
PATH=$PATH:/sbin:/usr/sbin

ip=$(which ip)
ifconfig=$(which ifconfig)

echo "Starting" $1

if [ -n "$ip" ]; then
   ip link set "$1" up
else
   brctl=$(which brctl)
   if [ ! "$ip" -o ! "$brctl" ]; then
     echo "W: $0: not doing any bridge processing: neither ip nor brctl utility not found" >&2
     exit 0
   fi
   ifconfig "$1" 0.0.0.0 up
fi

# interface(s) carrying the default route
switch=$(ip route ls | \
   awk '/^default / {
          for(i=0;i<NF;i++) { if ($i == "dev") { print $(i+1); next; } }
        }'
       )

# attach the tap device to br0 (the bridge set up below)
if [ -d /sys/class/net/br0/bridge/. ]; then
   if [ -n "$ip" ]; then
     ip link set "$1" master br0
   else
     brctl addif br0 "$1"
   fi
   exit        # exit with status of the previous command
fi

echo "W: $0: no bridge for guest interface found" >&2

Considering that eth0 is the interface you want your VMs to be bridged with, you may remove the configs for eth0 and use the following configs in /etc/network/interfaces:
auto br0
iface br0 inet dhcp
    bridge_ports eth0
    bridge_maxwait 0
You can also specify a static address you used for eth0.
Setting up your VMs
Traverse to the folder in which the VM image for each QEMU arch is located, e.g. for ARM:
/qemu/arm/1/
For each image, follow the VM boot instructions given at “https://people.debian.org/~aurel32/”, to start the VM. However, if you are a non-root user, you will have to use sudo.
Commands for booting the VMs (replace <MACADDR> with the MAC you desire). Note that -vnc takes a display number, not a port: display :1 is TCP port 5901, which is what the VNC client connects to below.

#x86
sudo qemu-system-i386 -hda qemu/x86/1/debian_wheezy_i386_standard.qcow2 -vnc 127.0.0.1:1 -net nic,macaddr=<MACADDR> -net tap -monitor stdio
#x86-64
sudo qemu-system-x86_64 -hda qemu/x86-64/1/debian_wheezy_amd64_standard.qcow2 -vnc 127.0.0.1:1 -net nic,macaddr=<MACADDR> -net tap -monitor stdio
#arm
sudo qemu-system-arm -M versatilepb -kernel qemu/arm/1/vmlinuz-3.2.0-4-versatile -initrd qemu/arm/1/initrd.img-3.2.0-4-versatile -hda qemu/arm/1/debian_wheezy_armel_standard.qcow2 -append "root=/dev/sda1" -vnc 127.0.0.1:1 -net nic,macaddr=<MACADDR> -net tap -monitor stdio
#mips
sudo qemu-system-mips -M malta -kernel qemu/mips/1/vmlinux-3.2.0-4-4kc-malta -hda qemu/mips/1/debian_wheezy_mips_standard.qcow2 -append "root=/dev/sda1 console=tty0" -vnc 127.0.0.1:1 -net nic,macaddr=<MACADDR> -net tap -monitor stdio
#mipsel
sudo qemu-system-mipsel -M malta -kernel qemu/mipsel/1/vmlinux-3.2.0-4-4kc-malta -hda qemu/mipsel/1/debian_wheezy_mipsel_standard.qcow2 -append "root=/dev/sda1 console=tty0" -vnc 127.0.0.1:1 -net nic,macaddr=<MACADDR> -net tap -monitor stdio
Detux requires a preconfigured VM snapshot with IP addresses and ssh setup.
Steps for setting up your snapshot:
- Choose an unconfigured VM image and start it using the above listed command in a Terminal.
- Connect to the VM monitor: connect a VNC client to 127.0.0.1:5901 and wait for the VM to boot completely.
- Login with the default root credentials (root/root).
- Configure the VM's network interface such that it is reachable/accessible from the host.
- Set up an SSH server on the VM, and any other configuration you require.
- Once configured, boot to a running state that accepts network connections.
- Switch back to the terminal with the qemu console on, which should look like:
(qemu)
Save t