After having played around with REMnux, a Linux distro geared towards malware analysis, I came across a tool called “Thug”, a self-described “honeyclient”. Thug is a CLI-based tool for visiting suspicious URLs while masquerading as a real-world browser, in an attempt to coerce the execution of any malicious scripts in a safe environment.
This tool, while included with REMnux, was also available in containerized form as a Docker image. This would theoretically make it a lot easier to run as part of a regular workflow when examining suspicious URLs, without having to boot up a virtual machine strictly for that purpose. This drove me to get Docker (and one of its two dependency options, WSL) installed on my Windows machine.
One of two prerequisites will need to be met in order to run Docker on Windows. We’ll either need to enable WSL (Windows Subsystem for Linux) or Hyper-V & Windows Containers. After doing a lot of reading on the pros & cons of either option, and considering the historical incompatibilities caused by VMware and Hyper-V existing on the same machine, I opted for the use of WSL.
To get started, we’ll find the “Turn Windows features on or off” menu by searching for “windows features” in the Windows search bar.
We’ll then scroll down to the bottom and check “Windows Subsystem for Linux”.
It’ll spend some time preparing and enabling, after which it will prompt you to restart. Do so, and return to the Windows Features menu following the steps outlined above. This time, we’ll be enabling the “Virtual Machine Platform” feature, pictured here:
Restart again, log back in, and proceed to the “Updating to WSL2” section.
Open a Command Prompt or PowerShell session as admin, and run the following commands, one after the other:
dism.exe /online /enable-feature /featurename:Microsoft-Windows-Subsystem-Linux /all /norestart
dism.exe /online /enable-feature /featurename:VirtualMachinePlatform /all /norestart
Restart your computer after having successfully completed the second command. Once you log back in, proceed to “Updating to WSL2”.
Updating to WSL2
Run the install wizard found here.
Next, we’ll set WSL2 as our default version of WSL using PowerShell. Start up PowerShell as an administrator and run the following command:
wsl --set-default-version 2
Download the Docker Installer found here. Stick with the default configuration.
Click “Close and log out” at the end of the installer.
Docker should automatically be added to your PATH variable, but we can verify this by starting a PowerShell session and running the “docker --version” command. We can also try to start up an Ubuntu Bash shell container, using the following command:
docker run --rm -it ubuntu bash
You should now be able to use Bash commands in the containerized environment.
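The steps above can be checked in one go from an elevated PowerShell session. The script below is an added example, not part of the original post: it reads the state of the two Windows features the post enables (using the same feature names the dism commands use), enables any that are missing, sets WSL2 as the default, and then confirms the Docker CLI is on PATH and can start a container. The `Get-WindowsOptionalFeature` and `Enable-WindowsOptionalFeature` cmdlets are the PowerShell equivalents of the dism.exe calls shown earlier.

```powershell
# Added example (not from the original post): verify the WSL2 + Docker
# prerequisites described above from an elevated PowerShell session.
# Feature names are the ones the post passes to dism.exe.
$features = @('Microsoft-Windows-Subsystem-Linux', 'VirtualMachinePlatform')

foreach ($name in $features) {
    $f = Get-WindowsOptionalFeature -Online -FeatureName $name
    if ($f.State -ne 'Enabled') {
        Write-Warning "$name is $($f.State); enabling it (a restart will be required afterwards)."
        Enable-WindowsOptionalFeature -Online -FeatureName $name -All -NoRestart | Out-Null
    } else {
        Write-Host "$name is enabled."
    }
}

# Make WSL2 the default so new distributions (and Docker Desktop's backend) use it.
wsl --set-default-version 2

# Confirm the Docker CLI is on PATH; the installer adds it, but only after logging out and back in.
if (-not (Get-Command docker -ErrorAction SilentlyContinue)) {
    throw "docker was not found on PATH; log out and back in after the installer, or reinstall Docker Desktop."
}
docker --version

# Start a throwaway Ubuntu container non-interactively and show which image actually ran.
# --rm removes the container as soon as the command finishes.
docker run --rm ubuntu bash -c 'head -n 2 /etc/os-release'
```

If a feature had to be enabled, restart before trusting the `wsl` and `docker` checks at the end; both depend on the Virtual Machine Platform being active.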
More information about how to use Docker can be found here.
Bonus: Using Thug
To get started using Thug, we can run the following command:
docker run --rm -it buffer/thug bash
This will pull an image of Thug if you do not already have it on your system, and will proceed to initialize it. We can now enumerate suspicious URLs by typing in “thug <URL>”. In the picture below, I’ve used it to safely visit a URL one of my coworkers had received in a spam email. We don’t see too many suspicious things right off the bat, outside of the redirect. You can also see that we are given MD5 hashes for the HTML and CSS assets themselves, which is incredibly useful for running through VirusTotal or another similar database.
There is of course a lot more you can do with Thug, such as specifying the UserAgent you would like to masquerade as. The list of available UserAgents can be found by running the command “thug --list-ua”.
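Since each Thug run inside a container disappears with the container, it helps to wrap the command so the report and the hashes it produces land on the host. The function below is an added example, not part of the original post or the Thug project. It assumes that the `buffer/thug` image exposes `thug` on its PATH (the post runs `bash` inside it), that Thug's `-u` option selects the user agent and `-n` its log directory, and it uses `/tmp/thug-out` as a constructed mount point; the user-agent name in the usage comment is assumed to be one of the names printed by `thug --list-ua`.

```powershell
# Added example (not part of the original post or the Thug project): run the
# buffer/thug container against one URL and keep its output on the host.
# Assumptions: `thug` is on PATH inside the image, `-u` picks the user agent,
# `-n` sets the log directory. /tmp/thug-out is a constructed container path.
function Invoke-Thug {
    param(
        [Parameter(Mandatory)] [string] $Url,
        [string] $UserAgent = '',
        [string] $LogRoot = (Join-Path $PWD 'thug-logs')
    )
    # One folder per run, named by timestamp, so reports never overwrite each other.
    $runDir = Join-Path $LogRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
    New-Item -ItemType Directory -Path $runDir -Force | Out-Null

    $thugArgs = @('-n', '/tmp/thug-out')
    if ($UserAgent) { $thugArgs += @('-u', $UserAgent) }
    $thugArgs += $Url

    # --rm discards the container afterwards; only the bind-mounted log directory survives.
    docker run --rm -v "${runDir}:/tmp/thug-out" buffer/thug thug @thugArgs
    return $runDir
}

# Print the user agents Thug can impersonate (the same command the post mentions).
docker run --rm buffer/thug thug --list-ua

# Example usage with a placeholder URL; the user-agent name is assumed to come from --list-ua:
# $out = Invoke-Thug -Url 'http://example.invalid/' -UserAgent 'win7ie90'
# Get-ChildItem $out -Recurse
```

The returned directory is what you would hand to VirusTotal lookups or keep alongside the ticket for the suspicious email, and because the container is removed after each run, nothing the visited page dropped remains on the host outside that folder.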
More on Thug can be found on ReadTheDocs’ Thug page.