commit
0e51172697
|
@ -0,0 +1,36 @@
|
|||
# Malware Bunny
|
||||
## Overview
|
||||
This Bash Bunny module is used to install many tools used for reverse engineering and malware analysis.
|
||||
|
||||
|
||||
2 Operation Modes
|
||||
* Web UI for quick access to samples
|
||||
* SSH access for analysis sessions
|
||||
|
||||
|
||||
## Getting Started
|
||||
1. Get Bunny to access the Internet
|
||||
2. Install all tools and components
|
||||
* or - run setup.sh to install everything
|
||||
* or - manually install every tool from setup scripts
|
||||
3. Boot Bunny in Arming mode and upload payload files to switch1 and switch2
|
||||
4. Boot Bunny in switch1 mode to access web interface
|
||||
5. Boot Bunny in switch2 mode to access ssh interface
|
||||
|
||||
Web interface is meant long analysis sessions with minimal use, therefore CUCUMBER is enabled.
|
||||
|
||||
|
||||
## Software Installed
|
||||
1. viper v1.2
|
||||
2. ssdeep v2.14.1
|
||||
3. yara v3.7.0
|
||||
4. pyew
|
||||
6. featherduster
|
||||
7. capstone
|
||||
8. binwalk
|
||||
9. dshell
|
||||
10. wabt
|
||||
11. peepdf
|
||||
12. unzip
|
||||
13. punbup
|
||||
|
|
@ -0,0 +1,45 @@
|
|||
#!/bin/bash
|
||||
# Title: Malware Bunny
|
||||
# Description: binwalk install script
|
||||
# Author: Zappus
|
||||
# Version: 1.0
|
||||
# Category: Incident-Response
|
||||
# Attackmodes: Ethernet
|
||||
# Firmware: 1.5
|
||||
|
||||
|
||||
apt-get install -y python-lzma python-crypto libqt4-opengl python-opengl python-qt4 python-qt4-gl python-numpy python-scipy python-pip mtd-utils gzip bzip2 tar arj lhasa p7zip p7zip-full cabextract cramfsprogs cramfsswap squashfs-tools sleuthkit default-jdk lzop srecord zlib1g-dev liblzma-dev liblzo2-dev liblzo2-dev python-lzo
|
||||
pip install cstruct
|
||||
|
||||
cd /tools/
|
||||
git clone https://github.com/ReFirmLabs/binwalk
|
||||
cd binwalk
|
||||
|
||||
|
||||
git clone https://github.com/devttys0/sasquatch
|
||||
cd sasquatch/
|
||||
ls
|
||||
# edit build file to fix lack of sudo error on make install
|
||||
# vi build.sh
|
||||
./build.sh
|
||||
|
||||
cd ..
|
||||
git clone https://github.com/sviehb/jefferson
|
||||
cd jefferson
|
||||
python setup.py install
|
||||
|
||||
cd ..
|
||||
git clone https://github.com/jrspruitt/ubi_reader
|
||||
cd ubi_reader
|
||||
python setup.py install
|
||||
|
||||
cd ..
|
||||
git clone https://github.com/devttys0/yaffshiv
|
||||
cd yaffshiv
|
||||
python setup.py install
|
||||
|
||||
cd ..
|
||||
wget -O - http://my.smithmicro.com/downloads/files/stuffit520.611linux-i386.tar.gz | tar -zxv
|
||||
cp bin/unstuff /usr/local/bin/
|
||||
|
||||
python setup.py install
|
|
@ -0,0 +1,21 @@
|
|||
#!/bin/bash
|
||||
# Title: Malware Bunny
|
||||
# Description: capstone install script
|
||||
# Author: Zappus
|
||||
# Version: 1.0
|
||||
# Category: Incident-Response
|
||||
# Attackmodes: Ethernet
|
||||
# Firmware: 1.5
|
||||
|
||||
cd /tmp/
|
||||
wget https://github.com/aquynh/capstone/archive/3.0.5-rc2.tar.gz
|
||||
tar xf 3.0.5-rc2.tar.gz
|
||||
rm 3.0.5-rc2.tar.gz
|
||||
mv capstone-3.0.5-rc2/ /tools/capstone
|
||||
|
||||
cd /tools/capstone
|
||||
make
|
||||
make install
|
||||
|
||||
cd bindings/python
|
||||
make install
|
|
@ -0,0 +1,29 @@
|
|||
#!/bin/bash
|
||||
# Title: Malware Bunny
|
||||
# Description: dshell install script
|
||||
# Author: Zappus
|
||||
# Version: 1.0
|
||||
# Category: Incident-Response
|
||||
# Attackmodes: Ethernet
|
||||
# Firmware: 1.5
|
||||
|
||||
|
||||
apt-get install -y python-dpkt python-ipy python-pypcap
|
||||
pip install pygeoip
|
||||
|
||||
cd /tools/
|
||||
git clone https://github.com/USArmyResearchLab/Dshell dshell
|
||||
cd dshell
|
||||
|
||||
cd share/GeoIP/
|
||||
wget http://geolite.macxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz
|
||||
gunzip -d GeoIP.dat.gz
|
||||
wget http://geolite.maxmind.com/download/geoip/database/GeoIPv6.dat.gz
|
||||
gunzip -d GeoIPv6.dat.gz
|
||||
wget http://download.maxmind.com/download/geoip/database/asnum/GeoIPASNum.dat.gz
|
||||
gunzip -d GeoIPASNum.dat.gz
|
||||
wget http://download.maxmind.com/download/geoip/database/asnum/GeoIPASNumv6.dat.gz
|
||||
gunzip -d GeoIPASNumv6.dat.gz
|
||||
cd ../../
|
||||
|
||||
make
|
|
@ -0,0 +1,17 @@
|
|||
#!/bin/bash
|
||||
# Title: Malware Bunny
|
||||
# Description: featherduster install script
|
||||
# Author: Zappus
|
||||
# Version: 1.0
|
||||
# Category: Incident-Response
|
||||
# Attackmodes: Ethernet
|
||||
# Firmware: 1.5
|
||||
|
||||
apt-get install -y libgmp3-dev
|
||||
apt-get install -y libncurses-dev
|
||||
|
||||
cd /tools
|
||||
git clone https://github.com/nccgroup/featherduster
|
||||
cd featherduster
|
||||
|
||||
python setup.py install
|
|
@ -0,0 +1,33 @@
|
|||
#!/bin/bash
|
||||
# Title: Malware Bunny
|
||||
# Description: peepdf install script
|
||||
# Author: Zappus
|
||||
# Version: 1.0
|
||||
# Category: Incident-Response
|
||||
# Attackmodes: Ethernet
|
||||
# Firmware: 1.5
|
||||
|
||||
|
||||
apt-get install -y unzip python-libemu
|
||||
|
||||
cd /tmp/
|
||||
wget http://eternal-todo.com/files/pdf/peepdf/peepdf_0.3.zip
|
||||
unzip peepdf_0.3.zip
|
||||
mv peepdf_0.3 /tools/peepdf
|
||||
cd /tools/peepdf
|
||||
|
||||
#mkdir dpt
|
||||
#cd dpt
|
||||
#wget https://storage.googleapis.com/chrome-infra/depot_tools.zip
|
||||
#unzip depot_tools.zip
|
||||
#cd ..
|
||||
#mv dpt /tools/depot_tools
|
||||
#echo 'export PATH=$PATH:$HOME/../tools/depot_tools' >> ~/.bashrc
|
||||
#gclient
|
||||
#mkdir /tools/v8
|
||||
#cd /tools/v8
|
||||
#fetch v8
|
||||
|
||||
|
||||
|
||||
|
|
@ -0,0 +1,15 @@
|
|||
#!/bin/bash
|
||||
# Title: Malware Bunny
|
||||
# Description: punbup install script
|
||||
# Author: Zappus
|
||||
# Version: 1.0
|
||||
# Category: Incident-Response
|
||||
# Attackmodes: Ethernet
|
||||
# Firmware: 1.5
|
||||
|
||||
|
||||
cd /tools
|
||||
git clone https://github.com/herrcore/punbup
|
||||
cd punbup
|
||||
python setup.py install
|
||||
|
|
@ -0,0 +1,30 @@
|
|||
#!/bin/bash
|
||||
# Title: Malware Bunny
|
||||
# Description: main install script
|
||||
# Author: Zappus
|
||||
# Version: 1.0
|
||||
# Category: Incident-Response
|
||||
# Attackmodes: Ethernet
|
||||
# Firmware: 1.5
|
||||
|
||||
|
||||
# Install System Dependencies
|
||||
apt-get install -y automake libtool make gcc flex bison libmagic-dev libssl-dev python-dev swig libfuzzy-dev exiftool
|
||||
|
||||
# Install Python Dependencies
|
||||
pip install SQLAlchemy PrettyTable python-magic
|
||||
|
||||
# Other Tools
|
||||
apt-get -y install python-scapy pyew unzip
|
||||
|
||||
# Setup Custom Tools
|
||||
./ssdeep.sh
|
||||
./yara.sh
|
||||
./viper.sh
|
||||
./dshell.sh
|
||||
./capstone.sh
|
||||
./binwalk.sh
|
||||
./featherduster.sh
|
||||
./wabt.sh
|
||||
./peepdf.sh
|
||||
|
|
@ -0,0 +1,23 @@
|
|||
#!/bin/bash
|
||||
# Title: Malware Bunny
|
||||
# Description: ssdeep install script
|
||||
# Author: Zappus
|
||||
# Version: 1.0
|
||||
# Category: Incident-Response
|
||||
# Attackmodes: Ethernet
|
||||
# Firmware: 1.5
|
||||
|
||||
cd /tmp
|
||||
|
||||
wget https://github.com/ssdeep-project/ssdeep/archive/release-2.14.1.tar.gz
|
||||
tar xf release-2.14.1.tar.gz
|
||||
rm release-2.14.1.tar.gz
|
||||
mv ssdeep-release-2.14.1/ /tools/ssdeep
|
||||
cd /tools/ssdeep
|
||||
|
||||
./bootstrap
|
||||
./configure
|
||||
make
|
||||
make install
|
||||
|
||||
pip install pydeep
|
|
@ -0,0 +1,17 @@
|
|||
#!/bin/bash
|
||||
# Title: Malware Bunny
|
||||
# Description: viper install script
|
||||
# Author: Zappus
|
||||
# Version: 1.0
|
||||
# Category: Incident-Response
|
||||
# Attackmodes: Ethernet
|
||||
# Firmware: 1.5
|
||||
|
||||
cd /tmp
|
||||
wget https://github.com/viper-framework/viper/archive/v1.2.tar.gz
|
||||
tar xf v1.2.tar.gz
|
||||
rm v1.2.tar.gz
|
||||
mv viper-1.2/ /tools/viper
|
||||
|
||||
cd /tools/viper
|
||||
pip install -r requirements.txt
|
|
@ -0,0 +1,15 @@
|
|||
#!/bin/bash
|
||||
# Title: Malware Bunny
|
||||
# Description: web assembly binary toolkit install script
|
||||
# Author: Zappus
|
||||
# Version: 1.0
|
||||
# Category: Incident-Response
|
||||
# Attackmodes: Ethernet
|
||||
# Firmware: 1.5
|
||||
|
||||
apt-get install cmake clang
|
||||
|
||||
cd /tools/
|
||||
git clone --recursive https://github.com/WebAssembly/wabt
|
||||
cd wabt
|
||||
make
|
|
@ -0,0 +1,23 @@
|
|||
#!/bin/bash
|
||||
# Title: Malware Bunny
|
||||
# Description: yara install script
|
||||
# Author: Zappus
|
||||
# Version: 1.0
|
||||
# Category: Incident-Response
|
||||
# Attackmodes: Ethernet
|
||||
# Firmware: 1.5
|
||||
|
||||
|
||||
cd /tmp
|
||||
wget https://github.com/VirusTotal/yara/archive/v3.7.0.tar.gz
|
||||
tar xf v3.7.0.tar.gz
|
||||
rm v3.7.0.tar.gz
|
||||
mv yara-3.7.0/ /tools/yara
|
||||
|
||||
cd /tools/yara
|
||||
./bootstrap.sh
|
||||
./configure --enable-magic --enable-dotnet
|
||||
make
|
||||
make install
|
||||
|
||||
pip install yara-python
|
|
@ -0,0 +1,24 @@
|
|||
#!/bin/bash
|
||||
# Title: MalwareBunny
|
||||
# Description: Malware Analysis on Bash Bunny
|
||||
# Author: Zappus
|
||||
# Version: 1.0
|
||||
# Category: Incident-Response
|
||||
# Attackmodes: Ethernet
|
||||
#
|
||||
# LED State Descriptions
|
||||
# Magenta Blinking - setup in progress
|
||||
# Blue Blinking - ready to use
|
||||
|
||||
LED M SLOW
|
||||
|
||||
ATTACKMODE RNDIS_ETHERNET
|
||||
sleep 3
|
||||
|
||||
cd /tools/viper/
|
||||
python web.py -H 0.0.0.0 -p 8080 &
|
||||
|
||||
CUCUMBER ENABLE
|
||||
sleep 3
|
||||
|
||||
LED B SLOW
|
|
@ -0,0 +1,18 @@
|
|||
#!/bin/bash
|
||||
# Title: MalwareBunny
|
||||
# Description: Malware Analysis on Bash Bunny
|
||||
# Author: Zappus
|
||||
# Version: 1.0
|
||||
# Category: Incident-Response
|
||||
# Attackmodes: Ethernet
|
||||
#
|
||||
# LED State Descriptions
|
||||
# Magenta Blinking - setup in progress
|
||||
# Blue Blinking - ready to use
|
||||
|
||||
LED M SLOW
|
||||
|
||||
ATTACKMODE RNDIS_ETHERNET
|
||||
sleep 5
|
||||
|
||||
LED B SLOW
|
Loading…
Reference in New Issue