Decompiling Malware: InfoSec Docker [2 of 2]

If you've read our previous blog post on decompiling malware, you'll note that we pointed out a Docker image to make decompiling malware slightly easier for non-experts.  

In this post, we aim to provide you with an outline of Docker containers that can be used to kick-start a security program or help elevate an existing program.  

The technologies here can be run by a single individual in an SMB-sized organization to provide a decent start to a security program, or by an individual who is looking to advance their career in security with a no-cost lab environment on existing hardware.

That said, just because it's easy to deploy does not mean it's a set-it-and-forget-it solution. As a matter of fact, it will likely be the complete opposite. These containers are not a substitute for a robust security strategy that includes a SOC and routine penetration testing.

Warning Label  

Importantly, we should point out that Docker in itself is not a security boundary. Like any "easy button" technology, you must use common sense and system isolation when deploying. 

You should change all passwords and harden the appliance after installation.  

You should use Docker Containers from trusted individuals or audit those containers and monitor for backdoors that may impact your organization.  

All containers noted here are recommended by the author only and are not necessarily endorsed by Emagined Security.

Install 

Grab a copy of Docker for your platform.  

Follow the installation guide and tune the Docker system to run with as much memory and CPU as you're willing to feed to it. Just like any solution, the more you give, the more it will return.  

Docker Containers I find useful for general security tasks: 

There are a number of security containers that are available from dozens of resources.  

I like Docker because I can have the same containerized environments regardless of platform (Windows/OSX/Linux), and as an individual who has different laptops for different clients and engagements, I appreciate a consistent set of tools.

Among those tools are: 

  • Local Debian instance: debian:latest 
  • Metasploit: remnux/metasploit 
  • Chrome via VNC: siomiz/chrome 
  • WordPress Scan: wpscanteam/wpscan 
  • OpenVAS Scanner: mikesplain/openvas 
  • Splunk Enterprise: store/splunk/enterprise 
  • Google Rapid Response: grrdocker/grr:latest 

All images can be acquired with docker pull. For example: docker pull debian:latest

If you neglect to perform a docker pull and launch a container from an image you don't have, Docker will automatically pull that image for you.

General Notes/Cheat sheet on Docker: 

Whenever I look at a new technology I try to build a quick "cheat sheet" of commands that will help me be productive with that technology. I've adapted my early notebook on Docker for you below. 

If you want to save the state of a container as a new image, use: docker commit <container id> yourname/containername:latest

Once you have committed your own image, you can delete the original image you pulled with: docker rmi [original/location]. If it's a local image, you can keep overwriting the same name.

  • To Pause a docker instance: docker pause [containerid] 
  • To Stop a docker instance: docker stop [containerid/name] 
  • To purge it from running processes: docker rm [container id/name] 
  • To restart a stopped/paused instance: docker start [container id/name] 
  • To execute an interactive session when a machine is already up and running another cmd: docker exec -it [container id/name] /bin/bash
  • To Detach from an interactive session but leave it running: CTRL-P then CTRL-Q (Docker's default detach key sequence)
  • Resume from a detached session with: docker attach [container id/name]
  • Copy Docker images from one host to another (via USB/etc.): docker save -o fileimage [image id/name]
  • Then on the new host: docker load -i fileimage
  • Get a list of running docker containers with: docker ps 
  • You can adjust networking settings within docker using: docker network 

While those are useful commands, please note that all docker commands come with very useful built-in help. For example: docker network --help

Individual Docker Container Usage 

SPLUNK LOG COLLECTOR (Comes with 20GB/day license valid for 1 Year!): 

There are other Log Collection technologies out there, such as Graylog, ELK, OSSIM, etc.  

However, in my opinion, Splunk is the Microsoft of log collecting, and you're likely to encounter it at most businesses; so it's a good tool to learn. This doesn't mean you shouldn't use the others too! 

Splunk is kind enough to provide a free docker template for Temporary/IR/Labs/Training usage.  

This container allows the collection of up to 20GB/Day of any type of log, and the license is valid for a full year. 

First, you need to create a persistent data store for logging; without this, the logs will disappear when you stop the container: docker run --name vsplunk -v /opt/splunk/etc -v /opt/splunk/var busybox 

Then you should start Splunk. Read the license agreement here.

If you accept the license agreement: docker run -d -e "SPLUNK_START_ARGS=--accept-license" -e "SPLUNK_USER=root" -p "8000:8000" -p "514:514/udp" -p "1514:1514/udp" -p "514:514" -p "1514:1514" -p "8089:8089" -p "9997:9997" --volumes-from=vsplunk store/splunk/enterprise 

Then you can connect to it by visiting http://127.0.0.1:8000 

You can only have one user with this license, and the default credentials are admin:changeme.

You can make your updates, such as changing the hostname, installing applications, changing the web password, updating the system, etc. Once finished, use: docker commit <container id> yourname/splunk_image:latest
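As an added example (not part of the original post or of Splunk's own tooling), the script below builds an RFC 3164 syslog datagram and sends it to the 1514/udp port mapped in the docker run line above. It assumes you have configured a UDP data input on port 1514 in the Splunk web interface; the host/port constants and the sample event are constructed for illustration.

```python
"""Push a constructed syslog line into the Splunk container's UDP input."""
import datetime
import socket

# Assumed: the host side of the -p "1514:1514/udp" mapping above, with a
# UDP data input listening on 1514 configured inside Splunk.
SPLUNK_HOST = "127.0.0.1"
SPLUNK_UDP_PORT = 1514

# A subset of the RFC 3164 facility and severity codes.
FACILITY = {"kern": 0, "user": 1, "auth": 4, "local0": 16}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}


def priority(facility, severity):
    """RFC 3164 PRI value: facility * 8 + severity."""
    return FACILITY[facility] * 8 + SEVERITY[severity]


def format_syslog(facility, severity, hostname, app, message, when=None):
    """Build a BSD-style datagram: <PRI>Mmm dd hh:mm:ss host app: message."""
    when = when or datetime.datetime.now()
    # RFC 3164 pads a single-digit day with a space, e.g. "Mar  1 09:05:00".
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    line = f"<{priority(facility, severity)}>{stamp} {hostname} {app}: {message}"
    # Classic syslog receivers truncate at 1024 bytes, so do it deliberately.
    return line.encode("utf-8")[:1024]


def send_syslog(datagram, host=SPLUNK_HOST, port=SPLUNK_UDP_PORT):
    """Send the datagram to the Splunk UDP input; returns bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(datagram, (host, port))


if __name__ == "__main__":
    # Constructed sample event: the kind of failed login you want indexed.
    sample = format_syslog(
        "auth", "warning", "lab-host", "sshd[4242]",
        "Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2")
    print(sample.decode())
    print(send_syslog(sample), "bytes sent")
```

After running it, search `sourcetype=syslog lab-host` in the Splunk web UI to confirm the input is wired up.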

CHROME VIA VNC -- Starts a secure Chrome browser accessible via localhost port 5900: 

This is especially useful if you're a Windows user and want to investigate a suspicious site without the risk of infecting your local machine. 

The browser is not high performance and cut/paste is buggy over VNC, but it gets the job done.

docker run -id -p 127.0.0.1:5900:5900 siomiz/chrome

OpenVAS - Security Scanner 

OpenVAS is a community fork of Tenable Nessus; shortly before Nessus went commercial some folks forked it and built their own platform.  

It's a decent "free" competitor to the Nessus product, with a community of security folks developing plugins.

The web interface makes it easy for anyone with just a little experience scanning to get started. 

docker run -d -p 443:443 --name openvas mikesplain/openvas 

Once launched, log in to the web interface at https://localhost:443 and accept the self-signed certificate. You can change -p 443:443 to -p 9443:443 if you need to use a different host port. Credentials are simply: Username: admin Password: admin

Metasploit - Exploitation Framework 

Because, what security micro-services package would be complete without Metasploit? 

docker run --rm -it -p 4444:4444 -v ~/.msf4:/root/.msf4 -v /tmp/msf:/tmp/data remnux/metasploit

Set the data directories (~/.msf4 and /tmp/msf) and port (4444) to match your needs.

The updates (gems/plugins/etc.) will take 2-5 minutes. Once done you'll be in your /tmp/data directory.

Run: ./msfconsole and pwn away. (Legally of course!) 

GRR (Google Rapid Response) 

Google Rapid Response is an excellent tool for remote host system analysis.  

There is a host of things you can do with this tool and the good folks maintaining it are adding more capabilities every week. 

We won't tell OpenText you're using it instead of EnCase. :)

docker run -e EXTERNAL_HOSTNAME="grrdocker.yourcompany.com" -e ADMIN_PASSWORD="GoogleRapidResponse" --ulimit nofile=1048576:1048576 -p 0.0.0.0:8000:8000 -p 0.0.0.0:8080:8080 grrdocker/grr:latest 

WPScan (Wordpress Scan) 

For folks running WordPress, it's probably a pretty good idea to also check it with WPScan regularly.

Maintaining WPSCAN takes time and resources.  

Or you can just use the Docker image and let the folks over at WPScanTeam take care of the maintenance for you:

Launching a scan is as simple as: docker run -it --rm wpscanteam/wpscan -u https://yoururl.com 

RetDec (Retargetable Decompiler) 

Just in case you haven't read our previous blog post on Malware reversing... 

Malware reverse engineering is a highly specialized skill, but the folks at Avast are trying to help by providing a decompiler that converts 32-bit binaries into human-understandable C or Python representations.

It's not always perfect, but it does an excellent job and is even integrated into various threat intelligence platforms.

To output a Python representation of a Win32 binary:

docker run --rm -v `pwd`:/samples blacktop/retdec -k -l py --cleanup [file] 

Or just run it without -l py if you prefer C. 

You will need to change `pwd` to reflect the path you're using if you run this on Windows. OSX/Linux will interpret that as your current working directory. 

NOTE: This image is pretty large at ~5 GB; it is the largest in this list.

EveBox (Suricata Event Viewer) 

EveBox is a web-based Suricata "eve" event viewer for Elasticsearch. By pushing Suricata events to an Elasticsearch cluster you can easily view the events hitting the Suricata IDS and, most importantly, query on DNS queries, which essentially gives you a poor man's Passive DNS (PDNS) solution.

Configuration specific information is available here: https://github.com/jasonish/evebox 

docker run -it -p 5636:5636 jasonish/evebox -e http://elasticsearch:9200 

Then visit http://localhost:5636 with your browser. 
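To make the "poor man's Passive DNS" idea concrete, here is an added example (not part of the original post or of EveBox itself) that reads Suricata eve.json DNS answer events and builds a first-seen/last-seen table per name and record, which is exactly the question a PDNS lookup answers. The eve lines are constructed for illustration and cover both the older per-record layout and the newer layout with an "answers" list.

```python
"""Build a poor man's passive DNS table from Suricata eve.json DNS answers."""
import json

# Constructed sample eve.json lines (not real traffic). The first uses the
# older flat "rdata" layout, the third the newer "answers" list layout.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2019-03-01T09:05:00.000000+0000","event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.53","dns":{"type":"answer","id":1,"rrname":"example.com","rrtype":"A","ttl":300,"rdata":"93.184.216.34"}}',
    '{"timestamp":"2019-03-01T09:06:00.000000+0000","event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.53","dns":{"type":"query","id":2,"rrname":"example.com","rrtype":"A"}}',
    '{"timestamp":"2019-03-02T11:00:00.000000+0000","event_type":"dns","src_ip":"10.0.0.7","dest_ip":"10.0.0.53","dns":{"version":2,"type":"answer","id":3,"rrname":"example.com","rcode":"NOERROR","answers":[{"rrname":"example.com","rrtype":"A","ttl":300,"rdata":"93.184.216.34"},{"rrname":"example.com","rrtype":"A","ttl":300,"rdata":"198.51.100.9"}]}}',
    '{"timestamp":"2019-03-02T11:01:00.000000+0000","event_type":"alert","src_ip":"10.0.0.7","dest_ip":"198.51.100.9","alert":{"signature":"constructed test alert"}}',
]


def dns_answers(event):
    """Yield (rrname, rrtype, rdata) for every answer record in one eve event."""
    if event.get("event_type") != "dns":
        return
    dns = event.get("dns", {})
    if dns.get("type") != "answer":
        return  # queries carry no rdata, so they add nothing to PDNS
    # v2 events carry the whole answer section; v1 emits one event per record.
    records = dns["answers"] if "answers" in dns else [dns]
    for rec in records:
        if "rdata" in rec:
            yield rec.get("rrname"), rec.get("rrtype"), rec["rdata"]


def build_pdns(lines):
    """Map (rrname, rrtype, rdata) -> first_seen, last_seen and hit count."""
    table = {}
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate a half-written last line in a live eve.json
        ts = event.get("timestamp", "")
        for key in dns_answers(event):
            entry = table.setdefault(key, {"first_seen": ts, "last_seen": ts, "count": 0})
            entry["first_seen"] = min(entry["first_seen"], ts)  # ISO stamps sort as text
            entry["last_seen"] = max(entry["last_seen"], ts)
            entry["count"] += 1
    return table


def lookup(table, rrname):
    """Every rdata ever resolved for a name: the core PDNS question."""
    return sorted(rdata for (name, _, rdata) in table if name == rrname)


if __name__ == "__main__":
    pdns = build_pdns(SAMPLE_EVE_LINES)
    for (name, rrtype, rdata), info in sorted(pdns.items()):
        print(f"{name:15} {rrtype:4} {rdata:15} {info['first_seen'][:10]} .. "
              f"{info['last_seen'][:10]} x{info['count']}")
```

Feed it a real eve.json (one JSON object per line) and the same table shows when a known-bad IP first appeared behind a name, without having to query Elasticsearch at all.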

---- 

There are so many other Docker packages available, you should look at https://store.docker.com for the packages you're interested in. 

From IDS (Suricata/Snort) to Honeypots (Dionaea, ModernHoneyNet) to full blown images of Kali Linux. 

The only limit to Docker containers is your imagination.  

With Docker being a free and low resource alternative to virtual machines, this is an ideal option for a lab environment that you can maintain on the go; take with you to the next security conference or use during your next customer engagement.
