moshsrv

install cuckoo

Nov 19th, 2017
The Rffuste blog

A blog about computer security and other things

Cuckoo Sandbox Install Guideline – Preparing the host (1/2)

Cuckoo Sandbox is open source software for automating the analysis of suspicious files. It uses custom components that monitor the behaviour of the malicious processes while they run in an isolated environment.

Cuckoo Sandbox was recently updated to version 2.0 and the installation steps have changed a lot.

For this reason I am rewriting my tutorial to explain how to install it.

It is based on my own experience and on the commands I used to set up the new Cuckoo version.
The basic structure follows the official Cuckoo Sandbox documentation.
Cuckoo Sandbox architecture

Host: runs the main components that manage the whole analysis process.

Analysis guest: isolated virtual machines where the samples are executed.
Preparing the host
Requirements

The following topics describe the main requirements for installing Cuckoo Sandbox.
Python libraries

The following packages from the apt repositories are required for Cuckoo to install and run properly (currently only Python 2.7 is supported):

$ sudo apt-get install python python-pip python-dev libffi-dev libssl-dev
$ sudo apt-get install python-virtualenv python-setuptools
$ sudo apt-get install libjpeg-dev zlib1g-dev swig

In order to use the Django-based web interface, MongoDB is required:
$ sudo apt-get install mongodb
Yara

YARA is a tool aimed at (but not limited to) helping malware researchers identify and classify malware samples. Yara is an optional package.

Yara build prerequisites:

$ sudo apt-get install automake libtool make gcc libjansson-dev libmagic-dev

Currently also needed (a future version of Cuckoo will not need it):
$ pip install yara-python

Yara package (GitHub names the tarball after the tag, v3.5.0.tar.gz, and it unpacks into yara-3.5.0):
$ wget https://github.com/VirusTotal/yara/archive/v3.5.0.tar.gz
$ tar -zxf v3.5.0.tar.gz
$ cd yara-3.5.0
$ ./bootstrap.sh
$ ./configure --enable-cuckoo --enable-magic
$ make

Run the test cases to make sure that everything is fine, then install:
$ make check
$ sudo make install
Pydeep

Pydeep is a Python/C binding library for ssdeep (fuzzy hashing). Pydeep is an optional package:

$ sudo apt-get install ssdeep libfuzzy-dev

Pydeep package installation:
$ wget https://github.com/kbandla/pydeep/archive/0.2.tar.gz
$ tar -zxf 0.2.tar.gz
$ cd pydeep-0.2/
$ python setup.py build
$ sudo python setup.py install
Virtualization Software

VirtualBox is the virtualization software used to host the isolated guest machines. Add Oracle's repository (the xenial line matches Ubuntu 16.04; use your release's codename) and its signing key, then install:
$ echo deb http://download.virtualbox.org/virtualbox/debian xenial contrib | sudo tee -a /etc/apt/sources.list.d/virtualbox.list
$ wget -q https://www.virtualbox.org/download/oracle_vbox_2016.asc -O- | sudo apt-key add -
$ sudo apt-get update
$ sudo apt-get install virtualbox-5.1
Tcpdump

Tcpdump is a network sniffer used to capture and dump the network activity of the executed malware sample. On Ubuntu its AppArmor profile prevents it from writing captures into the Cuckoo working directory, so the profile is disabled:
$ sudo apt-get install tcpdump apparmor-utils
$ sudo aa-disable /usr/sbin/tcpdump

On Linux platforms without AppArmor (e.g., Debian) the following command suffices to install tcpdump:
$ sudo apt-get install tcpdump

Because Cuckoo must run as a non-root user, tcpdump must be able to capture without root privileges:
$ sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump

You can verify the result of the last command:
$ getcap /usr/sbin/tcpdump
/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip

Keep in mind that file capabilities apply to every local user who can execute the binary, not only to the cuckoo user: on a shared host, restrict execute permission on /usr/sbin/tcpdump to a dedicated group.
Volatility

The Volatility Framework is a collection of tools for extracting digital artifacts from volatile memory (RAM) samples:
$ sudo apt-get install volatility
WeasyPrint

WeasyPrint is a visual rendering engine for HTML and CSS that can export to PDF.
It will help us generate PDF reports of the analyses.
$ sudo pip install weasyprint
Installing M2Crypto

M2Crypto is a crypto and SSL toolkit for Python. The M2Crypto library is only supported when SWIG is installed (if SWIG is present on the system, Cuckoo will automatically install the M2Crypto dependency upon installation):
$ sudo apt-get install swig
Installing Cuckoo
Create a user

To run Cuckoo as a non-root user we must create a new user:
$ sudo adduser cuckoo

Make sure the new user belongs to the "vboxusers" group (or the group you use to run VirtualBox):
$ sudo usermod -a -G vboxusers cuckoo
Install Cuckoo

The Cuckoo package must be installed in a virtual environment (virtualenv). Run the following as the cuckoo user so that the virtualenv and the working directory end up in its home:
$ virtualenv venv
$ . venv/bin/activate
(venv)$ pip install -U pip setuptools
(venv)$ pip install -U cuckoo
Host Network Routing

The following iptables rules let the VMs on the VirtualBox host-only network (192.168.56.0/24 by default) reach the Internet through the Cuckoo host. Only one MASQUERADE rule is needed: keep the line for the interface that carries your Internet route (eth0 for wired, wlan0 for wireless) and replace the interface name with the one shown by ifconfig or ip addr.

$ sudo iptables -t nat -A POSTROUTING -o eth0 -s 192.168.56.0/24 -j MASQUERADE
$ sudo iptables -t nat -A POSTROUTING -o wlan0 -s 192.168.56.0/24 -j MASQUERADE
# Default drop.
$ sudo iptables -P FORWARD DROP
# Existing connections.
$ sudo iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# Accept connections from vboxnet to the whole internet.
$ sudo iptables -A FORWARD -s 192.168.56.0/24 -j ACCEPT
# Internal traffic.
$ sudo iptables -A FORWARD -s 192.168.56.0/24 -d 192.168.56.0/24 -j ACCEPT
# Log stuff that reaches this point (could be noisy).
$ sudo iptables -A FORWARD -j LOG

Note that these rules give the samples unrestricted Internet access; that is a deliberate choice for a sandbox host, so run it on a network segment where that is acceptable.

To load the rules automatically on every boot they must be saved. Note that a plain redirection (sudo iptables-save > /etc/firewall.conf) fails, because the shell opens the file as your unprivileged user before sudo runs; run the redirection under sudo instead:

$ sudo sh -c 'iptables-save > /etc/firewall.conf'

Create /etc/network/if-up.d/iptables with the following content:
#!/bin/sh
iptables-restore < /etc/firewall.conf

Make it executable:
$ sudo chmod +x /etc/network/if-up.d/iptables

If you need to change your rules in the future, you can edit /etc/firewall.conf by hand or adjust the rules live and save them again:
$ sudo sh -c 'iptables-save > /etc/firewall.conf'

IP forwarding must be enabled in the kernel. Either of the following enables it immediately (until the next reboot):
$ echo 1 | sudo tee -a /proc/sys/net/ipv4/ip_forward
$ sudo sysctl -w net.ipv4.ip_forward=1

To make IP forwarding permanent, edit /etc/sysctl.conf, uncomment the second of the following lines and reload the file with sysctl -p:

# Uncomment the next line to enable packet forwarding for IPv4
#net.ipv4.ip_forward=1
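The rules above are typed one by one and then dumped with iptables-save. The following script is an added example, not part of the original post or of the Cuckoo project: it emits the same ruleset directly in iptables-restore format, so the file can be reviewed before it is loaded, and it shows the saving and forwarding steps in one place. It assumes the external interface and the host-only subnet are passed as arguments (the defaults are the tutorial's eth0 and 192.168.56.0/24). It goes one step beyond the tutorial by allowing guest traffic out of the external interface only, so samples cannot be forwarded to the host's other interfaces.

```shell
#!/bin/sh
# Added example (not from the original post or from Cuckoo): the tutorial's
# host NAT/forwarding rules as one iptables-restore file.
# Assumptions: EXT_IF is the interface carrying the Internet route and
# VBOX_NET is the VirtualBox host-only network; both default to the
# tutorial's values. Forwarding is limited to EXT_IF (stricter than the
# tutorial, which accepts any destination for guest traffic).

# cuckoo_nat_rules EXT_IF VBOX_NET : print the ruleset in iptables-save format
cuckoo_nat_rules() {
    ext_if="${1:-eth0}"
    vbox_net="${2:-192.168.56.0/24}"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Hide the guests behind the host's address when they leave via ${ext_if}.
-A POSTROUTING -s ${vbox_net} -o ${ext_if} -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies to connections the guests opened.
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Traffic between guests (kept as in the tutorial).
-A FORWARD -s ${vbox_net} -d ${vbox_net} -j ACCEPT
# Guests to the Internet, only through ${ext_if}.
-A FORWARD -s ${vbox_net} -o ${ext_if} -j ACCEPT
# Everything else is logged and then hits the DROP policy.
-A FORWARD -j LOG --log-prefix "cuckoo-fwd-drop: "
COMMIT
EOF
}

# default_ext_if : name of the interface that carries the default route
default_ext_if() {
    ip -o route show default |
        awk '{ for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# cuckoo_nat_apply EXT_IF VBOX_NET : save the rules, load them and enable
# forwarding (root only; the file is written by root, so no redirection issue)
cuckoo_nat_apply() {
    [ "$(id -u)" -eq 0 ] || { echo "cuckoo_nat_apply: must run as root" >&2; return 1; }
    cuckoo_nat_rules "$1" "$2" > /etc/firewall.conf
    iptables-restore < /etc/firewall.conf
    sysctl -w net.ipv4.ip_forward=1
}

# Usage:  sh cuckoo-nat.sh print [EXT_IF] [VBOX_NET]   review the rules
#         sudo sh cuckoo-nat.sh apply [EXT_IF] [VBOX_NET]
case "${1:-print}" in
    apply) cuckoo_nat_apply "${2:-$(default_ext_if)}" "${3:-192.168.56.0/24}" ;;
    *)     cuckoo_nat_rules "${2:-eth0}" "${3:-192.168.56.0/24}" ;;
esac
```

The generated file is what /etc/network/if-up.d/iptables restores at boot, so editing the rules means regenerating the file and running iptables-restore again rather than re-typing individual commands.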
Cuckoo Working Directory

All configurable components, generated data and results of Cuckoo are stored in the Cuckoo Working Directory (CWD).

By default this is ~/.cuckoo, i.e. /home/cuckoo/.cuckoo for the cuckoo user created above (the CWD can be changed if needed).
Cuckoo configuration files

All configuration files live in $CWD/conf.
cuckoo.conf

The cuckoo.conf file contains the generic configuration options.

machinery in [cuckoo]:

Defines which machinery module Cuckoo uses to interact with your analysis machines.

The value must be the module name without extension:

machinery = virtualbox

ip and port in [resultserver]:

The local IP address and port Cuckoo binds the result server to.

It must be the host's address on the network your analysis machines use (here the host-only network), otherwise they will not be able to return any results:

ip = 192.168.56.1

connection in [database]:

The database connection string defines how Cuckoo connects to its internal database.
If empty, it defaults to a SQLite3 database at $CWD/cuckoo.db (our case).
auxiliary.conf

Auxiliary modules are scripts that run concurrently with the malware analysis.

enabled in [sniffer]:

Enable or disable the external sniffer (tcpdump):
enabled = yes

enabled in [mitm]:

Enable man-in-the-middle proxying of the guest's traffic (mitmdump). Set it to yes only if mitmproxy's mitmdump is installed on the host:
enabled = yes
virtualbox.conf

The virtualbox module defines how Cuckoo interacts with your virtualization software of choice.

mode in [virtualbox]:

Specify which VirtualBox mode you want to run your machines in. Can be "gui" or "headless":
mode = headless

machines in [virtualbox]:

A comma-separated list of the available analysis machines. For each ID listed you must define a dedicated section with the details of that machine (e.g. cuckoo1,cuckoo2,cuckoo3):
machines = Cuckoo

[Cuckoo]

label: the name of the machine exactly as it appears in your VirtualBox configuration:
label = Cuckoo

platform: the operating system of the machine [windows/darwin/linux]:
platform = windows

ip: the IP address of the virtual machine. Make sure the address is valid and that the host can reach it; if not, the analysis will fail:
ip = 192.168.56.101
memory.conf

The memory.conf file contains the Volatility configuration.
processing.conf

This file lets you enable, disable and configure all processing modules. These modules live under the cuckoo processing package and define how the raw data collected during the analysis is digested.
reporting.conf

This file controls report generation.

enabled in [mongodb] (required by the Django web interface):

enabled = yes

enabled in [elasticsearch]:

enabled = no
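The settings above are spread over three files and the failure mode of a mismatch (a machine IP that the result server cannot see, a machinery name with no matching file) only shows up when the first analysis hangs. The following script is an added example, not part of the original post or of Cuckoo, that reads the keys discussed in this section back out of $CWD/conf and checks them for consistency. It assumes the usual "key = value" layout of the conf files and that the result server and the guests share one /24 host-only network, as in the tutorial; the sample configuration it writes for its self-test is constructed from the values on this page.

```shell
#!/bin/sh
# Added example (not from the original post or from Cuckoo): consistency
# check for the cuckoo.conf / virtualbox.conf / reporting.conf keys set above.
# Assumptions: "key = value" lines, and guests on the same /24 as the
# result server (the tutorial's 192.168.56.0/24 host-only network).

# ini_get FILE SECTION KEY : print the value of KEY inside [SECTION]
ini_get() {
    awk -v sec="[$2]" -v key="$3" '
        $0 == sec { insec = 1; next }
        /^\[/     { insec = 0 }
        insec && $1 == key && $2 == "=" {
            sub(/^[^=]*=[ \t]*/, ""); print; exit
        }' "$1"
}

# same_slash24 A B : true when two IPv4 addresses share their first three octets
same_slash24() {
    [ -n "$1" ] && [ "${1%.*}" = "${2%.*}" ]
}

# cuckoo_conf_check CWD : print every problem found, return their count (0 = ok)
cuckoo_conf_check() {
    conf="$1/conf"
    errors=0
    fail() { echo "FAIL: $*" >&2; errors=$((errors + 1)); }

    [ -f "$conf/cuckoo.conf" ] || { fail "no $conf/cuckoo.conf"; return 1; }
    machinery=$(ini_get "$conf/cuckoo.conf" cuckoo machinery)
    mconf="$conf/$machinery.conf"
    [ -f "$mconf" ] || { fail "machinery '$machinery' has no $mconf"; return 1; }

    rs_ip=$(ini_get "$conf/cuckoo.conf" resultserver ip)
    [ -n "$rs_ip" ] || fail "[resultserver] ip is empty"

    mode=$(ini_get "$mconf" "$machinery" mode)
    case "$mode" in
        gui|headless) ;;
        *) fail "[$machinery] mode must be gui or headless, got '$mode'" ;;
    esac

    machines=$(ini_get "$mconf" "$machinery" machines)
    [ -n "$machines" ] || fail "[$machinery] machines is empty"
    for m in $(printf '%s' "$machines" | tr ',' ' '); do
        label=$(ini_get "$mconf" "$m" label)
        platform=$(ini_get "$mconf" "$m" platform)
        ip=$(ini_get "$mconf" "$m" ip)
        [ -n "$label" ] || fail "machine '$m' has no label (VirtualBox VM name)"
        case "$platform" in
            windows|linux|darwin) ;;
            *) fail "machine '$m': platform '$platform' is not windows/linux/darwin" ;;
        esac
        same_slash24 "$ip" "$rs_ip" ||
            fail "machine '$m': ip '$ip' is not on the result server's network ($rs_ip)"
    done

    mongo=$(ini_get "$conf/reporting.conf" mongodb enabled)
    [ "$mongo" = "yes" ] || fail "[mongodb] enabled is '$mongo'; the web interface needs yes"

    return "$errors"
}

# make_sample_cwd DIR : constructed sample data (the tutorial's values) for a
# self-test; a real CWD has many more keys and comments in each file.
make_sample_cwd() {
    mkdir -p "$1/conf"
    printf '%s\n' '[cuckoo]' 'machinery = virtualbox' '' \
        '[resultserver]' 'ip = 192.168.56.1' 'port = 2042' '' \
        '[database]' 'connection =' > "$1/conf/cuckoo.conf"
    printf '%s\n' '[virtualbox]' 'mode = headless' 'machines = Cuckoo' '' \
        '[Cuckoo]' 'label = Cuckoo' 'platform = windows' \
        'ip = 192.168.56.101' > "$1/conf/virtualbox.conf"
    printf '%s\n' '[mongodb]' 'enabled = yes' '' \
        '[elasticsearch]' 'enabled = no' > "$1/conf/reporting.conf"
}

# Usage: sh cuckoo-conf-check.sh [CWD]   (defaults to ~/.cuckoo)
cwd="${1:-$HOME/.cuckoo}"
if [ -d "$cwd/conf" ]; then
    cuckoo_conf_check "$cwd" && echo "OK: $cwd/conf is consistent"
else
    echo "no Cuckoo working directory at $cwd" >&2
fi
```

Run it as the cuckoo user after editing the files; a non-zero exit status is the number of problems found, each printed on stderr.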

In the next article we will cover the last step of the installation: preparing the guest.
Author: ruben. Posted on July 11, 2017. Categories: Manuales. Tags: Cuckoo sandbox, Malware
2 thoughts on "Cuckoo Sandbox Install Guideline – Preparing the host (1/2)"

MonkeyK says:
November 5, 2017 at 11:31 pm

Thanks! Probably the most complete notes that I have seen so far.
Can you comment on whether Cuckoo can run from a guest OS as well? If so, what special considerations should be made? Or does it need to run on the host?

kiara gupta says:
November 12, 2017 at 9:13 am

How do I set up a network connection between the Ubuntu host and the Windows 7 guest?