The Rffuste blog
A blog about computer security and other things

Cuckoo Sandbox Install Guideline – Preparing the host (1/2)
Cuckoo Sandbox is open source software for automating the analysis of suspicious files. To do so it uses custom components that monitor the behavior of malicious processes while they run in an isolated environment.

Cuckoo Sandbox has recently been updated to version 2.0, and the steps to install it have changed a lot. For this reason I'm re-writing my tutorial to explain how to install it. It is based on my own experience and on the commands I used to set up the new Cuckoo version. The basic structure follows the official Cuckoo Sandbox documentation.

Cuckoo Sandbox architecture

Host: runs the main components that manage the whole analysis process.
Analysis guest: isolated virtual environments where the samples are executed.
Preparing the host

Requirements

The following sections describe the main requirements for installing Cuckoo Sandbox.

Python libraries

The following packages from the apt repositories are required to get Cuckoo to install and run properly (currently only Python 2.7 is supported):

$ sudo apt-get install python python-pip python-dev libffi-dev libssl-dev
$ sudo apt-get install python-virtualenv python-setuptools
$ sudo apt-get install libjpeg-dev zlib1g-dev swig

In order to use the Django-based web interface, MongoDB is required:

$ sudo apt-get install mongodb
Yara

YARA is a tool aimed at (but not limited to) helping malware researchers identify and classify malware samples. Yara is an optional package.

Yara prerequisites:

$ sudo apt-get install automake libtool make gcc libjansson-dev libmagic-dev

The Python binding is currently needed (future versions of Cuckoo won't need it):

$ pip install yara-python

Yara package (note that the archive downloaded from GitHub is named v3.5.0.tar.gz, so that is the file to extract):

$ wget https://github.com/VirusTotal/yara/archive/v3.5.0.tar.gz
$ tar -zxf v3.5.0.tar.gz
$ cd yara-3.5.0
$ ./bootstrap.sh
$ ./configure --enable-cuckoo --enable-magic
$ make
$ sudo make install

Run the test cases to make sure that everything is fine:

$ make check
Pydeep

Pydeep is a Python/C binding library for ssdeep. Pydeep is an optional package:

$ sudo apt-get install ssdeep libfuzzy-dev

Pydeep package installation:

$ wget https://github.com/kbandla/pydeep/archive/0.2.tar.gz
$ tar -zxf 0.2.tar.gz
$ cd pydeep-0.2/
$ python setup.py build
$ sudo python setup.py install
Virtualization Software

VirtualBox is the virtualization software used to host the isolated guest machines (the repository line below uses the "xenial" codename, i.e. Ubuntu 16.04; adjust it for other releases):

$ echo deb http://download.virtualbox.org/virtualbox/debian xenial contrib | sudo tee -a /etc/apt/sources.list.d/virtualbox.list
$ wget -q https://www.virtualbox.org/download/oracle_vbox_2016.asc -O- | sudo apt-key add -
$ sudo apt-get update
$ sudo apt-get install virtualbox-5.1
Tcpdump

Tcpdump is a network sniffer used to capture and dump the network activity generated by the executed malware sample:

$ sudo apt-get install tcpdump apparmor-utils
$ sudo aa-disable /usr/sbin/tcpdump

For Linux platforms without AppArmor (e.g., Debian) the following command is enough to install Tcpdump:

$ sudo apt-get install tcpdump

Because Cuckoo must run as a non-root user, Tcpdump must be configured to capture without root privileges:

$ sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump

You can verify the result of the last command:

$ getcap /usr/sbin/tcpdump
/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip
Volatility

The Volatility Framework is a collection of tools for extracting digital artifacts from volatile memory (RAM) samples:

$ sudo apt-get install volatility

WeasyPrint

WeasyPrint is a visual rendering engine for HTML and CSS that can export to PDF. It will help us generate PDF reports of the analyses.

$ sudo pip install weasyprint

Installing M2Crypto

M2Crypto is a crypto and SSL toolkit for Python. The M2Crypto library is only supported when SWIG has been installed (if SWIG is present on the system, Cuckoo will automatically install the M2Crypto dependency upon installation):

$ sudo apt-get install swig
Installing Cuckoo

Create a user

To run Cuckoo as a non-root user we must create a new user:

$ sudo adduser cuckoo

Make sure the new user belongs to the "vboxusers" group (or the group you use to run VirtualBox):

$ sudo usermod -a -G vboxusers cuckoo
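Before going further it is worth checking that the host steps so far actually took effect: that tcpdump really carries both capabilities with the e, i and p flags (a capture started by Cuckoo as the unprivileged user fails silently otherwise), that the cuckoo user is in vboxusers, and that the Python found on the PATH is 2.7. The following preflight script is an added example, not code from the original post or from the Cuckoo project; it assumes the layout used above (tcpdump at /usr/sbin/tcpdump, user "cuckoo", group "vboxusers") and that aa-disable records its symlink under /etc/apparmor.d/disable/. The parsing functions take their input as arguments, so they can be exercised without root and with constructed getcap lines.

```shell
#!/bin/sh
# Host preflight check for the steps above (added example; not part of the original
# post or of the Cuckoo project). Assumes the layout used in the post: tcpdump at
# /usr/sbin/tcpdump, a "cuckoo" user that must belong to "vboxusers", Python 2.7.
TCPDUMP=${TCPDUMP:-/usr/sbin/tcpdump}
CUCKOO_USER=${CUCKOO_USER:-cuckoo}
VBOX_GROUP=${VBOX_GROUP:-vboxusers}

# Return 0 when a getcap output line grants cap_net_raw and cap_net_admin with all
# three flags e (effective), i (inheritable) and p (permitted), which is what
# "setcap cap_net_raw,cap_net_admin=eip" produces. Accepts both the classic
# "path = caps+eip" format and the newer "path caps=eip" format of getcap.
tcpdump_caps_ok() {
    caps=${1#* }                                          # drop the path
    caps=$(printf '%s' "$caps" | sed 's/^[ =]*//')        # drop a leading "= "
    flags=$(printf '%s' "$caps" | sed 's/.*[+=]//')       # e.g. "eip"
    names=$(printf '%s' "$caps" | sed 's/[+=][^+=]*$//')  # e.g. "cap_net_admin,cap_net_raw"
    for want in cap_net_raw cap_net_admin; do
        case ",$names," in *,"$want",*) ;; *) return 1 ;; esac
    done
    for f in e i p; do
        case "$flags" in *"$f"*) ;; *) return 1 ;; esac
    done
    return 0
}

# Return 0 when GROUP ($2) appears in a whitespace-separated group list ($1), such
# as the output of "id -nG USER".
groups_contain() {
    case " $1 " in *" $2 "*) return 0 ;; *) return 1 ;; esac
}

# Return 0 when a "python --version" string reports 2.7 (the only version Cuckoo 2.0 supports).
python_is_27() {
    case "$1" in "Python 2.7."*) return 0 ;; *) return 1 ;; esac
}

have() { command -v "$1" >/dev/null 2>&1; }

# Run the real checks on this host: one OK/FAIL line per check, returns the number of failures.
preflight() {
    fails=0
    check() { desc=$1; shift; if "$@"; then echo "OK   $desc"; else echo "FAIL $desc"; fails=$((fails + 1)); fi; }
    check "getcap available (package libcap2-bin)" have getcap
    check "tcpdump has cap_net_raw,cap_net_admin=eip" tcpdump_caps_ok "$(getcap "$TCPDUMP" 2>/dev/null)"
    check "$CUCKOO_USER is in group $VBOX_GROUP" groups_contain "$(id -nG "$CUCKOO_USER" 2>/dev/null)" "$VBOX_GROUP"
    check "python on PATH is 2.7" python_is_27 "$(python --version 2>&1)"
    check "mongod installed (needed by the web interface)" have mongod
    check "VBoxManage installed" have VBoxManage
    # Assumption: aa-disable leaves a symlink under /etc/apparmor.d/disable/ (only checked when AppArmor is on).
    if [ -r /sys/module/apparmor/parameters/enabled ] && [ "$(cat /sys/module/apparmor/parameters/enabled)" = "Y" ]; then
        check "AppArmor profile for tcpdump disabled" test -e /etc/apparmor.d/disable/usr.sbin.tcpdump
    fi
    return $fails
}

if [ "${1:-}" = "--run" ]; then preflight; fi
```

Run it as `sh preflight.sh --run` on the host; a non-zero exit status means at least one FAIL line was printed. The capability check deliberately insists on all three flags because `setcap ... =p` or `=ep` alone looks similar in getcap output but does not let an unprivileged tcpdump open a raw socket.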
Install Cuckoo

The Cuckoo package needs to be installed in a virtual environment (virtualenv):

$ virtualenv venv
$ . venv/bin/activate
(venv)$ pip install -U pip setuptools
(venv)$ pip install -U cuckoo
Host Network Routing

The following iptables rules let the VMs on the host-only network (192.168.56.0/24) reach the outside network through the Cuckoo host machine:

$ sudo iptables -t nat -A POSTROUTING -o eth0 -s 192.168.56.0/24 -j MASQUERADE
$ sudo iptables -t nat -A POSTROUTING -o wlan0 -s 192.168.56.0/24 -j MASQUERADE
# Default drop.
$ sudo iptables -P FORWARD DROP
# Existing connections.
$ sudo iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# Accept connections from vboxnet to the whole internet.
$ sudo iptables -A FORWARD -s 192.168.56.0/24 -j ACCEPT
# Internal traffic.
$ sudo iptables -A FORWARD -s 192.168.56.0/24 -d 192.168.56.0/24 -j ACCEPT
# Log stuff that reaches this point (could be noisy).
$ sudo iptables -A FORWARD -j LOG

Replace the interface names (eth0, wlan0) with the ones shown by sudo ifconfig on your host.

These rules must be stored so that they are loaded automatically on every server startup. Save the rules (the redirection has to run as root too, hence the sh -c):

$ sudo sh -c 'iptables-save > /etc/firewall.conf'

Open /etc/network/if-up.d/iptables and add:

#!/bin/sh
iptables-restore < /etc/firewall.conf

Give it execution permissions:

$ sudo chmod +x /etc/network/if-up.d/iptables

If you need to save changes to your rules in the future, you can manually edit /etc/firewall.conf or adjust your rules live and run:

$ sudo sh -c 'iptables-save > /etc/firewall.conf'

IP forwarding must be enabled in the kernel configuration:

$ echo 1 | sudo tee -a /proc/sys/net/ipv4/ip_forward
$ sudo sysctl -w net.ipv4.ip_forward=1

Another way to make IP forwarding permanent is to edit /etc/sysctl.conf, find the following lines and uncomment the second one:

# Uncomment the next line to enable packet forwarding for IPv4
#net.ipv4.ip_forward=1
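The rule set above is easy to get subtly wrong when typed by hand: the outbound interface name differs per host, and re-running the commands after a reboot or a typo appends duplicate rules. The script below is an added example, not code from the original post or from the Cuckoo project. It builds the same rules from the detected default-route interface, prints them for review, applies each rule only if it is not already present (iptables -C), and then performs the save and restore-hook steps described above. It assumes the post's values: guests on 192.168.56.0/24, rules saved to /etc/firewall.conf and restored by /etc/network/if-up.d/iptables.

```shell
#!/bin/sh
# Build, review, apply and persist the Cuckoo host NAT/forwarding rules from the
# section above. Added example; not part of the original post or the Cuckoo project.
# Assumptions (as in the post): guests live on the VirtualBox host-only network
# 192.168.56.0/24, rules are saved to /etc/firewall.conf and restored by
# /etc/network/if-up.d/iptables. The outbound interface is taken from the default
# route instead of being hard-coded as eth0/wlan0 (override with IFACE=<name>).
VM_NET=${VM_NET:-192.168.56.0/24}
RULES_FILE=${RULES_FILE:-/etc/firewall.conf}
RESTORE_HOOK=${RESTORE_HOOK:-/etc/network/if-up.d/iptables}

# Interface that carries the default route, e.g. "eth0" or "wlan0".
default_iface() {
    ip -o route show default 2>/dev/null |
        awk '{ for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Print the iptables commands for OUT_IFACE ($1) and NET ($2), one per line, in the
# same order as the post. Printing first lets you review them before applying.
build_rules() {
    out_iface=$1; net=$2
    cat <<EOF
iptables -t nat -A POSTROUTING -o $out_iface -s $net -j MASQUERADE
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s $net -j ACCEPT
iptables -A FORWARD -s $net -d $net -j ACCEPT
iptables -A FORWARD -j LOG
EOF
}

# Turn an "-A" (append) command into the matching "-C" (check) command, so a rule
# is only added when it is not already present and re-runs do not duplicate it.
check_form() {
    printf '%s\n' "$1" | sed 's/ -A / -C /'
}

apply_rule() {
    case "$1" in
        "iptables -P "*) $1 ;;                        # chain policies have no -C form
        *) $(check_form "$1") 2>/dev/null || $1 ;;
    esac
}

# Apply every rule, enable forwarding, save the table and install the restore hook.
apply_rules() {
    out_iface=${IFACE:-$(default_iface)}
    [ -n "$out_iface" ] || { echo "no default route found; set IFACE=<name>" >&2; return 1; }
    build_rules "$out_iface" "$VM_NET" | while IFS= read -r rule; do apply_rule "$rule"; done
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    iptables-save > "$RULES_FILE"
    printf '#!/bin/sh\niptables-restore < %s\n' "$RULES_FILE" > "$RESTORE_HOOK"
    chmod +x "$RESTORE_HOOK"
}

case "${1:-}" in
    --print) build_rules "${IFACE:-$(default_iface)}" "$VM_NET" ;;   # review only, no root needed
    --apply) apply_rules ;;                                          # run as root
esac
```

Use `sh cuckoo-fw.sh --print` to see exactly which commands would run on this host, then `sudo sh cuckoo-fw.sh --apply`. The LOG rule at the end is kept because it is the only visibility you get into forwarded traffic the policy dropped; if it turns out too noisy, rate-limit it rather than removing it.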
Cuckoo Working Directory

All configurable components, generated data and results of Cuckoo are stored in the Cuckoo Working Directory (CWD). By default it is ~/.cuckoo, which for the user created above is /home/cuckoo/.cuckoo (the CWD can be changed if needed).

Cuckoo configuration files

All configuration files are located in the Cuckoo Working Directory, under $CWD/conf.

cuckoo.conf

The cuckoo.conf file contains generic configuration options.

machinery in [cuckoo]: this option defines which machinery module you want Cuckoo to use to interact with your analysis machines. The value must be the name of the module without extension.

machinery = virtualbox

ip and port in [resultserver]: these define the local IP address and port that Cuckoo will try to bind the result server on. Make sure this matches the network configuration of your analysis machines or they won't be able to return any results.

ip = 192.168.56.1

connection in [database]: the database connection string defines how Cuckoo will connect to the internal database. If empty, it defaults to a SQLite3 database at $CWD/cuckoo.db (our case).

auxiliary.conf

Auxiliary modules are scripts that run concurrently with the malware analysis.

enabled in [sniffer]: enable or disable the use of an external sniffer (tcpdump).

enabled = yes

enabled in [mitm]: enable man-in-the-middle proxying (mitmdump).

enabled = yes

virtualbox.conf

The virtualbox module is the script that defines how Cuckoo should interact with your virtualization software of choice.

mode in [virtualbox]: specify which VirtualBox mode you want to run your machines in. Can be "gui" or "headless".

mode = headless

machines in [virtualbox]: specify a comma-separated list of available machines to be used. For each specified ID you have to define a dedicated section containing the details of the respective machine (e.g. cuckoo1,cuckoo2,cuckoo3).

machines = Cuckoo

[Cuckoo]

Specify the label name of the current machine as specified in your VirtualBox configuration.

label = Cuckoo

Specify the operating system platform used by the current machine [windows/darwin/linux].

platform = windows

Specify the IP address of the current virtual machine. Make sure that the IP address is valid and that the host machine is able to reach it. If not, the analysis will fail.

ip = 192.168.56.101

memory.conf

The memory.conf file contains the Volatility configuration.

processing.conf

This file allows you to enable, disable and configure all processing modules. These modules are located under the cuckoo processing module and define how to digest the raw data collected during the analysis.

reporting.conf

This file contains information on report generation.

Configuration in [mongodb]:

enabled = yes

Configuration in [elasticsearch]:

enabled = no
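The two caveats in this section (the result server IP must match the guest network, and every ID in machines needs its own section) are the usual causes of an analysis that starts a VM and then never gets results back. The following script is an added example, not code from the original post or from the Cuckoo project; it cross-checks cuckoo.conf and virtualbox.conf with a small awk-based ini reader. The sample files it writes are constructed here and mirror the values used above; the real check assumes the default $CWD of ~/.cuckoo.

```shell
#!/bin/sh
# Cross-check the configuration values set above: every ID in "machines" of
# virtualbox.conf needs its own section with label, platform and ip, and each
# machine ip must be in the same /24 as the [resultserver] ip in cuckoo.conf, or
# the guest cannot return results. Added example; not part of the original post
# or the Cuckoo project. The files written by write_samples are constructed here
# and mirror the values used in the post.
CWD=${CWD:-$HOME/.cuckoo}

# Print the value of KEY ($3) inside [SECTION] ($2) of an ini-style FILE ($1); nothing if absent.
ini_get() {
    awk -v s="[$2]" -v k="$3" '
        { line = $0; sub(/[ \t]*$/, "", line) }
        line == s    { insec = 1; next }
        line ~ /^\[/ { insec = 0 }
        insec && line ~ ("^" k "[ \t]*=") { sub(/^[^=]*=[ \t]*/, "", line); print line; exit }
    ' "$1"
}

# Return 0 when [SECTION] ($2) exists in FILE ($1).
ini_has_section() {
    awk -v s="[$2]" '{ sub(/[ \t]*$/, "") } $0 == s { found = 1 } END { exit !found }' "$1"
}

# First three octets of a dotted-quad address, i.e. its /24 network prefix.
net24() { printf '%s' "$1" | cut -d. -f1-3; }

# Return 0 when virtualbox.conf ($2) is consistent with cuckoo.conf ($1);
# otherwise print one line per problem and return 1.
check_machines() {
    cuckoo_conf=$1; vbox_conf=$2; bad=0
    rs_ip=$(ini_get "$cuckoo_conf" resultserver ip)
    machines=$(ini_get "$vbox_conf" virtualbox machines)
    [ -n "$rs_ip" ]    || { echo "cuckoo.conf: [resultserver] ip is not set"; bad=1; }
    [ -n "$machines" ] || { echo "virtualbox.conf: [virtualbox] machines is empty"; bad=1; }
    for m in $(printf '%s' "$machines" | tr ',' ' '); do
        if ! ini_has_section "$vbox_conf" "$m"; then
            echo "virtualbox.conf: '$m' is listed in machines but has no [$m] section"; bad=1; continue
        fi
        label=$(ini_get "$vbox_conf" "$m" label)
        platform=$(ini_get "$vbox_conf" "$m" platform)
        ip=$(ini_get "$vbox_conf" "$m" ip)
        [ -n "$label" ] || { echo "[$m]: label is missing"; bad=1; }
        case "$platform" in
            windows|darwin|linux) ;;
            *) echo "[$m]: platform '$platform' is not windows, darwin or linux"; bad=1 ;;
        esac
        if [ -z "$ip" ] || [ "$(net24 "$ip")" != "$(net24 "$rs_ip")" ]; then
            echo "[$m]: ip '$ip' is not in the resultserver network $(net24 "$rs_ip").0/24"; bad=1
        fi
    done
    return $bad
}

# Write constructed cuckoo.conf and virtualbox.conf into DIR ($1) with the post's values.
write_samples() {
    cat > "$1/cuckoo.conf" <<'EOF'
[cuckoo]
machinery = virtualbox

[resultserver]
ip = 192.168.56.1

[database]
connection =
EOF
    cat > "$1/virtualbox.conf" <<'EOF'
[virtualbox]
mode = headless
machines = Cuckoo

[Cuckoo]
label = Cuckoo
platform = windows
ip = 192.168.56.101
EOF
}

case "${1:-}" in
    --check) check_machines "$CWD/conf/cuckoo.conf" "$CWD/conf/virtualbox.conf" ;;
    --demo)  d=$(mktemp -d); write_samples "$d"; check_machines "$d/cuckoo.conf" "$d/virtualbox.conf" && echo "config consistent" ;;
esac
```

`sh cuckoo-confcheck.sh --demo` runs the check over the constructed samples; `sh cuckoo-confcheck.sh --check` runs it over the real files in $CWD/conf. The /24 comparison is a deliberate simplification matching the host-only network used in this guide; a differently sized subnet would need a proper mask comparison.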
In the next article we will cover the last step of the installation.

Author: ruben. Posted on July 11, 2017. Categories: Manuales. Tags: Cuckoo sandbox, Malware.
2 thoughts on "Cuckoo Sandbox Install Guideline – Preparing the host (1/2)"

MonkeyK says:
November 5, 2017 at 11:31 pm
Thanks! Probably the most complete notes that I have seen so far.
Can you comment on whether Cuckoo can run from a guest OS as well? If so, what special considerations should be made? Or does it need to run on the host?

kiara gupta says:
November 12, 2017 at 9:13 am
How do I set up a network connection between the Ubuntu host and a Windows 7 guest?