Cuckoo Sandbox Part 2 :: installing
05 November 2014
This continues the series of posts about the Cuckoo Sandbox that I am writing for
my course at Leeds Beckett University. They are posted on the invitation-only
blog named DFA1415, so I am also making my posts public on my own site, and I
welcome all comments and feedback.
To start at the beginning, go to Part 1.
This post details how Cuckoo Sandbox is installed and configured on an
Ubuntu 14.04 LTS x64 system. The focus is on the latest version of Cuckoo
Sandbox, which at the time of writing is 1.1.1.
Particular care is taken with the virtual machine being analysed. Sandboxing is a
useful technique that allows unknown software or files to be opened inside an
isolated environment, which can then be monitored to gather information on what
a particular file or program does.
The download page warns that installing Cuckoo Sandbox is a delicate operation
that needs careful attention to detail. The main focus of this post is therefore
installing Cuckoo Sandbox so that it ends up as a working system, together with the
details of the test lab in which Cuckoo Sandbox will be exercised.
Lab Setup
The machine:
Intel i5-4690K CPU
VT-x & VT-d extensions enabled via BIOS
16GB RAM
Ubuntu 14.04 LTS (Linux ubuntu 3.13.0-39-generic #66-Ubuntu SMP Tue
Oct 28 13:30:27 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux)
VirtualBox 4.3.18 r96516
Cuckoo Sandbox 1.1.1
In addition, the VT-x and VT-d extensions of the CPU were enabled via the BIOS
(required for 64-bit virtual machines).
Documentation
Cuckoo Sandbox provides very comprehensive documentation for the tool. The
documentation is also available offline in PDF, ePub and HTML. In addition,
documentation for past versions of Cuckoo is available, including in offline
format, as shown:
Finally, the documentation is also available on GitHub, so you can keep it in sync
via git or even fork it, make edits and submit a pull request to the owner. If
they approve of your changes, they can be pulled into the original repository.
Preparing the system
These instructions assume that you are running Ubuntu 14.04 LTS. The official
documentation is followed to install Cuckoo. It requires you to install additional
packages, as outlined in its requirements section.
Most packages are optional, but three are essential for Cuckoo: Python 2.7,
SQLAlchemy and Python BSON. For the purpose of testing, all optional packages
were selected for installation to get the most out of Cuckoo Sandbox.
Ubuntu 14.04 does come with Python 2.7 by default:
ubuntu:~$ python --version
Python 2.7.6
Installing required packages
In a terminal, the following command installs all essential and optional packages
(including tcpdump) in one go:
ubuntu:~$ sudo apt-get install mongodb python-sqlalchemy python-bson python-dpkt python-jinja2 python-magic python-pymongo python-gridfs python-libvirt python-bottle python-pefile python-chardet tcpdump -y
tcpdump is given file capabilities so that Cuckoo can use it without running as root:
ubuntu:~$ sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
To verify, this is the expected output:
ubuntu:~$ getcap /usr/sbin/tcpdump
/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip
Two additional pieces of software are also recommended (but optional): Yara and
Pydeep. The documentation states these need to be installed separately; however,
Yara is provided in the Ubuntu universe repository:
ubuntu:~$ apt-cache show yara
Package: yara
Priority: optional
Section: universe/utils
Installed-Size: 85
Maintainer: Ubuntu Developers <[email protected]>
Original-Maintainer: Debian Forensics <[email protected]>
Architecture: amd64
Version: 2.0.0-2
Depends: libc6 (>= 2.4), libyara2 (>= 2.0.0)
Filename: pool/universe/y/yara/yara_2.0.0-2_amd64.deb
Cuckoo requires Yara 1.7 or higher, so this is fine. To install yara, run the
command sudo apt-get install yara -y.
PYDEEP
Pydeep depends on ssdeep 2.8+. Ubuntu's repository carries ssdeep 2.7, so that
package will not be installed; instead ssdeep needs to be compiled from source,
and likewise Pydeep. Before doing so, a few packages are needed. The following
commands were executed:
Install ssdeep from source
ubuntu:~$ sudo apt-get install build-essential git python-dev -y
ubuntu:~$ wget http://sourceforge.net/projects/ssdeep/files/ssdeep-2.12/ssdeep-2.12.tar.gz/download -O ssdeep.tar.gz
ubuntu:~$ tar -xf ssdeep.tar.gz
ubuntu:~$ cd ssdeep-2.12
ubuntu:~$ ./configure
ubuntu:~$ make
ubuntu:~$ sudo make install
ubuntu:~$ ssdeep -V
2.12
Install pydeep via pip
ubuntu:~$ sudo apt-get install python-pip -y
ubuntu:~$ sudo pip install pydeep
The current stable release of pydeep is version 0.2.
ubuntu:~$ pip show pydeep
---
Name: pydeep
Version: 0.2
Location: /usr/local/lib/python2.7/dist-packages
Requires:
With thanks to Sandpox
If you have installed pydeep but get the error WARNING: Unable to import
pydeep (install with pip install pydeep),
then run sudo apt-get install libfuzzy-dev, because libfuzzy.so.2 is missing.
Volatility
Volatility is a volatile memory extraction utility framework that runs in Python. It
is an optional requirement, but as the documentation states, Cuckoo's analyser can
miss some rootkits, and Volatility gives further visibility into deep modifications
of the operating system being analysed, including its memory, catching those that
might otherwise be missed by Cuckoo.
The documentation states that version 2.3 of Volatility is required and that it
needs to be installed separately; however, it is available in the Ubuntu universe
repository as version 2.3.1-7:
ubuntu:~$ apt-cache show volatility
Package: volatility
Priority: optional
Section: universe/utils
Installed-Size: 9188
Maintainer: Ubuntu Developers <[email protected]>
Original-Maintainer: Debian Forensics <[email protected]>
Architecture: all
Version: 2.3.1-7
Depends: python (>= 2.7), python (<< 2.8), python:any (>= 2.7.1-0ubuntu2), python-crypto, python-imaging, python-openpyxl, python-yara, volatility-tools (>= 2.3.1-5)
Recommends: volatility-profiles
Suggests: lime-forensics-dmks, libraw1394-11
Filename: pool/universe/v/volatility/volatility_2.3.1-7_all.deb
To install: sudo apt-get install volatility -y
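To confirm the prerequisites from this section in one go, here is an added example (not part of the original post or of Cuckoo) that applies the version floors and the tcpdump capability check described above. The yara --version and volatility --info invocations are assumptions; ssdeep -V and getcap are the commands the post itself uses, and the getcap parser also accepts the newer libcap output format.

```python
import re
import subprocess
# Minimum versions the prerequisites above require (added example, not Cuckoo's
# own code). Yara ships 2.0.0 and Volatility 2.3.1-7 in Ubuntu 14.04 universe.
MIN_VERSIONS = {"yara": (1, 7), "ssdeep": (2, 8), "volatility": (2, 3)}
# tcpdump must hold both capabilities in the effective, inheritable and
# permitted sets, as the setcap command above grants.
TCPDUMP_CAPS = {"cap_net_raw", "cap_net_admin"}

def parse_version(text):
    """First dotted version in a tool's output, e.g. '2.12' -> (2, 12)."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    return tuple(int(p) for p in m.groups() if p is not None) if m else None

def version_ok(tool, text):
    v = parse_version(text)
    return v is not None and v >= MIN_VERSIONS[tool]

def tcpdump_caps_ok(getcap_line):
    """Accept the getcap line shown above ('... = cap_net_admin,cap_net_raw+eip')
    and the newer libcap form ('... cap_net_admin,cap_net_raw=eip')."""
    m = re.search(r"(cap_[\w,]+)[+=](\w+)\s*$", getcap_line or "")
    if not m:
        return False
    caps, flags = set(m.group(1).split(",")), set(m.group(2))
    return TCPDUMP_CAPS <= caps and {"e", "i", "p"} <= flags

def run(cmd):
    """Run cmd; (exit status, combined output), or (127, '') if it is absent."""
    try:
        p = subprocess.run(cmd, stdout=subprocess.PIPE,
                           stderr=subprocess.STDOUT, universal_newlines=True)
        return p.returncode, p.stdout
    except OSError:
        return 127, ""

def preflight():
    """Run the checks this post performs by hand; returns {check: passed}.
    The yara and volatility version flags are assumed, the rest are the post's."""
    results = {}
    for tool, cmd in (("yara", ["yara", "--version"]),
                      ("ssdeep", ["ssdeep", "-V"]),
                      ("volatility", ["volatility", "--info"])):
        results[tool] = version_ok(tool, run(cmd)[1])
    results["tcpdump_caps"] = tcpdump_caps_ok(run(["getcap", "/usr/sbin/tcpdump"])[1])
    # The import error the post mentions shows up here when libfuzzy is missing.
    results["pydeep"] = run(["python", "-c", "import pydeep"])[0] == 0
    return results
```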
Virtualization Software
Cuckoo makes use of virtualization software to run the Windows client. Cuckoo is
flexible enough to work with most virtualization software of your choice, such
as KVM, VMware, VirtualBox and others. However, the documentation is geared
toward VirtualBox, so this will be used.
Install VirtualBox
The documentation does not cover installing the virtualization software, as this
is outside its scope. Since the documentation makes use of VirtualBox, this post
will also use VirtualBox. The following commands were used to install the
software (note that sudo does not apply to a shell redirection such as >>, so the
repository line is appended with tee instead):
ubuntu:~$ echo "deb http://download.virtualbox.org/virtualbox/debian trusty contrib" | sudo tee -a /etc/apt/sources.list
ubuntu:~$ wget -q https://www.virtualbox.org/download/oracle_vbox.asc -O- | sudo apt-key add -
ubuntu:~$ sudo apt-get update
ubuntu:~$ sudo apt-get install virtualbox-4.3 dkms
ubuntu:~$ sudo adduser your_username vboxusers
This will install the latest version of VirtualBox from Oracle (4.3.18 r96516 at time
of posting) and add your primary account to the vboxusers group, allowing you to
use the VirtualBox host kernel modules (vboxdrv, vboxnetflt and vboxnetadp).
Log out and back in before using VirtualBox.
Creating a Virtual Machine
Cuckoo Sandbox works with a Windows virtual machine to analyse malware. Windows
XP SP3 is recommended; however, Windows 7 can be used provided User Account
Control is turned off.
The following screenshots show some suggested options for creating a
Windows XP SP3 image:
Make sure to select whether the 32-bit or 64-bit version of Windows XP is to be used.
512MB is allocated. 2048MB is recommended if running a number of applications
on the image.
The default option is VDI.
The last step is to add an ISO image of Windows XP SP3. Make sure the boot
order is for CD first (this is the default option).
Select the option "Choose a virtual CD/DVD disk file..." On starting the VM,
continue to setup Windows.
In order to have a working network connection for the Windows XP image,
change the network adapter to PCnet-FAST III.
Install the VirtualBox Guest Additions; this installs the necessary network,
video and other hardware drivers.
The guest needs to be prepared before Cuckoo can work with it. It needs a copy
of Python 2.7 running on the guest. Install the Python Imaging Library as
well; this allows screenshots to be taken.
(Note: In some cases, Python.org will not load in Internet Explorer 6 on Windows
XP SP3. It is easier to download the files needed on the host system and use a
Shared Folder to transfer them to the guest.)
Turn off Windows Firewall and Automatic Updates; the idea is to have a "pre-
update version" of Windows. The last step is to install the Cuckoo Agent, which
runs an XMLRPC server listening for connections. This file is found in
the ./cuckoo/agent folder and is named agent.py. When it is run, it shows a
Python console window; renaming the file to agent.pyw hides the window.
Place this file in the Startup folder of the guest system so that it starts
automatically.
This is the template image that you can work forward from. Shut down the virtual
machine and save this as a snapshot:
With this snapshot - you have a template image from which you can install
various software such as Chrome, Firefox, Adobe PDF Reader and so on for
testing malware with Cuckoo and can easily roll back any changes.
This image can be cloned if additional virtual machines are needed but make
sure the static IP addresses are changed.
NETWORKING
The recommended setup uses a Host-Only networking layout with proper
forwarding and filtering done with iptables on the host. The documentation
gives details of this.
As this is an initial look at Cuckoo Sandbox, the iptables rules were not used at
this point; VirtualBox's own networking was used instead. A new NAT network
named Cuckoo was created with DHCP disabled. Virtual machines being analysed by
Cuckoo should use only static IP addresses, as Cuckoo does not support DHCP.
The test virtual machine is assigned the IP address 192.168.56.10.
Note: The host system will have the IP address 192.168.56.1:
ubuntu:~$ ifconfig
vboxnet0 Link encap:Ethernet HWaddr 0a:00:27:00:00:00
inet addr:192.168.56.1 Bcast:192.168.56.255 Mask:255.255.255.0
inet6 addr: fe80::800:27ff:fe00:0/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:184 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:28538 (28.5 KB)
Install Cuckoo Sandbox
The last step is to install Cuckoo itself.
ubuntu:~$ wget http://downloads.cuckoosandbox.org/cuckoo-current.tar.gz
ubuntu:~$ tar -xf cuckoo-current.tar.gz
ubuntu:~$ cd cuckoo
ubuntu:~$ ./cuckoo.py
ubuntu:~/Downloads/cuckoo$ ./cuckoo.py
Cuckoo Sandbox 1.1
www.cuckoosandbox.org
Copyright (c) 2010-2014
Checking for updates...
Good! You have the latest version available.
2014-11-04 02:49:56,352 [root] CRITICAL: CuckooCriticalError: Unable to bind result server on 192.168.56.1:2042: [Errno 99] Cannot assign requested address
At this point it shows that Cuckoo does run (all dependencies are present and
available), but it does not work yet. At least three configuration files need
to be modified before Cuckoo can run: auxiliary.conf, cuckoo.conf and
<machinery>.conf. It is important to read the documentation covering these
files carefully.
cuckoo.conf
This file is extensively commented for every option, which makes configuring it
much easier without needing to refer to the manual every time.
For this post, the following options need to be checked:
machinery = virtualbox
[resultserver]
ip = 192.168.56.1 #This is the VirtualBox host IP address
port = 2042 #leave as default if you have no services running on this port
All other options left at default.
auxiliary.conf
Again this configuration file is well commented.
[sniffer]
# Enable or disable the use of an external sniffer (tcpdump) [yes/no].
enabled = yes
# Specify the path to your local installation of tcpdump. Make sure this
# path is correct.
# You can check this using the command: whereis tcpdump
tcpdump = /usr/sbin/tcpdump
# Specify the network interface name on which tcpdump should monitor the
# traffic. Make sure the interface is active.
# The ifconfig command will show you the interface name.
interface = vboxnet0
<machinery>.conf / virtualbox.conf
<machinery>.conf is really the configuration file for the virtualization
software you have selected to use, so in this case it is virtualbox.conf. If you
use different virtualization software such as VMware Player, the file is
vmware.conf and the machinery line in cuckoo.conf reads machinery = vmware.
Again the configuration file is well commented.
Before editing virtualbox.conf, the name of the virtual machine is needed.
This can be changed as necessary:
The name of the virtual machine to be used is "WindowsXP_SP3_Cuckoo1".
virtualbox.conf is changed to have this:
machines = WindowsXP_SP3_Cuckoo1
[WindowsXP_SP3_Cuckoo1]
# Specify the label name of the current machine as specified in your
# VirtualBox configuration.
label = WindowsXP_SP3_Cuckoo1
platform = windows
ip = 192.168.56.10
# snapshot = Snapshot1 # If commented out, use the current "in use" snapshot.
tags = windows_xp_sp3,32_bit,testing,university
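The bind error shown earlier and the warning about cloned guests keeping the same static IP both come down to the addresses in cuckoo.conf and virtualbox.conf. The following added example (not part of the original post or of Cuckoo) parses fragments in that format, verifies that the result server IP can actually be bound on the host, and flags guests that are off the host-only /24 or share an IP; the configuration fragments are constructed, with a second guest standing in for an unedited clone.

```python
import configparser
import ipaddress
import socket
# Constructed config fragments mirroring the settings edited in this post (added
# example, not Cuckoo's code); the second guest is a clone whose static IP was
# never changed, the mistake the post warns about.
CUCKOO_CONF = """[resultserver]
ip = 192.168.56.1 # VirtualBox host IP
port = 2042
"""
VIRTUALBOX_CONF = """[virtualbox]
machines = WindowsXP_SP3_Cuckoo1,WindowsXP_SP3_Cuckoo2
[WindowsXP_SP3_Cuckoo1]
ip = 192.168.56.10
[WindowsXP_SP3_Cuckoo2]
ip = 192.168.56.10
"""

def load(text):
    """Parse a Cuckoo .conf fragment; inline '# ...' comments are stripped."""
    cp = configparser.ConfigParser(inline_comment_prefixes=("#",))
    cp.read_string(text)
    return cp

def bind_check(ip, port=0):
    """None if this host can bind ip, else the OS error text. Errno 99
    (EADDRNOTAVAIL) is the error above: the address is on no host interface."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        try:
            sock.bind((ip, port))
            return None
        except OSError as e:
            return "[Errno %d] %s" % (e.errno, e.strerror)

def check_machines(cuckoo_text, vbox_text):
    """List problems: a guest outside the result server's /24, duplicate static
    IPs between clones, or a listed machine without its own section."""
    cuckoo, vbox = load(cuckoo_text), load(vbox_text)
    subnet = ipaddress.ip_interface(cuckoo["resultserver"]["ip"] + "/24").network
    problems, seen = [], {}
    for name in (n.strip() for n in vbox["virtualbox"]["machines"].split(",")):
        if name not in vbox:
            problems.append("%s: missing [%s] section" % (name, name))
            continue
        ip = vbox[name]["ip"]
        if ipaddress.ip_address(ip) not in subnet:
            problems.append("%s: %s is not in %s" % (name, ip, subnet))
        if ip in seen:
            problems.append("%s: ip %s duplicates %s" % (name, ip, seen[ip]))
        seen.setdefault(ip, name)
    return problems
```

Run bind_check on the [resultserver] ip before starting cuckoo.py; if it returns an Errno 99 message, the vboxnet0 interface is not up yet.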
Checking if it all works...
Go to the directory where you put Cuckoo.
ubuntu:~$ ./cuckoo.py
Cuckoo Sandbox 1.1
www.cuckoosandbox.org
Copyright (c) 2010-2014
Checking for updates...
Good! You have the latest version available.
2014-11-05 23:07:42,599 [lib.cuckoo.core.scheduler] INFO: Using "virtualbox" machine manager
2014-11-05 23:07:42,830 [lib.cuckoo.core.scheduler] INFO: Loaded 1 machine/s
2014-11-05 23:07:42,831 [lib.cuckoo.core.scheduler] INFO: Waiting for analysis tasks...
Cuckoo is now running and ready for use!
Next post will go into details about using Cuckoo Sandbox including the web
reporting module.
http://gwallgofi.com/cuckoo-sandbox-part-2-installing/