gwallgofi
security. hacking. all fun stuff.

Cuckoo Sandbox Part 2 :: installing
05 NOVEMBER 2014

This continues the series of posts about the Cuckoo Sandbox that I am doing for my course at Leeds Beckett University. They are posted on the invitation-only blog named DFA1415. As a result of that, I am making my posts public on my own site and I welcome all comments and feedback. To start at the beginning, go to Part 1.



This post details how Cuckoo Sandbox is installed and configured to work on an Ubuntu 14.04 LTS x64 system. The focus is on the latest version of Cuckoo Sandbox, which at the time of writing is 1.1.1.

Particular care is taken with the virtual machine being analysed. Sandboxing is a useful technique that allows unknown software or files to be opened inside an isolated environment, which can then be monitored to gather information on what the file or software actually does.

The download page warns that installing Cuckoo Sandbox is a delicate operation that needs careful attention to detail. The main focus of this post is therefore installing Cuckoo Sandbox so that it ends up as a working system, together with the details of the test lab in which tests on Cuckoo Sandbox can be carried out.

Lab Setup

The machine:

Intel i5-4690K CPU
VT-x and VT-d extensions enabled in the BIOS
16GB RAM
Ubuntu 14.04 LTS (Linux ubuntu 3.13.0-39-generic #66-Ubuntu SMP Tue Oct 28 13:30:27 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux)
VirtualBox 4.3.18 r96516
Cuckoo Sandbox 1.1.1

The VT-x and VT-d extensions of the CPU were enabled in the BIOS. VirtualBox needs VT-x to run 64-bit guests; VT-d is not required for this lab but was enabled as well.

Documentation

Cuckoo Sandbox provides very comprehensive documentation for the tool. The documentation is also available offline in PDF, ePub and HTML, and documentation for past versions of Cuckoo is available too, including in offline formats, as the download page shows.

Finally, the documentation is also available on GitHub, so you can keep it in sync via git, or even fork it, make edits and submit a pull request to the owner. If they approve of your changes, they are merged into the original repository.

Preparing the system

These instructions assume that you are running Ubuntu 14.04 LTS. The documentation was followed to install Cuckoo. It requires additional packages to be installed, as outlined in the requirements.

Most packages are optional, but three are essential for Cuckoo: Python 2.7, SQLAlchemy and Python BSON. For the purpose of testing, all optional packages were installed to get the most out of Cuckoo Sandbox.

Ubuntu 14.04 does come with Python 2.7 by default:

ubuntu:~$ python --version
Python 2.7.6

Installing required packages

In a terminal, the following command installs all essential and optional packages (including tcpdump), all on one line:

ubuntu:~$ sudo apt-get install mongodb python-sqlalchemy python-bson python-dpkt python-jinja2 python-magic python-pymongo python-gridfs python-libvirt python-bottle python-pefile python-chardet tcpdump -y

tcpdump is then given the capabilities it needs so that Cuckoo can run it without root:

ubuntu:~$ sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump

To verify, this is the expected output:

ubuntu:~$ getcap /usr/sbin/tcpdump
/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip

Note that file capabilities apply to anyone who can execute the binary, so every local user can now capture on every interface; that is acceptable on a dedicated analysis host but should not be done on a shared machine. The capabilities are also lost when the tcpdump package is upgraded (the new file has no extended attributes), so repeat the setcap command after updates.

Two additional pieces of software are also recommended (but optional): Yara and Pydeep. The documentation states that these need to be installed separately; however, Yara is provided in the Ubuntu universe repository:

ubuntu:~$ apt-cache show yara
Package: yara
Priority: optional
Section: universe/utils
Installed-Size: 85
Maintainer: Ubuntu Developers <[email protected]>
Original-Maintainer: Debian Forensics <[email protected]>
Architecture: amd64
Version: 2.0.0-2
Depends: libc6 (>= 2.4), libyara2 (>= 2.0.0)
Filename: pool/universe/y/yara/yara_2.0.0-2_amd64.deb

Cuckoo requires Yara 1.7 or higher, so this is fine. To install Yara, run sudo apt-get install yara -y. Cuckoo uses Yara from Python, so the python-yara binding is what actually matters; the volatility package below depends on it, or it can be installed directly with sudo apt-get install python-yara.

PYDEEP

Pydeep depends on ssdeep 2.8+. Ubuntu's repository carries ssdeep 2.7, so that package is not used; instead ssdeep needs to be compiled from source, and likewise Pydeep. Before doing so, a few packages are needed. The following commands were executed:

Install ssdeep from source

ubuntu:~$ sudo apt-get install build-essential git python-dev -y
ubuntu:~$ wget http://sourceforge.net/projects/ssdeep/files/ssdeep-2.12/ssdeep-2.12.tar.gz/download -O ssdeep.tar.gz
ubuntu:~$ tar -xf ssdeep.tar.gz
ubuntu:~$ cd ssdeep-2.12
ubuntu:~/ssdeep-2.12$ ./configure
ubuntu:~/ssdeep-2.12$ make
ubuntu:~/ssdeep-2.12$ sudo make install
ubuntu:~/ssdeep-2.12$ ssdeep -V
2.12

The tarball is fetched over plain HTTP and make install runs as root, so compare the download against the checksum the ssdeep project publishes for the release before building it.

Install pydeep via pip

ubuntu:~$ sudo apt-get install python-pip -y
ubuntu:~$ sudo pip install pydeep

The current stable release of pydeep is version 0.2.

ubuntu:~$ pip show pydeep
---
Name: pydeep
Version: 0.2
Location: /usr/local/lib/python2.7/dist-packages
Requires:

With thanks to Sandpox

If pydeep is installed but Cuckoo reports the error WARNING: Unable to import pydeep (install with pip install pydeep), then the loader cannot find libfuzzy.so.2: run sudo apt-get install libfuzzy-dev to provide it. (If ssdeep was built from source as above, running sudo ldconfig after make install also makes the copy installed in /usr/local/lib visible to the loader.)

Volatility

Volatility is a volatile memory extraction utility framework written in Python. It is an optional requirement, but as the documentation states, Cuckoo's analyser can miss some rootkits; Volatility gives further visibility into deep modifications of the operating system being analysed by examining its memory, catching what might otherwise be missed by Cuckoo. Note that Cuckoo only hands a memory dump to Volatility if dumping is turned on (memory_dump in cuckoo.conf) and the memory processing module is enabled in processing.conf; both are off by default.

The documentation states that version 2.3 of Volatility is required and that it needs to be installed separately; however, it is available in the Ubuntu universe repository as version 2.3.1-7:

ubuntu:~$ apt-cache show volatility
Package: volatility
Priority: optional
Section: universe/utils
Installed-Size: 9188
Maintainer: Ubuntu Developers <[email protected]>
Original-Maintainer: Debian Forensics <[email protected]>
Architecture: all
Version: 2.3.1-7
Depends: python (>= 2.7), python (<< 2.8), python:any (>= 2.7.1-0ubuntu2), python-crypto, python-imaging, python-openpyxl, python-yara, volatility-tools (>= 2.3.1-5)
Recommends: volatility-profiles
Suggests: lime-forensics-dmks, libraw1394-11
Filename: pool/universe/v/volatility/volatility_2.3.1-7_all.deb

To install: sudo apt-get install volatility -y
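The checks made by hand above (the apt packages importable, tcpdump's capabilities, and the ssdeep 2.8, Yara 1.7 and Volatility 2.3 minimums quoted from the documentation) can be repeated in one go. The following script is an added example and is not part of the original post or of Cuckoo. It is written to run under both the Python 2.7 that Cuckoo 1.1 uses (run it as python2 so the import check tests the right interpreter) and Python 3; package versions are read with dpkg-query and the ssdeep version from ssdeep -V, as in the post. The file name preflight.py is an assumption.

```python
"""preflight.py: host-side dependency check for the Cuckoo 1.1 install above."""
from __future__ import print_function
import importlib
import re
import subprocess

# Import names of the packages installed with apt-get above (not the package names).
REQUIRED_MODULES = ["sqlalchemy", "bson"]
OPTIONAL_MODULES = ["dpkt", "jinja2", "magic", "pymongo", "gridfs", "libvirt",
                    "bottle", "pefile", "chardet", "yara", "pydeep"]
# Minimum versions quoted from the documentation in the post.
MIN_VERSIONS = {"ssdeep": "2.8", "yara": "1.7", "volatility": "2.3"}


def version_tuple(text):
    """'2.3.1-7' -> (2, 3, 1): only the dotted numeric prefix is compared."""
    match = re.search(r"\d+(?:\.\d+)*", text)
    if not match:
        raise ValueError("no version number in %r" % text)
    return tuple(int(part) for part in match.group(0).split("."))


def version_at_least(found, minimum):
    """Numeric comparison, so 2.12 >= 2.8 (a string comparison would get this wrong)."""
    return version_tuple(found) >= version_tuple(minimum)


def getcap_ok(getcap_line):
    """True if a getcap line grants both cap_net_raw and cap_net_admin with e, i and p.
    Accepts the old 'path = caps+eip' and the newer 'path caps=eip' output formats."""
    tokens = [t for t in getcap_line.split() if t != "="][1:]
    granted = set()
    for clause in tokens:
        parts = re.split(r"[+=]", clause, maxsplit=1)
        if len(parts) == 2 and set("eip") <= set(parts[1]):
            granted.update(parts[0].split(","))
    return set(["cap_net_raw", "cap_net_admin"]) <= granted


def missing_modules(names):
    """Names that the interpreter running this script cannot import."""
    missing = []
    for name in names:
        try:
            importlib.import_module(name)
        except ImportError:
            missing.append(name)
    return missing


def command_output(argv):
    """First line of stdout from argv, or None if the command is absent or fails."""
    try:
        proc = subprocess.Popen(argv, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    except OSError:
        return None
    out, _ = proc.communicate()
    if proc.returncode != 0:
        return None
    lines = out.decode("utf-8", "replace").strip().splitlines()
    return lines[0] if lines else None


def preflight():
    """Return a list of problems found on this host (empty list: nothing to fix)."""
    problems = []
    for name in missing_modules(REQUIRED_MODULES):
        problems.append("required module not importable: %s" % name)
    for name in missing_modules(OPTIONAL_MODULES):
        problems.append("optional module not importable: %s" % name)
    caps = command_output(["getcap", "/usr/sbin/tcpdump"])
    if caps is None or not getcap_ok(caps):
        problems.append("tcpdump lacks cap_net_raw,cap_net_admin=eip (rerun setcap)")
    ssdeep = command_output(["ssdeep", "-V"])
    if ssdeep is None or not version_at_least(ssdeep, MIN_VERSIONS["ssdeep"]):
        problems.append("ssdeep missing or older than %s" % MIN_VERSIONS["ssdeep"])
    for pkg in ("yara", "volatility"):
        ver = command_output(["dpkg-query", "-W", "--showformat=${Version}", pkg])
        if ver is None or not version_at_least(ver, MIN_VERSIONS[pkg]):
            problems.append("%s missing or older than %s" % (pkg, MIN_VERSIONS[pkg]))
    return problems


if __name__ == "__main__":
    for problem in preflight():
        print("PROBLEM:", problem)
    print("preflight finished")
```

Versions are compared as tuples of integers rather than as strings, which is why 2.12 correctly ranks above the 2.8 minimum; getcap_ok() looks only at the capability names and flags, so it does not care which of the two getcap output formats the host's libcap prints.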

Virtualization Software

Cuckoo makes use of virtualization software to run the Windows client. Cuckoo is flexible enough to work with most virtualization software of your choice, such as KVM, VMware, VirtualBox and others. However, the documentation is geared toward VirtualBox, so that is what is used here.

Install VirtualBox

The documentation does not cover installing the virtualization software, as that is outside its scope. Since the documentation uses VirtualBox, this post does too. The following commands were used to install it:

ubuntu:~$ echo "deb http://download.virtualbox.org/virtualbox/debian trusty contrib" | sudo tee -a /etc/apt/sources.list
ubuntu:~$ wget -q https://www.virtualbox.org/download/oracle_vbox.asc -O- | sudo apt-key add -
ubuntu:~$ sudo apt-get update
ubuntu:~$ sudo apt-get install virtualbox-4.3 dkms
ubuntu:~$ sudo adduser your_username vboxusers

(The first line uses tee rather than sudo echo "..." >> /etc/apt/sources.list: with the redirect form the shell opens sources.list as the unprivileged user before sudo ever runs, so it fails with permission denied.)

This installs the latest 4.3 release of VirtualBox from Oracle (4.3.18 r96516 at the time of posting) and adds your primary account to the vboxusers group, allowing you to use the VirtualBox host kernel modules (vboxdrv, vboxnetflt and vboxnetadp). Log out and back in before using VirtualBox.

Creating a Virtual Machine

Cuckoo Sandbox works with a Windows virtual machine to analyse malware. Windows XP SP3 is recommended, although Windows 7 can be used provided User Account Control is turned off.

The following screenshots show some suggested options for creating a Windows XP SP3 image:

Make sure the correct choice between the 32-bit and the 64-bit version of Windows XP is selected.

512MB of memory is allocated; 2048MB is recommended if running a number of applications on the image.

The default disk type, VDI, is used.

The last step is to add an ISO image of Windows XP SP3. Make sure the boot order has the CD first (this is the default). Select the option "Choose a virtual CD/DVD disk file..." and, on starting the VM, continue with the Windows setup.

To have a working network connection in the Windows XP image, change the network adapter type to PCnet-FAST III, for which Windows XP ships a driver.

Install the VirtualBox Guest Additions; these provide the video driver, mouse integration and the Shared Folders support used below. Be aware that the Guest Additions (their services, drivers and registry keys) are an easy way for malware to detect that it is running in VirtualBox, so some analysts remove them again before taking the final snapshot.

The guest needs to be prepared before Cuckoo can work with it. It needs Python 2.7 installed on the guest. Install the Python Imaging Library (PIL) as well; this allows screenshots to be taken.

(Note: in some cases Python.org will not load in Internet Explorer 6 on Windows XP SP3. It is easier to download the files needed on the host system and use a Shared Folder to transfer them to the guest.)

Turn off Windows Firewall and Automatic Updates; the idea is to have a "pre-update" version of Windows. This leaves the guest deliberately unpatched and unprotected, which is one more reason it must only ever sit on the isolated host-only network described below. The last step is to install the Cuckoo Agent, which runs an XMLRPC server listening for connections. The file is found in the ./cuckoo/agent folder and is named agent.py. When run it shows a Python console window; renaming the file to agent.pyw hides the window. Place this file in the Startup folder of the guest system so that it starts automatically.

This is the template image that you can work forward from. Shut down the virtual machine and save this as a snapshot. (The documentation instead takes the snapshot while the VM is running with the agent up, using VBoxManage snapshot "<VM name>" take "<snapshot name>" --pause, so that a restored VM is ready immediately; a powered-off snapshot also works, but each analysis then begins with a full boot of the guest, which has to finish before Cuckoo's timeout for contacting the agent expires.)

With this snapshot you have a template image from which you can install various software such as Chrome, Firefox, Adobe PDF Reader and so on for testing malware with Cuckoo, and you can easily roll back any changes.

This image can be cloned if additional virtual machines are needed, but make sure the static IP addresses are changed, and give each clone its own label and IP entry in virtualbox.conf.

NETWORKING

The recommended setup uses a Host-Only networking layout, with proper forwarding and filtering configured with iptables on the host. The documentation gives details of this.

As this is an initial look at Cuckoo Sandbox, the iptables rules were not used at this point; VirtualBox's own networking was used instead. A new NAT network named Cuckoo was created with DHCP disabled. Virtual machines analysed by Cuckoo must use static IP addresses only, as Cuckoo does not support DHCP. Note that the 192.168.56.0/24 addresses used below, and the vboxnet0 interface that tcpdump captures on and the result server binds to, belong to VirtualBox's host-only adapter: Cuckoo expects the guest's traffic to appear on that interface from the static IP given in virtualbox.conf, so the analysis VM needs a network adapter attached to the host-only network.

The test virtual machine is assigned the IP address 192.168.56.10.

Note: the host system has the IP address 192.168.56.1:

ubuntu:~$ ifconfig

vboxnet0  Link encap:Ethernet  HWaddr 0a:00:27:00:00:00
          inet addr:192.168.56.1  Bcast:192.168.56.255  Mask:255.255.255.0
          inet6 addr: fe80::800:27ff:fe00:0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:184 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:28538 (28.5 KB)

Install Cuckoo Sandbox

The last step is to install Cuckoo itself.

ubuntu:~/Downloads$ wget http://downloads.cuckoosandbox.org/cuckoo-current.tar.gz
ubuntu:~/Downloads$ tar -xf cuckoo-current.tar.gz
ubuntu:~/Downloads$ cd cuckoo
ubuntu:~/Downloads/cuckoo$ ./cuckoo.py

Cuckoo Sandbox 1.1
www.cuckoosandbox.org
Copyright (c) 2010-2014

Checking for updates...
Good! You have the latest version available.

2014-11-04 02:49:56,352 [root] CRITICAL: CuckooCriticalError: Unable to bind result server on 192.168.56.1:2042: [Errno 99] Cannot assign requested address

At this point Cuckoo does run, and all its dependencies are present, but it does not work yet. Errno 99 (EADDRNOTAVAIL) means that the host did not own 192.168.56.1 when cuckoo.py started: the vboxnet0 host-only interface only exists once VirtualBox has created it, and it can be missing again after a host reboot. Check that ifconfig shows vboxnet0 with that address and, if it does not, assign it with VBoxManage hostonlyif ipconfig vboxnet0 --ip 192.168.56.1 before starting Cuckoo. At least three configuration files also need to be modified before Cuckoo can run: auxiliary.conf, cuckoo.conf and <machinery>.conf. It is important to read the documentation covering these files carefully.
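Two things have to hold for the addresses used here before Cuckoo is started: the host must be able to bind the result server address, and the guest's agent must answer on its static IP. The following Python 3 script is an added example, not code from the original post or from Cuckoo. It assumes the agent's XMLRPC port is 8000 and that the agent exposes a get_status() method, which is how Cuckoo 1.x's agent.py and guest manager talk to each other; start_fake_agent() is a constructed stand-in for agent.py so that the check can be exercised offline. The file name check_lab.py is an assumption.

```python
"""check_lab.py: host-to-guest connectivity checks for the Cuckoo lab above."""
import socket
import threading
import xmlrpc.client
from xmlrpc.server import SimpleXMLRPCServer

RESULTSERVER = ("192.168.56.1", 2042)  # [resultserver] ip and port from cuckoo.conf
GUEST_IP = "192.168.56.10"             # static IP of the analysis VM
AGENT_PORT = 8000                      # assumed: the port agent.py listens on in Cuckoo 1.x


def can_bind(ip, port):
    """True if this host owns ip and port is free: the same bind Cuckoo's result
    server performs at start-up, which failed above with Errno 99 (EADDRNOTAVAIL)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.bind((ip, port))
        return True
    except OSError:
        return False
    finally:
        sock.close()


def agent_status(ip, port=AGENT_PORT, timeout=3.0):
    """Ask the guest agent for its status over XMLRPC (assumed get_status() method).
    Returns the integer the agent reports, or None when nothing answers."""
    previous = socket.getdefaulttimeout()
    socket.setdefaulttimeout(timeout)  # xmlrpc.client has no per-call timeout
    try:
        proxy = xmlrpc.client.ServerProxy("http://%s:%d" % (ip, port))
        return int(proxy.get_status())
    except (OSError, xmlrpc.client.Error, ValueError):
        return None
    finally:
        socket.setdefaulttimeout(previous)


def start_fake_agent(host="127.0.0.1"):
    """Constructed stand-in for agent.py, for offline testing only: answers
    get_status() with 1 on a free port. Returns (server, port)."""
    server = SimpleXMLRPCServer((host, 0), logRequests=False)
    server.register_function(lambda: 1, "get_status")
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def check_lab(resultserver=RESULTSERVER, guest_ip=GUEST_IP, agent_port=AGENT_PORT):
    """Return (result server bindable, agent status) for the addresses Cuckoo will use."""
    return can_bind(*resultserver), agent_status(guest_ip, agent_port)


if __name__ == "__main__":
    bindable, status = check_lab()
    print("host can bind result server %s:%d: %s" % (RESULTSERVER + (bindable,)))
    print("guest agent on %s:%d: %s" % (
        GUEST_IP, AGENT_PORT, "unreachable" if status is None else "status %d" % status))
```

Run it with the VM started from its snapshot: a False from can_bind() for 192.168.56.1:2042 reproduces the Errno 99 failure above (vboxnet0 absent, or another process already on the port), and None from agent_status() means nothing answered on the guest, usually because agent.pyw is not in the Startup folder or the Windows firewall is still enabled.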

cuckoo.conf

This file is extensively commented for every option, which makes configuring it much easier without needing to refer to the manual every time.

For this post, the following options need to be checked. The comments are on their own lines on purpose: Cuckoo reads these files with Python 2's ConfigParser, which only treats ';' as an inline comment marker, so a '#' after a value on the same line becomes part of the value and breaks the address and port.

[cuckoo]
machinery = virtualbox

[resultserver]
# The VirtualBox host-only IP address of the host
ip = 192.168.56.1
# Leave at the default if no other service is listening on this port
port = 2042

All other options were left at their defaults.

auxiliary.conf

Again, this configuration file is well commented.

[sniffer]
# Enable or disable the use of an external sniffer (tcpdump) [yes/no].
enabled = yes
# Specify the path to your local installation of tcpdump. Make sure this
# path is correct.
# You can check this using the command: whereis tcpdump
tcpdump = /usr/sbin/tcpdump
# Specify the network interface name on which tcpdump should monitor the
# traffic. Make sure the interface is active.
# The ifconfig command will show you the interface name.
interface = vboxnet0

<machinery>.conf / virtualbox.conf

<machinery>.conf is really the configuration file for the virtualization software you have selected to use; in this case it is named virtualbox.conf. If you use different virtualization software such as VMware Player, the file is vmware.conf and the machinery line in cuckoo.conf reads machinery = vmware.

Again, the configuration file is well commented.

Before editing virtualbox.conf, the name of the virtual machine is needed. It can be changed in VirtualBox as necessary:

The name of the virtual machine to be used is "WindowsXP_SP3_Cuckoo1". The label must match the VM name exactly as VirtualBox knows it (VBoxManage list vms shows the names). The virtualbox.conf file is changed to have this:

[virtualbox]
machines = WindowsXP_SP3_Cuckoo1

[WindowsXP_SP3_Cuckoo1]
# Specify the label name of the current machine as specified in your
# VirtualBox configuration.
label = WindowsXP_SP3_Cuckoo1
platform = windows
ip = 192.168.56.10
# snapshot = Snapshot1 # If commented out, use the current "in use" snapshot.
tags = windows_xp_sp3,32_bit,testing,university
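The three fragments above have to agree with each other before cuckoo.py is started again. The following Python 3 script is an added example, not part of the original post or of Cuckoo: it loads constructed copies of the fragments and reports any mismatch between them. It reads the files the way Cuckoo does (ConfigParser with no inline comment prefix, so a '#' following a value is kept as data), which is what flags the annotation pitfall mentioned under cuckoo.conf. The /24 prefix assumed for the host-only network matches the netmask in the ifconfig output above and is a parameter.

```python
import configparser
import ipaddress

# Constructed copies of the three fragments above, annotations moved onto their own lines.
CUCKOO_CONF = """
[cuckoo]
machinery = virtualbox
[resultserver]
# host-only address of the host
ip = 192.168.56.1
port = 2042
"""
AUXILIARY_CONF = """
[sniffer]
enabled = yes
tcpdump = /usr/sbin/tcpdump
interface = vboxnet0
"""
VIRTUALBOX_CONF = """
[virtualbox]
machines = WindowsXP_SP3_Cuckoo1
[WindowsXP_SP3_Cuckoo1]
label = WindowsXP_SP3_Cuckoo1
platform = windows
ip = 192.168.56.10
# snapshot = Snapshot1
tags = windows_xp_sp3,32_bit,testing,university
"""


def load(text):
    """Parse as Cuckoo 1.1 does (Python 2 ConfigParser): a '#' after a value on the
    same line is not a comment, so 'ip = 1.2.3.4 #note' yields '1.2.3.4 #note'."""
    parser = configparser.ConfigParser(interpolation=None)  # no inline_comment_prefixes
    parser.read_string(text)
    return parser


def check(cuckoo_text, auxiliary_text, machinery_text, machinery="virtualbox", prefixlen=24):
    """Return a list of problems; an empty list means the three files agree.
    prefixlen is the host-only network's mask (/24 in the ifconfig output above)."""
    problems = []
    files = {"cuckoo.conf": load(cuckoo_text), "auxiliary.conf": load(auxiliary_text),
             machinery + ".conf": load(machinery_text)}
    # 1. A '#' inside a value is an inline annotation that Cuckoo would read as data.
    for fname, parser in files.items():
        for section in parser.sections():
            for key, value in parser.items(section):
                if "#" in value:
                    problems.append("%s: [%s] %s contains '#'; move the comment to its own line"
                                    % (fname, section, key))
    cuckoo, mach, aux = files["cuckoo.conf"], files[machinery + ".conf"], files["auxiliary.conf"]
    # 2. cuckoo.conf must select the machinery file being edited.
    if cuckoo.get("cuckoo", "machinery", fallback=None) != machinery:
        problems.append("cuckoo.conf: machinery is not '%s'" % machinery)
    # 3. Result server address (the host's host-only address) and port.
    rs_text = cuckoo.get("resultserver", "ip", fallback="")
    try:
        rs_ip = ipaddress.ip_address(rs_text)
        rs_net = ipaddress.ip_network("%s/%d" % (rs_text, prefixlen), strict=False)
    except ValueError:
        problems.append("cuckoo.conf: resultserver ip %r is not an IP address" % rs_text)
        rs_ip = rs_net = None
    try:
        if not 1 <= cuckoo.getint("resultserver", "port") <= 65535:
            raise ValueError
    except (ValueError, configparser.Error):
        problems.append("cuckoo.conf: resultserver port is not a valid port number")
    # 4. Each listed machine needs a section, a label and a unique guest IP on the result server's network.
    listed = [m.strip() for m in mach.get(machinery, "machines", fallback="").split(",") if m.strip()]
    if not listed:
        problems.append("%s.conf: 'machines' lists no virtual machine" % machinery)
    seen = {}
    for name in listed:
        if not mach.has_section(name):
            problems.append("%s.conf: machine %r is listed but has no [%s] section" % (machinery, name, name))
            continue
        if not mach.get(name, "label", fallback=""):
            problems.append("%s.conf: [%s] has no label (must equal the VirtualBox VM name)" % (machinery, name))
        guest_text = mach.get(name, "ip", fallback="")
        try:
            guest_ip = ipaddress.ip_address(guest_text)
        except ValueError:
            problems.append("%s.conf: [%s] ip %r is not an IP address" % (machinery, name, guest_text))
            continue
        if guest_ip in seen:
            problems.append("%s.conf: [%s] and [%s] share ip %s" % (machinery, name, seen[guest_ip], guest_text))
        seen[guest_ip] = name
        if rs_net is not None and guest_ip not in rs_net:
            problems.append("%s.conf: [%s] ip %s is not on %s" % (machinery, name, guest_text, rs_net))
        if rs_ip is not None and guest_ip == rs_ip:
            problems.append("%s.conf: [%s] ip equals the result server address" % (machinery, name))
    # 5. With the sniffer enabled, Cuckoo needs the tcpdump path and the capture interface.
    try:
        sniffing = aux.getboolean("sniffer", "enabled", fallback=False)
    except ValueError:
        sniffing = False
    if sniffing:
        for key in ("tcpdump", "interface"):
            if not aux.get("sniffer", key, fallback=""):
                problems.append("auxiliary.conf: [sniffer] %s is empty" % key)
    return problems


if __name__ == "__main__":
    for problem in check(CUCKOO_CONF, AUXILIARY_CONF, VIRTUALBOX_CONF):
        print("PROBLEM:", problem)
```

To check the real files, replace the three constants with the contents of cuckoo.conf, auxiliary.conf and virtualbox.conf from Cuckoo's conf directory; an empty result means the machine list, labels, guest IPs, result server address and sniffer settings are consistent, which is exactly the state in which the "Loaded 1 machine/s" line below appears.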

Checking if it all works...

Go to the directory where you put Cuckoo.

ubuntu:~/Downloads/cuckoo$ ./cuckoo.py

Cuckoo Sandbox 1.1
www.cuckoosandbox.org
Copyright (c) 2010-2014

Checking for updates...
Good! You have the latest version available.

2014-11-05 23:07:42,599 [lib.cuckoo.core.scheduler] INFO: Using "virtualbox" machine manager
2014-11-05 23:07:42,830 [lib.cuckoo.core.scheduler] INFO: Loaded 1 machine/s
2014-11-05 23:07:42,831 [lib.cuckoo.core.scheduler] INFO: Waiting for analysis tasks...

Cuckoo is now running and ready for use!

The next post will go into details about using Cuckoo Sandbox, including the web reporting module.

http://gwallgofi.com/cuckoo-sandbox-part-2-installing/