This is the first time that I am setting up Cuckoo in my lab, so I've found the docs to be highly useful in getting it up and running. I have also listed a few reference blog pages and documents at the end of this post; without those the setup wouldn't have been so easy.
There are a few steps to be taken in order to get Cuckoo up and running:
- Get yourself a copy of Linux up and running as the Cuckoo host. I have used Ubuntu Server 12.10 running in a VMware Workstation virtual machine. All updates have been applied to Ubuntu before proceeding with the installation;
- Install all the prerequisites for Cuckoo; there are quite a few. You also might want to consider installing openssh if you want to make life easier and use SSH to administer the virtual machine;
- Install VirtualBox and configure the Analysis Guest virtual machines; and
- Install Cuckoo and configure it to use the appropriate Analysis Guest VMs.
The Cuckoo documentation includes the following diagram that explains the setup extremely well.
Image: Cuckoo virtual network environment (linked from http://docs.cuckoosandbox.org/en/latest/introduction/what/#architecture)
1. Building Your Cuckoo Host
Cuckoo documentation recommends Ubuntu as their syntax revolves around that distribution, but realistically your favourite distro will do the job. I used Ubuntu Server 12.10 as I already had a copy of the ISO downloaded, and I did not want the added overhead of using the Desktop version. I've set this up using VMware Workstation. Ensure you give the VM enough disk space, as you will be building additional virtual hosts within your Cuckoo Host box.
2. Install The Required Prerequisites for Cuckoo
This is probably the most time consuming part of the whole set-up. Cuckoo has a fair few dependencies that need to be installed before you can continue with the installation of Cuckoo itself. Check the docs for the latest list, but as of writing this post the following packages need to be installed (I've provided the commands for easy installation and in case I need to come back and redo this part of the lab work):
- Python 2.7
- SQLAlchemy
- tcpdump
Python 2.7 is required as Cuckoo is built in python, you'll need this installed to get Cuckoo running, the documentation specifically calls for the current release Python 2.7, so don't grab Python 3 at this stage. SQLAlchemy is also required for Cuckoo to function, and tcpdump needs to be installed and configured to record network traffic during analysis.
2.1 Install The Recommended Packages
The following libraries are not strictly required, but their installation is recommended by the Cuckoo team and included in the documentation (referenced here):
- Dpkt (Highly Recommended): for extracting relevant information from PCAP files.
- Jinja2 (Highly Recommended): for rendering the HTML reports and the web interface.
- Magic (Optional): for identifying files’ formats (otherwise use “file” command line utility)
- Pydeep (Optional): for calculating ssdeep fuzzy hash of files.
- Pymongo (Optional): for storing the results in a MongoDB database.
- Yara and Yara Python (Optional): for matching Yara signatures (use the svn version).
- Bottlepy (Optional): for using the web.py and api.py utilities.
- Pefile (Optional): used for static analysis of PE32 binaries.
- Python-pip: to download python modules
- Subversion: to download additional modules such as Yara
- Automake: for installing the latest Yara through svn
- Python-dev: to install yara-python
$ sudo apt-get install python-dpkt python-jinja2 python-magic python-pymongo mongodb python-bottle python-pefile python-pip subversion automake python-dev git libcap2-bin unzip
2.2 Installing Yara and Yara Python
YARA is a tool aimed at helping malware researchers to identify and classify malware samples. Yara needs to be installed before Yara Python and can be obtained in the following way:
$ sudo apt-get install libpcre3 libpcre3-dev
$ wget https://yara-project.googlecode.com/files/yara-1.7.tar.gz
$ tar -zxvf yara-1.7.tar.gz
$ cd yara-1.7
$ ./configure
$ make
$ make check
$ sudo make install
Now to install yara-python:
$ cd ..
$ wget https://yara-project.googlecode.com/files/yara-python-1.7.tar.gz
$ tar -zxvf yara-python-1.7.tar.gz
$ cd yara-python-1.7
$ python setup.py build
$ sudo python setup.py install
To check it's installed correctly:
>>> import yara
>>> yara.Error
<class 'yara.Error'>
In some operating systems (e.g: Ubuntu) you can get an error message like this one:
Traceback (most recent call last):
File "<stdin>", line 1, in ?
ImportError: libyara.so.0: cannot open shared object file: No such file or directory
If you get the previous error you should add the path /usr/local/lib to the loader
configuration file:
$ sudo su
$ echo "/usr/local/lib" >> /etc/ld.so.conf
$ ldconfig
2.3 Installing ssdeep and Pydeep
$ wget http://sourceforge.net/projects/ssdeep/files/ssdeep-2.10/ssdeep-2.10.tar.gz
$ tar -xvzf ssdeep-2.10.tar.gz
$ cd ssdeep-2.10
$ ./configure
$ make
$ sudo make install
$ cd ..
$ wget https://github.com/kbandla/pydeep/archive/master.zip
$ unzip master.zip
$ cd pydeep-master
$ python setup.py build
$ sudo python setup.py build install
2.4 Configuring tcpdump
I have already chosen to install tcpdump earlier in the process, but we want the cuckoo user to be able to run tcpdump without elevated privileges, so we need to modify the tcpdump running privileges.
$ sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
$ getcap /usr/sbin/tcpdump
3. Install Virtualbox
There is a very detailed and fantastic blog post over on Santi's blog that details setting up Virtualbox on Ubuntu, I'll only be repeating his process, so credit where credit is due and go and check out his work over here.
Note: I skipped doing "apt-get dist-upgrade" as there seem to be some issues with the VirtualBox repository for 13.10 and I had errors installing and using VirtualBox installed this way, so I kept my distro at 12.10 for the installation.
Update: As there are a couple of changes to some of the steps taken (for example phpvirtualbox has moved) I will include the steps I took here for future reference. I also used the latest version of VirtualBox for my Ubuntu distribution, not the one from the Ubuntu repositories.
First, make sure I can set up a shared folder between my host computer and the cuckoo server (accepting the defaults):
$ sudo vmware-config-tools.pl
Now I want to set up the repository for the VirtualBox downloads site
$ sudo vi /etc/apt/sources.list
Add the line: deb http://download.virtualbox.org/virtualbox/debian quantal contrib
$ wget -q http://download.virtualbox.org/virtualbox/debian/oracle_vbox.asc -O- | sudo apt-key add -
$ sudo apt-get update
$ sudo apt-get install virtualbox-4.1 dkms
Check the version of virtualbox installed
$ vboxmanage -v
mine is 4.1.28r89849
Install the extensions pack that will allow remote access to the host machines
$ wget http://download.virtualbox.org/virtualbox/4.1.28/Oracle_VM_VirtualBox_Extension_Pack-4.1.28-89849.vbox-extpack
$ sudo vboxmanage extpack install Oracle_VM_VirtualBox_Extension_Pack-4.1.28-89849.vbox-extpack
Add cuckoo user to the vbox usergroup
$ sudo usermod -a -G vboxusers cuckoo
$ id cuckoo
3.1 Setting up the virtual guests
Now to begin installation of the Analysis Guest Machine. We're going to set up Windows XP with SP3, 1 GB of RAM and 10 GB of hard drive space:
$ vboxmanage createvm --name "WindowsXP-1" --ostype WindowsXP --register
$ vboxmanage modifyvm "WindowsXP-1" --memory 1000 --acpi on --boot1 dvd --nic1 nat --hwvirtex off
$ vboxmanage createhd --filename "WinXP-1.vdi" --size 10000
$ vboxmanage storagectl "WindowsXP-1" --name "IDE Controller" --add ide --controller PIIX4
$ vboxmanage storageattach "WindowsXP-1" --storagectl "IDE Controller" --port 0 --device 0 --type hdd --medium "WinXP-1.vdi"
$ vboxmanage storageattach "WindowsXP-1" --storagectl "IDE Controller" --port 0 --device 1 --type dvddrive --medium /mnt/hgfs/share_name/windowsxp.iso
Once the setup is complete we can start the virtual machine
$ vboxheadless --startvm "WindowsXP-1" &
Image: vboxheadless started and listening for RDP connections
Open up RDP (or your choice) and connect to the Linux host on 3389 to complete the installation of Windows XP.
Image: Windows XP installation
This could take a while remember .....
Once the operating system installation has finished we need to do a few things to get the guest ready for analysis.
3.1.1 Set up shared folders between the cuckoo host and the analysis guest.
Turn off the virtual machine for this:
$ vboxmanage controlvm "WindowsXP-1" poweroff
$ mkdir -p /home/cuckoo/shares/WindowsXP-1
$ vboxmanage sharedfolder add "WindowsXP-1" --name "WindowsXP-1" --hostpath /home/cuckoo/shares/WindowsXP-1 --automount
$ vboxmanage sharedfolder add "WindowsXP-1" --name setup --hostpath /home/cuckoo/shares/setup --automount --readonly
$ vboxmanage modifyvm "WindowsXP-1" --nictrace1 on --nictracefile1 /home/cuckoo/shares/WindowsXP-1/dump.pcap
3.1.2 Install Guest Additions on WindowsXP
You're going to notice that it is fairly painful trying to navigate with the mouse in the virtual machine, so we need to install the Guest Additions:
$ cd /home/cuckoo/shares/WindowsXP-1
$ wget http://download.virtualbox.org/virtualbox/4.1.12/VBoxGuestAdditions_4.1.12.iso
3.1.3 Start the virtual machine and connect with RDP
$ vboxheadless --startvm "WindowsXP-1" &
3.1.4 Mount the ISO file in Windows XP
Mount the Guest Additions ISO in Windows XP and follow the installation prompts.
$ vboxmanage storageattach "WindowsXP-1" --storagectl "IDE Controller" --port 0 --device 1 --type dvddrive --medium /home/cuckoo/shares/WindowsXP-1/VBoxGuestAdditions_4.1.12.iso
Enjoy the use of your mouse again.
4. Finally ready to install Cuckoo
Now we have our requirements and optional extras installed plus VirtualBox and a Windows XP virtual machine, it's time to get to business and install cuckoo itself.
$ cd /home/cuckoo
$ sudo git clone git://github.com/cuckoobox/cuckoo.git
4.1 Preparing the virtual guest
A few final tasks remain to get the Windows XP guest ready for cuckoo: we need to install the cuckoo agent and make sure it starts up on reboot, install any vulnerable applications you like, and then take a snapshot.
4.1.1 Configure the host only adapter
At this point I refer back to Santi's blog post and his steps for configuring the host only adapter. We have the shared folder set up, so any additional packages that need to be installed from this point on can be downloaded on the cuckoo server:
$ vboxmanage hostonlyif create
$ vboxmanage controlvm "WindowsXP-1" poweroff
$ vboxmanage modifyvm "WindowsXP-1" --nic1 hostonly
$ vboxmanage modifyvm "WindowsXP-1" --hostonlyadapter1 vboxnet0
$ vboxheadless --startvm WindowsXP-1 &
4.1.2 Set up gateway and DNS on Windows XP guest
Need to set up the default gateway and DNS on the Windows guest so that we can get external access for things like VirusTotal;
- My network is 192.168.56.0/24 so I'll set my default route to 192.168.56.1
- I'll use the Google DNS of 8.8.8.8
Image: ipconfig output on the Windows XP guest
While I'm here I'm also going to ensure that the Windows firewall is disabled and automatic updates are switched off.
4.1.3 Install the cuckoo agent in Windows XP guest
In order for cuckoo to work its magic we need to install Python for Windows as well as install the cuckoo agent and set it to autorun on startup;
On the cuckoo server;
$ cd /home/cuckoo/shares/setup
$ wget http://python.org/ftp/python/2.7.6/python-2.7.6.msi
$ wget http://effbot.org/downloads/PIL-1.1.7.win32-py2.7.exe
$ cp /home/cuckoo/cuckoo/agent/agent.py /home/cuckoo/shares/setup
On the Windows XP guest;
- Install Python for Windows
- Install PIL for Windows
- Copy agent.py to C:\Python27\agent.pyw
- Add the following registry key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run: Name:'Agent' Type:'REG_SZ' Data:"C:\Python27\agent.pyw"
Upon restart we should see the agent listening on port 8000.
At this point I am going to create a snapshot of the virtual machine and I'm ready to start using cuckoo to analyse some malware!
$ vboxmanage snapshot "WindowsXP-1" take "WindowsXP-1Snap01" --pause
$ VBoxManage controlvm "WindowsXP-1" poweroff
$ VBoxManage snapshot "WindowsXP-1" restorecurrent
$ VBoxManage showvminfo "WindowsXP-1" | grep State
Now configure the cuckoo conf file to point at the correct virtual machines:
$ sudo vi /home/cuckoo/cuckoo/conf/virtualbox.conf
- Change mode from gui to headless
- Change the name of the machines to match
- Change the name of the heading to match your virtual machine name
- Change the label
- Ensure that the IP address matches
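The most common mistake when editing this file is a label that does not match the name VirtualBox registered the VM under. The following script is an added example (not from the original post or the Cuckoo project) that cross-checks the edited virtualbox.conf against `vboxmanage list vms`; it assumes the conf layout sketched in its header comment and a guest IP of 192.168.56.101.

```shell
#!/bin/bash
# Cross-check conf/virtualbox.conf against the VMs VirtualBox actually knows.
# Added example, not part of Cuckoo. Assumes the conf layout the post edits:
#   [virtualbox]              [WindowsXP-1]
#   mode = headless           label = WindowsXP-1
#   machines = WindowsXP-1    platform = windows
#                             ip = 192.168.56.101   (assumed guest IP)

# Print the value of key $2 inside section [$1] of the ini text on stdin.
ini_get() {
  awk -v sec="[$1]" -v key="$2" '
    $0 == sec { insec = 1; next }
    /^\[/     { insec = 0 }
    insec && $1 == key && $2 == "=" { sub(/^[^=]*=[ \t]*/, ""); print; exit }'
}

# Print registered VM names from `vboxmanage list vms` text on stdin.
vbox_vm_names() {
  sed -n 's/^"\(.*\)" {[0-9a-f-]*}$/\1/p'
}

# Return 0 when mode is headless and every machine's label is a registered
# VM; print what is wrong otherwise.  $1: conf text, $2: list-vms output.
check_conf() {
  local rc=0 mode machines m label
  mode=$(printf '%s\n' "$1" | ini_get virtualbox mode)
  [ "$mode" = "headless" ] || { echo "mode is '$mode', expected headless"; rc=1; }
  machines=$(printf '%s\n' "$1" | ini_get virtualbox machines | tr ',' ' ')
  [ -n "$machines" ] || { echo "no machines listed under [virtualbox]"; return 1; }
  for m in $machines; do
    label=$(printf '%s\n' "$1" | ini_get "$m" label)
    [ -n "$label" ] || { echo "section [$m] has no label"; rc=1; continue; }
    printf '%s\n' "$2" | vbox_vm_names | grep -qxF -- "$label" \
      || { echo "label '$label' is not a registered VirtualBox VM"; rc=1; }
  done
  return $rc
}

# Live check against the real conf; sourcing the file only defines functions.
if [ "${1:-}" = "--run" ]; then
  check_conf "$(cat /home/cuckoo/cuckoo/conf/virtualbox.conf)" "$(vboxmanage list vms)" \
    && echo "virtualbox.conf matches registered VMs"
fi
```

Run it as the cuckoo user with `bash check_vbox_conf.sh --run` after editing the file and before starting cuckoo.py.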
Configure the Cuckoo Host IP forwarding and firewall filters:
$ sudo iptables -A FORWARD -o eth0 -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT
$ sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$ sudo iptables -A POSTROUTING -t nat -j MASQUERADE
$ sudo sysctl -w net.ipv4.ip_forward=1
Add these commands to /etc/rc.local file to be executed every time the server wakes up or restarts.
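Before starting Cuckoo it is worth confirming that the pieces set up across the earlier steps actually took effect. This is an added check script, not part of the post or of Cuckoo: it verifies the tcpdump capabilities from 2.4, the vboxusers membership from section 3, IP forwarding and the iptables rules above, and that the agent from 4.1.3 answers on port 8000. The guest IP 192.168.56.101 is an assumption.

```shell
#!/bin/bash
# Post-setup sanity checks for the Cuckoo host built in this post. Added
# example, not part of Cuckoo or the original post. Assumes the post's paths
# and names: /usr/sbin/tcpdump, user "cuckoo", host-only net 192.168.56.0/24
# on vboxnet0 behind eth0, and a guest IP of 192.168.56.101 (assumed).
# Each check takes raw command output as $1 so it can be exercised offline.

tcpdump_caps_ok() {   # $1: output of `getcap /usr/sbin/tcpdump`
  printf '%s\n' "$1" | grep -q 'cap_net_raw' &&
  printf '%s\n' "$1" | grep -q 'cap_net_admin' &&
  printf '%s\n' "$1" | grep -q '[+=]eip'
}

ip_forward_ok() {     # $1: output of `sysctl -n net.ipv4.ip_forward`
  [ "$1" = "1" ]
}

in_vboxusers() {      # $1: output of `id -nG cuckoo`
  case " $1 " in *" vboxusers "*) return 0 ;; *) return 1 ;; esac
}

nat_rules_ok() {      # $1: output of `iptables -S FORWARD; iptables -t nat -S POSTROUTING`
  printf '%s\n' "$1" | grep -- '-A FORWARD' | grep -- '-i vboxnet0' \
    | grep -- '-o eth0' | grep -q -- '--ctstate NEW' &&
  printf '%s\n' "$1" | grep -- '-A FORWARD' | grep -q -- '--ctstate ESTABLISHED,RELATED' &&
  printf '%s\n' "$1" | grep -q -- '-A POSTROUTING -j MASQUERADE'
}

agent_listening() {   # $1: guest IP, $2: port; TCP connect via bash's /dev/tcp
  timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

run_all() {
  local rc=0
  tcpdump_caps_ok "$(getcap /usr/sbin/tcpdump)"   || { echo "FAIL: tcpdump capabilities"; rc=1; }
  ip_forward_ok "$(sysctl -n net.ipv4.ip_forward)" || { echo "FAIL: ip_forward is off"; rc=1; }
  in_vboxusers "$(id -nG cuckoo)"                  || { echo "FAIL: cuckoo not in vboxusers"; rc=1; }
  nat_rules_ok "$(sudo iptables -S FORWARD; sudo iptables -t nat -S POSTROUTING)" \
                                                   || { echo "FAIL: iptables NAT rules"; rc=1; }
  agent_listening 192.168.56.101 8000              || { echo "FAIL: agent not on :8000"; rc=1; }
  [ "$rc" -eq 0 ] && echo "all checks passed"
  return "$rc"
}

# Run the live checks only when asked; sourcing the file just defines them.
if [ "${1:-}" = "--run" ]; then run_all; fi
```

Run it with the guest booted from its snapshot (`bash cuckoo_host_check.sh --run`); a FAIL line names the step to revisit.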
Now we can see if Cuckoo starts up happily; if it does, you should see something similar to the picture below.
$ cd /home/cuckoo/cuckoo
$ python cuckoo.py
References
http://docs.cuckoosandbox.org/en/latest/installation/
http://santi-bassett.blogspot.com.au/2013/01/installing-cuckoo-sandbox-on-virtualbox.html