
Friday, March 24, 2017

How to Install Cuckoo Sandbox? [Step3]

Configuration

Step1: Edit Cuckoo's configuration and parameters

There are several configuration files under Cuckoo's conf directory, but only a handful of basic values need to change:

First edit reporting.conf
[jsondump]
enabled = yes <== change no to yes
indent = 4
encoding = latin-1
calls = yes

[reporthtml]
enabled = yes <== change no to yes

[mongodb]
enabled = yes <== change no to yes (the web interface reads analysis results from MongoDB, so without this the pages in Step3 stay empty)
host = 127.0.0.1
port = 27017
db = cuckoo
store_memdump = yes
paginate = 100

Then edit virtualbox.conf
[cuckoo1]
label = Win7_32 <== the VM's name, exactly as VirtualBox shows it (VBoxManage list vms); the ip value in the same section must be the guest address configured when the VM was set up (192.168.56.101)
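As an added example that is not part of the original post, the following shell functions read the values above back out of the conf files so that a typo is caught before cuckoo.py is started. It assumes the checkout lives at ~/cuckoo (override with the CUCKOO environment variable) and the conf layout shown above; the VM-name check runs only when VBoxManage is installed on the host. The file name check_conf.sh and the "check" argument are this example's own conventions.

```shell
#!/bin/bash
# Added example: verify the reporting.conf / virtualbox.conf edits described above.
# Assumes Cuckoo is checked out at ~/cuckoo (override with $CUCKOO).

# conf_get FILE SECTION KEY -> prints the value of KEY inside [SECTION], or nothing
conf_get() {
    awk -v sec="[$2]" -v key="$3" '
        { line = $0; sub(/[ \t]*[#;].*$/, "", line); gsub(/^[ \t]+|[ \t]+$/, "", line) }
        line == sec  { insec = 1; next }     # entered the wanted section
        line ~ /^\[/ { insec = 0; next }     # any other header ends it
        insec && index(line, "=") {
            n = index(line, "=")
            k = substr(line, 1, n - 1); v = substr(line, n + 1)
            gsub(/[ \t]+$/, "", k); gsub(/^[ \t]+/, "", v)
            if (k == key) { print v; exit }
        }
    ' "$1"
}

# conf_require FILE SECTION KEY WANT -> 0 if the value matches, 1 (with a message) otherwise
conf_require() {
    local got
    got=$(conf_get "$1" "$2" "$3")
    [ "$got" = "$4" ] && return 0
    echo "FAIL: $(basename "$1") [$2] $3 = '${got:-<unset>}', want '$4'" >&2
    return 1
}

# check_cuckoo_conf CONFDIR -> 0 when every check passes, otherwise the number of failures
check_cuckoo_conf() {
    local conf="$1" fails=0 label
    # the three reporting modules the web interface depends on
    conf_require "$conf/reporting.conf" jsondump   enabled yes || fails=$((fails + 1))
    conf_require "$conf/reporting.conf" reporthtml enabled yes || fails=$((fails + 1))
    conf_require "$conf/reporting.conf" mongodb    enabled yes || fails=$((fails + 1))
    # label must name a real VirtualBox machine (skipped when VBoxManage is absent)
    label=$(conf_get "$conf/virtualbox.conf" cuckoo1 label)
    if [ -z "$label" ]; then
        echo "FAIL: virtualbox.conf [cuckoo1] has no label" >&2
        fails=$((fails + 1))
    elif command -v VBoxManage >/dev/null 2>&1 &&
         ! VBoxManage list vms | grep -q "^\"$label\" {"; then
        echo "FAIL: VirtualBox has no VM named '$label'" >&2
        fails=$((fails + 1))
    fi
    return "$fails"
}

# usage: ./check_conf.sh check
if [ "${1:-}" = "check" ]; then
    check_cuckoo_conf "${CUCKOO:-$HOME/cuckoo}/conf" && echo "conf looks good"
fi
```

Run it once after editing the files and again whenever the VM is renamed; a mismatch between label and the VirtualBox name is the most common reason Cuckoo starts but never launches an analysis.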

Step2: Start Cuckoo and the web interface

1) In the cuckoo directory, run ./cuckoo.py

2) In the cuckoo/web directory, run ./manage.py runserver (Django's development server listens on 127.0.0.1:8000 by default, which is the address used in the next step)



Step3: Upload a malware sample and test it

First download a sample from a malware-sharing site to test with.

Open Firefox and go to 127.0.0.1:8000

You can see that the upload succeeded and the analysis has started.

When the analysis finishes, the page shows the task as reported; click the sample's MD5 field to open the analysis report.

That is the whole installation and testing process I went through; give it a try.

How to Install Cuckoo Sandbox? [Step2]

Set up the Windows 7 guest VM in VirtualBox

1. Install the Windows 7 OS (don't update!)

2. Install Office 2003 or 2010 (don't update!)

3. Install AdbeRdr9.exe (Adobe Reader 9; don't update!)

4. Install flash-player9.msi (don't update!)

5. Turn off the Windows Firewall and UAC

6. Turn off the automatic update function of [OS] [Office] [Adobe]

7. Install Python 2.7 (make sure python is added to the system PATH environment variable)

9. Copy Cuckoo's agent.py (from the agent directory of the Cuckoo checkout) into the Startup folder and rename it to agent.pyw so it starts without a console window:
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

10. Turn off network active probing (otherwise the Network Connectivity Status Indicator contacts Microsoft on every boot, and that traffic shows up in every capture)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet
Set EnableActiveProbing from 1 to 0

11. Turn off Teredo IPv6 tunneling in Windows
Open a command prompt with administrator privileges
(Start -> Accessories -> right-click Command Prompt,
choose Run as Administrator):
C:\> netsh interface teredo set state disabled [Enter]
 

12. Set up the network environment
1) On Ubuntu, go to the directory holding the update_ip_tables.sh script created in the first post and run sudo ./update_ip_tables.sh

2) On Ubuntu, open VirtualBox's network settings and add a Host-only network interface [vboxnet0]

3) On Ubuntu, open the VM's network settings and attach its adapter to the Host-only interface [vboxnet0]

The VM's network settings are as shown in the screenshot below

4) Test that networking between Ubuntu and the VM works
 ubuntu: ping 192.168.56.101
 vm: ping 192.168.56.1
     ping www.google.com

5) Once the VM's settings and the tests are all good, save a [snapshot] of the VM <== very, very, very important (Cuckoo restores this snapshot before every analysis, so take it while the guest is running clean with the agent started)
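The same steps 2) to 5), driven from the Ubuntu shell with VBoxManage instead of the VirtualBox GUI, as an added example that is not part of the original post. It assumes the VM is named Win7_32 (the label used later in virtualbox.conf), that vboxnet0 gets 192.168.56.1/24 with the guest at 192.168.56.101, that the Cuckoo agent listens on TCP 8000 inside the guest (its default), and a snapshot name of "clean"; all of these can be overridden through the environment. The two text checks are pure functions over showvminfo output so they can be tested without VirtualBox installed.

```shell
#!/bin/bash
# Added example: steps 2)-5) with VBoxManage, plus checks before the snapshot.
# Assumed names/addresses (override via environment): VM Win7_32 on vboxnet0,
# host 192.168.56.1, guest 192.168.56.101, agent port 8000, snapshot "clean".
VM="${VM:-Win7_32}"
HOSTONLY_IF="${HOSTONLY_IF:-vboxnet0}"
HOST_IP="${HOST_IP:-192.168.56.1}"
GUEST_IP="${GUEST_IP:-192.168.56.101}"
AGENT_PORT="${AGENT_PORT:-8000}"
SNAPSHOT="${SNAPSHOT:-clean}"

# vm_network_ok INFO -> 0 when "VBoxManage showvminfo --machinereadable" output
# says the first adapter is host-only and attached to $HOSTONLY_IF
vm_network_ok() {
    printf '%s\n' "$1" | grep -qx 'nic1="hostonly"' &&
    printf '%s\n' "$1" | grep -qx "hostonlyadapter1=\"$HOSTONLY_IF\""
}

# vm_has_snapshot INFO NAME -> 0 when a snapshot called NAME exists
# (nested snapshots appear as SnapshotName-1, SnapshotName-1-1, ...)
vm_has_snapshot() {
    printf '%s\n' "$1" | grep -qx "SnapshotName\(-[0-9][0-9]*\)*=\"$2\""
}

# 2) host-only interface with the host's address (created only if missing)
setup_hostonly() {
    VBoxManage list hostonlyifs | grep -qx "Name: *$HOSTONLY_IF" ||
        VBoxManage hostonlyif create
    VBoxManage hostonlyif ipconfig "$HOSTONLY_IF" --ip "$HOST_IP" --netmask 255.255.255.0
}

# 3) attach the (powered-off) VM's first adapter to that interface
attach_vm() {
    VBoxManage modifyvm "$VM" --nic1 hostonly --hostonlyadapter1 "$HOSTONLY_IF"
}

# 4) host-side half of the connectivity test: guest answers ping and the agent port is open
wait_for_guest() {
    local i
    for i in $(seq 1 60); do
        if ping -c 1 -W 1 "$GUEST_IP" >/dev/null 2>&1 &&
           nc -z -w 1 "$GUEST_IP" "$AGENT_PORT" >/dev/null 2>&1; then
            return 0
        fi
        sleep 2
    done
    echo "guest $GUEST_IP or agent port $AGENT_PORT not reachable" >&2
    return 1
}

# 5) snapshot the running, clean guest with the agent up; Cuckoo restores it before
# every analysis, so power the VM off and park it on that snapshot afterwards
take_snapshot() {
    local info
    info=$(VBoxManage showvminfo "$VM" --machinereadable)
    vm_network_ok "$info" || { echo "$VM nic1 is not host-only on $HOSTONLY_IF" >&2; return 1; }
    VBoxManage snapshot "$VM" take "$SNAPSHOT"
    VBoxManage controlvm "$VM" poweroff
    VBoxManage snapshot "$VM" restorecurrent
    info=$(VBoxManage showvminfo "$VM" --machinereadable)
    vm_has_snapshot "$info" "$SNAPSHOT"
}

# usage: ./vm_net.sh setup   (VM powered off)
#        ./vm_net.sh snap    (boots the VM, waits for the agent, snapshots it)
case "${1:-}" in
    setup) setup_hostonly && attach_vm ;;
    snap)  VBoxManage startvm "$VM" --type headless && wait_for_guest && take_snapshot ;;
esac
```

The guest-side half of step 4) (pinging 192.168.56.1 and www.google.com from inside Windows) still has to be done by hand; the host-side check here only proves that the guest is up and that the agent is listening, which is exactly what Cuckoo needs before it can push a sample.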




How to Install Cuckoo Sandbox? [Step1]

Install all the package dependencies and libraries

Step1: Update the package lists

$ sudo apt-get update 


Step2: Install the dependencies and libraries

$ sudo apt-get install -y python python-pip python-dev python-sqlalchemy python-dpkt python-jinja2 python-magic python-pymongo python-libvirt subversion git build-essential git libpcre3 libpcre3-dev libpcre++-dev python-bottle libffi-dev libssl-dev libxml2-dev libxslt-dev libxslt1-dev libjpeg-dev libfuzzy-dev ssdeep  autoconf automake libtool make gcc 


Step3: Upgrade pip (to 9.0.1)

$ sudo pip install --upgrade pip
$ sudo pip install -U pip setuptools


Step4: Install the pefile Python module

$ wget https://github.com/erocarrera/pefile/files/192316/pefile-2016.3.28.tar.gz
$ tar zxvf pefile-2016.3.28.tar.gz
$ cd pefile-2016.3.28/
$ sudo python setup.py build
$ sudo python setup.py install
$ cd ..


Step5: Install the pydeep Python module

$ git clone https://github.com/kbandla/pydeep.git pydeep
$ cd pydeep
$ sudo python setup.py build
$ sudo python setup.py install
$ cd ..


Step6: Install jansson-2.10

$ wget http://www.digip.org/jansson/releases/jansson-2.10.tar.gz
$ tar zxvf jansson-2.10.tar.gz
$ cd jansson-2.10/
$ ./configure
$ make
$ sudo make install
$ cd ..


Step7: Install swig-3.0.12

$ wget http://downloads.sourceforge.net/swig/swig-3.0.12.tar.gz
$ tar zxvf swig-3.0.12.tar.gz
$ cd swig-3.0.12/
$ ./configure
$ make
$ sudo make install
$ cd ..



Step8: Install M2Crypto==0.24.0

$ wget https://pypi.python.org/packages/58/75/362faac80a1bc2742b4b696dc350518312043d568bfd2687a9270f18da88/M2Crypto-0.24.0.tar.gz#md5=8e87235942c76d1ba9f999ee33764fdb
$ tar zxvf M2Crypto-0.24.0.tar.gz
$ cd M2Crypto-0.24.0/
$ sudo python setup.py build
$ sudo python setup.py install
$ cd ..



Step9: Install YARA 3.5

$ sudo apt-get install -y flex bison
$ wget https://github.com/VirusTotal/yara/archive/v3.5.0.tar.gz
$ tar xvfz v3.5.0.tar.gz
$ cd yara-3.5.0/
$ ./bootstrap.sh
$ ./configure --enable-cuckoo --enable-magic
$ make
$ sudo make install



Step10: Install Tcpdump

$ sudo apt-get -y install tcpdump libpcap-dev
$ sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
$ getcap /usr/sbin/tcpdump
getcap should print the two capabilities back; they let Cuckoo capture traffic without running as root. On Ubuntu with AppArmor active, the tcpdump profile may also have to be disabled before Cuckoo can write pcaps into its storage directory.


Step11: Create update_ip_tables.sh

$ echo '#!/bin/bash' >update_ip_tables.sh
$ echo 'iptables -A FORWARD -o eth0 -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT' >> update_ip_tables.sh
$ echo 'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' >> update_ip_tables.sh
$ echo 'iptables -A POSTROUTING -t nat -j MASQUERADE' >> update_ip_tables.sh
$ echo 'sysctl -w net.ipv4.ip_forward=1' >> update_ip_tables.sh
$ chmod +x ./update_ip_tables.sh
$ sudo ./update_ip_tables.sh
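A hardened variant of update_ip_tables.sh, added here as an example rather than taken from the original post. It looks up the uplink from the default route instead of assuming eth0 (Ubuntu 16.04 names interfaces like enp0s3, and with the wrong name the FORWARD rule silently matches nothing), NATs only the sandbox subnet, drops forwarding from the guest into the other RFC 1918 ranges so a sample cannot pivot from the sandbox onto the host's LAN, and uses iptables -C so re-running it does not stack duplicate rules. It assumes vboxnet0 and 192.168.56.0/24 as in the post; rule generation is separated from rule application so the rule set can be checked without root.

```shell
#!/bin/bash
# Added example: hardened replacement for update_ip_tables.sh.
# Assumptions: sandbox guests sit on vboxnet0 / 192.168.56.0/24 (as in the post);
# the uplink is whatever interface carries the default route.
SANDBOX_IF="${SANDBOX_IF:-vboxnet0}"
SANDBOX_NET="${SANDBOX_NET:-192.168.56.0/24}"

# uplink_iface -> name of the interface with the default route (eth0, enp0s3, ...)
uplink_iface() {
    ip -4 route show default |
        awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# gen_rules UPLINK -> one rule per line as "<table> <chain> <rule spec>", in the
# order they must be appended: the RFC 1918 drops have to precede the NEW accept
gen_rules() {
    local up="$1" net
    echo "filter FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        # no pivoting from the sandbox into the host's other private networks
        echo "filter FORWARD -i $SANDBOX_IF -s $SANDBOX_NET -d $net -j DROP"
    done
    echo "filter FORWARD -i $SANDBOX_IF -o $up -s $SANDBOX_NET -m conntrack --ctstate NEW -j ACCEPT"
    echo "nat POSTROUTING -s $SANDBOX_NET -o $up -j MASQUERADE"
}

# apply_rule TABLE CHAIN SPEC... -> append the rule unless it is already present
apply_rule() {
    local table="$1" chain="$2"
    shift 2
    iptables -t "$table" -C "$chain" "$@" 2>/dev/null ||
        iptables -t "$table" -A "$chain" "$@"
}

apply_all() {
    local up
    up=$(uplink_iface)
    [ -n "$up" ] || { echo "no default route, refusing to guess the uplink" >&2; return 1; }
    gen_rules "$up" | while read -r table chain spec; do
        # $spec is left unquoted on purpose: it must split into iptables arguments
        apply_rule "$table" "$chain" $spec
    done
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
}

# usage: sudo ./update_ip_tables.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_all
fi
```

Because the rules are appended, run this on a FORWARD chain that does not already hold the broad accept from the original script (flush it first on a dedicated sandbox host), otherwise the earlier accept matches before the drops. Like the original, the rules and the ip_forward setting do not survive a reboot unless something such as iptables-persistent saves them.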


Step12:  "Install Dnsmasq"
$ sudo apt-get install -y dnsmasq
$ sudo service dnsmasq start


Step13: Install volatility, MongoDB, tesseract-ocr
$ sudo apt-get install -y volatility mongodb tesseract-ocr



Step 14: "Install Cuckoo Sandbox"
$ git clone https://github.com/cuckoosandbox/cuckoo


Step 15:  "Install Cuckoo Sandbox requirement modules"
$ cd cuckoo/
$ sudo -H pip install -r requirements.txt


Step16: Install Cuckoo Sandbox utilities (community signatures and modules)
$ cd utils/
$ ./community.py -a -f -w



Step17: Install Oracle VM VirtualBox
$ sudo sh -c 'echo "deb http://download.virtualbox.org/virtualbox/debian xenial contrib" >> /etc/apt/sources.list.d/virtualbox.list'
$ wget -q https://www.virtualbox.org/download/oracle_vbox_2016.asc -O- | sudo apt-key add -
$ wget -q https://www.virtualbox.org/download/oracle_vbox.asc -O- | sudo apt-key add -
$ sudo apt update && sudo apt-get -y install virtualbox-5.1


Step18: Install Oracle VM VirtualBox Extension Pack
$ wget http://download.virtualbox.org/virtualbox/5.1.18/Oracle_VM_VirtualBox_Extension_Pack-5.1.18-114002.vbox-extpack
$ VBoxManage extpack install Oracle_VM_VirtualBox_Extension_Pack-5.1.18-114002.vbox-extpack



Step19: Add the Cuckoo user to the vboxusers group
$ sudo usermod -aG vboxusers cuckoo
Replace cuckoo with the account that will run Cuckoo, and log out and back in so the new group membership takes effect.


========================================================================
install.sh
#!/bin/bash

mkdir install_tmp
cd install_tmp/

echo "====================================="
echo "Ubuntu Packages Update"
echo "====================================="
read -rsp $'Press [Enter] key to continue....\n'
sudo apt-get update 

echo "====================================="
echo "Install the dependencies and libraries"
echo "====================================="
read -rsp $'Press [Enter] key to continue....\n'
sudo apt-get install -y python python-pip python-dev python-sqlalchemy python-dpkt python-jinja2 python-magic python-pymongo python-libvirt subversion git build-essential git libpcre3 libpcre3-dev libpcre++-dev python-bottle libffi-dev libssl-dev libxml2-dev libxslt-dev libxslt1-dev libjpeg-dev libfuzzy-dev ssdeep  autoconf automake libtool make gcc 

echo ""
echo ""
echo "====================================="
echo "Upgrade pip (to 9.0.1)"
echo "====================================="
read -rsp $'Press [Enter] key to continue....\n'
sudo pip install --upgrade pip
sudo pip install -U pip setuptools

echo ""
echo ""
echo "====================================="
echo "Install Pefile Python Module"
echo "====================================="
read -rsp $'Press [Enter] key to continue....\n'
wget https://github.com/erocarrera/pefile/files/192316/pefile-2016.3.28.tar.gz
tar zxvf pefile-2016.3.28.tar.gz
cd pefile-2016.3.28/
sudo python setup.py build
sudo python setup.py install
cd ..

echo ""
echo ""
echo "====================================="
echo "Install pydeep Python Module"
echo "====================================="
read -rsp $'Press [Enter] key to continue....\n'
git clone https://github.com/kbandla/pydeep.git pydeep
cd pydeep
sudo python setup.py build
sudo python setup.py install
cd ..

echo ""
echo ""
echo "====================================="
echo "Install jansson-2.10"
echo "====================================="
read -rsp $'Press [Enter] key to continue....\n'
wget http://www.digip.org/jansson/releases/jansson-2.10.tar.gz
tar zxvf jansson-2.10.tar.gz
cd jansson-2.10/
./configure
make
sudo make install
cd ..

echo ""
echo ""
echo "====================================="
echo "Install swig-3.0.12"
echo "====================================="
read -rsp $'Press [Enter] key to continue....\n'
wget http://downloads.sourceforge.net/swig/swig-3.0.12.tar.gz
tar zxvf swig-3.0.12.tar.gz
cd swig-3.0.12/
./configure
make
sudo make install
cd ..

echo ""
echo ""
echo "====================================="
echo "Install M2Crypto==0.24.0"
echo "====================================="
read -rsp $'Press [Enter] key to continue....\n'
wget https://pypi.python.org/packages/58/75/362faac80a1bc2742b4b696dc350518312043d568bfd2687a9270f18da88/M2Crypto-0.24.0.tar.gz#md5=8e87235942c76d1ba9f999ee33764fdb
tar zxvf M2Crypto-0.24.0.tar.gz
cd M2Crypto-0.24.0/
sudo python setup.py build
sudo python setup.py install
cd ..

echo ""
echo ""
echo "====================================="
echo "Install YARA 3.5"
echo "====================================="
read -rsp $'Press [Enter] key to continue....\n'
sudo apt-get install -y flex bison
wget https://github.com/VirusTotal/yara/archive/v3.5.0.tar.gz
tar xvfz v3.5.0.tar.gz
cd yara-3.5.0/
./bootstrap.sh
./configure --enable-cuckoo --enable-magic
make
sudo make install

cd ~

echo ""
echo ""
echo "====================================="
echo "Install Tcpdump"
echo "====================================="
read -rsp $'Press [Enter] key to continue....\n'
sudo apt-get -y install tcpdump libpcap-dev
sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
getcap /usr/sbin/tcpdump

echo ""
echo ""
echo "====================================="
echo "Create ip_tables.sh"
echo "====================================="
read -rsp $'Press [Enter] key to continue....\n'
echo '#!/bin/bash' >update_ip_tables.sh
echo 'iptables -A FORWARD -o eth0 -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT' >> update_ip_tables.sh
echo 'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' >> update_ip_tables.sh
echo 'iptables -A POSTROUTING -t nat -j MASQUERADE' >> update_ip_tables.sh
echo 'sysctl -w net.ipv4.ip_forward=1' >> update_ip_tables.sh
chmod +x ./update_ip_tables.sh
sudo ./update_ip_tables.sh

echo ""
echo ""
echo "====================================="
echo "Install Dnsmasq"
echo "====================================="
read -rsp $'Press [Enter] key to continue....\n'
sudo apt-get install -y dnsmasq
sudo service dnsmasq start

echo ""
echo ""
echo "====================================="
echo "Install volatility, MongoDB, tesseract-ocr"
echo "====================================="
read -rsp $'Press [Enter] key to continue....\n'
sudo apt-get install -y volatility mongodb tesseract-ocr


echo ""
echo ""
echo "====================================="
echo "Install Cuckoo Sandbox"
echo "====================================="
read -rsp $'Press [Enter] key to continue....\n'
git clone https://github.com/cuckoosandbox/cuckoo

echo ""
echo ""
echo "====================================="
echo "Install Cuckoo Sandbox requirement modules"
echo "====================================="
read -rsp $'Press [Enter] key to continue....\n'
cd cuckoo/
sudo -H pip install -r requirements.txt

echo ""
echo ""
echo "====================================="
echo "Install Cuckoo Sandbox utilities"
echo "====================================="
read -rsp $'Press [Enter] key to continue....\n'
cd utils/
./community.py -a -f -w
echo ""
echo ""
echo "Cuckoo Sandbox Installed!"
cd ~

cd install_tmp/
echo ""
echo ""
echo "====================================="
echo "Install Oracle VM VirtualBox"
echo "====================================="
read -rsp $'Press [Enter] key to continue....\n'
sudo sh -c 'echo "deb http://download.virtualbox.org/virtualbox/debian xenial contrib" >> /etc/apt/sources.list.d/virtualbox.list'
wget -q https://www.virtualbox.org/download/oracle_vbox_2016.asc -O- | sudo apt-key add -
wget -q https://www.virtualbox.org/download/oracle_vbox.asc -O- | sudo apt-key add -
sudo apt update && sudo apt-get -y install virtualbox-5.1

echo ""
echo ""
echo "====================================="
echo "Install Oracle VM VirtualBox Extension Pack"
echo "====================================="
read -rsp $'Press [Enter] key to continue....\n'
wget http://download.virtualbox.org/virtualbox/5.1.18/Oracle_VM_VirtualBox_Extension_Pack-5.1.18-114002.vbox-extpack
VBoxManage extpack install Oracle_VM_VirtualBox_Extension_Pack-5.1.18-114002.vbox-extpack

cd ~
echo ""
echo ""
echo "====================================="
echo "Add cuckoo to vboxusers group"
echo "====================================="
read -rsp $'Press [Enter] key to continue....\n'
sudo usermod -aG vboxusers cuckoo
echo ""
echo ""
echo "==========================================="
echo "                Finished!!                 "
echo "==========================================="
sudo rm -fr install_tmp/



How to set up your own malware analysis sandbox (Cuckoo Sandbox): Introduction

If you need to analyse a pile of malware and want to cut the time and effort of manual analysis, an automated malware sandbox is a good solution, and Cuckoo Sandbox is a good choice because it is "open source and free".

There are plenty of Cuckoo installation guides and manuals online, but I felt they were all written for "professionals": the several installation methods I tried were vaguely explained, and then they just kept throwing errors, so Cuckoo never ran!@#@!$!@!$%%. So I decided to study it properly and write a detailed, step-by-step installation guide (with a screenshot for every step), and write a fully automatic install bash script along the way.

Basically I divide it into three parts:

  1. Install all the packages and related programs Cuckoo needs
  2. Install the client VM in which the malware will run and set up its network connection to the server side (Cuckoo)
  3. Configure Cuckoo's startup parameters
If you follow the steps above one by one, you should basically have Cuckoo up and running!
Because the steps are very detailed, this will be split into three posts.
