gwallgofi security. hacking. all fun stuff.

Cuckoo Sandbox Part 2 :: installing
05 November 2014
This continues the series of posts about the Cuckoo Sandbox that I am doing for
my course at Leeds Beckett University. They are posted on the invitation-only
blog named DFA1415. As a result of that, I am making my posts public on my
own site and I welcome all comments and feedback.
To start at the beginning, go to Part 1.
This post details how Cuckoo Sandbox is installed and configured to work on
an Ubuntu 14.04 LTS x64 system. The focus is on the latest version of Cuckoo
Sandbox, which at the time of writing is 1.1.1.
Particular care is taken with the virtual machine in which samples are analysed.
Sandboxing is a useful technique that allows unknown software or files to be
opened inside an isolated environment, which can then be monitored to gather
information on what a particular file or program does.
The download page warns that installing Cuckoo Sandbox is a delicate operation
that needs careful attention to detail. The main focus of this post will
therefore be on installing Cuckoo Sandbox to ensure a working system, and on the
details of the test lab where tests can be carried out on Cuckoo Sandbox.
2014-11-04 02:49:56,352 [root] CRITICAL: CuckooCriticalError: Unable to bind result server on 192.168.56.1:2042: [Errno 99] Cannot assign requested address
At this point it shows that Cuckoo does run - all dependencies are present and
available to Cuckoo - but it does not work yet. At least three configuration
files need to be modified before Cuckoo can run: auxiliary.conf, cuckoo.conf and
<machinery>.conf. It is important to read the documentation covering these
files carefully.
cuckoo.conf
This file is extensively commented for every option, which makes configuring
it much easier without needing to refer to the manual every time.
For this post, the following options need to be checked. Keep comments on
their own lines: Cuckoo reads these files with Python's ConfigParser, which
does not strip a trailing # comment from a value, so a comment after the ip or
port value becomes part of that value.
[cuckoo]
machinery = virtualbox
[resultserver]
# This is the VirtualBox host IP address (the vboxnet0 host-only interface).
ip = 192.168.56.1
# Leave at the default if you have no services running on this port.
port = 2042
All other options are left at their defaults.
auxiliary.conf
Again this configuration file is well commented.
[sniffer]
# Enable or disable the use of an external sniffer (tcpdump) [yes/no].
enabled = yes
# Specify the path to your local installation of tcpdump. Make sure this
# path is correct.
# You can check this using the command: whereis tcpdump
tcpdump = /usr/sbin/tcpdump
# Specify the network interface name on which tcpdump should monitor the
# traffic. Make sure the interface is active.
# The ifconfig command will show you the interface name.
interface = vboxnet0
<machinery>.conf / virtualbox.conf
<machinery>.conf - the <machinery> placeholder stands for the configuration
file of the virtualization software you have selected, so in this case the
file is virtualbox.conf. If you use different virtualization software such as
VMware Player, the file should be vmware.conf and the machinery line in
cuckoo.conf will read machinery = vmware.
Again the configuration file is well commented.
Before editing the virtualbox.conf file - the name of the virtual machine is needed.
This can be changed as necessary:
The name of the virtual machine to be used is "WindowsXP_SP3_Cuckoo1". The
virtualbox.conf file is changed to have this:
machines = WindowsXP_SP3_Cuckoo1
[WindowsXP_SP3_Cuckoo1]
# Specify the label name of the current machine as specified in your
# VirtualBox configuration.
label = WindowsXP_SP3_Cuckoo1
platform = windows
ip = 192.168.56.10
# snapshot = Snapshot1 # If commented out, use the current "in use" snapshot.
tags = windows_xp_sp3,32_bit,testing,university
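Before starting cuckoo.py, a pre-flight check over the three files above, as an added example that is not part of the original post or of the Cuckoo project: it parses cuckoo.conf, auxiliary.conf and virtualbox.conf the way Cuckoo's ConfigParser-based loader sees them and reports the mistakes that surface as the "Unable to bind result server" error quoted earlier. It assumes the guest and the vboxnet0 host address share a /24 host-only network (VirtualBox's default), and the host facts it needs (interface addresses, the tcpdump path, the VM names VBoxManage lists) are passed in as sets so it runs offline.

```python
import configparser
import ipaddress

def load(text):
    # Cuckoo reads its .conf files with ConfigParser, which does not strip a
    # '#' comment after a value: "ip = 192.168.56.1 #host" keeps the comment.
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return cp

def check_configs(cuckoo_txt, aux_txt, vbox_txt, host_ips, tcpdump_paths, vm_names):
    """Return a list of problems; an empty list means the three files look sane."""
    problems, rs_ip = [], None
    cuckoo, aux, vbox = load(cuckoo_txt), load(aux_txt), load(vbox_txt)
    # cuckoo.conf: the result server binds to [resultserver] ip, which must be
    # an address the host owns (the vboxnet0 one), or startup fails with errno 99.
    ip_raw, port_raw = cuckoo.get("resultserver", "ip"), cuckoo.get("resultserver", "port")
    try:
        rs_ip = ipaddress.ip_address(ip_raw)
        if str(rs_ip) not in host_ips:
            problems.append("resultserver ip %s is not assigned to a host interface" % rs_ip)
    except ValueError:
        problems.append("resultserver ip %r is not a bare address (inline comment?)" % ip_raw)
    if not port_raw.isdigit():
        problems.append("resultserver port %r is not an integer (inline comment?)" % port_raw)
    # auxiliary.conf: an enabled sniffer needs the tcpdump path to exist.
    if aux.getboolean("sniffer", "enabled") and aux.get("sniffer", "tcpdump") not in tcpdump_paths:
        problems.append("tcpdump not found at %s" % aux.get("sniffer", "tcpdump"))
    # virtualbox.conf: each name in [virtualbox] machines needs its own section,
    # a label VirtualBox knows, and (assumed /24 host-only net) a guest ip on it.
    for name in [m.strip() for m in vbox.get("virtualbox", "machines").split(",")]:
        if not vbox.has_section(name):
            problems.append("machine %s has no [%s] section" % (name, name))
            continue
        if vbox.get(name, "label") not in vm_names:
            problems.append("label %s is not a VirtualBox VM name" % vbox.get(name, "label"))
        guest = ipaddress.ip_address(vbox.get(name, "ip"))
        if rs_ip is not None and guest not in ipaddress.ip_network("%s/24" % rs_ip, strict=False):
            problems.append("guest ip %s is not on the result server's /24" % guest)
    return problems
# Constructed sample mirroring the post's values, with the inline-comment mistake.
CUCKOO_CONF = "[cuckoo]\nmachinery = virtualbox\n[resultserver]\nip = 192.168.56.1 #host\nport = 2042\n"
AUX_CONF = "[sniffer]\nenabled = yes\ntcpdump = /usr/sbin/tcpdump\ninterface = vboxnet0\n"
VBOX_CONF = ("[virtualbox]\nmachines = WindowsXP_SP3_Cuckoo1\n[WindowsXP_SP3_Cuckoo1]\n"
             "label = WindowsXP_SP3_Cuckoo1\nplatform = windows\nip = 192.168.56.10\n")
if __name__ == "__main__":
    for p in check_configs(CUCKOO_CONF, AUX_CONF, VBOX_CONF, {"192.168.56.1"},
                           {"/usr/sbin/tcpdump"}, {"WindowsXP_SP3_Cuckoo1"}):
        print("problem:", p)
```

Run it once with the real values from `ip addr show vboxnet0`, `whereis tcpdump` and `VBoxManage list vms` substituted for the constructed sets.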
Checking if it all works...
Go to the directory where you put Cuckoo.
ubuntu:~$ ./cuckoo.py
Cuckoo Sandbox 1.1
www.cuckoosandbox.org
Copyright (c) 2010-2014
Checking for updates...
Good! You have the latest version available.
2014-11-05 23:07:42,599 [lib.cuckoo.core.scheduler] INFO: Using "virtualbox" machine manager