Cuckoo configuration using Ubuntu + VirtualBox + Windows XP SP3


Cuckoo introduction: Cuckoo is built on virtual machine technology, uses a central controller with a modular design and, combined with Python's automation strengths, provides a highly automated environment for malware behaviour research. Its origin in Honeynet Project research and development means Cuckoo can easily perform URL analysis, network communication analysis, program analysis and PDF analysis. My personal recommendation is to use a Debian or Ubuntu host with VirtualBox installed as the Cuckoo host, and Windows XP as the guest.
Operating environment: Ubuntu 14.04 LTS Desktop (64-bit), VirtualBox, Windows XP SP3
References: cuckoo.pdf (especially important; it can be downloaded from the official website, www.cuckoosandbox.org), http://arisri.tistory.com/m/post/127, http://github.com/cuckoobox/cuckoo
1. Configuring the host
First download the required software and libraries.
Install Python and its dependent libraries:

$ sudo apt-get install python
$ sudo apt-get install python-sqlalchemy python-bson
$ sudo apt-get install python-dpkt python-jinja2 python-magic python-pymongo python-gridfs
Install tcpdump and give it the capabilities it needs to capture packets:
$ sudo apt-get install tcpdump
$ sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
You can verify the result as follows:
$ getcap /usr/sbin/tcpdump
/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip
If setcap is not installed, install it first:
$ sudo apt-get install libcap2-bin
Alternatively, set the setuid bit manually (note that this runs tcpdump as root for every user, so the capability-based approach above is the narrower choice):
$ sudo chmod +s /usr/sbin/tcpdump
Installing Volatility
$ sudo apt-get install volatility
Install git
$ sudo apt-get install git
2. Create a user
You must make sure that the user running Cuckoo is the same user who created and runs the virtual machine; otherwise Cuckoo will not recognise the virtual machine and cannot log on to it. You can either run Cuckoo as the current user or create a new user for Cuckoo.
To create a new user:
$ sudo adduser cuckoo
If you use VirtualBox to run the virtual machine, make sure that the user running Cuckoo belongs to the vboxusers group (or whichever group you use to run VirtualBox):
$ sudo usermod -a -G vboxusers cuckoo
3. Download Cuckoo
$ git clone git://github.com/cuckoobox/cuckoo.git
4. Configure Cuckoo
Cuckoo relies on six configuration files:
cuckoo.conf: configures general operation and analysis options
auxiliary.conf: enables and configures auxiliary modules
<machinery>.conf: defines the options for the local virtualisation software; the file name is the same as the machinery module name set in cuckoo.conf
memory.conf: Volatility configuration
processing.conf: enables and configures processing modules
reporting.conf: enables and disables report formats
You usually only need to edit three files: cuckoo.conf, auxiliary.conf and <machinery>.conf.
cuckoo.conf
Most of the file is comments and explanations; focus on the following options:
machinery in [cuckoo]: defines the machinery module used to interact with the virtual machine. The default value is virtualbox, and the name must match the Cuckoo module name exactly.
ip and port in [resultserver]: the local IP address and port of the Cuckoo analysis host. This machine runs Ubuntu, so you can use ifconfig to look up the IP.
auxiliary.conf
This file can be left at its default configuration.
<machinery>.conf
machines in [virtualbox]: specifies the name of the virtual machine created with VirtualBox
label in [cuckoo1]: defines the label of the current machine as it appears in the VirtualBox configuration
ip in [cuckoo1]: defines the IP address of the current virtual machine
5. Configure the guest:
Install VirtualBox:

$ sudo apt-get install virtualbox
Install the virtual machine:
Install a Windows XP virtual machine (steps omitted).
Install the required software:
Install Python; running the Cuckoo agent requires Python.
Depending on the files you will analyse, install the appropriate software, and turn off automatic updates and update checks for all additional software.
Configure the virtual machine network: use NAT, and turn off the operating system's firewall and automatic updates.
Install the agent:

In Cuckoo's agent/ directory there is an agent.py file; copy it to the Startup folder of the guest operating system so that it runs automatically at boot.
Save the virtual machine:
Before saving, make sure the virtual machine has been restarted after configuration and is currently running, that the Cuckoo agent is running, and that XP has fully booted.
Take a snapshot:
$ vboxmanage snapshot "<name of vm>" take "<name of snapshot>" --pause
When the snapshot is complete, power off the virtual machine and restore the snapshot:
$ vboxmanage controlvm "<name of vm>" poweroff
$ vboxmanage snapshot "<name of vm>" restorecurrent
All basic configuration of Cuckoo is now complete.
6. Using Cuckoo:
Start Cuckoo:

$ ./cuckoo.py
Note that cuckoo.py must not be run with sudo; be sure to run it as the user set up for Cuckoo earlier.
Then open a separate command-line window.

Submit the file (or URL) to be analysed to the host:
$ python /home/kevin/cuckoo-master/utils/submit.py --url http://www.baidu.com
A report will then be generated under the directory for the corresponding task ID in storage/analyses.

Errors in the output and their solutions:
Tcpdump isn't accessible from this user, network capture aborted

This piece of code can be found in the code hosted on GitHub, where the comments show it is an unresolved Cuckoo issue. The temporary solution is to download the latest version of Cuckoo from GitHub.
VBoxManage exited with error restoring the machine's snapshot
Pay attention to the order of operations: save (snapshot) the virtual machine first, then run Cuckoo, and finally submit the analysis task. Otherwise this problem may occur.
CuckooCriticalError: Unable to bind ResultServer on 192.168.1.89:2042 [Errno] cannot assign requested address
This means the ResultServer IP is inconsistent with the host IP.
cuckoo1: the guest initialization hits the critical timeout, analysis aborted.
This problem is still being worked on ....
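As an added example (not from the original post or from the Cuckoo project), the following POSIX shell preflight script checks, before Cuckoo is started, the host conditions behind the tcpdump capability, vboxusers group, ResultServer bind and snapshot errors listed above and in the configuration steps. Each check takes its evidence as a string so the functions can be exercised offline; the "Name: <snapshot> (" format of vboxmanage snapshot list output and the use of hostname -I are assumptions.

```shell
#!/bin/sh
# Added preflight checks for a Cuckoo host (example code, not part of Cuckoo).
# Each check receives its evidence as a string so it can be tested offline;
# cuckoo_preflight gathers the real evidence from the live host.

# $1: output of `getcap /usr/sbin/tcpdump`; both cap_net_raw and cap_net_admin
# must be present, otherwise Cuckoo aborts the network capture.
tcpdump_caps_ok() {
    case "$1" in
        *cap_net_admin*cap_net_raw*eip*|*cap_net_raw*cap_net_admin*eip*) return 0 ;;
        *) return 1 ;;
    esac
}

# $1: ip from [resultserver] in cuckoo.conf; $2: host addresses, one per line.
# Guards against "Unable to bind ResultServer ... cannot assign requested address".
resultserver_ip_is_local() {
    printf '%s\n' "$2" | grep -qxF "$1"
}

# $1: space-separated group list (output of `id -nG`); the Cuckoo user must
# be in vboxusers or VirtualBox will not expose the VM to it.
user_in_vboxusers() {
    for g in $1; do
        [ "$g" = vboxusers ] && return 0
    done
    return 1
}

# $1: snapshot name; $2: output of `vboxmanage snapshot <vm> list` (assumed to
# print one "Name: <snapshot> (UUID: ...)" line per snapshot). A missing
# snapshot is what produces "exited with error restoring the machine's snapshot".
vm_has_snapshot() {
    printf '%s\n' "$2" | grep -qF "Name: $1 ("
}

# Run every check against the live host; prints one FAIL line per problem.
# Usage: cuckoo_preflight <vm name> <resultserver ip> <snapshot name>
cuckoo_preflight() {
    vm=$1; rs_ip=$2; snap=$3; rc=0
    tcpdump_caps_ok "$(getcap /usr/sbin/tcpdump 2>/dev/null)" \
        || { echo "FAIL: tcpdump lacks cap_net_raw/cap_net_admin (run setcap)"; rc=1; }
    resultserver_ip_is_local "$rs_ip" "$(hostname -I 2>/dev/null | tr ' ' '\n')" \
        || { echo "FAIL: resultserver ip $rs_ip is not configured on this host"; rc=1; }
    user_in_vboxusers "$(id -nG)" \
        || { echo "FAIL: $(id -un) is not in vboxusers; VirtualBox VMs will not be visible"; rc=1; }
    vm_has_snapshot "$snap" "$(vboxmanage snapshot "$vm" list 2>/dev/null)" \
        || { echo "FAIL: VM $vm has no snapshot '$snap'; take it before starting Cuckoo"; rc=1; }
    return $rc
}
```

Run `cuckoo_preflight cuckoo1 192.168.1.89 "<name of snapshot>"` as the Cuckoo user; an empty output and a zero exit status mean the four error conditions above cannot occur on this host.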
