This is written better than the Cuckoo manual.
The post walks through the following steps; the commands and output for each are given, in this order, below.

System Requirements
Install Ubuntu
Enter a new 'root' password
Upgrade all your Ubuntu packages
Install Python packages
Install tcpdump (Ubuntu already has this, so you may not need it)
Install git to download from repositories
Install Cuckoo Sandbox
Install Oracle VirtualBox (All Distributions)
Install Oracle VirtualBox (SDK)
:: Oops! The SDK installer needs the 'VBOX_INSTALL_PATH' variable set when running install
Relocate SDK files into the VirtualBox install directory
Modify Cuckoo Configuration File
:: Enable the Sniffer option
:: The [VirtualMachines] 'enabled' list pertains to the number of VMs you will configure later in the .conf file
:: Make sure the 'username' and 'password' match the default logged-in user in the Guest OS
Creating Virtual Machine
:: Under 'File/Preferences' change the Default Virtual Machine Folder to '/opt/vms'
Install the Guest OS
Please Note: Make sure you create or change your default user account in Windows to match what was configured in cuckoo.conf. Make sure you also change the account password to what is in the .conf file.
Download Python 2.7 for the Guest OS: http://www.python.org/getit/releases/2.7/
Disable Guest OS Firewall
Install Oracle VM VirtualBox Guest Additions
Configuring Virtual Machine for Cuckoo Sandbox
Creating Guest OS Shared Folders (so the Guest OS can reach the Host OS Python scripts used by Cuckoo)
Installing Guest OS Vulnerable Applications
:: Download old versions of applications from http://www.oldapps.com/
:: Make sure you disable all auto-update features in the OS and applications
Verify Guest OS shares are accessible from the Host OS
Verify Guest OS is ready for malware analysis
Create a Guest OS Clean Snapshot
Testing Cuckoo Sandbox (for the First Time)
:: First run ([2012-02-20 18:58:19,311] [Core.Init] INFO: Started.): Oops! my cuckoo.conf has a typo. Make sure your VM name (including case) matches exactly what is in the .conf file.
:: Second run ([2012-02-20 19:02:22,059] [Core.Init] INFO: Started.) ends in [ERROR] and [TRACEBACK]: Oops! It is not finding the VirtualBox SDK APIs. Put the proper environment variable in (the PYTHONPATH line shown in that section), close the terminal and re-open it.
:: Third run ([2012-02-20 19:01:24,894] [Core.Init] INFO: Started.): Success! No errors. Let's continue.
Testing Cuckoo Sandbox w/ Malware
*** WARNING ***
Cuckoo Sandbox Submission Utility: submit a local binary; submit a local binary with a higher priority; with a custom analysis timeout of 60 seconds; with a custom analysis package; submit a URL to be downloaded locally and analyzed; submit a URL to be analyzed within Internet Explorer; submit a local binary to be run on virtual machine cuckoo1
:: If the VM closes very quickly after spawning, it is the result of one of the causes listed after the submission examples
:: You can also enable debug logging to help you out ([Logging] in cuckoo.conf)
Cuckoo Sandbox Malware Results
:: Now launch Firefox in Ubuntu and go to http://127.0.0.1:8080
That's it, folks! For any other issues, please leave a comment below. If anyone managed to get Cuckoo running in non-root mode, tell me how.
System requirements: Ubuntu 12.04 LTS Desktop (64-bit) w/ 2 CPU, 2 GB memory and a 20 GB partition
:: Once Ubuntu is launched, press Ctrl-Alt-t for a Terminal
# sudo passwd
# su - <Enter root password>
# apt-get update
# apt-get upgrade
# apt-get install python python-magic python-dpkt python-mako
# apt-get install tcpdump
# setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
:: setcap grants tcpdump the capabilities it needs to capture packets without being run as root; this only matters if Cuckoo's sniffer is ever launched by a non-root user.
# apt-get install git
# cd /opt
# git clone git://github.com/cuckoobox/cuckoo.git
:: git:// is unauthenticated and unencrypted (and GitHub stopped serving it in 2022); clone over https://github.com/cuckoobox/cuckoo.git instead if you reproduce this today.
remote: Counting objects: 3363, done.
remote: Compressing objects: 100% (1250/1250), done.
remote: Total 3363 (delta 2137), reused 3229 (delta 2008)
Receiving objects: 100% (3363/3363), 3.71 MiB | 438 KiB/s, done.
Resolving deltas: 100% (2137/2137), done.
# wget http://download.virtualbox.org/virtualbox/4.1.16/VirtualBox-4.1.16-78094-Linux_amd64.run
# chmod u+x VirtualBox-4.1.16-78094-Linux_amd64.run
# ./VirtualBox-4.1.16-78094-Linux_amd64.run
Uncompressing VirtualBox for Linux installation………..
VirtualBox Version 4.1.16 r78094 (2012-02-20T13:13:38Z) installer
Installing VirtualBox to /opt/VirtualBox
# wget http://download.virtualbox.org/virtualbox/4.1.16/VirtualBoxSDK-4.1.16-78094.zip
# unzip VirtualBoxSDK-4.1.16-78094.zip
# cd /opt/sdk/installer
# python vboxapisetup.py install
File “vboxapisetup.py”, line 76, in <module>
main(sys.argv)
File “vboxapisetup.py”, line 50, in main
raise Exception(“No VBOX_INSTALL_PATH defined, exiting”)
Exception: No VBOX_INSTALL_PATH defined, exiting
# VBOX_INSTALL_PATH=/opt/VirtualBox python vboxapisetup.py install
running build
running build_py
creating build
creating build/lib.linux-x86_64-2.7
creating build/lib.linux-x86_64-2.7/vboxapi
copying vboxapi/VirtualBox_constants.py -> build/lib.linux-x86_64-2.7/vboxapi
copying vboxapi/__init__.py -> build/lib.linux-x86_64-2.7/vboxapi
running install_lib
copying build/lib.linux-x86_64-2.7/vboxapi/VirtualBox_constants.py -> /usr/local/lib/python2.7/dist-packages/vboxapi
copying build/lib.linux-x86_64-2.7/vboxapi/__init__.py -> /usr/local/lib/python2.7/dist-packages/vboxapi
byte-compiling /usr/local/lib/python2.7/dist-packages/vboxapi/__init__.py to __init__.pyc
running install_egg_info
Removing /usr/local/lib/python2.7/dist-packages/vboxapi-1.0.egg-info
Writing /usr/local/lib/python2.7/dist-packages/vboxapi-1.0.egg-info
:: The zip was unpacked into /opt/sdk, so move it from /opt (the previous command left us in /opt/sdk/installer):
# cd /opt
# mv sdk /opt/VirtualBox/sdk
# cd /opt/cuckoo/conf
# vi cuckoo.conf
[Sniffer]
# Enable or disable the following option by assigning a True or False value.
# In case you decide to disable it, you're supposed to either not have any
# network dump or to use VirtualBox's (or any other virtualization engine
# you are using) facilities to handle the network monitoring instead of an
# external sniffer such as tcpdump. [on/off]
sniffer = on
…
[VirtualMachines]
# List virtual machines IDs separated by commas.
enabled = cuckoo1
…
:: Leave the ‘share’ section alone, as this is where the Host OS scripts will be stored to share with the Guest OS
[cuckoo1]
name = cuckoo1
username = myWindowsUsername
password = myWindowsPassword
# Please notice that the shared folder name must coincide with the current
# virtual machine id, which is the name you assigned between the square
# brackets (e.g. [cuckoo1]).
share = shares/cuckoo1
:: This is where the majority of your problems may occur. Try to follow the instructions in detail.
# mkdir /opt/vms
# virtualbox
:: Make sure you create a VM named 'cuckoo1' running Windows XP (SP3) or Windows 7; use 256 MB of memory for Windows XP or 1024 MB for Windows 7. For the hard drive (HD) parameters, select 'fixed storage' for better performance. The HD size will depend on what you want to install, i.e. the 'vulnerable' applications to use (MS Office, Adobe Reader, etc.)
:: Install Python into its default location, C:\Python27\
:: Go to the network adapter's Advanced settings and disable the Guest OS Windows Firewall
:: Select Devices/Install Guest Additions… (Reboot of OS is required)
Enable Network .PCAP Dump
# mkdir /opt/cuckoo/shares/cuckoo1
:: The VM must be powered off first: modifyvm only works on a powered-off VM.
# VBoxManage controlvm "cuckoo1" poweroff
# VBoxManage modifyvm "cuckoo1" --nictrace1 on --nictracefile1 /opt/cuckoo/shares/cuckoo1/dump.pcap
# VBoxManage sharedfolder add "cuckoo1" --name "setup" --hostpath "/opt/cuckoo/shares/setup"
# VBoxManage sharedfolder add "cuckoo1" --name "cuckoo1" --hostpath "/opt/cuckoo/shares/cuckoo1"
# VBoxManage startvm "cuckoo1"
:: You may want to consider installing:
Microsoft Office 2003/2007; Adobe Reader 9; Adobe Flash 10; Oracle Java 6; Mozilla Firefox 11;
Please Note: Remove any unnecessary registry values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, but leave the 'VirtualBox Guest Additions' entry.
:: Start/Run, then type in ‘\\vboxsvr’. You should see two shares ‘\\vboxsvr\setup’ & ‘\\vboxsvr\cuckoo1′
Please Note: I found connecting to the shares important. If I didn’t, Cuckoo would quickly close the VM afterwards, without analyzing code.
:: Reboot the Guest OS, log in and leave it running for 5 – 10 minutes.
Make sure:
1) All OS or Application Updates are disabled.
2) All Applications are launched at least once, to accept default Licensing Agreements.
3) Make sure you disabled the Guest OS Firewall.
Once you are satisfied that nothing unwanted will pop-up or prompt you during the malware analysis stage continue to the next step.
# VBoxManage snapshot "cuckoo1" take "baseImage" --pause
# VBoxManage controlvm "cuckoo1" poweroff
# VBoxManage snapshot "cuckoo1" restorecurrent
:: --pause snapshots the running, logged-in guest (memory included), so after restorecurrent the VM sits in the Saved state and every analysis resumes straight to the desktop.
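The VBoxManage steps above (pcap trace, two shared folders, live snapshot, restore) are easy to get subtly wrong, and Cuckoo only reports the symptom later. The script below is an added example, not part of the original post: it parses the output of `VBoxManage showvminfo "cuckoo1" --machinereadable` and checks each of those expectations from the host. The functions read the output from a file so they can be exercised on the constructed sample included at the bottom; the key names (`nictrace1`, `nictracefile1`, `SharedFolderNameMachineMapping<N>`, `VMState`, `CurrentSnapshotName`) are VirtualBox's, the paths and the VM id are the ones used in this post.

```shell
#!/bin/sh
# Added example, not part of the original post: verify from the host that the
# guest VM is configured the way the steps above require, by parsing
#   VBoxManage showvminfo "cuckoo1" --machinereadable
# Real use:
#   VBoxManage showvminfo "cuckoo1" --machinereadable > /tmp/vminfo.txt
#   vminfo_check /tmp/vminfo.txt /opt/cuckoo cuckoo1

# vminfo_get FILE KEY -> value of KEY with surrounding quotes stripped
vminfo_get() {
    sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}\$/\1/p" "$1"
}

# sharedfolder_path FILE NAME -> host path mapped under shared folder NAME
# (the Name/Path keys come in numbered pairs; exit 1 if NAME is not mapped)
sharedfolder_path() {
    n=$(sed -n "s/^SharedFolderNameMachineMapping\([0-9]*\)=\"$2\"\$/\1/p" "$1")
    [ -n "$n" ] || return 1
    vminfo_get "$1" "SharedFolderPathMachineMapping$n"
}

# vminfo_check FILE CUCKOO_HOME VMID -> 0 when every expectation holds,
# otherwise prints each problem and returns 1
vminfo_check() {
    f=$1; home=$2; id=$3; bad=0
    fail() { echo "FAIL: $*"; bad=$((bad + 1)); }
    [ "$(vminfo_get "$f" name)" = "$id" ] ||
        fail "VM name must be exactly '$id' (case matters to Cuckoo)"
    [ "$(vminfo_get "$f" nictrace1)" = "on" ] ||
        fail "nictrace1 is off: no .pcap will be written for the guest"
    case "$(vminfo_get "$f" nictracefile1)" in
        "$home/shares/$id/"*) ;;
        *) fail "nictracefile1 must point under $home/shares/$id/" ;;
    esac
    for s in setup "$id"; do
        [ "$(sharedfolder_path "$f" "$s")" = "$home/shares/$s" ] ||
            fail "shared folder '$s' is not mapped to $home/shares/$s"
    done
    [ "$(vminfo_get "$f" VMState)" = "saved" ] ||
        fail "VM is not in the saved state: take the snapshot with --pause, poweroff, restorecurrent"
    [ -n "$(vminfo_get "$f" CurrentSnapshotName)" ] ||
        fail "no current snapshot: Cuckoo restores it before every analysis"
    [ "$bad" -eq 0 ]
}

# Constructed sample (shaped like showvminfo --machinereadable, not captured
# from a real VM) matching the VM built in the steps above
sample_vminfo() {
cat <<'EOF'
name="cuckoo1"
UUID="d959f177-8a5f-4bf5-8e5c-2197fa63aa30"
memory=256
VMState="saved"
nictrace1="on"
nictracefile1="/opt/cuckoo/shares/cuckoo1/dump.pcap"
SharedFolderNameMachineMapping1="setup"
SharedFolderPathMachineMapping1="/opt/cuckoo/shares/setup"
SharedFolderNameMachineMapping2="cuckoo1"
SharedFolderPathMachineMapping2="/opt/cuckoo/shares/cuckoo1"
CurrentSnapshotName="baseImage"
EOF
}
```

Run it after the restorecurrent step and again whenever the VM is "closing quickly" during a submission; each FAIL line names the VBoxManage step to redo.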
Testing Cuckoo Sandbox (for the first time):
# cd /opt/cuckoo
# ./cuckoo.py
(Cuckoo ASCII-art banner) v0.3.2
Copyright (C) 2010-2012
[2012-02-20 18:58:19,386] [VirtualMachine.Check] INFO: Your VirtualBox version is: “4.1.16″, good!
[2012-02-20 18:58:19,387] [Core.Init] INFO: Populating virtual machines pool…
[2012-02-20 18:58:19,390] [VirtualMachine] ERROR: Virtual machine “Cuckoo1″ not found: 0x80bb0001 (Could not find a registered machine named ‘Cuckoo1′)
[2012-02-20 18:58:19,390] [VirtualMachine.Restore] ERROR: No virtual machine handle.
[2012-02-20 18:58:19,390] [VirtualMachine.Infos] ERROR: No virtual machine handle.
[2012-02-20 18:58:19,390] [Core.Init] CRITICAL: None of the virtual machines are available. Please review the errors.
Second run, after correcting the VM name in cuckoo.conf:
# ./cuckoo.py
(Cuckoo ASCII-art banner) v0.3.2
Copyright (C) 2010-2012
Cuckoo stumbled in an unhandled error!
Before reporting the problem, please run with latest release from the development
Git repository at:
http://github.com/cuckoobox/cuckoo
If the exception persists, please send the following traceback to:
cuckoo@public.honeynet.org
The developers will try to reproduce the bug, fix it and get in touch with you.
Cuckoo version: v0.3.2
Python version: 2.7.3 (default, Jan 20 2012, 22:39:59)
[GCC 4.6.3]
OS: linux2
Command line: ./cuckoo.py
Traceback (most recent call last):
File “./cuckoo.py”, line 665, in <module>
if not VirtualMachine().check():
File “/opt/cuckoo/cuckoo/core/virtualbox.py”, line 54, in __init__
vbm = vboxapi.VirtualBoxManager(None, None)
File “/usr/local/lib/python2.7/dist-packages/vboxapi/__init__.py”, line 513, in __init__
exec “self.platform = Platform”+style+”(platparams)”
File “<string>”, line 1, in <module>
File “/usr/local/lib/python2.7/dist-packages/vboxapi/__init__.py”, line 349, in __init__
import xpcom.vboxxpcom
ImportError: No module named xpcom.vboxxpcom
——————————————————————————–
Cuckoo needs the VirtualBox Python bindings (vboxapi) and the SDK's XPCOM module on the Python path. Add them system-wide:
# vi /etc/environment
PYTHONPATH="/opt/VirtualBox/:/opt/VirtualBox/sdk/bindings/xpcom/python/"
:: /etc/environment is applied by PAM when a session is opened, not by shells that are already running, so a fresh terminal by itself does not see the new value; the `su -` below opens a new login session and does. To test in the current shell instead, `export PYTHONPATH=...` with the same value.
Open a new Terminal (Ctrl-Alt-T)
# su - <Enter root password>
# cd /opt/cuckoo
# ./cuckoo.py
(Cuckoo ASCII-art banner) v0.3.2
Copyright (C) 2010-2012
[2012-02-20 19:01:24,925] [VirtualMachine.Check] INFO: Your VirtualBox version is: “4.1.16″, good!
[2012-02-20 19:01:24,926] [Core.Init] INFO: Populating virtual machines pool…
[2012-02-20 19:01:24,996] [VirtualMachine.Restore] INFO: Virtual machine “cuckoo1″ successfully restored to current snapshot.
[2012-02-20 19:01:25,441] [VirtualMachine.Infos] INFO: Virtual machine “cuckoo1″ information:
[2012-02-20 19:01:25,442] [VirtualMachine.Infos] INFO: \_| Name: cuckoo1
[2012-02-20 19:01:25,442] [VirtualMachine.Infos] INFO: | ID: d959f177-8a5f-4bf5-8e5c-2197fa63aa30
[2012-02-20 19:01:25,443] [VirtualMachine.Infos] INFO: | CPU Count: 1 Core/s
[2012-02-20 19:01:25,443] [VirtualMachine.Infos] INFO: | Memory Size: 256 MB
[2012-02-20 19:01:25,443] [VirtualMachine.Infos] INFO: | VRAM Size: 16 MB
[2012-02-20 19:01:25,443] [VirtualMachine.Infos] INFO: | State: Saved
[2012-02-20 19:01:25,444] [VirtualMachine.Infos] INFO: | Current Snapshot: “baseImage”
[2012-02-20 19:01:25,444] [VirtualMachine.Infos] INFO: | MAC Address: 08:00:01:02:03:04
[2012-02-20 19:01:25,444] [Core.Init] INFO: 1 virtual machine/s added to pool.
[2012-02-20 19:01:25,488] [Database.Init] INFO: Generated database “db/cuckoo.db” which didn’t exist before.
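Both failed runs above come down to host-side configuration that can be checked before cuckoo.py is ever started: the `Cuckoo1` vs `cuckoo1` mismatch between cuckoo.conf and the registered VM, and the missing `xpcom.vboxxpcom` import. The script below is an added example, not part of the original post or of Cuckoo: it parses `conf/cuckoo.conf` and the output of `VBoxManage list vms`, checks every enabled VM id for an exact (case-sensitive) match, for the `share = shares/<id>` rule the conf comments state, and for non-empty guest credentials, and offers a `check_vboxapi` probe for the bindings. The parsers read from files so they can be run on the constructed sample conf and VM list included at the bottom; the assumption that `python` is the Python 2 interpreter the page uses is labelled in the code.

```shell
#!/bin/sh
# Added example, not from the original post: cross-check conf/cuckoo.conf
# against what VirtualBox has registered before starting cuckoo.py.
# Real use:
#   VBoxManage list vms > /tmp/vms.txt
#   check_conf_vms /opt/cuckoo/conf/cuckoo.conf /tmp/vms.txt && check_vboxapi

# conf_section_value CONF SECTION KEY -> value of KEY inside [SECTION]
# (comment lines skipped; empty output when the key or section is missing)
conf_section_value() {
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*#/ { next }
        /^\[/      { insec = ($0 == sec); next }
        insec {
            n = index($0, "="); if (n == 0) next
            k = substr($0, 1, n - 1); gsub(/[ \t]/, "", k)
            if (k == key) { v = substr($0, n + 1); gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }
        }' "$1"
}

# registered_vms VMSFILE -> one VM name per line, from "VBoxManage list vms"
# lines shaped like:  "cuckoo1" {d959f177-8a5f-4bf5-8e5c-2197fa63aa30}
registered_vms() {
    sed -n 's/^"\(.*\)" {[-0-9a-fA-F]*}$/\1/p' "$1"
}

# check_conf_vms CONF VMSFILE -> 0 when every enabled id maps to a registered
# VM by exact name and has the share, username and password Cuckoo expects
check_conf_vms() {
    conf=$1; vms=$2; bad=0
    enabled=$(conf_section_value "$conf" VirtualMachines enabled | tr ',' ' ')
    if [ -z "$enabled" ]; then
        echo "FAIL: [VirtualMachines] enabled = is empty"; return 1
    fi
    for id in $enabled; do
        name=$(conf_section_value "$conf" "$id" name)
        if [ -z "$name" ]; then
            echo "FAIL: '$id' is enabled but has no [$id] section with name ="
            bad=$((bad + 1)); continue
        fi
        if ! registered_vms "$vms" | grep -qxF -- "$name"; then
            # a case-insensitive hit is the typo the first run above tripped on
            hint=$(registered_vms "$vms" | grep -ixF -- "$name" || true)
            echo "FAIL: no registered VM named '$name'${hint:+ (VirtualBox has '$hint': case matters)}"
            bad=$((bad + 1))
        fi
        [ "$(conf_section_value "$conf" "$id" share)" = "shares/$id" ] ||
            { echo "FAIL: [$id] share must be shares/$id (share name must equal the VM id)"; bad=$((bad + 1)); }
        for k in username password; do
            [ -n "$(conf_section_value "$conf" "$id" "$k")" ] ||
                { echo "FAIL: [$id] $k is empty; it must match the guest's logged-in account"; bad=$((bad + 1)); }
        done
    done
    [ "$bad" -eq 0 ]
}

# check_vboxapi -> 0 when the VirtualBox bindings import under the PYTHONPATH
# set in /etc/environment; non-zero reproduces the ImportError of the second
# run above. Assumes "python" is the Python 2 interpreter used on this page.
check_vboxapi() {
    python -c 'import vboxapi, xpcom.vboxxpcom' 2>/dev/null
}

# Constructed samples (not copied from a live system) for a dry run
sample_conf() {
cat <<'EOF'
[Sniffer]
sniffer = on

[VirtualMachines]
# List virtual machines IDs separated by commas.
enabled = cuckoo1

[cuckoo1]
name = cuckoo1
username = myWindowsUsername
password = myWindowsPassword
# the shared folder name must coincide with the virtual machine id
share = shares/cuckoo1
EOF
}
sample_vms() {
    printf '%s\n' '"cuckoo1" {d959f177-8a5f-4bf5-8e5c-2197fa63aa30}'
}
```

`check_conf_vms` prints one FAIL line per problem and exits non-zero, so it can gate a start-up script; the case-insensitive hint is what turns the `0x80bb0001 (Could not find a registered machine named 'Cuckoo1')` error into an actionable message.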
Testing Cuckoo Sandbox w/ Malware:
Open a new Terminal (Ctrl-Alt-T)
# su - <Enter root password>
# cd /opt/cuckoo
The next step is considered dangerous. If you do not know what you are doing, it is recommended you DO NOT continue. Various websites publish lists of recently discovered malicious URLs, which can be submitted to Cuckoo Sandbox for analysis. If you do not feel comfortable looking for these sites, search through your mail inbox, as you are bound to have a malicious attachment that can be used to test out Cuckoo Sandbox. Keep in mind that the guest has whatever network access its VirtualBox adapter gives it: the nictrace capture records that traffic, it does not block it. Run this on a network you can afford to have malware talk out of, or switch the adapter to host-only before submitting anything real.
*** WARNING ***
:: The easiest way to submit an analysis is to use the provided submit.py command-line utility. The following are some submission examples:
# ./submit.py /path/to/binary
# ./submit.py /path/to/binary --priority 5
# ./submit.py /path/to/binary --timeout 60
# ./submit.py /path/to/binary --package <name of package>
# ./submit.py --download http://www.website.tld/file.exe
# ./submit.py --url http://maliciousurl.tld/exploit.php
# ./submit.py /path/to/binary --machine cuckoo1
:: If the VM closes very quickly after spawning, it is the result of one of the following:
A) The Guest OS username or password does not match what is in the cuckoo.conf file.
B) You did not manually connect to the \\vboxsvr\setup and \\vboxsvr\cuckoo1 shares inside the guest, to cache the session.
C) Your \\vboxsvr shares are not mapped to the proper Host OS paths (i.e. /opt/cuckoo/shares).
D) Something is not correct in how you enabled your .pcap dump file.
:: You can also enable debug logging to help you out:
# vi /opt/cuckoo/conf/cuckoo.conf
[Logging]
# Enable/Disable additional debugging messages. These messages won't be written to
# the log file but just printed on screen. [on/off]
debug = on
All the results are kept in the /opt/cuckoo/analysis directory. You can also spawn the Cuckoo Sandbox Web Analyzer, which is very pretty:
# cd /opt/cuckoo
# ./web.pl