`Cuckoo Sandbox <http://www.cuckoosandbox.org/>`_ auto install script
=====================================================================

Cuckoo Sandbox is a malware analysis system: you can throw any suspicious file at it and get a report with details about the file's behavior inside an isolated environment.

We created this script at `Buguroo Offensive Security <http://www.buguroo.com>`_ to make the painful cuckoo installation quicker and easier.
Most of this script is not distro dependent (though, of course, you've got to run it on GNU/Linux), but package installation at this moment supports only Debian derivatives.

Also, given that we use the proprietary VirtualBox version (most of the time the OSE edition doesn't fulfill our needs), this script requires that `Virtualbox Downloads <http://downloads.virtualbox.org>`_ has a Debian repo for your distro. Forcing the distro in the config file (the ``RELEASE`` variable below) should make it work in unsupported ones.
- `David Reguera García - Dreg <http://github.com/David-Reguera-Garcia-Dreg>`_

  - dreguera@buguroo.com
  - `@fr33project <https://twitter.com/fr33project>`_

- `David Francos Cuartero - XayOn <http://github.com/Xayon>`_

  - dfrancos@buguroo.com
  - `@davidfrancos <https://twitter.com/davidfrancos>`_

.. image:: /../screenshots/cuckooautoinstall.png?raw=true

If you trust us, your network setup and a lot more variables enough (which is totally not recommended) and you're as lazy as it gets, you can execute it as a normal user if you've got sudo configured::

    wget -O - https://raw.githubusercontent.com/buguroo/cuckooautoinstall/master/cuckooautoinstall.bash | bash

Otherwise, download the script first, read it, and run it from a local copy: it installs packages and builds the repositories listed in the configuration below through sudo, so whatever you don't review beforehand ends up running as root on your host.
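As an added example (not part of cuckooautoinstall itself), this is the same one-liner with the two checks a cautious user would put in front of the ``bash``: the script is fetched at a fixed commit rather than ``master``, and it only runs when its SHA-256 matches a digest you recorded after reading it. The commit id and the digest are placeholders you supply; no published values are assumed.

```shell
#!/usr/bin/env bash
# Added example (not part of cuckooautoinstall): download the installer pinned to a
# commit and run it only if its SHA-256 matches a digest you recorded after reading it.
# The commit id and digest are placeholders you supply; nothing here is a published value.
set -eu

REPO_RAW="https://raw.githubusercontent.com/buguroo/cuckooautoinstall"

# Print the SHA-256 of a file; works with GNU sha256sum or BSD/macOS shasum.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_script FILE EXPECTED_SHA256: succeed only when the digests match.
verify_script() {
  actual=$(sha256_of "$1")
  [ "$actual" = "$2" ]
}

# fetch_pinned COMMIT DEST: fetch the script at a fixed commit instead of "master",
# so what you reviewed is what you run even if the branch moves later.
fetch_pinned() {
  wget -q -O "$2" "$REPO_RAW/$1/cuckooautoinstall.bash"
}

# install_checked COMMIT EXPECTED_SHA256 [installer args...]: the curl|bash
# one-liner, with the pin and the digest check in front of the bash.
install_checked() {
  commit="$1"; expected="$2"; shift 2
  tmp=$(mktemp)
  fetch_pinned "$commit" "$tmp"
  if verify_script "$tmp" "$expected"; then
    bash "$tmp" "$@"
  else
    echo "SHA-256 of $tmp does not match $expected; refusing to run it" >&2
    rm -f "$tmp"
    return 1
  fi
}

# Usage (placeholders): install_checked <commit-id> <sha256-you-recorded> --upgrade
```

Record the digest from the copy you actually read (``sha256sum cuckooautoinstall.bash``), not from a value someone else hands you; the pin only guarantees that the content cannot change between your review and the run.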
The script accepts a configuration file in the form of a simple bash script. These are the defaults::

    SUDO="sudo"                      # command used to gain root for package installs
    TMPDIR=$(mktemp -d)              # scratch directory for downloads and builds
    RELEASE=$(lsb_release -cs)       # distro codename used for the VirtualBox repo
    CUCKOO_USER="cuckoo"             # unprivileged user that will run cuckoo
    CUSTOM_PKGS=""                   # extra packages to install
    ORIG_DIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
    VOLATILITY_URL="http://downloads.volatilityfoundation.org/releases/2.4/volatility-2.4.tar.gz"
    VIRTUALBOX_REP="deb http://download.virtualbox.org/virtualbox/debian $RELEASE contrib"
    CUCKOO_REPO='https://github.com/cuckoobox/cuckoo'
    YARA_REPO="https://github.com/plusvic/yara"
    JANSSON_REPO="https://github.com/akheron/jansson"
    LOG=$(mktemp)                    # log file used unless --verbose is given
    UPGRADE=false                    # set by --upgrade

You can override any of these variables in the config file.
It accepts parameters::

    ┌─────────────────────────────────────────────────────────┐
    │ CuckooAutoInstall 0.2                                   │
    │ David Reguera García - Dreg <dreguera@buguroo.com>      │
    │ David Francos Cuartero - XayOn <dfrancos@buguroo.com>   │
    │ Buguroo Offensive Security - 2015                       │
    └─────────────────────────────────────────────────────────┘
    Usage: cuckooautoinstall.bash [--verbose|-v] [--help|-h] [--upgrade|-u]
        --verbose   Print output to stdout instead of temp logfile
        --help      This help menu
        --upgrade   Use newer volatility, yara and jansson versions (install from source)

For most setups, ``--upgrade`` is recommended.
Once the script finishes, set a password for the cuckoo user it created::

    passwd cuckoo

Then create the guest virtual machine following http://docs.cuckoosandbox.org/en/latest/installation/guest/ or import an existing one from an OVA file::

    VBoxManage import virtual_machine.ova

Attach the guest to the host-only adapter ``vboxnet0``::

    VBoxManage modifyvm "virtual_machine" --hostonlyadapter1 vboxnet0

Configure cuckoo following http://docs.cuckoosandbox.org/en/latest/installation/host/configuration/
Execute cuckoo::

    cd ~cuckoo/cuckoo
    python cuckoo.py

.. image:: /../screenshots/github%20cuckoo%20working.png?raw=true

Start the web interface::

    cd ~cuckoo/cuckoo/web
    python manage.py runserver 0.0.0.0:6969

Binding to ``0.0.0.0`` exposes Django's development server, which is not meant to face untrusted networks, on every interface of the host; use ``127.0.0.1:6969`` unless you really need to reach it from another machine.

.. image:: /../screenshots/github%20django.png?raw=true
Give the guests internet access through the host (assuming ``eth0`` is your uplink and ``vboxnet0`` is the host-only adapter on 192.168.56.0/24)::

    sudo iptables -A FORWARD -o eth0 -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT
    sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    sudo iptables -A POSTROUTING -t nat -j MASQUERADE
    sudo sysctl -w net.ipv4.ip_forward=1

Keep in mind that the ``MASQUERADE`` rule above is not limited to the guest subnet or to ``eth0``, and that nothing in these rules stops a guest from reaching other machines on your LAN: the samples you run get exactly that access. Restrict the rules to ``-s 192.168.56.0/24 -o eth0`` and block the networks you care about if that matters to you.
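The rules above, tightened the way described, as an added example (this script is not part of cuckooautoinstall). It masquerades only the guest subnet and only on the uplink, rejects guest traffic towards the host's LAN before anything is accepted, and uses ``iptables -C`` so it can be re-run after a reboot without duplicating rules. ``HOST_LAN`` is an assumed value; ``vboxnet0``, ``eth0`` and ``192.168.56.0/24`` are the ones used on this page.

```shell
#!/usr/bin/env bash
# Added example (not part of cuckooautoinstall): the NAT rules above, tightened so that
# only the guest network is masqueraded, only via the uplink, and the guests cannot
# reach the host's LAN. HOST_LAN is an assumed value; adjust it to your network.
set -eu

GUEST_IF="${GUEST_IF:-vboxnet0}"            # host-only adapter the guests sit on
GUEST_NET="${GUEST_NET:-192.168.56.0/24}"   # VirtualBox's default host-only subnet
OUT_IF="${OUT_IF:-eth0}"                    # uplink used for the masquerade
HOST_LAN="${HOST_LAN:-192.168.1.0/24}"      # assumption: your real LAN, kept off-limits
IPT="${IPT:-iptables}"                      # set IPT=echo to print rules instead of applying them

# Append a rule only if it is not already present (iptables -C exits 0 when it is),
# so re-running this after a reboot never duplicates rules. With IPT=echo, just print.
add_rule() {
  table="$1"; shift
  if [ "$IPT" = "iptables" ]; then
    "$IPT" -t "$table" -C "$@" 2>/dev/null || "$IPT" -t "$table" -A "$@"
  else
    "$IPT" -t "$table" -A "$@"
  fi
}

cuckoo_rules() {
  # 1. Guests may not talk to the host's LAN, whatever the sample tries.
  add_rule filter FORWARD -i "$GUEST_IF" -s "$GUEST_NET" -d "$HOST_LAN" -j REJECT
  # 2. New connections are accepted only from the guest subnet, only towards the uplink.
  add_rule filter FORWARD -i "$GUEST_IF" -o "$OUT_IF" -s "$GUEST_NET" -m conntrack --ctstate NEW -j ACCEPT
  # 3. Return traffic for those connections, and nothing else, comes back in.
  add_rule filter FORWARD -i "$OUT_IF" -o "$GUEST_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # 4. Masquerade the guest subnet only, and only on the uplink, not everything the host forwards.
  add_rule nat POSTROUTING -s "$GUEST_NET" -o "$OUT_IF" -j MASQUERADE
}

enable_forwarding() {
  if [ "$IPT" = "iptables" ]; then
    sysctl -w net.ipv4.ip_forward=1
  else
    echo "sysctl -w net.ipv4.ip_forward=1"
  fi
}

# Dry run:  IPT=echo APPLY=1 bash cuckoo-nat.sh
# Apply:    sudo APPLY=1 bash cuckoo-nat.sh
if [ "${APPLY:-0}" = 1 ]; then
  cuckoo_rules
  enable_forwarding
fi
```

Traffic from the guests to the host itself (the cuckoo result server on the ``vboxnet0`` address) goes through ``INPUT``, not ``FORWARD``, so the reject in rule 1 does not interfere with the analysis; add further ``-d`` rejects for any other private ranges you want kept out of reach.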
Enable running tcpdump as a non-root user::

    sudo apt-get -y install libcap2-bin
    sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump

This grants raw packet capture to every user who can execute tcpdump, not only to cuckoo; you can confirm the result with ``getcap /usr/sbin/tcpdump``.
Fixes the "TEMPLATE_DIRS setting must be a tuple" error when running ``python manage.py`` with Django >= 1.6. In ``web/web/settings.py``::

    TEMPLATE_DIRS = (
        "templates"
    )

becomes::

    TEMPLATE_DIRS = (
        ("templates"),
    )

The trailing comma is what makes the value a one-element tuple; without it the parentheses are only grouping and ``TEMPLATE_DIRS`` is a plain string.
To keep cuckoo and its API running in the background, we recommend supervisor.

Install supervisor::

    sudo apt-get install supervisor

Edit ``/etc/supervisor/conf.d/cuckoo.conf`` like this (paths match the ``~cuckoo/cuckoo`` checkout used above)::

    [program:cuckoo]
    command=python cuckoo.py
    directory=/home/cuckoo/cuckoo
    user=cuckoo

    [program:cuckoo-api]
    command=python api.py
    directory=/home/cuckoo/cuckoo/utils
    user=cuckoo

Reload supervisor::

    sudo supervisorctl reload
As you probably have already noticed, iptables rules don't survive a reboot. If you want to make them persistent, we recommend iptables-save & iptables-restore::

    sudo iptables-save > your_custom_iptables_rules
    sudo iptables-restore < your_custom_iptables_rules

On Debian derivatives the ``iptables-persistent`` package restores ``/etc/iptables/rules.v4`` at boot for you. ``net.ipv4.ip_forward=1`` is not persistent either; put it in ``/etc/sysctl.conf`` or a file under ``/etc/sysctl.d/``.
You may want to read:

- `Remote <./doc/Remote.rst>`_ - Enabling remote administration of VMs and VBox
- `OVA <./doc/OVA.rst>`_ - Working with OVA images
- `Antivm <./doc/Antivm.rst>`_ - How to deal with malware that has VM detection techniques
- `VMcloak <./doc/Vmcloak.rst>`_ - VMCloak - Cuckoo windows virtual machines management

This project is licensed as GPL3+ as you can see in the "LICENSE" file. All pull requests are welcome, having in mind that we'd probably be answering PRs in a 7-14 day period, so please be patient.