cuckoosandbox / cuckoo

Cuckoo Sandbox is an automated dynamic malware analysis system
http://www.cuckoosandbox.org

Cuckoo Rooter not routing #2206

Open Mokatsu opened 6 years ago

Mokatsu commented 6 years ago

Thanks for creating an issue! But first: did you read our community guidelines? https://cuckoo.sh/docs/introduction/community.html

My issue is:

I have an inetsim running on my cuckoo sandbox at the virtual interface, then I have the routing.conf configured to use that up. When I use rooter, it writes new iptables and when I run my analysis my VMs can't connect to my inetsim server, same thing happens when I try to use the dirty line.

What is weird is that it worked yesterday and then no settings were changed. Even if I set the iptables manually, my VMs get internet access but after I start the analysis, the connection is cut off.

My Cuckoo version and operating system are:

2.0.5 Host: Ubuntu 16.04 Guest: Windows 7

This can be reproduced by:
The log, error, files etc can be found at:

routing.conf
route = inetsim
internet = eth0
rt_table = main
auto_rt = yes
drop = no
[inetsim]
enabled = yes
server = 192.168.1.1

doomedraven commented 6 years ago

Post log, post iptables -L and iptables -L -t nat

Mokatsu commented 6 years ago

$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED

Chain FORWARD (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.1.0/24       anywhere            
ACCEPT     all  --  192.168.1.0/24       192.168.1.0/24      
LOG        all  --  anywhere             anywhere             LOG level warning

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
$ sudo iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  anywhere             anywhere            
MASQUERADE  all  --  anywhere             anywhere            
MASQUERADE  all  --  anywhere             anywhere            
MASQUERADE  all  --  192.168.1.0/24       anywhere            
MASQUERADE  all  --  192.168.1.0/24       anywhere            
MASQUERADE  all  --  192.168.1.0/24       anywhere            
MASQUERADE  all  --  192.168.1.0/24       anywhere            
MASQUERADE  all  --  192.168.1.0/24       anywhere            
MASQUERADE  all  --  192.168.1.0/24       anywhere            
MASQUERADE  all  --  192.168.1.0/24       anywhere            
MASQUERADE  all  --  anywhere             anywhere 

VirtualBox for the hypervisor

Mokatsu commented 6 years ago

The default iptables are the ones that are defined in the cuckoo documentation as simple routing

Mokatsu commented 6 years ago

So I got it to where my internet option in rooter works (if I use a public DNS) but the inetsim does not, I cannot get the inetsim webpage. The service is running (inetsim).

doomedraven commented 6 years ago

You can't use simple routing and router, wipe all iptables and restart cuckoo and try again

Mokatsu commented 6 years ago

That did not work. I also thought that rooter creates iptables based on the analysis type (routing type)

jpalanco commented 6 years ago

Can you activate iptables log with -j LOG?

doomedraven commented 6 years ago

@Mokatsu it does that, but you can't use custom rules and router rules at the same time
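
Added example (not part of the thread and not Cuckoo's own code): the nat listing posted above shows the same MASQUERADE rule several times, so this Python script parses non-verbose `iptables -L` output for one table and counts identical rules per chain. The sample text is constructed from that listing and the function names are hypothetical; without `-v` the listing omits the interface columns, so rules that print identically may still differ.

```python
import re
import sys
from collections import Counter

# Constructed sample, abbreviated from the `iptables -L -t nat` listing in the thread.
SAMPLE = """\
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  anywhere             anywhere
MASQUERADE  all  --  anywhere             anywhere
MASQUERADE  all  --  192.168.1.0/24       anywhere
MASQUERADE  all  --  192.168.1.0/24       anywhere
MASQUERADE  all  --  192.168.1.0/24       anywhere
"""

# Matches "Chain NAME (policy X)" and user chains such as "Chain NAME (1 references)".
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\w+))?")


def parse_listing(text):
    """Parse one table's listing into {chain: {"policy": ..., "rules": [...]}}."""
    chains, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = CHAIN_RE.match(line)
        if m:
            current = chains.setdefault(m.group(1), {"policy": m.group(2), "rules": []})
        elif line and current is not None and not line.startswith(("target", "$")):
            # Collapse column padding so identical rules compare equal.
            current["rules"].append(tuple(line.split()))
    return chains


def duplicate_rules(chains):
    """Return [(chain, rule_text, count)] for every rule listed more than once."""
    found = []
    for name, chain in chains.items():
        for rule, count in Counter(chain["rules"]).items():
            if count > 1:
                found.append((name, " ".join(rule), count))
    return found


if __name__ == "__main__":
    # Pipe a real listing in on stdin, or run with no input to use the sample.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for chain, rule, count in duplicate_rules(parse_listing(text)):
        print(f"{chain}: {count}x {rule}")
```

Feed it one table at a time, since the filter and nat tables both contain chains named INPUT and OUTPUT.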