cuckoosandbox / cuckoo

Cuckoo Sandbox is an automated dynamic malware analysis system
http://www.cuckoosandbox.org

Need Help With Physical Set Up #2979

Open BenRhesius opened 4 years ago

BenRhesius commented 4 years ago

I'm new to Cuckoo. I've set up a working FOG server running on Debian 10.3 that helps me capture & deploy images to 4 other PCs that I will run malware in for analysis. All devices are connected to a switch. My advisor told me that I could use Cuckoo to run the malware in a sandbox & it will help me send the details and also automate the imaging from FOG. But, other than telling me it can be done, he did not know how to get it done & neither do I. Therefore, I need help on how to set up my Cuckoo files for the host & also set up the four physical agents. I tried running in VirtualBox, but I fail to understand how to set up the conf files and the agents. I got my host successfully installed with Cuckoo but that's as far as I can go because most of the guides online are running their agents in VirtualBox.

Server:
- Debian 10.3 running FOG server & DHCP
- 2 NICs connected by cables (one connected to the internet & another to a switch with a static IP of its own)

Clients:
- Win 10, Win 8.1, Win 7, Win XP respectively (cannot be connected to the internet to maintain consistency)
- each has its own static IP address

Currently, I need to run my FOG & Cuckoo simultaneously for automation. It's been a week of trial & error already but I'm not progressing any more. Hence my last resort is to post it in the GitHub space, since there's no proper forum dedicated to Cuckoo. I hope I receive some guidance & help. Thank you.

RedWolf74 commented 4 years ago

Hi BenRhesius,

maybe you have moved on from the topic in the meantime, but in any case it could be of some help for others. I have a current Cuckoo 2.0.7 in conjunction with a current FOG 1.5.9 and Win 7 x64 based physical machinery up and running.

I know (and preferred it myself for the last few years) that the main focus was on the virtual infrastructure. But as long as "anti-debugging checks" for virtual machines keep increasing (who would ever have said that a VM to work on is better malware protection than an AV), I tried to go back to physical infrastructure for analysis. Everything is going virtual, except malware.

But regarding your request for help: as of the time of your writing, I assume you are using Cuckoo 2.0.x and FOG 1.5.x. This and the description of your environment lead to 3 "no-gos" from my point of view.

  1. Do not use Win 8.x or Win 10. The recommended Windows version is Win 7 x64. As you submit samples for dedicated applications, these applications are the intrusion vector, not the OS. But the OS can stop them in higher versions.

  2. Use the "OLD" agent on the clients. The "NEW" agent does not work with physical machinery! I don't know for sure what's OLD or NEW; I use an agent from 2016. Please just use the search engine of your choice to find the latest OLD agent, if needed.

  3. The Cuckoo-supported versions of FOG are limited to two explicit versions, which are a bit outdated and verified by HTML parsing. To overcome this, I modified my /usr/local/lib/python2.7/dist-packages/cuckoo/machinery/physical.py to use the current FOG API. For this I added an "import json" to the import section and replaced the FOG-related functions with the following code:

    # These methods replace the FOG-related methods of the Physical machinery
    # class in physical.py. Besides the added "import json", they rely on the
    # names physical.py already imports: re, requests, wakeonlan.wol,
    # CuckooCriticalError and CuckooMachineError.

    def fog_query(self, uri, headers=None):
        """Wrapper around requests for simplifying FOG API access. Assuming
        you can call what FOG is providing an API."""
        url = "http://%s/fog/%s" % (self.options.fog.hostname, uri)

        # The FOG user token and API token are carried in the existing
        # fog.username and fog.password settings of physical.conf.
        headers = dict(headers or {})
        headers.update({
            "fog-user-token": self.options.fog.username,
            "fog-api-token": self.options.fog.password,
        })

        # Return the JSON output as a string if the result code is 200,
        # else "ERROR <code>" (status_code is an int, so format it rather
        # than concatenating it).
        res = requests.get(url, headers=headers)
        if res.status_code == 200:
            return json.dumps(res.json())
        return "ERROR %d" % res.status_code

    def fog_init(self):
        """Initiate by indexing FOG regarding all available machines."""
        self.fog_machines = {}
        if self.options.fog.hostname == "none":
            return

        # Query the FOG hosts and load the JSON structure if the query
        # returned no error.
        r = self.fog_query("host")
        if re.match(r"^ERROR ", r):
            raise CuckooCriticalError(
                "The supplied FOG user- and/or api-token do not allow us "
                "to login into FOG, or the server is unreachable (%s)." % r
            )
        r = json.loads(r)

        # Mapping for physical machine hostnames to their mac address and
        # host-ID for "downloading" a safe image onto the host. Only hosts
        # that have an image assigned in FOG can be re-imaged.
        for host in r["hosts"]:
            if host["imagename"] != "":
                self.fog_machines[host["name"]] = (host["primac"], host["id"])

        # Check whether all our machines are available on FOG.
        for machine in self.machines():
            if machine.label not in self.fog_machines:
                raise CuckooMachineError(
                    "The physical machine %s has not been defined in FOG, "
                    "please investigate and configure the configuration "
                    "correctly." % machine.label
                )

    def fog_queue_task(self, hostname):
        """Queue a task with FOG to deploy the given machine after reboot."""
        # Get the tasktypeID for "Deploy" from FOG.
        r = self.fog_query("tasktype")
        if re.match(r"^ERROR ", r):
            raise CuckooCriticalError(
                "The supplied FOG user- and/or api-token do not allow us "
                "to login into FOG, or the server is unreachable (%s)." % r
            )
        r = json.loads(r)

        tasktypeid = ""
        for tasktype in r["tasktypes"]:
            if tasktype["name"] == "Deploy":
                tasktypeid = str(tasktype["id"])
        if tasktypeid == "":
            raise CuckooCriticalError(
                "Could not determine the TaskTypeID for the Deploy Task "
                "from the FOG-Server."
            )

        if hostname in self.fog_machines:
            macaddr, fogid = self.fog_machines[hostname]
            url = "http://%s/fog/host/%s/task" % (
                self.options.fog.hostname, fogid,
            )
            headers = {
                "fog-user-token": self.options.fog.username,
                "fog-api-token": self.options.fog.password,
            }
            # requests.post() did not work for me with "data=json.dumps(data)"
            # or "json=data", so this little workaround: every value is sent
            # as a string.
            data = {
                "taskTypeID": tasktypeid,
                "Hostname": hostname,
                "isForced": "1",
                "wol": "1",
            }
            jsondata = json.dumps(data)
            res = requests.post(url, headers=headers, data=jsondata)
            if res.status_code != 200:
                raise CuckooMachineError(
                    "The re-image task for the physical machine %s has not "
                    "been scheduled successfully (Error %s). "
                    "Please investigate and configure the configuration "
                    "correctly." % (hostname, res.status_code)
                )

    def wake_on_lan(self, hostname):
        """Start a machine that's currently shutdown."""
        if hostname in self.fog_machines:
            macaddr, fogid = self.fog_machines[hostname]
            wakeonlan.wol.send_magic_packet(macaddr)

This is a quick'n'dirty solution, but it works very well for me. The USER and API tokens are simply held in the predefined conf vars fog username and password in the physical.conf file.

Please ensure that the "label" in your machine definition matches the machine name in your FOG system. Also check whether the network setup of your Cuckoo instance and clients meets the documentation (client setup for gateway and DNS server, Cuckoo routing, forwarding and NAT; maybe you have to install a DNS server, e.g. dnsmasq, on the Cuckoo server).

Then set up your client and do the adjustments as documented, ensure the agent will be auto-started, take an image with FOG, edit your physical.conf accordingly and you are good to go.

Regards, Red
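The two things the reply above says must line up before the patched physical.py can work are the machine "label" in physical.conf and the host name FOG reports, plus an image assigned to that FOG host and a task type named "Deploy". The script below is an added example written for this thread (it is not Cuckoo's code and not RedWolf74's patch) that checks exactly that offline, before Cuckoo is started: it parses a physical.conf, compares every label against the FOG host listing, and builds the POST /fog/host/<id>/task request that fog_queue_task would send. It is Python 3 and standard library only. The physical.conf text and the two FOG responses are constructed sample data; the FOG field names are the ones the patch reads, while the host names, IPs, MACs, tokens and task type ids are made up.

```python
# Added example: preflight check for a Cuckoo physical.conf paired with a FOG
# server. Not Cuckoo's code and not the patch from the thread. Python 3,
# standard library only. Everything in the SAMPLE_* constants is constructed.
import configparser
import json

SAMPLE_PHYSICAL_CONF = """\
[physical]
machines = win7-01, win7-02, winxp-01

[win7-01]
label = win7-01
platform = windows
ip = 192.168.56.101

[win7-02]
label = win7-02
platform = windows
ip = 192.168.56.102

[winxp-01]
label = winxp-01
platform = windows
ip = 192.168.56.103

[fog]
hostname = 192.168.56.1
username = FOG-USER-API-TOKEN
password = FOG-API-TOKEN
"""

# Constructed stand-ins for what GET /fog/host and GET /fog/tasktype return.
SAMPLE_FOG_HOSTS = {"count": 2, "hosts": [
    {"id": "3", "name": "win7-01", "primac": "00:11:22:33:44:01", "imagename": "win7-cuckoo"},
    {"id": "4", "name": "win7-02", "primac": "00:11:22:33:44:02", "imagename": ""},
]}
SAMPLE_FOG_TASKTYPES = {"count": 3, "tasktypes": [
    {"id": "1", "name": "Deploy"}, {"id": "2", "name": "Capture"}, {"id": "14", "name": "Wake-Up"},
]}


def parse_physical_conf(text):
    """Return ({label: ip}, {fog option: value}) from physical.conf text."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    machines = {}
    for name in cp.get("physical", "machines").split(","):
        name = name.strip()
        if name:
            machines[cp.get(name, "label")] = cp.get(name, "ip")
    return machines, dict(cp.items("fog"))


def index_fog_hosts(hosts_response):
    """Map FOG host name -> (primary MAC, FOG host id, image name)."""
    return {h["name"]: (h["primac"], h["id"], h["imagename"])
            for h in hosts_response["hosts"]}


def preflight(machines, fog_hosts):
    """List what would make fog_init() or a re-image task fail: a label FOG
    does not know, or a FOG host with no image to deploy."""
    problems = []
    for label in sorted(machines):
        if label not in fog_hosts:
            problems.append("%s: not defined as a host in FOG" % label)
        elif not fog_hosts[label][2]:
            problems.append("%s: defined in FOG but has no image assigned" % label)
    return problems


def deploy_task_request(fog, fog_hosts, tasktypes_response, label):
    """Build (url, headers, body) for POST /fog/host/<id>/task, the call the
    patched fog_queue_task() makes; fail before posting when the Deploy task
    type or the host is missing rather than queue a half-built task."""
    deploy_ids = [t["id"] for t in tasktypes_response["tasktypes"] if t["name"] == "Deploy"]
    if not deploy_ids:
        raise LookupError("FOG reported no task type named Deploy")
    if label not in fog_hosts:
        raise LookupError("%s is not a FOG host" % label)
    _mac, host_id, _image = fog_hosts[label]
    url = "http://%s/fog/host/%s/task" % (fog["hostname"], host_id)
    headers = {"fog-user-token": fog["username"], "fog-api-token": fog["password"],
               "Content-Type": "application/json"}
    body = json.dumps({"taskTypeID": str(deploy_ids[0]), "Hostname": label,
                       "isForced": "1", "wol": "1"})
    return url, headers, body


if __name__ == "__main__":
    machines, fog = parse_physical_conf(SAMPLE_PHYSICAL_CONF)
    hosts = index_fog_hosts(SAMPLE_FOG_HOSTS)
    for problem in preflight(machines, hosts):
        print("PROBLEM:", problem)
    print("would POST %s to %s" % deploy_task_request(fog, hosts, SAMPLE_FOG_TASKTYPES, "win7-01")[2::-2])
```

Against the constructed data the check reports win7-02 (in FOG, no image) and winxp-01 (not in FOG), which is the same condition fog_init() turns into a CuckooMachineError at startup, only caught before Cuckoo is running. To use it for real, replace the two SAMPLE_FOG_* constants with the parsed JSON of GET http://<fog>/fog/host and GET http://<fog>/fog/tasktype sent with the same fog-user-token / fog-api-token headers, and post the returned body with requests or urllib. Note that physical.conf then holds both FOG API tokens in clear text, so keep its file permissions to the Cuckoo user only; the tokens allow anyone who reads them to re-image every FOG host.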