doomedraven
commented
1 year ago 122 range is nat range, i guess you need to dig into the bad network configuration, review virtbr1 ip range
Closed CassieXx0215 closed 1 year ago
doomedraven
commented
1 year ago 122 range is nat range, i guess you need to dig into the bad network configuration, review virtbr1 ip range
CassieXx0215
commented
1 year ago 122 range is nat range, i guess you need to dig into the bad network configuration, review virtbr1 ip range
@doomedraven Thanks for the quick reply! I have tried to change the network to 55 range (host:192.168.55.1, guest:192.168.55.231), but the problem remains the same.
Furthermore, this is the output from the agent in the guest, it sends several GET and POST requests, and then forever loops GET /status, which all requests return 200. Is this expected behavior?
doomedraven
commented
1 year ago Yes expected, ok range is fine, but what about network interfaces in kvm.conf and virt-manager/libvirt for that vm?
CassieXx0215
commented
1 year ago Here are the relevant conf files:
virbr2: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 192.168.55.1 netmask 255.255.255.0 broadcast 192.168.55.255
ether 52:54:00:1c:11:b5 txqueuelen 1000 (Ethernet)
RX packets 10293 bytes 1764983 (1.7 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 11604 bytes 125261291 (125.2 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0[cuckoo]
# Which category of tasks do you want to analyze?
categories = static, pcap, url, file
# If turned on, Cuckoo will delete the original file after its analysis
# has been completed.
delete_original = off
# Archives are not deleted by default, as it extracts and "original file" become extracted file
delete_archive = on
# If turned on, Cuckoo will delete the copy of the original file in the
# local binaries repository after the analysis has finished. (On *nix this
# will also invalidate the file called "binary" in each analysis directory,
# as this is a symlink.)
delete_bin_copy = off
# Specify the name of the machinery module to use, this module will
# define the interaction between Cuckoo and your virtualization software
# of choice.
machinery = kvm
# Enable creation of memory dump of the analysis machine before shutting
# down. Even if turned off, this functionality can also be enabled at
# submission. Currently available for: VirtualBox and libvirt modules (KVM).
memory_dump = off
# When the timeout of an analysis is hit, the VM is just killed by default.
# For some long-running setups it might be interesting to terminate the
# moinitored processes before killing the VM so that connections are closed.
terminate_processes = off
# Enable automatically re-schedule of "broken" tasks each startup.
# Each task found in status "processing" is re-queued for analysis.
reschedule = off
# Fail "unserviceable" tasks as they are queued.
# Any task found that will never be analyzed based on the available analysis machines
# will have its status set to "failed".
fail_unserviceable = on
# Limit the amount of analysis jobs a Cuckoo process goes through.
# This can be used together with a watchdog to mitigate risk of memory leaks.
max_analysis_count = 0
# Limit the number of concurrently executing analysis machines.
# This may be useful on systems with limited resources.
# Set to 0 to disable any limits.
max_machines_count = 10
# Limit the amount of VMs that are allowed to start in parallel. Generally
# speaking starting the VMs is one of the more CPU intensive parts of the
# actual analysis. This option tries to avoid maxing out the CPU completely.
max_vmstartup_count = 5
# Minimum amount of free space (in MB) available before starting a new task.
# This tries to avoid failing an analysis because the reports can't be written
# due out-of-diskspace errors. Setting this value to 0 disables the check.
# (Note: this feature is currently not supported under Windows.)
freespace = 50000
# Process tasks, but not reach out of memory
freespace_processing = 15000
# Temporary directory containing the files uploaded through Cuckoo interfaces
# (web.py, api.py, Django web interface).
tmppath = /tmp
# Delta in days from current time to set the guest clocks to for file analyses
# A negative value sets the clock back, a positive value sets it forward.
# The default of 0 disables this option
# Note that this can still be overridden by the per-analysis clock setting
# and it is not performed by default for URL analysis as it will generally
# result in SSL errors
daydelta = 0
# Path to the unix socket for running root commands.
rooter = /tmp/cuckoo-rooter
# Enable if you want to see a DEBUG log periodically containing backlog of pending tasks, locked vs unlocked machines.
# NOTE: Enabling this feature adds 4 database calls every 10 seconds.
periodic_log = off
# Max filename length for submissions, before truncation. 196 is arbitrary.
max_len = 196
# If it is greater than this, call truncate the filename further for sanitizing purposes.
# Length truncated to is controlled by sanitize_to_len.
#
# This is to prevent long filenames such as files named by hash.
sanitize_len = 32
sanitize_to_len = 24
[resultserver]
# The Result Server is used to receive in real time the behavioral logs
# produced by the analyzer.
# Specify the IP address of the host. The analysis machines should be able
# to contact the host through such address, so make sure it's valid.
# NOTE: if you set resultserver IP to 0.0.0.0 you have to set the option
# `resultserver_ip` for all your virtual machines in machinery configuration.
ip = 192.168.55.1
# Specify a port number to bind the result server on.
port = 3042
# Force the port chosen above, don't try another one (we can select another
# port dynamically if we can not bind this one, but that is not an option
# in some setups)
force_port = yes
pool_size = 0
# Should the server write the legacy CSV format?
# (if you have any custom processing on those, switch this on)
store_csvs = off
# Maximum size of uploaded files from VM (screenshots, dropped files, log)
# The value is expressed in bytes, by default 100MB.
upload_max_size = 100000000
# To enable trimming of huge binaries go to -> web.conf -> general -> enable_trim
# Prevent upload of files that passes upload_max_size?
do_upload_max_size = no
[processing]
# Set the maximum size of analyses generated files to process. This is used
# to avoid the processing of big files which may take a lot of processing
# time. The value is expressed in bytes, by default 200MB.
analysis_size_limit = 200000000
# Enable or disable DNS lookups.
resolve_dns = on
# Enable or disable reverse DNS lookups
# This information currently is not displayed in the web interface
reverse_dns = off
# Enable PCAP sorting, needed for the connection content view in the web interface.
sort_pcap = on
[database]
# Specify the database connection string.
# Examples, see documentation for more:
# sqlite:///foo.db
# postgresql://foo:bar@localhost:5432/mydatabase
# mysql://foo:bar@localhost/mydatabase
# If empty, default is a SQLite in db/cuckoo.db.
# SQLite doens't support database upgrades!
# For production we strongly suggest go with PostgreSQL
connection =
# Database connection timeout in seconds.
# If empty, default is set to 60 seconds.
timeout =
[timeouts]
# Set the default analysis timeout expressed in seconds. This value will be
# used to define after how many seconds the analysis will terminate unless
# otherwise specified at submission.
default = 200
# Set the critical timeout expressed in (relative!) seconds. It will be added
# to the default timeout above and after this timeout is hit
# Cuckoo will consider the analysis failed and it will shutdown the machine
# no matter what. When this happens the analysis results will most likely
# be lost.
critical = 60
# Maximum time to wait for virtual machine status change. For example when
# shutting down a vm. Default is 300 seconds.
vm_state = 300
[tmpfs]
# only if you using volatility to speedup IO
# mkdir -p /mnt/tmpfs
# mount -t tmpfs -o size=50g ramfs /mnt/tmpfs
# chown cape:cape /mnt/tmpfs
#
# vim /etc/fstab
# tmpfs /mnt/tmpfs tmpfs nodev,nosuid,noexec,nodiratime,size=50g 0 0
#
# Add crontab with
# @reboot chown cape:cape /mnt/tmpfs -R
enabled = off
path = /mnt/tmpfs/
# in mb
freespace = 2000[kvm]
# Specify a comma-separated list of available machines to be used. For each
# specified ID you have to define a dedicated section containing the details
# on the respective machine. (E.g. cuckoo1,cuckoo2,cuckoo3)
machines = win10
interface = virbr2
[win10]
# Specify the label name of the current machine as specified in your
# libvirt configuration.
label = win10
# Specify the operating system platform used by current machine
# [windows/darwin/linux].
platform = windows
# Specify the IP address of the current virtual machine. Make sure that the
# IP address is valid and that the host machine is able to reach it. If not,
# the analysis will fail. You may want to configure your network settings in
# /etc/libvirt/<hypervisor>/networks/
ip = 192.168.55.231
# Specify tags to display
# Tags may be used to specify on which guest machines a sample should be run
# NOTE - One of the following OS version tags MUST be included for Windows VMs:
# winxp,win7, win10, win11
# Some samples will only detonate on specific versions of Windows (see web.conf packages for more info)
# Example: MSIX - Windows >= 10
# tags = winxp,acrobat_reader_6
# (Optional) Specify the snapshot name to use. If you do not specify a snapshot
# name, the KVM MachineManager will use the current snapshot.
# Example (Snapshot1 is the snapshot name):
# snapshot = Snapshot1
# (Optional) Specify the name of the network interface that should be used
# when dumping network traffic from this machine with tcpdump. If specified,
# overrides the default interface specified in auxiliary.conf
# Example (virbr0 is the interface name):
interface = virbr2
# (Optional) Specify the IP of the Result Server, as your virtual machine sees it.
# The Result Server will always bind to the address and port specified in cuckoo.conf,
# however you could set up your virtual network to use NAT/PAT, so you can specify here
# the IP address for the Result Server as your machine sees it. If you don't specify an
# address here, the machine will use the default value from cuckoo.conf.
# NOTE: if you set this option you have to set result server IP to 0.0.0.0 in cuckoo.conf.
# Example:
resultserver_ip = 192.168.55.1
# (Optional) Specify the port for the Result Server, as your virtual machine sees it.
# The Result Server will always bind to the address and port specified in cuckoo.conf,
# however you could set up your virtual network to use NAT/PAT, so you can specify here
# the port for the Result Server as your machine sees it. If you don't specify a port
# here, the machine will use the default value from cuckoo.conf.
# Example:
resultserver_port = 3042
# Set the machine architecture
# Required to auto select proper machine architecture for sample
# x64 or x86
arch = x86
# (Optional) Specify whether or not the machine should be reserved, meaning that it will
# only be used for a detonation if specifically requested by its label.
# reserved = no[routing]
# Enable pcap generation for non live connections?
# If you have huge number of VMs, pcap generation can be a bottleneck
enable_pcap = no
# Default network routing mode; "none", "internet", or "vpn_name".
# In none mode we don't do any special routing - the VM doesn't have any
# network access (this has been the default actually for quite a while).
# In internet mode by default all the VMs will be routed through the network
# interface configured below (the "dirty line").
# And in VPN mode by default the VMs will be routed through the VPN identified
# by the given name of the VPN.
# Note that just like enabling VPN configuration setting this option to
# anything other than "none" requires one to run utils/rooter.py as root next
# to the CAPE instance (as it's required for setting up the routing).
route = internet
# Network interface that allows a VM to connect to the entire internet, the
# "dirty line" so to say. Note that, just like with the VPNs, this will allow
# malicious traffic through your network. So think twice before enabling it.
# (For example, to route all VMs through eth0 by default: "internet = eth0").
internet = enp0s31f6
# Routing table name/id for "dirty line" interface. If "dirty line" is
# also default gateway in the system you can leave "main" value. Otherwise add
# new routing table by adding "<id> <name>" line to /etc/iproute2/rt_tables
# (e.g., "200 eth0"). ID and name must be unique across the system (refer to
# /etc/iproute2/rt_tables for existing names and IDs).
rt_table = main
# When using "dirty line", you can reject forwarding to a certain network segment.
# For example, a request targeting 192.168.12.1/24,172.16.22.1/24 will not be
# forwarded, but will be rejected:
# "reject_segments = 192.168.12.1/24,172.16.22.1/24"
reject_segments = none
# When ussing "dirty line", you can reject guest access a certain port.
# For example, a request targeting host's port 8000 and 8080 will be rejected:
# "reject_hostports = 8000,8080"
reject_hostports = none
# To route traffic through multiple network interfaces CAPE uses
# Policy Routing with separate routing table for each output interface
# (VPN or "dirty line"). If this option is enabled CAPE on start will try
# to automatically initialise routing tables by copying routing entries from
# main routing table to the new routing tables. Depending on your network/vpn
# configuration this might not be sufficient. In such case you would need to
# initialise routing tables manually. Note that enabling this option won't
# affect main routing table.
auto_rt = no
# The drop route basically drops any outgoing network (except for CAPE
# traffic) whereas the regular none route still allows a VM to access its own
# subnet (e.g., 192.168.122.1/24). It is disabled by default as it does require
# the optional rooter to run (unlike the none route, where literally nothing
# happens). One can either explicitly enable the drop route or if the rooter
# is enabled anyway, it is automatically enabled.
drop = no
# Should check if the inteface is up
verify_interface = yes
[inetsim]
# Inetsim quick deploy, chose your vm manager if is not kvm
# wget https://googledrive.com/host/0B6fULLT_NpxMQ1Rrb1drdW42SkE/remnux-6.0-ova-public.ova
# tar xvf remnux-6.0-ova-public.ova
# qemu-img convert -O qcow2 REMnuxV6-disk1.vmdk remnux.qcow2
enabled = no
server = 192.168.1.2
dnsport = 53
interface = virbr1
# Redirect TCP ports (should we also support UDP?). If specified, this should
# represent whitespace-separated src:dst pairs. E.g., "80:8080 443:8080" will
# redirect all 80/443 traffic to 8080 on the specified InetSim host.
# Source port range redirection is also supported. E.g., "996-2041:80" will
# redirect all traffic directed at ports between 996 and 2041 inclusive to port 80
# on the specified InetSim host.
ports =
[tor]
enabled = no
dnsport = 5353
proxyport = 9040
interface = virbr1
[vpn]
# By default we disable VPN support as it requires running utils/rooter.py as
# root next to cuckoo.py (which should run as regular user).
enabled = no
# select one of the configured vpns randomly
random_vpn = no
# Comma-separated list of the available VPNs.
vpns = vpn0
[vpn0]
# Name of this VPN. The name is represented by the filepath to the
# configuration file, e.g., cuckoo would represent /etc/openvpn/cuckoo.conf
# Note that you can't assign the names "none" and "internet" as those would
# conflict with the routing section in cuckoo.conf.
name = vpn0
# The description of this VPN which will be displayed in the web interface.
# Can be used to for example describe the country where this VPN ends up.
description = openvpn_tunnel
# The tun device hardcoded for this VPN. Each VPN *must* be configured to use
# a hardcoded/persistent tun device by explicitly adding the line "dev tunX"
# to its configuration (e.g., /etc/openvpn/vpn1.conf) where X in tunX is a
# unique number between 0 and your lucky number of choice.
interface = tun0
# Routing table name/id for this VPN. If table name is used it *must* be
# added to /etc/iproute2/rt_tables as "<id> <name>" line (e.g., "201 tun0").
# ID and name must be unique across the system (refer /etc/iproute2/rt_tables
# for existing names and IDs).
rt_table = tun0
[socks5]
# By default we disable socks5 support as it requires running utils/rooter.py as
# root next to cuckoo.py (which should run as regular user).
enabled = no
# select one of the configured socks5 proxies randomly
random_socks5 = no
# Comma-separated list of the available proxies.
proxies = socks_ch
[socks_ch]
name = ch_socks
description = ch_socks
proxyport = 5008
dnsport = 10053Everything looks correcto to me
El vie, 12 may 2023 22:22, Cassie Xu @.***> escribió:
Here are the relevant conf files: ifconfig from the host:
virbr2: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500 inet 192.168.55.1 netmask 255.255.255.0 broadcast 192.168.55.255 ether 52:54:00:1c:11:b5 txqueuelen 1000 (Ethernet) RX packets 10293 bytes 1764983 (1.7 MB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 11604 bytes 125261291 (125.2 MB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
cuckoo.conf:
[cuckoo]
Which category of tasks do you want to analyze?
categories = static, pcap, url, file
If turned on, Cuckoo will delete the original file after its analysis
has been completed.
delete_original = off
Archives are not deleted by default, as it extracts and "original file" become extracted file
delete_archive = on
If turned on, Cuckoo will delete the copy of the original file in the
local binaries repository after the analysis has finished. (On *nix this
will also invalidate the file called "binary" in each analysis directory,
as this is a symlink.)
delete_bin_copy = off
Specify the name of the machinery module to use, this module will
define the interaction between Cuckoo and your virtualization software
of choice.
machinery = kvm
Enable creation of memory dump of the analysis machine before shutting
down. Even if turned off, this functionality can also be enabled at
submission. Currently available for: VirtualBox and libvirt modules (KVM).
memory_dump = off
When the timeout of an analysis is hit, the VM is just killed by default.
For some long-running setups it might be interesting to terminate the
moinitored processes before killing the VM so that connections are closed.
terminate_processes = off
Enable automatically re-schedule of "broken" tasks each startup.
Each task found in status "processing" is re-queued for analysis.
reschedule = off
Fail "unserviceable" tasks as they are queued.
Any task found that will never be analyzed based on the available analysis machines
will have its status set to "failed".
fail_unserviceable = on
Limit the amount of analysis jobs a Cuckoo process goes through.
This can be used together with a watchdog to mitigate risk of memory leaks.
max_analysis_count = 0
Limit the number of concurrently executing analysis machines.
This may be useful on systems with limited resources.
Set to 0 to disable any limits.
max_machines_count = 10
Limit the amount of VMs that are allowed to start in parallel. Generally
speaking starting the VMs is one of the more CPU intensive parts of the
actual analysis. This option tries to avoid maxing out the CPU completely.
max_vmstartup_count = 5
Minimum amount of free space (in MB) available before starting a new task.
This tries to avoid failing an analysis because the reports can't be written
due out-of-diskspace errors. Setting this value to 0 disables the check.
(Note: this feature is currently not supported under Windows.)
freespace = 50000
Process tasks, but not reach out of memory
freespace_processing = 15000
Temporary directory containing the files uploaded through Cuckoo interfaces
(web.py, api.py, Django web interface).
tmppath = /tmp
Delta in days from current time to set the guest clocks to for file analyses
A negative value sets the clock back, a positive value sets it forward.
The default of 0 disables this option
Note that this can still be overridden by the per-analysis clock setting
and it is not performed by default for URL analysis as it will generally
result in SSL errors
daydelta = 0
Path to the unix socket for running root commands.
rooter = /tmp/cuckoo-rooter
Enable if you want to see a DEBUG log periodically containing backlog of pending tasks, locked vs unlocked machines.
NOTE: Enabling this feature adds 4 database calls every 10 seconds.
periodic_log = off
Max filename length for submissions, before truncation. 196 is arbitrary.
max_len = 196
If it is greater than this, call truncate the filename further for sanitizing purposes.
Length truncated to is controlled by sanitize_to_len.
#
This is to prevent long filenames such as files named by hash.
sanitize_len = 32 sanitize_to_len = 24
[resultserver]
The Result Server is used to receive in real time the behavioral logs
produced by the analyzer.
Specify the IP address of the host. The analysis machines should be able
to contact the host through such address, so make sure it's valid.
NOTE: if you set resultserver IP to 0.0.0.0 you have to set the option
resultserver_ipfor all your virtual machines in machinery configuration.ip = 192.168.55.1
Specify a port number to bind the result server on.
port = 3042
Force the port chosen above, don't try another one (we can select another
port dynamically if we can not bind this one, but that is not an option
in some setups)
force_port = yes
pool_size = 0
Should the server write the legacy CSV format?
(if you have any custom processing on those, switch this on)
store_csvs = off
Maximum size of uploaded files from VM (screenshots, dropped files, log)
The value is expressed in bytes, by default 100MB.
upload_max_size = 100000000
To enable trimming of huge binaries go to -> web.conf -> general -> enable_trim
Prevent upload of files that passes upload_max_size?
do_upload_max_size = no
[processing]
Set the maximum size of analyses generated files to process. This is used
to avoid the processing of big files which may take a lot of processing
time. The value is expressed in bytes, by default 200MB.
analysis_size_limit = 200000000
Enable or disable DNS lookups.
resolve_dns = on
Enable or disable reverse DNS lookups
This information currently is not displayed in the web interface
reverse_dns = off
Enable PCAP sorting, needed for the connection content view in the web interface.
sort_pcap = on
[database]
Specify the database connection string.
Examples, see documentation for more:
sqlite:///foo.db
@.***:5432/mydatabase
@.***/mydatabase
If empty, default is a SQLite in db/cuckoo.db.
SQLite doens't support database upgrades!
For production we strongly suggest go with PostgreSQL
connection =
Database connection timeout in seconds.
If empty, default is set to 60 seconds.
timeout =
[timeouts]
Set the default analysis timeout expressed in seconds. This value will be
used to define after how many seconds the analysis will terminate unless
otherwise specified at submission.
default = 200
Set the critical timeout expressed in (relative!) seconds. It will be added
to the default timeout above and after this timeout is hit
Cuckoo will consider the analysis failed and it will shutdown the machine
no matter what. When this happens the analysis results will most likely
be lost.
critical = 60
Maximum time to wait for virtual machine status change. For example when
shutting down a vm. Default is 300 seconds.
vm_state = 300
[tmpfs]
only if you using volatility to speedup IO
mkdir -p /mnt/tmpfs
mount -t tmpfs -o size=50g ramfs /mnt/tmpfs
chown cape:cape /mnt/tmpfs
#
vim /etc/fstab
tmpfs /mnt/tmpfs tmpfs nodev,nosuid,noexec,nodiratime,size=50g 0 0
#
Add crontab with
@reboot chown cape:cape /mnt/tmpfs -R
enabled = off path = /mnt/tmpfs/
in mb
freespace = 2000
kvm.conf
[kvm]
Specify a comma-separated list of available machines to be used. For each
specified ID you have to define a dedicated section containing the details
on the respective machine. (E.g. cuckoo1,cuckoo2,cuckoo3)
machines = win10
interface = virbr2
[win10]
Specify the label name of the current machine as specified in your
libvirt configuration.
label = win10
Specify the operating system platform used by current machine
[windows/darwin/linux].
platform = windows
Specify the IP address of the current virtual machine. Make sure that the
IP address is valid and that the host machine is able to reach it. If not,
the analysis will fail. You may want to configure your network settings in
/etc/libvirt/
/networks/ ip = 192.168.55.231
Specify tags to display
Tags may be used to specify on which guest machines a sample should be run
NOTE - One of the following OS version tags MUST be included for Windows VMs:
winxp,win7, win10, win11
Some samples will only detonate on specific versions of Windows (see web.conf packages for more info)
Example: MSIX - Windows >= 10
tags = winxp,acrobat_reader_6
(Optional) Specify the snapshot name to use. If you do not specify a snapshot
name, the KVM MachineManager will use the current snapshot.
Example (Snapshot1 is the snapshot name):
snapshot = Snapshot1
(Optional) Specify the name of the network interface that should be used
when dumping network traffic from this machine with tcpdump. If specified,
overrides the default interface specified in auxiliary.conf
Example (virbr0 is the interface name):
interface = virbr2
(Optional) Specify the IP of the Result Server, as your virtual machine sees it.
The Result Server will always bind to the address and port specified in cuckoo.conf,
however you could set up your virtual network to use NAT/PAT, so you can specify here
the IP address for the Result Server as your machine sees it. If you don't specify an
address here, the machine will use the default value from cuckoo.conf.
NOTE: if you set this option you have to set result server IP to 0.0.0.0 in cuckoo.conf.
Example:
resultserver_ip = 192.168.55.1
(Optional) Specify the port for the Result Server, as your virtual machine sees it.
The Result Server will always bind to the address and port specified in cuckoo.conf,
however you could set up your virtual network to use NAT/PAT, so you can specify here
the port for the Result Server as your machine sees it. If you don't specify a port
here, the machine will use the default value from cuckoo.conf.
Example:
resultserver_port = 3042
Set the machine architecture
Required to auto select proper machine architecture for sample
x64 or x86
arch = x86
(Optional) Specify whether or not the machine should be reserved, meaning that it will
only be used for a detonation if specifically requested by its label.
reserved = no
routing.conf
[routing]
Enable pcap generation for non live connections?
If you have huge number of VMs, pcap generation can be a bottleneck
enable_pcap = no
Default network routing mode; "none", "internet", or "vpn_name".
In none mode we don't do any special routing - the VM doesn't have any
network access (this has been the default actually for quite a while).
In internet mode by default all the VMs will be routed through the network
interface configured below (the "dirty line").
And in VPN mode by default the VMs will be routed through the VPN identified
by the given name of the VPN.
Note that just like enabling VPN configuration setting this option to
anything other than "none" requires one to run utils/rooter.py as root next
to the CAPE instance (as it's required for setting up the routing).
route = internet
Network interface that allows a VM to connect to the entire internet, the
"dirty line" so to say. Note that, just like with the VPNs, this will allow
malicious traffic through your network. So think twice before enabling it.
(For example, to route all VMs through eth0 by default: "internet = eth0").
internet = enp0s31f6
Routing table name/id for "dirty line" interface. If "dirty line" is
also default gateway in the system you can leave "main" value. Otherwise add
new routing table by adding "
" line to /etc/iproute2/rt_tables (e.g., "200 eth0"). ID and name must be unique across the system (refer to
/etc/iproute2/rt_tables for existing names and IDs).
rt_table = main
When using "dirty line", you can reject forwarding to a certain network segment.
For example, a request targeting 192.168.12.1/24,172.16.22.1/24 will not be
forwarded, but will be rejected:
"reject_segments = 192.168.12.1/24,172.16.22.1/24"
reject_segments = none
When ussing "dirty line", you can reject guest access a certain port.
For example, a request targeting host's port 8000 and 8080 will be rejected:
"reject_hostports = 8000,8080"
reject_hostports = none
To route traffic through multiple network interfaces CAPE uses
Policy Routing with separate routing table for each output interface
(VPN or "dirty line"). If this option is enabled CAPE on start will try
to automatically initialise routing tables by copying routing entries from
main routing table to the new routing tables. Depending on your network/vpn
configuration this might not be sufficient. In such case you would need to
initialise routing tables manually. Note that enabling this option won't
affect main routing table.
auto_rt = no
The drop route basically drops any outgoing network (except for CAPE
traffic) whereas the regular none route still allows a VM to access its own
subnet (e.g., 192.168.122.1/24). It is disabled by default as it does require
the optional rooter to run (unlike the none route, where literally nothing
happens). One can either explicitly enable the drop route or if the rooter
is enabled anyway, it is automatically enabled.
drop = no
Should check if the inteface is up
verify_interface = yes
[inetsim]
Inetsim quick deploy, chose your vm manager if is not kvm
wget https://googledrive.com/host/0B6fULLT_NpxMQ1Rrb1drdW42SkE/remnux-6.0-ova-public.ova
tar xvf remnux-6.0-ova-public.ova
qemu-img convert -O qcow2 REMnuxV6-disk1.vmdk remnux.qcow2
enabled = no server = 192.168.1.2 dnsport = 53 interface = virbr1
Redirect TCP ports (should we also support UDP?). If specified, this should
represent whitespace-separated src:dst pairs. E.g., "80:8080 443:8080" will
redirect all 80/443 traffic to 8080 on the specified InetSim host.
Source port range redirection is also supported. E.g., "996-2041:80" will
redirect all traffic directed at ports between 996 and 2041 inclusive to port 80
on the specified InetSim host.
ports =
[tor] enabled = no dnsport = 5353 proxyport = 9040 interface = virbr1
[vpn]
By default we disable VPN support as it requires running utils/rooter.py as
root next to cuckoo.py (which should run as regular user).
enabled = no
select one of the configured vpns randomly
random_vpn = no
Comma-separated list of the available VPNs.
vpns = vpn0
[vpn0]
Name of this VPN. The name is represented by the filepath to the
configuration file, e.g., cuckoo would represent /etc/openvpn/cuckoo.conf
Note that you can't assign the names "none" and "internet" as those would
conflict with the routing section in cuckoo.conf.
name = vpn0
The description of this VPN which will be displayed in the web interface.
Can be used to for example describe the country where this VPN ends up.
description = openvpn_tunnel
The tun device hardcoded for this VPN. Each VPN must be configured to use
a hardcoded/persistent tun device by explicitly adding the line "dev tunX"
to its configuration (e.g., /etc/openvpn/vpn1.conf) where X in tunX is a
unique number between 0 and your lucky number of choice.
interface = tun0
Routing table name/id for this VPN. If table name is used it must be
added to /etc/iproute2/rt_tables as "
" line (e.g., "201 tun0"). ID and name must be unique across the system (refer /etc/iproute2/rt_tables
for existing names and IDs).
rt_table = tun0
[socks5]
By default we disable socks5 support as it requires running utils/rooter.py as
root next to cuckoo.py (which should run as regular user).
enabled = no
select one of the configured socks5 proxies randomly
random_socks5 = no
Comma-separated list of the available proxies.
proxies = socks_ch
[socks_ch] name = ch_socks description = ch_socks proxyport = 5008 dnsport = 10053
The network in virt-manager: [image: Screen Shot 2023-05-12 at 22 16 00] https://user-images.githubusercontent.com/55062168/238071215-31384341-f9e4-4039-8520-41f1dc8f478f.png ipconfig in the guest: [image: Screen Shot 2023-05-12 at 22 17 18] https://user-images.githubusercontent.com/55062168/238071282-2869f8f2-ef7b-4ac6-96cb-13414e8677d5.png
— Reply to this email directly, view it on GitHub https://github.com/kevoreilly/CAPEv2/issues/1515#issuecomment-1546249765, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAOFH32MZIDKCGJNWKOF47DXF2LZZANCNFSM6AAAAAAX7Y7WKI . You are receiving this because you were mentioned.Message ID: @.***>
CassieXx0215
commented
1 year ago Everything looks correcto to me
@doomedraven Do you have any more suggestions about why this is happening and where I should check? This really has been costing me a significant amount of time :(
doomedraven
commented
1 year ago Not real y, im from phone and is almost midnight here. Maybe someone el se gonna check the issue
El vie, 12 may 2023 22:40, Cassie Xu @.***> escribió:
Everything looks correcto to me El vie, 12 may 2023 22:22, Cassie Xu @.
*> escribió: … <#m6677696466823429644> Here are the relevant conf files: ifconfig from the host: virbr2: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500 inet 192.168.55.1 netmask 255.255.255.0 broadcast 192.168.55.255 ether 52:54:00:1c:11:b5 txqueuelen 1000 (Ethernet) RX packets 10293 bytes 1764983 (1.7 MB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 11604 bytes 125261291 (125.2 MB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 cuckoo.conf: [cuckoo] # Which category of tasks do you want to analyze? categories = static, pcap, url, file # If turned on, Cuckoo will delete the original file after its analysis # has been completed. delete_original = off # Archives are not deleted by default, as it extracts and "original file" become extracted file delete_archive = on # If turned on, Cuckoo will delete the copy of the original file in the # local binaries repository after the analysis has finished. (On nix this # will also invalidate the file called "binary" in each analysis directory, # as this is a symlink.) delete_bin_copy = off # Specify the name of the machinery module to use, this module will # define the interaction between Cuckoo and your virtualization software # of choice. machinery = kvm # Enable creation of memory dump of the analysis machine before shutting # down. Even if turned off, this functionality can also be enabled at # submission. Currently available for: VirtualBox and libvirt modules (KVM). memory_dump = off # When the timeout of an analysis is hit, the VM is just killed by default. # For some long-running setups it might be interesting to terminate the # moinitored processes before killing the VM so that connections are closed. terminate_processes = off # Enable automatically re-schedule of "broken" tasks each startup. # Each task found in status "processing" is re-queued for analysis. reschedule = off # Fail "unserviceable" tasks as they are queued. # Any task found that will never be analyzed based on the available analysis machines # will have its status set to "failed". fail_unserviceable = on # Limit the amount of analysis jobs a Cuckoo process goes through. # This can be used together with a watchdog to mitigate risk of memory leaks. max_analysis_count = 0 # Limit the number of concurrently executing analysis machines. # This may be useful on systems with limited resources. # Set to 0 to disable any limits. max_machines_count = 10 # Limit the amount of VMs that are allowed to start in parallel. Generally # speaking starting the VMs is one of the more CPU intensive parts of the # actual analysis. This option tries to avoid maxing out the CPU completely. max_vmstartup_count = 5 # Minimum amount of free space (in MB) available before starting a new task. # This tries to avoid failing an analysis because the reports can't be written # due out-of-diskspace errors. Setting this value to 0 disables the check. # (Note: this feature is currently not supported under Windows.) freespace = 50000 # Process tasks, but not reach out of memory freespace_processing = 15000 # Temporary directory containing the files uploaded through Cuckoo interfaces # (web.py, api.py, Django web interface). tmppath = /tmp # Delta in days from current time to set the guest clocks to for file analyses # A negative value sets the clock back, a positive value sets it forward. # The default of 0 disables this option # Note that this can still be overridden by the per-analysis clock setting # and it is not performed by default for URL analysis as it will generally # result in SSL errors daydelta = 0 # Path to the unix socket for running root commands. rooter = /tmp/cuckoo-rooter # Enable if you want to see a DEBUG log periodically containing backlog of pending tasks, locked vs unlocked machines. # NOTE: Enabling this feature adds 4 database calls every 10 seconds. periodic_log = off # Max filename length for submissions, before truncation. 196 is arbitrary. max_len = 196 # If it is greater than this, call truncate the filename further for sanitizing purposes. # Length truncated to is controlled by sanitize_to_len. # # This is to prevent long filenames such as files named by hash. sanitize_len = 32 sanitize_to_len = 24 [resultserver] # The Result Server is used to receive in real time the behavioral logs # produced by the analyzer. # Specify the IP address of the host. The analysis machines should be able # to contact the host through such address, so make sure it's valid. # NOTE: if you set resultserver IP to 0.0.0.0 you have to set the option # resultserver_ip for all your virtual machines in machinery configuration. ip = 192.168.55.1 # Specify a port number to bind the result server on. port = 3042 # Force the port chosen above, don't try another one (we can select another # port dynamically if we can not bind this one, but that is not an option # in some setups) force_port = yes pool_size = 0 # Should the server write the legacy CSV format? # (if you have any custom processing on those, switch this on) store_csvs = off # Maximum size of uploaded files from VM (screenshots, dropped files, log) # The value is expressed in bytes, by default 100MB. upload_max_size = 100000000 # To enable trimming of huge binaries go to -> web.conf -> general -> enable_trim # Prevent upload of files that passes upload_max_size? do_upload_max_size = no [processing] # Set the maximum size of analyses generated files to process. This is used # to avoid the processing of big files which may take a lot of processing # time. The value is expressed in bytes, by default 200MB. analysis_size_limit = 200000000 # Enable or disable DNS lookups. resolve_dns = on # Enable or disable reverse DNS lookups # This information currently is not displayed in the web interface reverse_dns = off # Enable PCAP sorting, needed for the connection content view in the web interface. sort_pcap = on [database] # Specify the database connection string. # Examples, see documentation for more: # sqlite:///foo.db # @.:5432/mydatabase # @.**/mydatabase # If empty, default is a SQLite in db/cuckoo.db. # SQLite doens't support database upgrades! # For production we strongly suggest go with PostgreSQL connection = # Database connection timeout in seconds. # If empty, default is set to 60 seconds. timeout = [timeouts] # Set the default analysis timeout expressed in seconds. This value will be # used to define after how many seconds the analysis will terminate unless # otherwise specified at submission. default = 200 # Set the critical timeout expressed in (relative!) seconds. It will be added # to the default timeout above and after this timeout is hit # Cuckoo will consider the analysis failed and it will shutdown the machine # no matter what. When this happens the analysis results will most likely # be lost. critical = 60 # Maximum time to wait for virtual machine status change. For example when # shutting down a vm. Default is 300 seconds. vm_state = 300 [tmpfs] # only if you using volatility to speedup IO # mkdir -p /mnt/tmpfs
mount -t tmpfs -o size=50g ramfs /mnt/tmpfs # chown cape:cape /mnt/tmpfs
vim /etc/fstab # tmpfs /mnt/tmpfs tmpfs
nodev,nosuid,noexec,nodiratime,size=50g 0 0 # # Add crontab with # @reboot https://github.com/reboot chown cape:cape /mnt/tmpfs -R enabled = off path = /mnt/tmpfs/ # in mb freespace = 2000 kvm.conf [kvm] # Specify a comma-separated list of available machines to be used. For each # specified ID you have to define a dedicated section containing the details # on the respective machine. (E.g. cuckoo1,cuckoo2,cuckoo3) machines = win10 interface = virbr2 [win10] # Specify the label name of the current machine as specified in your # libvirt configuration. label = win10 # Specify the operating system platform used by current machine # [windows/darwin/linux]. platform = windows # Specify the IP address of the current virtual machine. Make sure that the # IP address is valid and that the host machine is able to reach it. If not, # the analysis will fail. You may want to configure your network settings in # /etc/libvirt//networks/ ip = 192.168.55.231 # Specify tags to display # Tags may be used to specify on which guest machines a sample should be run # NOTE - One of the following OS version tags MUST be included for Windows VMs: # winxp,win7, win10, win11 # Some samples will only detonate on specific versions of Windows (see web.conf packages for more info) # Example: MSIX - Windows >= 10 # tags = winxp,acrobat_reader_6 # (Optional) Specify the snapshot name to use. If you do not specify a snapshot # name, the KVM MachineManager will use the current snapshot. # Example (Snapshot1 is the snapshot name): # snapshot = Snapshot1 # (Optional) Specify the name of the network interface that should be used # when dumping network traffic from this machine with tcpdump. If specified, # overrides the default interface specified in auxiliary.conf # Example (virbr0 is the interface name): interface = virbr2
(Optional) Specify the IP of the Result Server, as your virtual machine
sees it. # The Result Server will always bind to the address and port specified in cuckoo.conf, # however you could set up your virtual network to use NAT/PAT, so you can specify here # the IP address for the Result Server as your machine sees it. If you don't specify an # address here, the machine will use the default value from cuckoo.conf. # NOTE: if you set this option you have to set result server IP to 0.0.0.0 in cuckoo.conf. # Example: resultserver_ip = 192.168.55.1 # (Optional) Specify the port for the Result Server, as your virtual machine sees it. # The Result Server will always bind to the address and port specified in cuckoo.conf, # however you could set up your virtual network to use NAT/PAT, so you can specify here # the port for the Result Server as your machine sees it. If you don't specify a port # here, the machine will use the default value from cuckoo.conf. # Example: resultserver_port = 3042 # Set the machine architecture # Required to auto select proper machine architecture for sample # x64 or x86 arch = x86 # (Optional) Specify whether or not the machine should be reserved, meaning that it will # only be used for a detonation if specifically requested by its label. # reserved = no routing.conf [routing] # Enable pcap generation for non live connections? # If you have huge number of VMs, pcap generation can be a bottleneck enable_pcap = no # Default network routing mode; "none", "internet", or "vpn_name". # In none mode we don't do any special routing - the VM doesn't have any # network access (this has been the default actually for quite a while). # In internet mode by default all the VMs will be routed through the network # interface configured below (the "dirty line"). # And in VPN mode by default the VMs will be routed through the VPN identified # by the given name of the VPN. # Note that just like enabling VPN configuration setting this option to # anything other than "none" requires one to run utils/rooter.py as root next # to the CAPE instance (as it's required for setting up the routing). route = internet # Network interface that allows a VM to connect to the entire internet, the # "dirty line" so to say. Note that, just like with the VPNs, this will allow # malicious traffic through your network. So think twice before enabling it. # (For example, to route all VMs through eth0 by default: "internet = eth0"). internet = enp0s31f6 # Routing table name/id for "dirty line" interface. If "dirty line" is # also default gateway in the system you can leave "main" value. Otherwise add # new routing table by adding " " line to /etc/iproute2/rt_tables # (e.g., "200 eth0"). ID and name must be unique across the system (refer to # /etc/iproute2/rt_tables for existing names and IDs). rt_table = main # When using "dirty line", you can reject forwarding to a certain network segment.
For example, a request targeting 192.168.12.1/24,172.16.22.1/24
http://192.168.12.1/24,172.16.22.1/24 will not be # forwarded, but will be rejected: # "reject_segments = 192.168.12.1/24,172.16.22.1/24 http://192.168.12.1/24,172.16.22.1/24" reject_segments = none # When ussing "dirty line", you can reject guest access a certain port. # For example, a request targeting host's port 8000 and 8080 will be rejected: # "reject_hostports = 8000,8080" reject_hostports = none # To route traffic through multiple network interfaces CAPE uses # Policy Routing with separate routing table for each output interface # (VPN or "dirty line"). If this option is enabled CAPE on start will try # to automatically initialise routing tables by copying routing entries from # main routing table to the new routing tables. Depending on your network/vpn # configuration this might not be sufficient. In such case you would need to
initialise routing tables manually. Note that enabling this option won't
affect main routing table. auto_rt = no # The drop route basically drops
any outgoing network (except for CAPE # traffic) whereas the regular none route still allows a VM to access its own # subnet (e.g., 192.168.122.1/24 http://192.168.122.1/24). It is disabled by default as it does require # the optional rooter to run (unlike the none route, where literally nothing
happens). One can either explicitly enable the drop route or if the
rooter # is enabled anyway, it is automatically enabled. drop = no # Should check if the inteface is up verify_interface = yes [inetsim] # Inetsim quick deploy, chose your vm manager if is not kvm # wget https://googledrive.com/host/0B6fULLT_NpxMQ1Rrb1drdW42SkE/remnux-6.0-ova-public.ova https://googledrive.com/host/0B6fULLT_NpxMQ1Rrb1drdW42SkE/remnux-6.0-ova-public.ova
tar xvf remnux-6.0-ova-public.ova # qemu-img convert -O qcow2
REMnuxV6-disk1.vmdk remnux.qcow2 enabled = no server = 192.168.1.2 dnsport = 53 interface = virbr1 # Redirect TCP ports (should we also support UDP?). If specified, this should # represent whitespace-separated src:dst pairs. E.g., "80:8080 443:8080" will # redirect all 80/443 traffic to 8080 on the specified InetSim host. # Source port range redirection is also supported. E.g., "996-2041:80" will # redirect all traffic directed at ports between 996 and 2041 inclusive to port 80 # on the specified InetSim host. ports = [tor] enabled = no dnsport = 5353 proxyport = 9040 interface = virbr1 [vpn]
By default we disable VPN support as it requires running utils/rooter.py
as # root next to cuckoo.py (which should run as regular user). enabled = no # select one of the configured vpns randomly random_vpn = no # Comma-separated list of the available VPNs. vpns = vpn0 [vpn0] # Name of this VPN. The name is represented by the filepath to the # configuration file, e.g., cuckoo would represent /etc/openvpn/cuckoo.conf # Note that you can't assign the names "none" and "internet" as those would # conflict with the routing section in cuckoo.conf. name = vpn0 # The description of this VPN which will be displayed in the web interface. # Can be used to for example describe the country where this VPN ends up. description = openvpn_tunnel # The tun device hardcoded for this VPN. Each VPN must be configured to use # a hardcoded/persistent tun device by explicitly adding the line "dev tunX" # to its configuration (e.g., /etc/openvpn/vpn1.conf) where X in tunX is a # unique number between 0 and your lucky number of choice. interface = tun0 # Routing table name/id for this VPN. If table name is used it must be # added to /etc/iproute2/rt_tables as " " line (e.g., "201 tun0"). # ID and name must be unique across the system (refer /etc/iproute2/rt_tables # for existing names and IDs). rt_table = tun0 [socks5] # By default we disable socks5 support as it requires running utils/rooter.py as # root next to cuckoo.py (which should run as regular user). enabled = no # select one of the configured socks5 proxies randomly random_socks5 = no # Comma-separated list of the available proxies. proxies = socks_ch [socks_ch] name = ch_socks description = ch_socks proxyport = 5008 dnsport = 10053 The network in virt-manager: [image: Screen Shot 2023-05-12 at 22 16 00] https://user-images.githubusercontent.com/55062168/238071215-31384341-f9e4-4039-8520-41f1dc8f478f.png https://user-images.githubusercontent.com/55062168/238071215-31384341-f9e4-4039-8520-41f1dc8f478f.png ipconfig in the guest: [image: Screen Shot 2023-05-12 at 22 17 18] https://user-images.githubusercontent.com/55062168/238071282-2869f8f2-ef7b-4ac6-96cb-13414e8677d5.png https://user-images.githubusercontent.com/55062168/238071282-2869f8f2-ef7b-4ac6-96cb-13414e8677d5.png — Reply to this email directly, view it on GitHub <#1515 (comment) https://github.com/kevoreilly/CAPEv2/issues/1515#issuecomment-1546249765>, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAOFH32MZIDKCGJNWKOF47DXF2LZZANCNFSM6AAAAAAX7Y7WKI https://github.com/notifications/unsubscribe-auth/AAOFH32MZIDKCGJNWKOF47DXF2LZZANCNFSM6AAAAAAX7Y7WKI . You are receiving this because you were mentioned.Message ID: @.**>
@doomedraven https://github.com/doomedraven Do you have any more suggestions about why this is happening and where I should check? This really has been costing me a significant amount of time :(
— Reply to this email directly, view it on GitHub https://github.com/kevoreilly/CAPEv2/issues/1515#issuecomment-1546269215, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAOFH3ZX7ESQWX3RXYN76XTXF2N3ZANCNFSM6AAAAAAX7Y7WKI . You are receiving this because you were mentioned.Message ID: @.***>
CassieXx0215
commented
1 year ago Not real y, im from phone and is almost midnight here. Maybe someone el se gonna check the issue
Okay, thank you already! :)
MarioRL0
commented
1 year ago Is your Windows guest operating system 32-bit or 64-bit? If it is a 64-bit system, you should change the 'arch' value to 'x64' in the 'kvm.conf' file
CassieXx0215
commented
1 year ago Is your Windows guest operating system 32-bit or 64-bit? If it is a 64-bit system, you should change the 'arch' value to 'x64' in the 'kvm.conf' file
@MarioRL0 Thanks a lot for pointing this out! I guess this was indeed one of the problems. After I modified this to x64, there was still no data sent back, but I can see the sample getting executed in the guest VM and network connection errors.
I also checked the Syslog.
And then specify allowing connection from 192.168.55.231 in ufw, and also changed the libvirtd.conf set max_client_requests = 5, then it works. The problem is solved now!
kevoreilly
commented
1 year ago Happy days ❤️ thank you @MarioRL0
The cape sandbox never returns any behavioral analysis result. The malware sample seems not to be executed, and the agent never communicates back any data.
The troubleshooting I have tried is listed later.
Environment: Guest VM: win10 under KVM hypervisor Host VM: Ubuntu 22.04.2 LTS (I'm logging into the server using VNCserver)
Cuckoo log:
It stucks at
Uploading script files to guestand never proceeding with the analysis. The malware sample and Cape analysis files have been sent to the VM. I tried to execute the sample manually, but still no analysis result is sent back to the host. Meanwhile, I also noticed localhost:8000 returnsERR_EMPTY_RESPONSE. (In the VM's snapshot, this gives back the response, the JSON data.) Via task manager, I can see that the python3 process is still running.The things I have checked & more information: 32-bit Python 3.8 is running the agent. I am able to ping host from guest, and ping guest from host. Agent has been set up via task scheduler, and I am able to visit localhost:8000 in the snapshot. Firewall on the VM is turned off. Virus & threat detection's real-time protection is turned off.
I have been stuck on this for several days, any help or hint would be very appreciated 🙏🙏 🙏