Tuesday, November 29, 2016

Cuckoo Sandbox Installation (Part 3 of 4)

This is part 3 of a 4-part series on the installation of Cuckoo Sandbox. Part 3 focuses on editing the configuration files of Cuckoo Sandbox.

Video Instructions
Cuckoo Sandbox Installation Part 3


Steps

To edit the configuration files:
  • Open a terminal
  • Navigate to the directory of the configuration files
    • cd /home/YourUserName/Downloads/cuckoo/conf
  • Open a specific file using the nano editor
    • nano FileName
  • Replace the value on the right side of the equal sign with the corresponding value (e.g. replace "yes" with "no", or change a numerical value).
    • Note: The items in "[ ]" are the section headers within the configuration file.
  • Nano editor basics
    • To save the edited file, hold the "Ctrl" key on your keyboard and press the "x" key.
    • Type "Y" to confirm.
  • How to find the IP address of your Windows virtual machine:
    1. Power on the VM.
    2. Open a command prompt and type the command:
      • ipconfig
  • How to find the network interface of your virtual machine:
    1. Open a terminal.
    2. Type the command:
      • ifconfig
      • Look for the IP address range that your VM's IP address falls within. To the left of that IP address range is the name of the network interface associated with it.
      • [Picture: example ifconfig output showing the interface name next to its IP address range]
  • How to find the vmx_path:
    • Type the following command:
      • find / -name "*.vmx"
  • How to find the IP address of your host machine:
    1. Open a terminal.
    2. Type the command:
      • ifconfig

Configuration Files [1]
  • cuckoo.conf
    • nano cuckoo.conf
    • [cuckoo]
      • memory_dump = on
      • machinery = virtualbox or vmware
    • [resultserver]
      • ip = IP address of the host system, not the virtual machine
    • [sniffer]
      • interface = the network interface of your virtual machine
  • vmware.conf
    • nano vmware.conf
    • [vmware]
      • machines = name of virtual machine
      • interface = name of the network interface for the virtual machine
    • [Name_of_the_Virtual_Machine]
      • vmx_path = ../name_of_virtual_machine/name_of_virtual_machine.vmx
      • ip = IP address of the virtual machine
  • memory.conf
    • nano memory.conf
    • [basic]
      • guest_profile = Volatility's profile name for your guest operating system
      • [Picture: list of Volatility profile names for the various Windows operating systems]
    • [mongodb]
      • enable = yes
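A consistency check for the values edited above, added here as an example (it is not part of this post or of Cuckoo): it parses cuckoo.conf and vmware.conf with Python's configparser and confirms that the resultserver ip is the host's address on the sniffer interface, that every machine named in machines has its own section whose ip lies inside that interface's network and is not the host's address, and that vmx_path ends in .vmx. The file contents, the machine name win7 and the interface and address values are constructed samples; in real use read the two files from cuckoo/conf and fill HOST_IFACES from the ifconfig output.

```python
import configparser
import ipaddress

# Constructed samples (hypothetical values): the two edited files and the host's
# interfaces as ifconfig would list them (interface name -> address/prefix).
CUCKOO_CONF = """
[cuckoo]
[resultserver]
ip = 192.168.56.1
[sniffer]
interface = vmnet8
"""
VMWARE_CONF = """
[vmware]
machines = win7
[win7]
vmx_path = /home/YourUserName/vmware/win7/win7.vmx
ip = 192.168.56.101
"""
HOST_IFACES = {"vmnet8": "192.168.56.1/24", "eth0": "10.0.0.5/24"}


def check_config(cuckoo_text, vmware_text, host_ifaces):
    """Return a list of problems; an empty list means the edited values agree."""
    cfg, vm = configparser.ConfigParser(), configparser.ConfigParser()
    cfg.read_string(cuckoo_text)
    vm.read_string(vmware_text)
    problems = []
    iface = cfg.get("sniffer", "interface", fallback="")
    if iface not in host_ifaces:
        return ["sniffer interface %r is not a host interface" % iface]
    host = ipaddress.ip_interface(host_ifaces[iface])  # host address + network
    rs_ip = cfg.get("resultserver", "ip", fallback="")
    if rs_ip != str(host.ip):  # the result server listens on the host, never on the guest
        problems.append("resultserver ip %r is not the host's address on %s" % (rs_ip, iface))
    for name in [m.strip() for m in vm.get("vmware", "machines", fallback="").split(",")]:
        if not vm.has_section(name):
            problems.append("machine %r is listed but has no [%s] section" % (name, name))
            continue
        guest_ip = vm.get(name, "ip", fallback="")
        try:
            in_net = ipaddress.ip_address(guest_ip) in host.network
        except ValueError:  # malformed or empty ip
            in_net = False
        if guest_ip == str(host.ip):
            problems.append("[%s] ip is the host's address; use the guest's address" % name)
        elif not in_net:
            problems.append("[%s] ip %r is outside %s's network %s" % (name, guest_ip, iface, host.network))
        if not vm.get(name, "vmx_path", fallback="").endswith(".vmx"):
            problems.append("[%s] vmx_path does not point to a .vmx file" % name)
    return problems
```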
References
1. Cuckoo Sandbox Configuration Files

Social Media
Facebook:
https://www.facebook.com/BDavisCS/

Twitter:
@BDavis_CyberSec

Friday, November 25, 2016

Cuckoo Sandbox Installation (Part 2 of 4)

This is part 2 of a 4-part series on the installation of Cuckoo Sandbox. Part 2 focuses on installing additional functionality on the Host Operating System for Cuckoo Sandbox.

Video Instructions
Cuckoo Sandbox Installation Part 2


Steps
All commands are italicized. To install the software, open a terminal and copy & paste the commands. During the installation of the various software you will be prompted with "Yes/No" options; type "Yes" or "Y" at all prompts.

1. Install Django-based web interface [1]
  • sudo apt-get install mongodb
2. Install TCPdump [1]
  • sudo apt-get install tcpdump
  • sudo apt-get install libcap2-bin
  • sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
  • getcap /usr/sbin/tcpdump
3. Install Volatility [2]
  • sudo apt install git
  • git clone https://github.com/volatilityfoundation/volatility.git
  • Navigate to the volatility folder
    • cd /home/YourUserName/volatility
  • sudo python setup.py install
4. Install Volatility Plug-ins
  • Distorm3
    • Download Distorm3
    • Navigate to the Downloads folder
      • tar -xvzf distorm-3.4.0.tar.gz
    • Navigate to the distorm-3.4.0 folder
      • cd /home/YourUserName/Downloads/distorm-3.4.0
    • sudo python setup.py install
  • Yara [3]
    • Install autoreconf
      • sudo apt-get install autoconf
    • Install libtool-bin
      • sudo apt-get install libtool-bin
    • Download Yara
    • Navigate to the Downloads folder
      • tar -xvzf yara-3.5.0.tar.gz
    • Navigate to the yara-3.5.0 folder
      • cd /home/YourUserName/Downloads/yara-3.5.0
    • ./bootstrap.sh
    • ./configure --with-crypto --enable-magic --enable-cuckoo
    • make
    • sudo make install
    • sudo -H pip install yara-python
  • PyCrypto [4]
    • Download PyCrypto
    • Navigate to the Downloads folder
      • tar -xvzf pycrypto-2.6.1.tar.gz
    • Navigate to the pycrypto-2.6.1 folder
      • cd /home/YourUserName/Downloads/pycrypto-2.6.1
    • python setup.py build
    • sudo python setup.py install
  • Openpyxl [5]
    • sudo -H pip install openpyxl
  • UJSON [6]
    • sudo -H pip install ujson
  • IPython [7]
    • sudo -H pip install jupyter
5. Install Mitmproxy
  • sudo apt-get install python3-pip python3-dev libssl-dev libtiff5-dev libjpeg8-dev zlib1g-dev libwebp-dev
  • sudo pip3 install mitmproxy
  • mitmproxy
  • cd ~/.mitmproxy
  • cp mitmproxy-ca-cert.p12 /home/YourUserName/Downloads/cuckoo/analyzer/windows/bin/cert.p12
  • Set the path to the mitmdump binary in Cuckoo's configuration (this is a value in the [mitm] section of auxiliary.conf, not a terminal command):
    • mitmdump = /usr/local/bin/mitmdump
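Step 2 grants tcpdump the cap_net_raw and cap_net_admin capabilities so that packet capture works without running Cuckoo as root, and the getcap command shows whether that took effect. The following is an added example, not from this post or from Cuckoo: it parses getcap's output (both spellings libcap has printed over the years) and reports whether both capabilities are effective and permitted on /usr/sbin/tcpdump; SAMPLE_OUTPUT is a constructed line.

```python
import re

# Capabilities the setcap step grants to tcpdump so it can capture without root.
REQUIRED_CAPS = {"cap_net_raw", "cap_net_admin"}
# One capability clause: names, then '+' or '=' and the e/i/p flag letters.
CLAUSE = re.compile(r"([\w,]+)([+=])([eip]*)")


def parse_getcap_line(line):
    """Return (path, {capability: set of flag letters}) for one getcap output line.
    Accepts both spellings libcap has printed (constructed examples):
      /usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip
      /usr/sbin/tcpdump cap_net_admin,cap_net_raw=eip
    """
    parts = line.strip().split(None, 1)
    if len(parts) != 2:
        return (parts[0] if parts else ""), {}
    path, rest = parts
    caps = {}
    for names, _op, flags in CLAUSE.findall(rest.lstrip("= ")):
        for name in names.split(","):
            caps.setdefault(name.lower(), set()).update(flags)
    return path, caps


def tcpdump_caps_ok(getcap_output, path="/usr/sbin/tcpdump"):
    """True only if `path` carries every required capability as effective and permitted."""
    for line in getcap_output.splitlines():
        file_path, caps = parse_getcap_line(line)
        if file_path == path:
            return all({"e", "p"} <= caps.get(c, set()) for c in REQUIRED_CAPS)
    return False  # no entry for the binary: the setcap step did not take effect


# Constructed getcap output, as it would look after the setcap step succeeded.
SAMPLE_OUTPUT = "/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip\n"
```

In real use, feed the function the text printed by `getcap /usr/sbin/tcpdump`; a False result means the Cuckoo user would still need root to capture traffic.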


References
1. Cuckoo Sandbox Documentation
2. Volatility Documentation
3. Yara Documentation
4. PyCrypto Documentation
5. OpenPyxl Documentation
6. UJSON Documentation
7. IPython Documentation



Monday, November 21, 2016

Cuckoo Sandbox Installation (Part 1 of 4)

This is the first of a four-part series on the "Installation of Cuckoo Sandbox." Part 1 focuses on preparing the Host Operating System.
Background
In order to successfully install Cuckoo Sandbox you must set up the required environment. The required software is Linux, Python, and a virtualization platform (e.g. VirtualBox or VMware Player).

Steps
All commands are italicized. To install the software, open a terminal and copy & paste the commands. During the installation of the various software you will be prompted with "Yes/No" options; type "Yes" or "Y" at all prompts.
1. Linux
  • Install Linux as your main operating system. This can be any distribution of Linux. (My choice was Ubuntu 16.04.)
  • Run the update command to update your Linux distribution.
    • sudo apt-get update
2. Python libraries [1]
  • Install the dependencies
    • sudo apt-get install python python-pip python-dev libffi-dev libssl-dev
  • Install libxml2-dev and libxslt-dev
    • sudo apt-get install libxml2-dev libxslt-dev
  • Install the requirements from the requirements text file using PyPI
    • Download Cuckoo Sandbox and extract it.
      • Command to extract the .tar.gz file: tar -xvzf
      • Example: tar -xvzf FileName.tar.gz
    • Navigate to the cuckoo folder:
      • cd /home/YourUserName/Downloads/cuckoo
    • sudo -H pip install -r requirements.txt
    • sudo -H pip install --upgrade pip
3. Virtualization Software
  • sudo chmod u+x VMWare-Player-12.5.1-4542065.x86_64.bundle
  • sudo ./VMWare-Player-12.5.1-4542065.x86_64.bundle
4. Create a user for cuckoo
  • sudo adduser cuckoo

References:
1. Cuckoo Sandbox Documentation



Entering The Field of Cyber Security

Background
As internet growth accelerates, the need for innovative approaches to combat new cyber threats has grown as well. Corporations and governments invest billions of dollars annually to establish and maintain a defense against cyber-attacks. It is estimated that by 2019 the cost of cyber security will exceed $155 billion. The demand for certified Cyber Security specialists continues to exceed the number of available certified individuals. There are several options for obtaining and maintaining security certifications. Internet-based training is available to everyone who has access to the internet and is by far the most flexible (self-paced) and cost-effective option.

Certifications
Security+ and Network+ certifications are required to apply for entry-level Information Technology positions. Advertised Cyber Security positions and "Requests for Proposals" always include requirements for individuals with key internet security certifications.

Online Internet Course Marketplaces
  • Udemy - An internet marketplace with over 22,000 courses available for a variety of career fields. Udemy offers free membership to its alumni, and course enrollment costs are very small.
  • Cybrary.IT - Free to join, and each available course is free to enroll in.

Books
The recommended books below contain hands-on labs at the end of each chapter.
  • Security+
    • (ISBN-13: 978-1118875070), (ISBN-10: 1118875079)
  • Network+
    • (ISBN-13: 978-1119021247), (ISBN-10: 1119021243)
(Disclaimer: I am not sponsored by any of these companies. All my opinions are my own.)
