Tuesday, November 29, 2016

Cuckoo Sandbox Installation (Part 3 of 4)

This is part 3 of a 4-part series on the installation of Cuckoo Sandbox. Part 3 covers editing the configuration files for the Cuckoo Sandbox.

Video Instructions
Cuckoo Sandbox Installation Part 3


Steps

To edit the configuration files:
  • Open a terminal
  • Navigate to the directory of the configuration files
    • /home/YourUserName/Downloads/cuckoo/conf
  • Open a specific file using the nano editor
    • nano FileName
  • Replace the value on the right side of the equal sign with the corresponding value (e.g. replace "yes" with "no", or change a numerical value).
    • Note: The items in "[ ]" are the section headers within the specific configuration file. Each setting must stay under the header it belongs to; Cuckoo reads settings by section name.
  • Nano editor basics
    • To save the edited file, hold the "Ctrl" key on your keyboard and press "x".
    • Type "Y" when asked whether to save, then press "Enter" to confirm the file name.
  • How to find the IP address of your Windows virtual machine:
    • 1. Power on the VM.
    • 2. Open a command prompt and type the command:
      • ipconfig
    • Use the address of the adapter connected to the host-only network. Give the guest a static address so that this value does not change between analyses.
  • How to find the network interface of your virtual machine:
    • 1. Open a terminal on the host.
    • 2. Type the command:
      • ifconfig
    • Look for the IP address range that your VM's IP address falls within. To the left of that address range is the name of the network interface associated with it (for a host-only network this is typically vmnet1 on VMware Workstation and vboxnet0 on VirtualBox). That interface name is the value used for the sniffer and machinery interface settings.
  • How to find the vmx_path:
    • Type the following command:
      • find / -name "*.vmx"
    • Use the full path that the command prints for your analysis VM. Directories you cannot read produce "Permission denied" messages, which can be ignored.
  • How to find the IP address of your host machine:
    • 1. Open a terminal
    • 2. Type the command:
      • ifconfig
    • Use the host's address on the same interface as the virtual machine (the "inet addr" line of that interface), not the address of your physical network card; the guest must be able to reach this address for results to come back.

Configuration Files[1]
  • cuckoo.conf
  • nano cuckoo.conf
    • [cuckoo]
      • memory_dump = on (takes a full memory dump of the guest after each analysis; "yes"/"no" are accepted as well)
      • machinery = vmware (or virtualbox; use the one that matches your hypervisor, since it also selects which machinery file below Cuckoo reads)
    • [resultserver]
      • ip = IP address of the host system, not the virtual machine (the host's address on the interface it shares with the guest)
    • [sniffer]
      • interface = the host network interface your virtual machine is attached to
  • vmware.conf
  • nano vmware.conf
    • [vmware]
      • machines = name of the virtual machine (a comma-separated list if you have more than one; each name must have its own section below)
      • interface = name of the network interface for the virtual machine
    • [Name_of_the_Virtual_Machine]
      • vmx_path = the full path to the virtual machine's .vmx file, as printed by the find command above
      • ip = IP address of the virtual machine
  • memory.conf
  • nano memory.conf
    • [basic]
      • guest_profile = Volatility's profile name for your guest operating system (e.g. Win7SP1x86 for 32-bit Windows 7 SP1); the Volatility documentation lists the profile names for the various Windows versions
  • reporting.conf
  • nano reporting.conf
    • [mongodb]
      • enable = yes (the [mongodb] section lives in reporting.conf, not memory.conf; it is required for the web interface)
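To make the procedure above concrete (find the interface whose range contains the guest's IP, fill in cuckoo.conf, vmware.conf and memory.conf, then make sure the values agree with each other), here is an added example. It is my code, not code from the original post or the Cuckoo project. It parses a constructed ifconfig sample, selects the host interface that can reach the guest, renders the sections this post edits, and cross-checks them for the kind of mistakes raised in the comments below: a sniffer interface that does not exist on the host, a result server address that is really the guest's, a machine listed without its own section, or a vmx_path that does not point at a .vmx file. The guest address 192.168.56.101, the machine name win7, the .vmx path and the Win7SP1x86 profile are assumptions; the check compares the files against the ifconfig text, it does not talk to the hypervisor.

```python
"""Derive the host-side Cuckoo settings from the guest's IP and cross-check them.

Added example; not code from the Cuckoo project or the original post.
Assumed: Linux net-tools style `ifconfig` output (constructed sample below),
a VMware host-only adapter, and Cuckoo 1.x/2.x INI-style conf files.
"""
import configparser
import ipaddress
import re

# Constructed sample of `ifconfig` output: a physical NIC, loopback and two
# VMware virtual adapters (vmnet1 host-only, vmnet8 NAT). Not a real capture.
SAMPLE_IFCONFIG = """\
eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:10.0.0.5  Bcast:10.0.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1

vmnet1    Link encap:Ethernet  HWaddr 00:50:56:c0:00:01
          inet addr:192.168.56.1  Bcast:192.168.56.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

vmnet8    Link encap:Ethernet  HWaddr 00:50:56:c0:00:08
          inet addr:172.16.99.1  Bcast:172.16.99.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
"""

_ADDR_RE = re.compile(r"inet addr:(\S+)\s+(?:Bcast:\S+\s+)?Mask:(\S+)")


def parse_ifconfig(text):
    """Map each interface name to its IPv4 address and netmask."""
    ifaces = {}
    for block in re.split(r"\n(?=\S)", text.strip()):  # one block per interface
        match = _ADDR_RE.search(block)
        if match:
            ifaces[block.split()[0]] = ipaddress.IPv4Interface("%s/%s" % match.groups())
    return ifaces


def interface_for_guest(ifaces, guest_ip):
    """Return (interface name, host address on it) for the adapter that reaches guest_ip.

    This is the post's manual "find the range your VM's IP falls within" step;
    it also rejects a guest that was given the host's own address.
    """
    guest = ipaddress.IPv4Address(guest_ip)
    for name, iface in ifaces.items():
        if guest in iface.network:
            if guest == iface.ip:
                raise ValueError("guest %s collides with the host address on %s" % (guest, name))
            return name, str(iface.ip)
    raise ValueError("no host interface shares a subnet with %s" % guest)


def render_conf(label, guest_ip, host_ip, iface, vmx_path, profile):
    """Build the sections this post edits; 2042 is Cuckoo's default result server port."""
    cuckoo = ("[cuckoo]\nmemory_dump = on\nmachinery = vmware\n\n"
              "[resultserver]\nip = %s\nport = 2042\n\n"
              "[sniffer]\nenabled = yes\ninterface = %s\n" % (host_ip, iface))
    vmware = ("[vmware]\nmachines = %s\ninterface = %s\n\n"
              "[%s]\nvmx_path = %s\nip = %s\n" % (label, iface, label, vmx_path, guest_ip))
    memory = "[basic]\nguest_profile = %s\n" % profile
    return {"cuckoo.conf": cuckoo, "vmware.conf": vmware, "memory.conf": memory}


def check_conf(files, ifaces):
    """Cross-check cuckoo.conf against the machinery file and the host's interfaces.

    Returns a list of problems; an empty list means the settings are consistent.
    """
    problems = []
    cuckoo = configparser.ConfigParser()
    cuckoo.read_string(files["cuckoo.conf"])
    machinery = cuckoo.get("cuckoo", "machinery")
    mach_file = "%s.conf" % machinery
    if mach_file not in files:
        return ["machinery = %s but %s was not edited" % (machinery, mach_file)]
    mach = configparser.ConfigParser()
    mach.read_string(files[mach_file])
    if not mach.has_section(machinery):
        return ["%s has no [%s] section" % (mach_file, machinery)]
    host_ip = cuckoo.get("resultserver", "ip")
    sniff_if = cuckoo.get("sniffer", "interface")
    if sniff_if not in ifaces:
        problems.append("sniffer interface %s does not exist on this host" % sniff_if)
    elif str(ifaces[sniff_if].ip) != host_ip:
        problems.append("resultserver ip %s is not the host's address on %s" % (host_ip, sniff_if))
    for label in [m.strip() for m in mach.get(machinery, "machines").split(",")]:
        if not mach.has_section(label):
            problems.append("machine %s is listed but has no [%s] section" % (label, label))
            continue
        guest_ip = mach.get(label, "ip")
        if guest_ip == host_ip:
            problems.append("machine %s reuses the resultserver ip %s" % (label, host_ip))
        elif sniff_if in ifaces and ipaddress.IPv4Address(guest_ip) not in ifaces[sniff_if].network:
            problems.append("machine %s ip %s is not reachable via %s" % (label, guest_ip, sniff_if))
        if machinery == "vmware" and not mach.get(label, "vmx_path").endswith(".vmx"):
            problems.append("machine %s vmx_path must point at a .vmx file" % label)
    return problems


if __name__ == "__main__":
    ifaces = parse_ifconfig(SAMPLE_IFCONFIG)
    iface, host_ip = interface_for_guest(ifaces, "192.168.56.101")  # assumed guest IP
    files = render_conf("win7", "192.168.56.101", host_ip, iface,
                        "/home/YourUserName/vmware/win7/win7.vmx", "Win7SP1x86")  # assumed
    for name, text in files.items():
        print("==== %s ====\n%s" % (name, text))
    print("problems:", check_conf(files, ifaces) or "none")
```

Run it on the real machine by replacing SAMPLE_IFCONFIG with the output of `ifconfig` and the guest address with the one `ipconfig` showed inside the VM; any line printed under "problems" is a setting to fix before starting Cuckoo. The check only proves the files agree with each other and with the host's interfaces; it does not prove the guest can actually reach the result server, so a ping from the guest to the host address is still worth doing.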
      References  
      1. Cuckoo Sandbox Configuration Files

      Social Media
      Facebook:
      https://www.facebook.com/BDavisCS/

      Twitter:
      @BDavis_CyberSec
       

      20 comments:

      1. Hi BDavis,
        can you please provide a video for this part also.

        ReplyDelete
      2. Hi Shankar Kumar Chaudhary. Thank you for reading the blog post. I will have a video for this post and the next by the end of next week. But feel free to try the steps without the video, and if you run into any issues just leave me a note in the comments section and I'll respond in a timely manner. I'm glad you are taking an interest in malware analysis; keep with it. As always, "Stay Hungry for Knowledge"!!!!

        ReplyDelete
        Replies
        1. CuckooCriticalError: Error initializing machines: VMware vmrun not found in specified path /usr/bin/vmrun

          I have done all as you guided here but am getting the above error.

          Delete
        2. Hey! Did you make this video about installation?

          Delete
      3. Can't find the 4th part of this blog; is there any?

        ReplyDelete
      4. Hi Mohanan Suppiah. I have included a link to the 4th part of the series below:
        https://bdavis-cybersecurity.blogspot.com/2016/12/cuckoo-sandbox-installation-part-4-of-4.html

        ReplyDelete
      5. Hi BDavis.
        Thanks for supplying this guide - Cuckoo is notoriously difficult to engineer and you've shown us all the way forward!
        Keenly awaiting the 3rd and 4th installment of the youtube guide.

        ReplyDelete
      6. Hello,
        I've added the appropriate IP addresses to the config files, but I keep getting this error every time I attempt to launch cuckoo. Any idea why I'm getting this? Your help is greatly appreciated:

        2017-02-24 14:28:47,168 [lib.cuckoo.core.rooter] CRITICAL: Unable to passthrough root command (nic_available) as the rooter unix socket doesn't exist.

        2017-02-24 14:28:47,168 [root] CRITICAL: CuckooStartupError: The network interface that has been configured as dirty line is not available.

        ReplyDelete
      7. Hi TA,
        I have researched your issues and believe I have found the solutions:
        1. https://cuckoo.sh/docs/usage/rooter.html
        2. http://docs.cuckoosandbox.org/en/latest/faq/
        Navigate to the "Unable to bind result server error" question.

        Please let me know if they successfully resolve your issues. Thank you.

        ReplyDelete
      8. Hello bdavis,

        I have got Cuckoo working for Android on Linux for Android APK analysis, but I am not getting the results: the dynamic behaviour analysis starts normally and completes as well, yet I don't get the results. Can you tell me what could be the reason? Also, can you tell me the Volatility profile for Android on Linux? I am using Ubuntu 14.04 and the Android emulator with a Nexus One device.


        2017-03-04 16:53:24,213 [modules.processing.memory] ERROR: Generic error executing volatility
        Traceback (most recent call last):
        File "/home/lovina/Downloads/cuckoo/modules/processing/memory.py", line 1022, in run
        results = VolatilityManager(self.memory_path).run()
        File "/home/lovina/Downloads/cuckoo/modules/processing/memory.py", line 942, in run
        vol = VolatilityAPI(self.memfile, self.osprofile)
        File "/home/lovina/Downloads/cuckoo/modules/processing/memory.py", line 53, in __init__
        self.init_config()
        File "/home/lovina/Downloads/cuckoo/modules/processing/memory.py", line 107, in init_config
        self.addr_space = utils.load_as(self.config)
        File "/usr/local/lib/python2.7/dist-packages/volatility-2.6-py2.7.egg/volatility/utils.py", line 65, in load_as
        raise error
        AddrSpaceError: No suitable address space mapping found


        2017-03-04 16:53:24,245 [modules.processing.screenshots] ERROR: Could not find tesseract binary, screenshot OCR aborted.
        2017-03-04 16:53:29,525 [modules.processing.network] ERROR: Failed to process packet: 'type'
        Traceback (most recent call last):
        File "/home/lovina/Downloads/cuckoo/modules/processing/network.py", line 621, in run
        self._udp_dissect(connection, udp.data)
        File "/home/lovina/Downloads/cuckoo/modules/processing/network.py", line 212, in _udp_dissect
        self._add_dns(data)
        File "/home/lovina/Downloads/cuckoo/modules/processing/network.py", line 351, in _add_dns
        reqtuple = query["type"], query["request"]
        KeyError: 'type'

        ReplyDelete
      9. Hi Bdavis,
        This page jumps right past the setting up of the virtual machine. Is that in another tutorial?

        ReplyDelete
      10. Thank you for the response. I was speaking more to the setting up of the VM in terms of installation. What networking mode should be used, etc? Thank you for your responses.

        ReplyDelete
        Replies
        1. The network connection setup between your VM and the host needs to be a "Host-Only" connection. You don't want an infected VM reaching out to the internet.

          Delete
      11. Thank you very much for writing such an interesting article on this topic. This has really made me think and I hope to read more.
        Cyber security courses London

        ReplyDelete
      12. https://github.com/cuckoosandbox/cuckoo/blob/master/conf/cuckoo.conf

        The above link shows a 404 page not found error. Please provide the configuration files.

        ReplyDelete
      13. ~/cuckoo$ ./cuckoo.py

        .-----------------.
        | Cuckoo Sandbox? |
        | OH NOES! |\ '-.__.-'
        '-----------------' \ /oo |--.--,--,--.
        \_.-'._i__i__i_.'
        """""""""

        Cuckoo Sandbox 1.2
        www.cuckoosandbox.org
        Copyright (c) 2010-2015

        2018-05-01 10:52:02,893 [root] CRITICAL: CuckooCriticalError: Unable to import plugin "modules.machinery.avd": No module named avd

        ReplyDelete
      14. Hi Mr Davis , I thank you for making cuckoo sandbox so informative and easy to install.
        I have a query. I'm using VMware Workstation and I'm not sure of the port number; how do I find the port number for the below mentioned statement:

        # Specify a port number to bind the result server on.
        port = {{ cuckoo.resultserver.port }}

        ReplyDelete
      15. Hi Mr Davis , I thank you for making cuckoo sandbox so informative and easy to install.
        I have a query. I'm using VMware Workstation and I'm not sure of the port number; how do I find the port number for the below mentioned statement:

        # Specify a port number to bind the result server on.
        port = {{ cuckoo.resultserver.port }}



        Regards
        Hemant Yadav

        ReplyDelete
      16. Hi Mr. Davis, have you ever configured Cuckoo to route traffic through a VPN? I'm trying to achieve this but I get the error:

        What could be going on? I haven't found anything online and there's no active online community for Cuckoo. I hope you can reply to me because I have no one else I can ask and I need this to work for my university project.

        ReplyDelete