Cuckoo Sandbox is a system-level sandbox for automated malware analysis. This post records in detail the process of installing and configuring Cuckoo.

1. Architecture & Network Topology

The architecture used for this Cuckoo installation is shown in Fig. 1:

Fig.1 Cuckoo install architecture

Since Cuckoo is installed on a single physical machine:

  • The physical host runs Windows 10
  • VMware Workstation is used to install Ubuntu 18.04 LTS as the Cuckoo host
  • Inside Ubuntu, VirtualBox is used to install Windows 7 x64 as the Cuckoo guest

This is a nested virtual-machine structure.

The network topology of the Cuckoo installation is shown below:

Fig.2 Cuckoo install network topology

2. Prepare Host

2.1 Prepare OS

Use VMware Workstation to install the VM that will be the Cuckoo host; its operating system is Ubuntu 18.04 LTS. After installation, update the system:

$ sudo apt-get update
$ sudo apt-get upgrade && sudo apt-get dist-upgrade

2.2 Prepare Python Library

Cuckoo 2.x runs on Python 2.7 only, so install the Python 2 packages:

$ sudo apt-get install python python-pip python-dev libffi-dev libssl-dev
$ sudo apt-get install python-virtualenv python-setuptools
$ sudo apt-get install libjpeg-dev zlib1g-dev swig

2.3 Prepare Database

$ sudo apt-get install mongodb
$ sudo apt-get install postgresql libpq-dev

2.4 Install tcpdump

Ubuntu ships an AppArmor profile for tcpdump that restricts where it may write, which would prevent Cuckoo from saving pcaps into its storage directory, so the profile is disabled after installation:

$ sudo apt-get install tcpdump apparmor-utils
$ sudo aa-disable /usr/sbin/tcpdump

Add a pcap group so that the cuckoo user can capture traffic without root, and grant tcpdump the capabilities it needs via file capabilities instead of setuid:

$ sudo groupadd pcap
$ sudo usermod -a -G pcap cuckoo
$ sudo chgrp pcap /usr/sbin/tcpdump
$ sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump

$ getcap /usr/sbin/tcpdump
/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip
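The steps above as one idempotent script with a verification function, added here as an example (it is not part of the original post or of the Cuckoo project). It assumes the Cuckoo user is `cuckoo`, as above, and adds one hardening step the post omits: `chmod 750`, so that only root and members of `pcap` can execute the binary that now carries `cap_net_raw`/`cap_net_admin`. Without it, `chgrp pcap` restricts nothing, because the file stays world-executable. The `caps_ok` parser accepts both the old `file = caps+eip` and the newer `file caps=eip` output format of `getcap`.

```shell
#!/bin/sh
# Added example (not part of the original post): apply and verify the
# least-privilege tcpdump setup from section 2.4. Assumes the Cuckoo user is
# "cuckoo" and adds one hardening step the post omits: chmod 750, so that only
# root and the pcap group can execute the capability-bearing binary.
# Usage: sudo sh tcpdump-caps.sh apply   |   sh tcpdump-caps.sh check
set -eu

TCPDUMP=/usr/sbin/tcpdump
CUCKOO_USER=${CUCKOO_USER:-cuckoo}
AA_DISABLED=/etc/apparmor.d/disable/usr.sbin.tcpdump   # symlink aa-disable creates

# caps_ok LINE: succeed if a getcap output line grants cap_net_raw and
# cap_net_admin with both the effective (e) and permitted (p) flags.
# Accepts the old "file = caps+eip" and the newer "file caps=eip" syntax.
caps_ok() {
    line=$1
    case "$line" in *cap_net_raw*) ;; *) return 1 ;; esac
    case "$line" in *cap_net_admin*) ;; *) return 1 ;; esac
    flags=${line##*[+=]}            # text after the last '+' or '='
    case "$flags" in
        *e*p*|*p*e*) return 0 ;;
        *)           return 1 ;;
    esac
}

# mode_ok MODE: succeed if an octal mode (stat -c %a) gives "other" no
# execute bit, i.e. the binary is not runnable by arbitrary local users.
mode_ok() {
    case "$1" in
        *0|*2|*4|*6) return 0 ;;
        *)           return 1 ;;
    esac
}

apply_tcpdump() {
    groupadd -f pcap                              # -f: fine if it exists
    usermod -a -G pcap "$CUCKOO_USER"
    aa-disable "$TCPDUMP" 2>/dev/null || true     # may already be disabled
    chgrp pcap "$TCPDUMP"
    chmod 750 "$TCPDUMP"                          # hardening: pcap group only
    setcap cap_net_raw,cap_net_admin=eip "$TCPDUMP"
}

check_tcpdump() {
    rc=0
    caps=$(getcap "$TCPDUMP" 2>/dev/null || true)   # empty when no caps set
    if caps_ok "$caps"; then echo "ok    $caps"
    else echo "FAIL  $TCPDUMP lacks cap_net_raw,cap_net_admin+eip"; rc=1; fi

    mode=$(stat -c %a "$TCPDUMP" 2>/dev/null || echo 777)
    if mode_ok "$mode"; then echo "ok    mode $mode (no execute for others)"
    else echo "WARN  mode $mode is world-executable; consider chmod 750"; fi

    if id -nG "$CUCKOO_USER" 2>/dev/null | tr ' ' '\n' | grep -qx pcap; then
        echo "ok    $CUCKOO_USER is in group pcap"
    else echo "FAIL  $CUCKOO_USER is not in group pcap"; rc=1; fi

    # A confined tcpdump cannot write pcaps into Cuckoo's storage directory.
    if [ -L "$AA_DISABLED" ]; then echo "ok    AppArmor profile disabled"
    else echo "FAIL  AppArmor profile for tcpdump still enabled"; rc=1; fi
    return $rc
}

case "${1:-}" in
    apply) apply_tcpdump && check_tcpdump ;;
    check) check_tcpdump ;;
esac
```

Run `check` as the cuckoo user after logging in again (group membership is only picked up by new sessions). Note that `aa-disable` unconfines tcpdump entirely; on a host shared with untrusted users, the `chmod 750` is what keeps the unconfined, capability-bearing binary out of their reach.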

2.5 Install Volatility

$ sudo apt-get install volatility

2.6 Install M2Crypto

$ sudo -H pip install m2crypto==0.32.0

2.7 Install guacd

$ sudo apt install libguac-client-rdp0 libguac-client-vnc0 libguac-client-ssh0 guacd

2.8 Install Distorm

$ git clone https://github.com/gdabah/distorm.git
$ cd distorm
$ sudo python setup.py install

The remaining packages are build dependencies for YARA (section 2.10):

$ sudo apt-get install libjansson-dev libmagic-dev
$ sudo apt-get install libtool-bin

2.9 Install PyCrypto

$ sudo -H pip install pycrypto
$ sudo -H pip install ansible --upgrade

2.10 Install YARA

Assuming yara-3.1.0.tar.gz has already been downloaded into the current directory:

$ tar -zxf yara-3.1.0.tar.gz
$ cd yara-3.1.0
$ ./bootstrap.sh
$ ./configure --with-crypto --enable-magic --enable-cuckoo
$ make
$ sudo make install
$ sudo ldconfig
$ sudo -H pip install yara-python

Only the install step needs root; `ldconfig` makes the freshly installed libyara visible to the dynamic linker.

2.11 Install Cuckoo

After installing virtualenv, create a Python 2.7 environment (Cuckoo 2.x does not run on Python 3) and activate it:

$ virtualenv -p python2.7 venv
$ . venv/bin/activate
(venv)$ pip install -U pip setuptools
(venv)$ pip install -U cuckoo

2.11.1 Raise file limits

Raise the maximum number of open files:

2.12 Trial Run

Run Cuckoo in debug mode:

(venv)$ cuckoo -d

If the output looks like the figure below, the installation succeeded:

Fig.3 Cuckoo trial run
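A preflight script for the host after sections 2.1 to 2.12, added here as an example (not from the original post or the Cuckoo project). It assumes the virtualenv is `./venv` as above, and uses 65535 as the minimum open-file limit for the cuckoo user, an assumed value since the post leaves section 2.11.1 blank. It also checks a pitfall of the steps above: modules installed with `sudo -H pip install` land in the system Python, and a plain virtualenv cannot import them, so what matters is what `pip install cuckoo` pulled into the venv.

```shell
#!/bin/sh
# Added example (not part of the original post): preflight check for the
# Cuckoo host after sections 2.1-2.12. Assumes the virtualenv is ./venv (as
# above) and treats 65535 open files as the minimum for the cuckoo user
# (an assumed value; the post does not give one).
# Usage: sh cuckoo-preflight.sh check   (run as the cuckoo user)
set -eu

VENV=${VENV:-./venv}
NOFILE_MIN=${NOFILE_MIN:-65535}

# version_ge A B: succeed if dotted numeric version A is >= B (3.8.1 >= 3.1.0).
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}             # leading component of each
        [ "$ai" = "$a" ] && a= || a=${a#*.}  # drop it (last one -> empty)
        [ "$bi" = "$b" ] && b= || b=${b#*.}
        [ "${ai:-0}" -gt "${bi:-0}" ] && return 0
        [ "${ai:-0}" -lt "${bi:-0}" ] && return 1
    done
    return 0
}

# nofile_ok N: succeed if soft open-file limit N (from 'ulimit -n') is enough.
nofile_ok() {
    [ "$1" = unlimited ] && return 0
    [ "$1" -ge "$NOFILE_MIN" ]
}

check_host() {
    rc=0
    py="$VENV/bin/python"
    # 1. Cuckoo 2.x is Python 2.7 only; a Python 3 venv will not work.
    v=$("$py" -c 'import sys; print(".".join(map(str, sys.version_info[:3])))' 2>/dev/null || echo 0)
    if version_ge "$v" 2.7 && ! version_ge "$v" 3; then echo "ok    venv python $v"
    else echo "FAIL  venv python is '$v', Cuckoo 2.x needs 2.7.x"; rc=1; fi

    # 2. Bindings Cuckoo depends on must be importable *inside* the venv;
    #    'sudo -H pip install' only puts them into the system Python.
    for m in yara Crypto distorm3; do
        if "$py" -c "import $m" 2>/dev/null; then echo "ok    import $m"
        else echo "FAIL  cannot import $m from $VENV"; rc=1; fi
    done

    # 3. Optional modules: M2Crypto, and Volatility (needed only when memory
    #    dumps are enabled; the apt package lands in the system Python).
    for m in M2Crypto volatility.conf; do
        if "$py" -c "import $m" 2>/dev/null; then echo "ok    import $m"
        else echo "WARN  $m not importable from $VENV"; fi
    done

    # 4. Open-file limit of the current (cuckoo) shell.
    n=$(ulimit -n)
    if nofile_ok "$n"; then echo "ok    nofile $n"
    else echo "FAIL  nofile $n < $NOFILE_MIN; raise it in /etc/security/limits.conf"; rc=1; fi

    if [ -x "$VENV/bin/cuckoo" ]; then echo "ok    $VENV/bin/cuckoo installed"
    else echo "FAIL  cuckoo not installed in $VENV"; rc=1; fi
    return $rc
}

case "${1:-}" in check) check_host ;; esac
```

For the file-limit step, the usual persistent fix is a pair of `cuckoo soft nofile 65535` and `cuckoo hard nofile 65535` lines in `/etc/security/limits.conf` (values assumed, as above), which take effect on the next login; the script reports the limit of the shell it runs in, so run it from a fresh session as the cuckoo user before `cuckoo -d`.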

This post draws on reference [2].