Part one of this series covered installing the Cuckoo host; this part covers installing the Cuckoo guest, the network configuration, and so on.

1. Prepare the Guest

1.1 Install Virtualbox

On the Cuckoo host (Ubuntu 18.04 LTS), install VirtualBox (vbox):

$ sudo apt-get install virtualbox virtualbox-ext-pack

After a successful install, the VirtualBox version is shown:

virtualbox is already the newest version (5.2.18-dfsg-2~ubuntu18.04.5).

It is said that VirtualBox 6.0 and later no longer support 32-bit systems.

1.2 Install Windows 7 x86/x64

After installing VirtualBox, use vbox to install the guest operating system: Windows 7 x86; either the 32-bit or the 64-bit version will do.

Once the installation is complete, configure Windows 7:

  • Turn off auto update
  • Turn off firewall
  • Turn Windows UAC to minimum

1.3 Install Python 2.7

Cuckoo runs a Python script inside the guest, so Python must be installed.

  • Download the matching Python 2.7 Windows build and install it on the Windows 7 system. During installation, tick the option that adds the Python path to the system environment variables.

If the installation succeeded, opening cmd and typing python shows the following:

Fig.1 Install python2.7 successfully

  • Install Pillow; during analysis Cuckoo automatically takes screenshots of the guest.

    $ pip install Pillow

1.4 Install the Cuckoo Agent

  • $CWD/agent contains a script file, agent.py. Copy this script into the Windows 7 guest operating system; the path is up to you.
    • CWD (Current Working Directory) defaults to ~/.cuckoo
    • Run the script with python agent.py
    • Once the script is running, netstat -an shows local port 8000 in the LISTENING state
  • To run the script automatically every time the guest boots:
    • Rename agent.py to agent.pyw
    • Copy agent.pyw into the Windows 7 Startup folder; the Cuckoo agent will then start automatically on every guest boot

1.5 Install Other Software

Cuckoo can analyse many kinds of files, such as PDF and Word documents, so install the corresponding software:

  • Microsoft Office 2013
  • An older version of Adobe Reader
  • Older browsers such as Firefox

1.6 Configure the Guest Network

Give the guest OS a host-only network adapter, vboxnet0, so that the guest can only communicate with the Cuckoo host. Assign the adapter a fixed IP address, 192.168.56.1, as shown below:

Fig.2 Config host-only network adapter

Then configure the network of the Windows 7 guest OS:

  • IP: 192.168.56.2 (another address works too)
  • Netmask: 255.255.255.0
  • Gateway: 192.168.56.1

Fig.3 Config guest OS network

The guest network configuration is now complete; ping between the guest and the Cuckoo host to verify that it works.

2. Configure Packet Forwarding on the Cuckoo Host

Because the guest is configured host-only, it cannot reach the Internet directly, so set up packet forwarding on the Cuckoo host with iptables:

$ sudo iptables -A FORWARD -o ens33 -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT
$ sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$ sudo iptables -A POSTROUTING -t nat -j MASQUERADE

  • ens33 is the name of the network adapter on the local Cuckoo host
  • Once this is configured, the Windows 7 guest can reach the Internet, which can be verified with ping; the Cuckoo host itself, however, cannot reach the Internet.

To keep packet forwarding in effect after a reboot:

Edit /etc/sysctl.conf

  • Uncomment net.ipv4.ip_forward=1
  • Run

    $ sudo sysctl -p /etc/sysctl.conf

Then run:

$ sudo apt-get install iptables-persistent
$ sudo netfilter-persistent save
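As an added example (not from the original post), this Python check verifies the forwarding setup of section 2 from text you capture on the host with iptables -S and cat /etc/sysctl.conf; the interface names ens33 and vboxnet0 and the 192.168.56.0/24 subnet are the ones used above, and the sample inputs are constructed.

```python
# Added example, not from the original post: verify the section 2 forwarding
# setup from text captured with `iptables -S FORWARD`, `iptables -t nat -S
# POSTROUTING` and `cat /etc/sysctl.conf`. Sample inputs below are constructed.
import shlex

HOST_IF, GUEST_IF, GUEST_NET = "ens33", "vboxnet0", "192.168.56.0/24"

# The three rules from the post as option/value pairs, so the order in which
# iptables -S prints the options does not matter.
REQUIRED_RULES = {
    "forward-new": {("-A", "FORWARD"), ("-s", GUEST_NET), ("-i", GUEST_IF), ("-o", HOST_IF),
                    ("-m", "conntrack"), ("--ctstate", "NEW"), ("-j", "ACCEPT")},
    "forward-established": {("-A", "FORWARD"), ("-m", "conntrack"),
                            ("--ctstate", "ESTABLISHED,RELATED"), ("-j", "ACCEPT")},
    "nat-masquerade": {("-A", "POSTROUTING"), ("-j", "MASQUERADE")},
}

SAMPLE_RULES_OK = """\
-A FORWARD -s 192.168.56.0/24 -i vboxnet0 -o ens33 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A POSTROUTING -j MASQUERADE
"""
# Interfaces swapped on the NEW rule, and no MASQUERADE rule at all.
SAMPLE_RULES_BAD = """\
-A FORWARD -s 192.168.56.0/24 -i ens33 -o vboxnet0 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
"""

def _pairs(rule_line):
    """Split '-A FORWARD -i vboxnet0 ...' into {(option, value), ...}.
    Simplification: negated matches ('! -s ...') are not handled."""
    toks = shlex.split(rule_line)
    return set(zip(toks[::2], toks[1::2]))

def missing_rules(iptables_s_output):
    """Names of required rules that do not appear in the iptables -S output."""
    present = [_pairs(ln) for ln in iptables_s_output.splitlines() if ln.startswith("-A ")]
    return sorted(name for name, want in REQUIRED_RULES.items()
                  if not any(want <= have for have in present))

def ip_forward_enabled(sysctl_conf_text):
    """True if sysctl.conf has an uncommented net.ipv4.ip_forward=1 line."""
    for line in sysctl_conf_text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "net.ipv4.ip_forward":
            return value.strip() == "1"
    return False
```

On a real host, feed the functions the concatenated output of sudo iptables -S FORWARD and sudo iptables -t nat -S POSTROUTING, and the contents of /etc/sysctl.conf.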

3. Configure the conf Files

With the host and guest installed, Cuckoo still cannot run; a few configuration files must be filled in. The $CWD/conf folder holds a series of .conf files that can be configured, as shown below:

Fig.4 Config Cuckoo conf files

3.1 Configure cuckoo.conf

cuckoo.conf configures the Cuckoo sandbox itself; the options to set are:

  • version_check = no

    # Enable or disable startup version check. When enabled, Cuckoo will connect
    # to a remote location to verify whether the running version is the latest
    # one available.

Once packet forwarding is set up, the Cuckoo host can no longer reach the Internet, so this check is turned off.

  • machinery = virtualbox

    # Specify the name of the machinery module to use, this module will
    # define the interaction between Cuckoo and your virtualization software
    # of choice.

Specifies the guest VM software, which can be VMware, QEMU, etc. Since VirtualBox (vbox) is what is installed on this machine, the VirtualBox module is chosen here.

  • memory_dump = yes

    # Enable creation of memory dump of the analysis machine before shutting
    # down. Even if turned off, this functionality can also be enabled at
    # submission. Currently available for: VirtualBox and libvirt modules (KVM).

Enable memory dumps.

  • [resultserver]

    # The Result Server is used to receive in real time the behavioral logs
    # produced by the analyzer.
    # Specify the IP address of the host. The analysis machines should be able
    # to contact the host through such address, so make sure it’s valid.
    # NOTE: if you set resultserver IP to 0.0.0.0 you have to set the option
    # resultserver_ip for all your virtual machines in machinery configuration.

    • ip = the Cuckoo host's own IP address
    • port = 2042

      # Specify a port number to bind the result server on.

    The default port number.

3.2 Configure virtualbox.conf

  • mode = gui

    # Specify which VirtualBox mode you want to run your machines on.
    # Can be “gui” or “headless”. Please refer to VirtualBox’s official
    # documentation to understand the differences.

Whether to run the virtual machine with a GUI.

  • path = /usr/bin/VBoxManage

    # Path to the local installation of the VBoxManage utility.

The path to vbox's VBoxManage utility.

  • interface = vboxnet0

    # Default network interface.

The name of the network adapter.

  • machines = []

    # Specify a comma-separated list of available machines to be used. For each
    # specified ID you have to define a dedicated section containing the details
    # on the respective machine. (E.g. cuckoo1,cuckoo2,cuckoo3)

The names of the guest machines.

  • ip = []

    # Specify the IP address of the current virtual machine. Make sure that the
    # IP address is valid and that the host machine is able to reach it. If not,
    # the analysis will fail.

The guest machine's IP address.

  • snapshot = []

    # (Optional) Specify the snapshot name to use. If you do not specify a snapshot
    # name, the VirtualBox MachineManager will use the current snapshot.
    # Example (Snapshot1 is the snapshot name):

The name of the vbox snapshot.
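As an added example (not part of the Cuckoo project), this Python check cross-references cuckoo.conf (3.1) and virtualbox.conf (3.2) the way they are filled in above: machinery must be virtualbox, every listed machine needs its own section with an IP on the 192.168.56.0/24 host-only subnet from section 1.6, and a 0.0.0.0 result server requires a per-machine resultserver_ip as the cuckoo.conf NOTE says. The two config strings are constructed samples.

```python
# Added example, not part of the Cuckoo project: cross-check cuckoo.conf and
# virtualbox.conf as filled in above. The two strings are constructed samples
# shaped like the real files; the host-only subnet is the one from section 1.6.
import configparser
import ipaddress

HOST_ONLY_NET = ipaddress.ip_network("192.168.56.0/24")
CUCKOO_CONF = """\
[cuckoo]
machinery = virtualbox

[resultserver]
ip = 192.168.56.1
"""
VBOX_CONF = """\
[virtualbox]
interface = vboxnet0  # Default network interface.
machines = cuckoo1

[cuckoo1]
ip = 192.168.56.2
"""

def _parse(text):
    cp = configparser.ConfigParser(inline_comment_prefixes=("#",))
    cp.read_string(text)
    return cp

def check_configs(cuckoo_text, vbox_text):
    """Return a list of problems; an empty list means the two files agree."""
    cuckoo, vbox = _parse(cuckoo_text), _parse(vbox_text)
    problems = []
    if cuckoo.get("cuckoo", "machinery", fallback="") != "virtualbox":
        problems.append("machinery must be virtualbox for virtualbox.conf to be used")
    rs_ip = cuckoo.get("resultserver", "ip", fallback="")
    names = [n.strip() for n in vbox.get("virtualbox", "machines", fallback="").split(",") if n.strip()]
    for name in names:
        if not vbox.has_section(name):
            problems.append(f"machine {name} is listed but has no [{name}] section")
            continue
        guest_ip = vbox.get(name, "ip", fallback="")
        try:
            if ipaddress.ip_address(guest_ip) not in HOST_ONLY_NET:
                problems.append(f"{name}: ip {guest_ip} is not on the host-only subnet {HOST_ONLY_NET}")
        except ValueError:
            problems.append(f"{name}: ip {guest_ip!r} is not a valid address")
        # The NOTE in cuckoo.conf: a 0.0.0.0 result server needs a per-machine resultserver_ip.
        if rs_ip == "0.0.0.0" and not vbox.get(name, "resultserver_ip", fallback=""):
            problems.append(f"{name}: resultserver ip is 0.0.0.0 but resultserver_ip is not set")
    return problems
```

To run it against a real install, pass the contents of ~/.cuckoo/conf/cuckoo.conf and virtualbox.conf instead of the sample strings.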

3.3 Configure reporting.conf

[singlefile]
# Enable creation of report.html and/or report.pdf?
enabled = yes
# Enable creation of report.html?
html = yes
# Enable creation of report.pdf?
pdf = no

[mongodb]
enabled = yes
host = 127.0.0.1
port = 27017
db = cuckoo
store_memdump = yes
paginate = 100

4. Run the Cuckoo box

With that, the installation and configuration of the Cuckoo box is complete. Inside the virtualenv, run:

cuckoo
cuckoo web

This starts Cuckoo and the web interface.