Setting up Cuckoo 2.0.5 – Part II

This is my second article in the Cuckoo sandbox series. The previous one focused on setting up the host machine; from here on we focus on the guest machine.

Preparing the Virtual Machine

Now that the host machine is done, we will start preparing the virtual machine, beginning with the installation of VirtualBox.

Virtualization Software
echo deb http://download.virtualbox.org/virtualbox/debian xenial contrib | sudo tee -a /etc/apt/sources.list.d/virtualbox.list
wget -q https://www.virtualbox.org/download/oracle_vbox_2016.asc -O- | sudo apt-key add -
sudo apt-get update
sudo apt-get install virtualbox-5.1

If you are using a different Linux release, use the matching repository line from the list below instead of the xenial one above.

For Ubuntu 17.04 ("Zesty")
deb http://download.virtualbox.org/virtualbox/debian zesty contrib
For Ubuntu 16.04 ("Xenial")
deb http://download.virtualbox.org/virtualbox/debian xenial contrib
For Ubuntu 14.04 ("Trusty")
deb http://download.virtualbox.org/virtualbox/debian trusty contrib
For Ubuntu 12.04 LTS ("Precise Pangolin")
deb http://download.virtualbox.org/virtualbox/debian precise contrib
For Debian 8 ("Jessie")
deb http://download.virtualbox.org/virtualbox/debian jessie contrib
For Debian 7 ("Wheezy")
deb http://download.virtualbox.org/virtualbox/debian wheezy contrib

You can confirm the VirtualBox installation by switching to super user and typing virtualbox in the terminal.

Creation of the Virtual Machine

Now start the Windows installation in VirtualBox. For this setup we install the Windows 7 operating system (32-bit) and assign the virtual machine 4 GB of RAM and 65 GB of disk space. Make a note of the machine name you set; for this setup we use “windows7”.

Requirements

Once the operating system has been installed, proceed with installing the Guest Additions in the virtual OS. To check whether the installed Windows is 32-bit or 64-bit, type “winmsd.exe” at the command prompt.

This results in a pop-up window asking to install the Guest Additions. Proceed with it and reboot the virtual machine once done. Now we add the agent folder that we made shareable earlier: click Machine > Settings in the VirtualBox window while Windows 7 is running.

Click on Shared Folders.

Click on Machine Folders and then the + sign on the right. Select the agent folder and check the Auto-mount and Make Permanent options.

Once done with that, disable the Windows firewall and disable the User Account Control settings.

Once done, power off the virtual machine properly.

Network Configuration

We now need to configure the host and the virtual machine so that they can communicate with each other. Run the following commands on the host machine (Ubuntu).

Switch to super user.

sudo vboxmanage hostonlyif create
sudo vboxmanage hostonlyif ipconfig vboxnet0 --ip 192.168.56.1
sudo vboxmanage modifyvm windows7 --hostonlyadapter1 vboxnet0
sudo vboxmanage modifyvm windows7 --nic1 hostonly

Run “ifconfig” to verify the result. You should see the vboxnet0 adapter.

Proceed with the following steps on the virtual machine (Windows). In the Windows 7 virtual machine, enter the static IP settings shown in the screenshot, but don’t press OK yet.

In another terminal, switch to super user and type the following commands, changing the adapter name (wlp2s0 here) to the one you see on your machine.

iptables -A FORWARD -o wlp2s0 -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A POSTROUTING -t nat -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward

Now press OK in the Windows virtual machine to apply the settings. If the connection was successful, you should see connectivity and this dialogue box appear.

You can also check by pinging 192.168.56.101 from the Linux machine, or by pinging the Linux machine’s IP address from the Windows machine.

To make the rules persist across reboots, install iptables-persistent.

sudo apt-get install iptables-persistent

This installation ensures the rules stay in place after you reboot the machine. You will be prompted to save the current IPv4 and IPv6 rules; select Yes for both.
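The host-side network steps above (host-only adapter, the three iptables rules, ip_forward, iptables-persistent) are easy to get subtly wrong: running “hostonlyif create” twice produces a second adapter, appending the rules twice leaves duplicates, and the /proc/sys write does not survive a reboot. The script below is an added example, not code from the original post, that checks which of the required rules are actually present and applies only the missing ones. It assumes the post’s layout (vboxnet0 on 192.168.56.0/24) and takes the uplink interface name as its argument; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): check and apply the host-side
# forwarding rules for the Cuckoo guest network. Assumed layout: host-only
# adapter vboxnet0 on 192.168.56.0/24; the uplink interface (wlp2s0 in the
# post, often eth0 or ens33 elsewhere) is passed as the first argument.

CUCKOO_NET="192.168.56.0/24"
HOSTONLY_IF="vboxnet0"

# Print the rules the guest needs, one per line, as "<table> <rule>", where
# <rule> is written the way `iptables -S` / `iptables -t nat -S` list it
# (iptables normalises option order and prints states as RELATED,ESTABLISHED).
required_rules() {
    uplink="$1"
    printf '%s\n' \
        "filter -A FORWARD -s $CUCKOO_NET -i $HOSTONLY_IF -o $uplink -m conntrack --ctstate NEW -j ACCEPT" \
        "filter -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT" \
        "nat -A POSTROUTING -j MASQUERADE"
}

# Read the host's current rules on stdin (the concatenated output of
# `iptables -S` and `iptables -t nat -S`) and print each required rule
# that is absent, with its table name in front.
# Usage: { iptables -S; iptables -t nat -S; } | missing_rules wlp2s0
missing_rules() {
    current=$(cat)
    required_rules "$1" | while IFS= read -r line; do
        rule=${line#* }
        printf '%s\n' "$current" | grep -Fxq -- "$rule" || printf '%s\n' "$line"
    done
}

# Append only the rules that are missing (needs root). Because it goes
# through missing_rules, re-running the script never duplicates a rule.
apply_rules() {
    { iptables -S; iptables -t nat -S; } | missing_rules "$1" | while IFS= read -r line; do
        table=${line%% *}
        spec=${line#* -A }
        # word-splitting $spec into separate iptables arguments is intended
        iptables -t "$table" -A $spec
    done
}

# `echo 1 > /proc/sys/net/ipv4/ip_forward` is lost at reboot, and
# iptables-persistent saves only the rules, so persist the sysctl as well.
enable_forwarding() {
    sysctl -w net.ipv4.ip_forward=1
    printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/99-cuckoo-forward.conf
}

# Create the host-only adapter only if `VBoxManage list hostonlyifs` does not
# already show it; a second `hostonlyif create` would make vboxnet1 instead.
ensure_hostonly_if() {
    VBoxManage list hostonlyifs | grep -q "^Name: *$HOSTONLY_IF\$" ||
        VBoxManage hostonlyif create
    VBoxManage hostonlyif ipconfig "$HOSTONLY_IF" --ip 192.168.56.1
}

# Full host setup, run as root:
#   ensure_hostonly_if && enable_forwarding && apply_rules wlp2s0
# then `netfilter-persistent save` (or `iptables-save > /etc/iptables/rules.v4`).
```

The check functions read the rule listing from stdin rather than calling iptables themselves, so you can also run them against a saved listing from another host to compare setups.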

Having done the above steps, we can now copy the agent files from the Cuckoo directory into the shared folder we created earlier. These files will then be available inside the virtual machine.

cp /root/.cuckoo/agent/agent.sh /home/administrator/Downloads/agent/
cp /root/.cuckoo/agent/agent.py /home/administrator/Downloads/agent/

You can now find these files at the following location in Windows:

network > VBOXSVR > agent folder

Installing the Agent on Windows

For the agent to work on the Windows virtual machine, we also need to install Python and Pillow. Pillow is used by the agent to take screenshots of activity on the Windows desktop.

Go ahead and install Python 2.7.14 (released 2017-09-16): download the Windows x86 MSI installer from

https://www.python.org/downloads/windows/

For Pillow, download “Pillow-2.7.0.win32-py2.7.exe (md5)” from https://pypi.python.org/pypi/Pillow/2.7.0

After this, install software such as Office, Adobe products, etc., so that the virtual machine resembles a normal machine in the organization as closely as possible.

Finally, all that is left is to run agent.py from the Documents folder and take a snapshot of the virtual machine.

You will see a blank screen, but that is perfectly normal. After this, take a snapshot by selecting Machine > Take Snapshot.

Make a note of the name you give this snapshot; it will be used when configuring the sandbox. I used something short and easy: “snap”. Now you can power off the virtual machine.

Cloning the Virtual Machine

You can always create a clone of the virtual machine. It acts as a backup of all the settings and installed applications, and if you plan on using multiple VMs you can use these clones as the additional analysis machines.

Cuckoo Configuration

This stage involves configuring the settings for the sandbox. The configuration files are located in the “.cuckoo/conf” folder. The change points are highlighted in each screenshot.

cuckoo.conf
nano /root/.cuckoo/conf/cuckoo.conf

auxiliary.conf
nano /root/.cuckoo/conf/auxiliary.conf
virtualbox.conf
nano /root/.cuckoo/conf/virtualbox.conf

Modify the snapshot name to match the name you gave the snapshot earlier when setting up the Windows 7 virtual machine.

memory.conf
nano /root/.cuckoo/conf/memory.conf

To edit the guest profile please refer to the list below:

processing.conf
nano /root/.cuckoo/conf/processing.conf
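The most common reason Cuckoo refuses to start an analysis after this stage is a mismatch between virtualbox.conf and VirtualBox itself: a label that is not a VM name, a snapshot name that differs from the one chosen under Machine > Take Snapshot, or a guest IP outside the host-only subnet. The script below is an added example, not code from the original post, that reads those values out of virtualbox.conf and checks them against VBoxManage before you run cuckoo. It assumes the Cuckoo 2.0 key names (machines, label, snapshot, ip), the “Name: <snapshot> (UUID: …)” layout of “VBoxManage snapshot <vm> list”, and the post’s 192.168.56.0/24 subnet; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check virtualbox.conf
# against what VirtualBox actually has, before starting Cuckoo. Assumes the
# Cuckoo 2.0 key names (machines, label, snapshot, ip) and the default
# "   Name: <snapshot> (UUID: ...)" layout of `VBoxManage snapshot <vm> list`.

# Print the value of KEY in [SECTION] from an INI file read on stdin.
# Usage: conf_value windows7 snapshot < ~/.cuckoo/conf/virtualbox.conf
conf_value() {
    awk -v section="[$1]" -v key="$2" '
        { sub(/[ \t]+$/, "") }                  # strip trailing whitespace
        /^#/ { next }                           # skip comment lines
        /^\[/ { insec = ($0 == section); next } # track the current section
        insec && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }'
}

# Does snapshot NAME appear in `VBoxManage snapshot <vm> list` output read
# on stdin? Each snapshot is printed as "   Name: snap (UUID: ...)".
snapshot_listed() {
    grep -Fq "Name: $1 (UUID: "
}

# The guest must sit on the host-only subnet for the resultserver to reach it.
in_guest_subnet() {
    case "$1" in
        192.168.56.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Tie it together: exits non-zero and names the first mismatch found.
# Usage: check_guest_config ~/.cuckoo/conf/virtualbox.conf
check_guest_config() {
    conf="$1"
    machine=$(conf_value virtualbox machines < "$conf")
    machine=${machine%%,*}        # first entry of a comma-separated list
    label=$(conf_value "$machine" label < "$conf")
    snapshot=$(conf_value "$machine" snapshot < "$conf")
    ip=$(conf_value "$machine" ip < "$conf")

    [ -n "$machine" ] || { echo "machines= is empty in [virtualbox]"; return 1; }
    VBoxManage showvminfo "$label" >/dev/null 2>&1 ||
        { echo "no VM named '$label' (label= must match the VirtualBox VM name)"; return 1; }
    [ -n "$snapshot" ] ||
        { echo "snapshot= is empty; set it to the name given at Machine > Take Snapshot"; return 1; }
    VBoxManage snapshot "$label" list | snapshot_listed "$snapshot" ||
        { echo "VM '$label' has no snapshot named '$snapshot'"; return 1; }
    in_guest_subnet "$ip" ||
        { echo "ip=$ip is not in 192.168.56.0/24 (the vboxnet0 subnet)"; return 1; }
    echo "virtualbox.conf is consistent with VirtualBox"
}
```

Run check_guest_config against the conf file as the same user that will run cuckoo, since VBoxManage only sees that user’s VMs; a VM created as root is invisible to an unprivileged Cuckoo user and shows up here as “no VM named …”.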

And that’s about it. Hope you enjoyed the two articles. Your comments or feedback would be greatly appreciated.

(Featured Image credits: A cuckoo-clock heart, by KaleidoMewStar, deviantart.com)
