I remember setting up a Cuckoo Sandbox for malware analysis about three years ago..
As I recall it gave me quite a bit of trouble, and maybe that's why I had written down the build process at the time, so I'm leaving it here on the blog.
The versions have probably been upgraded quite a bit by now.. but I'll refer back to it if I ever have to build it again, haha
Cuckoo Sandbox PC configuration
Host spec
OS: Windows 10 Pro 64-bit
Hypervisor: Oracle VM VirtualBox 5.2.0 r118431
CPU: i7-4770TM
Memory: 32.0GB
Virtual IP: 192.168.1.0/24
Guest spec - Cuckoo-Server
OS: Ubuntu 16.04.3 Desktop 64-bit
CPU: 8 virtual cores
Memory: 4GB
IP: 192.168.1.192
Web port: 8000
Guest-in-guest spec - Sandbox
OS: Windows 7 Enterprise SP1 32-bit
Hypervisor: VirtualBox
CPU: 1 virtual core
Memory: 512MB
IP: 192.168.56.101
Subnet mask: 255.255.255.0
Gateway: 192.168.56.1
Installing base packages and C libraries
$ sudo apt-get install -y python-pip python-dev libssl-dev libjpeg-dev zlib1g-dev tcpdump apparmor-utils
$ sudo aa-disable /usr/sbin/tcpdump
$ sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
$ sudo apt-get install libcap2-bin
$ echo deb http://download.virtualbox.org/virtualbox/debian xenial contrib | sudo tee -a /etc/apt/sources.list.d/virtualbox.list
$ wget -q https://www.virtualbox.org/download/oracle_vbox_2016.asc -O- | sudo apt-key add -
$ sudo apt-get update
$ sudo apt-get install -y virtualbox-5.1
Installing the Cuckoo core
$ sudo pip install cuckoo
To list the installable versions: sudo pip install cuckoo==
$ cuckoo
Cuckoo Sandbox 2.0.1
www.cuckoosandbox.org
Copyright (c) 2010-2017
=======================================================================
Welcome to Cuckoo Sandbox, this appears to be your first run!
We will now set you up with our default configuration.
You will be able to see and modify the Cuckoo configuration,
Yara rules, Cuckoo Signatures, and much more to your likings
by exploring the /home/cuckoo/.cuckoo directory.
Among other configurable items of most interest is the
new location for your Cuckoo configuration:
/home/cuckoo/.cuckoo/conf
=======================================================================
Cuckoo has finished setting up the default configuration.
Please modify the default settings where required and
start Cuckoo again (by running `cuckoo` or `cuckoo -d`).
Sandbox setup
Downloading and importing the virtual machine
$ unzip ~/Download/IE8.Win7.For.Windows.VirtualBox.zip
$ virtualbox
▶ C:\Python27\Scripts\pip.exe install pillow
Network configuration and static IP
$ sudo vboxmanage hostonlyif create
$ sudo vboxmanage hostonlyif ipconfig vboxnet0 --ip 192.168.56.1
$ ifconfig
$ iptables -A FORWARD -o eth0 -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT
$ iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$ iptables -A POSTROUTING -t nat -j MASQUERADE
$ sysctl -w net.ipv4.ip_forward=1
$ sysctl -p
Disabling the firewall and Windows Update
Enabling the Administrator account and logging in with it
▶ net user administrator /active:yes
Disabling UAC
Running agent.py and taking the virtual machine snapshot
$ VBoxManage snapshot "IE8 - Win7" take "Snapshot1" --pause
$ VBoxManage controlvm "IE8 - Win7" poweroff
$ VBoxManage snapshot "IE8 - Win7" restorecurrent
Database configuration
$ sudo apt-get install mongodb
$ sudo nano /etc/mongodb.conf
bind_ip = 192.168.1.192
$ sudo systemctl restart mongodb
$ mongo 192.168.2.192
MongoDB shell version: 2.6.10
connecting to: 192.168.0.251/test
Welcome to the MongoDB shell.
For interactive help, type "help".
For more comprehensive documentation, see
Questions? Try the support group
http://groups.google.com/group/mongodb-user
> use cuckoo
switched to db cuckoo
> db.createUser({user:"cuckoo",pwd:"cuckoo123!@#",roles:[{role:"readWrite",db:"cuckoo"}]})
Successfully added user: {
"user" : "cuckoo",
"roles" : [
{
"role" : "readWrite",
"db" : "cuckoo"
}
]
}
Cuckoo configuration
$ sudo nano ~/.cuckoo/conf/cuckoo.conf
[resultserver]
# The Result Server is used to receive in real time the behavioral logs
# produced by the analyzer.
# Specify the IP address of the host. The analysis machines should be able
# to contact the host through such address, so make sure it's valid.
# NOTE: if you set resultserver IP to 0.0.0.0 you have to set the option
# `resultserver_ip` for all your virtual machines in machinery configuration.
ip = 192.168.1.192
# Specify a port number to bind the result server on.
port = 2042
$ sudo nano ~/.cuckoo/conf/reporting.conf
[mongodb]
enabled = yes
host = 192.168.1.192
port = 27017
db = cuckoo
store_memdump = yes
paginate = 100
# MongoDB authentication (optional).
username = cuckoo
password = cuckoo123!@#
$ sudo nano ~/.cuckoo/conf/virtualbox.conf
[virtualbox]
# Specify which VirtualBox mode you want to run your machines on.
# Can be "gui" or "headless". Please refer to VirtualBox's official
# documentation to understand the differences.
mode = gui
# Path to the local installation of the VBoxManage utility.
path = /usr/bin/VBoxManage
# If you are running Cuckoo on Mac OS X you have to change the path as follows:
# path = /Applications/VirtualBox.app/Contents/MacOS/VBoxManage
# Default network interface.
interface = enp0s3
# Specify a comma-separated list of available machines to be used. For each
# specified ID you have to define a dedicated section containing the details
# on the respective machine. (E.g. cuckoo1,cuckoo2,cuckoo3)
machines = cuckoo1
[cuckoo1]
# Specify the label name of the current machine as specified in your
# VirtualBox configuration.
label = IE8 - Win7
# Specify the operating system platform used by current machine
# [windows/darwin/linux].
platform = windows
# Specify the IP address of the current virtual machine. Make sure that the
# IP address is valid and that the host machine is able to reach it. If not,
# the analysis will fail.
ip = 192.168.56.101
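A quick consistency check over the three config fragments above, since most first-run failures come from these files disagreeing with each other (VM IP outside the vboxnet0 subnet, a machine listed in machines= without its own section, resultserver bound to 0.0.0.0 without a per-machine resultserver_ip). This is an added example, not part of Cuckoo; the config strings are constructed to mirror this post and the mongodb password is a placeholder.

```python
import configparser
import ipaddress

# Constructed to mirror the three fragments shown in this post (not real files).
CUCKOO_CONF = "[resultserver]\nip = 192.168.1.192\nport = 2042\n"
REPORTING_CONF = ("[mongodb]\nenabled = yes\nhost = 192.168.1.192\n"
                  "port = 27017\ndb = cuckoo\nusername = cuckoo\npassword = PLACEHOLDER\n")
VIRTUALBOX_CONF = ("[virtualbox]\nmode = gui\ninterface = enp0s3\nmachines = cuckoo1\n"
                   "[cuckoo1]\nlabel = IE8 - Win7\nplatform = windows\nip = 192.168.56.101\n")
HOSTONLY_NET = ipaddress.ip_network("192.168.56.0/24")   # vboxnet0 as set up in this post


def _load(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def check_configs(cuckoo_txt, reporting_txt, vbox_txt, hostonly=HOSTONLY_NET):
    """Return a list of problems found; an empty list means the three files agree."""
    cuckoo, rep, vbox = _load(cuckoo_txt), _load(reporting_txt), _load(vbox_txt)
    problems = []
    rs_ip = ipaddress.ip_address(cuckoo["resultserver"]["ip"])
    machines = [m.strip() for m in vbox["virtualbox"]["machines"].split(",") if m.strip()]
    if not machines:
        problems.append("virtualbox.conf: machines= is empty")
    for name in machines:
        # every ID in machines= needs its own [ID] section with label/platform/ip
        if not vbox.has_section(name):
            problems.append(f"{name}: listed in machines= but has no [{name}] section")
            continue
        sec = vbox[name]
        if not sec.get("label", "").strip():
            problems.append(f"{name}: label is empty (must match the VirtualBox VM name)")
        if sec.get("platform") not in ("windows", "darwin", "linux"):
            problems.append(f"{name}: platform must be windows/darwin/linux")
        vm_ip = ipaddress.ip_address(sec["ip"])
        if vm_ip not in hostonly:
            problems.append(f"{name}: ip {vm_ip} is not in host-only net {hostonly}")
        if vm_ip == rs_ip:
            problems.append(f"{name}: ip collides with the resultserver ip")
        # a 0.0.0.0 resultserver only works with a per-machine resultserver_ip
        if rs_ip.is_unspecified and not sec.get("resultserver_ip"):
            problems.append(f"{name}: resultserver ip is 0.0.0.0 but no resultserver_ip set")
    mongo = rep["mongodb"]
    if mongo.getboolean("enabled", fallback=False):
        # username without password (or the reverse) is almost always a typo
        if bool(mongo.get("username")) != bool(mongo.get("password")):
            problems.append("reporting.conf: mongodb username and password must both be set")
    return problems
```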
Basic operation of the Cuckoo sandbox
Running the Cuckoo core
$ cuckoo -d
Running the Cuckoo web server
$ cuckoo web -H 192.168.1.192 -p 8000