The Cuckoo sandbox was originally set up to analyze sensitive samples that may neither be connected to the internet nor uploaded to an online cloud sandbox, so that sample behaviour could be collected conveniently in-house. After a year of use, its memory-dump feature has occasionally worked wonders on some samples.

Environment

  • Host: Ubuntu 18.04.5 x64
  • Windows sandbox guest: Windows 7 SP1 x86
  • Linux sandbox guest: Ubuntu 18.04.3 x64

Ubuntu host configuration

Installing dependencies

```bash
#!/bin/bash
echo "Installing updates and dependencies..."
sudo apt-get update && sudo apt-get upgrade -y && sudo apt-get autoremove -y
# Cuckoo 2.x runs on Python 2 only; these are its build and runtime dependencies
sudo apt-get install python python-pip python-dev libffi-dev libreadline-gplv2-dev libncursesw5-dev libssl-dev libsqlite3-dev -y
sudo apt-get install python-virtualenv python-setuptools -y
sudo apt-get install libjpeg-dev zlib1g-dev -y
sudo apt-get install libxml2-dev libxslt1-dev libevent-dev libpcre3 libpcre3-dev libtool libpcre++-dev g++ -y
sudo apt-get install git automake dkms unzip wget python-sqlalchemy python-bson python-dpkt python-jinja2 -y
sudo apt-get install python-magic python-mysqldb python-gridfs python-bottle python-pefile python-chardet -y

echo "Python 3"   # used by the python3 tooling later on; Cuckoo itself stays on Python 2
cd /usr/src
sudo wget https://www.python.org/ftp/python/3.8.0/Python-3.8.0.tgz
sudo tar -xvf Python-3.8.0.tgz
cd Python-3.8.0
sudo ./configure
# altinstall installs python3.8 next to Ubuntu's own python3 instead of shadowing it
sudo make && sudo make altinstall

echo "Pip"
# the generic get-pip.py no longer supports Python 2; use the 2.7 variant
sudo wget https://bootstrap.pypa.io/pip/2.7/get-pip.py
sudo python get-pip.py
sudo -H pip install --upgrade pip
sudo -H pip install pillow

echo "MongoDB"
sudo apt-get install mongodb -y

echo "PostgreSQL"
sudo apt-get install postgresql libpq-dev -y
sudo -H pip install psycopg2

echo "Tcpdump"
sudo apt-get install tcpdump apparmor-utils -y
# let an unprivileged user capture traffic without sudo
sudo aa-disable /usr/sbin/tcpdump
sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
getcap /usr/sbin/tcpdump

# pinned versions; if they fail to resolve, fall back to the unpinned line
sudo -H pip install lxml cybox==2.0.1.4 maec==4.0.1.0 "Django<2"
# sudo -H pip install lxml cybox maec "Django<2"
```

Cuckoo and component installation

```bash
#!/bin/bash
echo " - Installing -"
echo "Adding cuckoo user"
sudo adduser --disabled-login --gecos "" cuckoo
# effectively a no-op (the user is already in its own group); Cuckoo is run as root below anyway.
# To run it as this user instead, add it to vboxusers once VirtualBox is installed:
#   sudo usermod -a -G vboxusers cuckoo
sudo usermod -G cuckoo cuckoo
echo "ssdeep"
sudo apt-get install ssdeep python-pyrex subversion libfuzzy-dev -y
echo "M2Crypto"
sudo apt-get install swig -y
sudo -H pip install m2crypto==0.31.0
echo "Volatility"
git clone https://github.com/volatilityfoundation/volatility.git
cd volatility
sudo python setup.py install
cd ..
echo "distorm"
wget -O distormv3.4.1.tar.gz https://github.com/gdabah/distorm/archive/v3.4.1.tar.gz
tar -zxvf distormv3.4.1.tar.gz
cd distorm-3.4.1
sudo python setup.py install
cd ..
sudo apt-get install libjansson-dev libmagic-dev libtool-bin -y
echo "PyCrypto"
sudo -H pip install --upgrade pycrypto ansible IPython==5.0 jupyter openpyxl ujson
echo "Yara"
wget -O yarav3.11.0.tar.gz https://github.com/VirusTotal/yara/archive/v3.11.0.tar.gz
tar -zxvf yarav3.11.0.tar.gz
cd yara-3.11.0
sudo ./bootstrap.sh
sudo ./configure --with-crypto --enable-magic --enable-cuckoo
sudo make
sudo make install
sudo -H pip install yara-python
cd ..
echo "FTP server"
# anonymous, writable share used to move agent.pyw (and files) into the guests
sudo mkdir -p /home/ubuntu/vmshared/pub
sudo chown -R cuckoo:cuckoo /home/ubuntu/vmshared
sudo chmod -R ug=rwX,o=rX /home/ubuntu/vmshared/
sudo chmod -R ugo=rwX /home/ubuntu/vmshared/pub
sudo apt-get install vsftpd -y
echo "Adding stuff to /etc/vsftpd.conf"
sudo sed -i 's/#write_enable=YES/write_enable=YES/g' /etc/vsftpd.conf
sudo sed -i 's/#anon_upload_enable=YES/anon_upload_enable=YES/g' /etc/vsftpd.conf
sudo sed -i 's/#anon_mkdir_write_enable=YES/anon_mkdir_write_enable=YES/g' /etc/vsftpd.conf
# Bind only to the host-only adapter, never to the uplink: anonymous uploads are enabled.
# The address must be the host-only adapter's address (192.168.56.1 in the network section below).
sudo bash -c 'echo "listen_address=192.168.100.1" >> /etc/vsftpd.conf'
sudo bash -c 'echo "listen_port=2121" >> /etc/vsftpd.conf'
sudo bash -c 'echo "anon_root=/home/ubuntu/vmshared" >> /etc/vsftpd.conf'
sudo bash -c 'echo "anon_umask=000" >> /etc/vsftpd.conf'
sudo bash -c 'echo "chown_upload_mode=0666" >> /etc/vsftpd.conf'
sudo bash -c 'echo "pasv_enable=Yes" >> /etc/vsftpd.conf'
sudo bash -c 'echo "pasv_min_port=10090" >> /etc/vsftpd.conf'
sudo bash -c 'echo "pasv_max_port=10100" >> /etc/vsftpd.conf'
sudo service vsftpd restart
sudo service vsftpd status
# ufw rules for FTP (note that vsftpd listens on 2121 above, not 21);
# the script enables ufw and then disables it again, so the host firewall ends up off
sudo ufw allow 20/tcp
sudo ufw allow 21/tcp
sudo ufw allow 990/tcp
sudo ufw allow 10090:10100/tcp
sudo ufw enable
sudo ufw disable
echo "Cuckoo"
```

Then install Cuckoo itself by hand, as root, into a virtualenv, and let it create its working directory:

```bash
virtualenv venv
sudo apt-get remove python-dpkt      # Cuckoo's pip package brings its own pinned dpkt; the distro package gets in the way
sudo su
. venv/bin/activate
# no sudo from here on: it would bypass the activated venv and install into the system Python
pip install -U pip setuptools
pip install -U cuckoo
cuckoo -d                             # first run creates the working directory /root/.cuckoo
cp /root/.cuckoo/agent/agent.py /home/ubuntu/vmshared/agent.pyw
cd /root/.cuckoo
service mongodb start
```

Installing VirtualBox

```bash
#!/bin/bash
echo "Installing VirtualBox"
codename=$(lsb_release --codename | cut -f2)   # bionic on Ubuntu 18.04
echo "deb [arch=amd64] https://download.virtualbox.org/virtualbox/debian ${codename} contrib" | sudo tee -a /etc/apt/sources.list.d/virtualbox.list
wget -q https://www.virtualbox.org/download/oracle_vbox_2016.asc -O- | sudo apt-key add -
wget -q https://www.virtualbox.org/download/oracle_vbox.asc -O- | sudo apt-key add -
sudo apt-get update
sudo apt-get install virtualbox-6.1 -y
```

Network configuration

A host-only network is used, and guest packets are forwarded to the outside through the host with iptables. The configuration below forwards packets arriving on the input interface vboxnet0 and masquerades their private source addresses as the address of the external interface ens33; for the iptables options see https://www.jianshu.com/p/5a604b4ef342.

Note that this gives the guest unrestricted egress through ens33. For samples that must not reach the internet, leave out the MASQUERADE rule, set the FORWARD policy to DROP (Cuckoo's own per-analysis routing in routing.conf defaults to route = none) and allow the guest to reach only the host's Cuckoo services.

```bash
#!/bin/bash
echo "- Installing -"
sudo apt install net-tools
sudo vboxmanage hostonlyif create                       # creates vboxnet0
sudo vboxmanage hostonlyif ipconfig vboxnet0 --ip 192.168.56.1
sudo vboxmanage modifyvm cuckoo1 --hostonlyadapter1 vboxnet0
sudo vboxmanage modifyvm cuckoo1 --nic1 hostonly
sudo modprobe ip_tables
sudo modprobe ip_nat_ftp
sudo iptables -P INPUT ACCEPT
sudo iptables -P OUTPUT ACCEPT
sudo iptables -P FORWARD ACCEPT
sudo iptables -t nat -A POSTROUTING -o ens33 -j MASQUERADE
sudo iptables -A FORWARD -i vboxnet0 -j ACCEPT
# same effect as "echo 1 > /proc/sys/net/ipv4/ip_forward"; not persistent across reboots
# unless net.ipv4.ip_forward=1 is also added to /etc/sysctl.conf
sudo sysctl -w net.ipv4.ip_forward=1
sudo apt-get install iptables-persistent                # saves the iptables rules, not the sysctl
sudo netfilter-persistent save
```


modprobe ip_tables
modprobe ip_nat_ftp
The ip_tables and ip_nat_ftp (FTP NAT helper) modules are not loaded by default at boot, so these two commands load the modules the rules below require.

iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
Set the default policies so that incoming, outgoing and forwarded packets are all accepted.

Set up masquerading and IP forwarding:
iptables -t nat -A POSTROUTING -o ens33 -j MASQUERADE
iptables -A FORWARD -i vboxnet0 -j ACCEPT

Parameters:
-t nat: use the NAT table, which is consulted for the first packet of each new connection.
-A POSTROUTING: append the rule to the chain traversed as packets are about to leave the host, i.e. where source NAT is applied.
-i vboxnet0: input interface.
-o ens33: output interface.
-j MASQUERADE: rewrite the source address, i.e. make the guest's private address appear as the address of the external interface ens33.
Together these two rules take packets from the guest network (received on vboxnet0), rewrite their source address to that of the external interface and forward them out through ens33.
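The isolated alternative mentioned above, as an added example that is not part of the original post: a script that applies either the post's MASQUERADE setup or a no-egress variant in which the guest can reach only the host's Cuckoo services. Interface names and addresses are the post's (vboxnet0, 192.168.56.0/24, ens33); port 2042 is Cuckoo's default result-server port; 2121 and 10090-10100 are the vsftpd ports set above. The DRY_RUN switch, the rule layout and the decision to flush the three chains are this example's own choices.

```bash
#!/bin/bash
# Added example (not from the original post): apply the host-side rules for the
# sandbox network in one of two modes.
#   internet  - what the post does: forward guest traffic and MASQUERADE it out of ens33
#   isolated  - no egress: the guest can reach only the host's Cuckoo services
# Interfaces/addresses follow the post (vboxnet0 = 192.168.56.1/24, uplink ens33);
# 2042 is Cuckoo's default result-server port; 2121 and 10090-10100 are the vsftpd
# ports configured above. DRY_RUN=1 prints the commands instead of running them
# (a switch of this example, so the rule set can be reviewed before use).
set -eu

GUEST_IF=${GUEST_IF:-vboxnet0}
UPLINK_IF=${UPLINK_IF:-ens33}
GUEST_NET=${GUEST_NET:-192.168.56.0/24}
HOST_IP=${HOST_IP:-192.168.56.1}
DRY_RUN=${DRY_RUN:-0}

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else sudo "$@"; fi; }
ipt() { run iptables "$@"; }

# What the guest may talk to on the host, in either mode: the result server,
# the vsftpd share (control port plus passive range), ping, and replies to
# connections the host opened itself (the agent on guest port 8000).
# Anything else from the guest toward the host is dropped.
host_service_rules() {
    ipt -A INPUT -i "$GUEST_IF" -s "$GUEST_NET" -d "$HOST_IP" -p tcp --dport 2042 -j ACCEPT
    ipt -A INPUT -i "$GUEST_IF" -s "$GUEST_NET" -d "$HOST_IP" -p tcp --dport 2121 -j ACCEPT
    ipt -A INPUT -i "$GUEST_IF" -s "$GUEST_NET" -d "$HOST_IP" -p tcp --dport 10090:10100 -j ACCEPT
    ipt -A INPUT -i "$GUEST_IF" -s "$GUEST_NET" -d "$HOST_IP" -p icmp --icmp-type echo-request -j ACCEPT
    ipt -A INPUT -i "$GUEST_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -i "$GUEST_IF" -j DROP
}

# apply_rules internet|isolated
apply_rules() {
    local mode="$1"
    case "$mode" in
        internet|isolated) ;;
        *) echo "usage: apply_rules internet|isolated" >&2; return 2 ;;
    esac
    run modprobe ip_tables
    run modprobe ip_nat_ftp                 # FTP helper for the passive-mode share
    # This script owns INPUT, FORWARD and nat/POSTROUTING: start them empty so that
    # re-running does not stack duplicate rules. Adapt if the host has other rules.
    ipt -F INPUT
    ipt -F FORWARD
    ipt -t nat -F POSTROUTING
    ipt -P INPUT ACCEPT
    ipt -P OUTPUT ACCEPT
    host_service_rules
    if [ "$mode" = internet ]; then
        ipt -P FORWARD ACCEPT
        ipt -A FORWARD -i "$GUEST_IF" -o "$UPLINK_IF" -s "$GUEST_NET" -j ACCEPT
        ipt -A FORWARD -i "$UPLINK_IF" -o "$GUEST_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
        ipt -t nat -A POSTROUTING -s "$GUEST_NET" -o "$UPLINK_IF" -j MASQUERADE
        run sysctl -w net.ipv4.ip_forward=1
    else
        # no forwarding at all: a guest that changes its own IP or gateway still stays boxed in
        ipt -P FORWARD DROP
        run sysctl -w net.ipv4.ip_forward=0
    fi
}

if [ $# -ge 1 ]; then
    apply_rules "$1"
fi
```

Run `DRY_RUN=1 ./sandbox_net.sh isolated` first to read the rule set, then without DRY_RUN to apply it; `netfilter-persistent save` afterwards keeps it across reboots as in the post.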

Cuckoo configuration

Edit the following files under /root/.cuckoo/conf (for example with sudo nano).

cuckoo.conf, so that a full memory dump of the guest is taken at the end of each analysis:

```ini
[cuckoo]
memory_dump = yes
```

virtualbox.conf:

```ini
[virtualbox]
mode = gui
machines = cuckoo1

[cuckoo1]
label = cuckoo1
snapshot = clean-final-X
tags = windows_7, 32_bit, python
```

memory.conf, with the Volatility profile of the Windows 7 SP1 x86 guest; the dump is deleted after processing to save disk space:

```ini
[basic]
guest_profile = Win7SP1x86
delete_memdump = yes
```

processing.conf, so that the dump is actually processed by the memory module:

```ini
[memory]
enabled = yes
```

reporting.conf:

```ini
[singlefile]
enabled = yes
html = yes
pdf = yes
```
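A consistency check for the settings above, added here as an example (it is not from the original post nor part of Cuckoo): it reads the three files that must agree for a memory dump to be produced and analyzed, and reports which Volatility profile a given machine will use. The section and key names are Cuckoo 2.x's (cuckoo.conf [cuckoo] memory_dump, processing.conf [memory] enabled, memory.conf [basic] guest_profile, and the optional per-machine osprofile in virtualbox.conf that overrides guest_profile); the working directory defaults to /root/.cuckoo as in the post, and the configs written at the end of the block are constructed for the demo.

```bash
#!/bin/bash
# Added example, not part of the original post or of Cuckoo: cross-check the
# memory-dump settings before submitting a sample. Section/key names are the
# real Cuckoo 2.x ones; the demo configs at the bottom are constructed here.
set -u

# ini_get FILE SECTION KEY : print the value, or nothing if the key is absent.
ini_get() {
    [ -r "$1" ] || return 0
    awk -v sect="[$2]" -v key="$3" '
        $0 == sect { insect = 1; next }
        /^\[/      { insect = 0 }
        insect && index($0, "=") {
            k = $0; sub(/[ \t]*=.*/, "", k); sub(/^[ \t]+/, "", k)
            if (k == key) {
                v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# check_memory_setup CWD MACHINE : returns 0 if consistent, 1 otherwise (reasons on stdout)
check_memory_setup() {
    local cwd="$1" machine="$2" rc=0 v
    v=$(ini_get "$cwd/conf/cuckoo.conf" cuckoo memory_dump)
    if [ "$v" != "yes" ]; then
        echo "cuckoo.conf: [cuckoo] memory_dump must be 'yes' (found '${v:-unset}')"; rc=1
    fi
    # a line such as "enabled yes" without "=" is not a setting at all and shows up as unset
    v=$(ini_get "$cwd/conf/processing.conf" memory enabled)
    if [ "$v" != "yes" ]; then
        echo "processing.conf: [memory] needs 'enabled = yes' (found '${v:-unset}')"; rc=1
    fi
    # a per-machine osprofile wins over the global guest_profile
    v=$(ini_get "$cwd/conf/virtualbox.conf" "$machine" osprofile)
    [ -n "$v" ] || v=$(ini_get "$cwd/conf/memory.conf" basic guest_profile)
    if [ -z "$v" ]; then
        echo "no Volatility profile for $machine: set osprofile in virtualbox.conf or guest_profile in memory.conf"; rc=1
    else
        echo "machine $machine will use profile $v"
    fi
    return $rc
}

# Demo on constructed configs that mirror the post's settings.
demo=$(mktemp -d)
mkdir -p "$demo/conf"
printf '[cuckoo]\nmemory_dump = yes\n' > "$demo/conf/cuckoo.conf"
printf '[memory]\nenabled = yes\n' > "$demo/conf/processing.conf"
printf '[basic]\nguest_profile = Win7SP1x86\ndelete_memdump = yes\n' > "$demo/conf/memory.conf"
printf '[virtualbox]\nmachines = cuckoo1\n\n[cuckoo1]\nlabel = cuckoo1\n' > "$demo/conf/virtualbox.conf"
check_memory_setup "$demo" cuckoo1
rm -rf "$demo"
```

Against a real installation call `check_memory_setup /root/.cuckoo cuckoo1`; a non-zero exit means the dump will either not be taken or not be processed.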

Windows 7 guest

  • Use the default administrator account, Administrator
  • Configure the network with static IP 192.168.56.101, subnet mask 255.255.255.0, gateway 192.168.56.1 and DNS 8.8.8.8
  • Turn off the firewall
  • Put agent.pyw in the Startup folder
  • With agent.pyw running, take a snapshot named snapshot1 to serve as the sandbox's running snapshot; the name must match the snapshot entry of the machine in virtualbox.conf

Linux guest

Follow the documentation at https://cuckoo.sh/docs/installation/guest/linux.html step by step.

Make sure the agent starts automatically. The simplest way is to add it to the root crontab:

```bash
sudo crontab -e
# add this line:
@reboot python /path/to/agent.py
```

Install the dependencies inside the VM:

```bash
sudo apt-get install systemtap gcc patch linux-headers-$(uname -r)
```

Install the kernel debug symbols:

```bash
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys C8CAB6595FDFF622
codename=$(lsb_release -cs)
sudo tee /etc/apt/sources.list.d/ddebs.list << EOF
deb http://ddebs.ubuntu.com/ ${codename} main restricted universe multiverse
deb http://ddebs.ubuntu.com/ ${codename}-security main restricted universe multiverse
deb http://ddebs.ubuntu.com/ ${codename}-updates main restricted universe multiverse
deb http://ddebs.ubuntu.com/ ${codename}-proposed main restricted universe multiverse
EOF
sudo apt-get update
sudo apt-get install linux-image-$(uname -r)-dbgsym
```

Patch the SystemTap tapset so that the Cuckoo analyzer can parse its output correctly:

```bash
wget https://raw.githubusercontent.com/cuckoosandbox/cuckoo/master/stuff/systemtap/expand_execve_envp.patch
wget https://raw.githubusercontent.com/cuckoosandbox/cuckoo/master/stuff/systemtap/escape_delimiters.patch
sudo patch /usr/share/systemtap/tapset/linux/sysc_execve.stp < expand_execve_envp.patch
sudo patch /usr/share/systemtap/tapset/uconversions.stp < escape_delimiters.patch
```

Compile the kernel extension:

```bash
wget https://raw.githubusercontent.com/cuckoosandbox/cuckoo/master/stuff/systemtap/strace.stp
sudo stap -p4 -r $(uname -r) strace.stp -m stap_ -v
```

Once compilation finishes you should see the file stap_.ko in the same folder. You can now test the STAP kernel extension as follows:

```bash
sudo staprun -v ./stap_.ko
```

The output should look like this:
staprun:insert_module:x Module stap_ inserted from file /path/to/stap_.ko

The stap_.ko file should be placed in /root/.cuckoo:

```bash
sudo mkdir /root/.cuckoo
sudo mv stap_.ko /root/.cuckoo/
```

Disable the firewall inside the VM (if present):

```bash
sudo ufw disable
```

Disable NTP inside the VM:

```bash
sudo timedatectl set-ntp off
```

Optional: remove pre-installed software and configuration:

```bash
sudo apt-get purge update-notifier update-manager update-manager-core ubuntu-release-upgrader-core
sudo apt-get purge whoopsie ntpdate cups-daemon avahi-autoipd avahi-daemon avahi-utils
sudo apt-get purge account-plugin-salut libnss-mdns telepathy-salut
```

It is recommended to give the Linux guest a static IP address. Make sure the machine entry in the configuration has the correct IP address and that its platform variable is set to linux. Take a snapshot once the VM is configured. Analysis is now possible!

Custom configuration

Anti-VM-detection hardening

requirements.txt and antivmdetect.py below come from the antivmdetect project's checkout; run the script from there to make the VirtualBox guest look less like a virtual machine:

```bash
#!/bin/bash
echo " - Installing -"
sudo apt-get install python3-pip libcdio-utils acpica-tools mesa-utils
sudo pip3 install -r requirements.txt
wget https://download.sysinternals.com/files/VolumeId.zip https://www.nirsoft.net/utils/devmanview-x64.zip
hostname > computer.lst
whoami > user.lst
sudo python3 antivmdetect.py
echo "Installation complete"
```

Cuckoo community plugins

The Cuckoo community repository (https://github.com/cuckoosandbox/community) contains sample signatures and YARA rules. Fetch them online, or from a downloaded archive when the host has no internet access:

```bash
cuckoo community
# offline: cuckoo community --file cuckoo_master.tar.gz
```

Problems encountered

Port forwarding through VMware NAT fails

I used an Ubuntu VM under VMware as the host and gave it an IP address through NAT. Some subnets on the LAN could not reach the web service inside the VMware VM; even the physical machine could not reach the Cuckoo service through its own LAN address.
Solution: add VMware's NAT service program vmnat.exe to the firewall's allow list.

Cannot compile the kernel extension on the Linux guest

Running sudo stap -p4 -r $(uname -r) strace.stp -m stap_ -v to compile the SystemTap module fails with:
semantic error: while resolving probe point: identifier 'kprobe' ...
Solution: remove systemtap and rebuild it from source, see https://github.com/cuckoosandbox/cuckoo/issues/2684, which reads:
I suggest everyone with the same problem try the following steps:

  • sudo apt-get remove systemtap: remove the existing installation
  • download the latest SystemTap source from https://sourceware.org/systemtap/wiki/SystemTapReleases (I tested version 4.3)
  • tar xf systemtap-x.x.tar.gz
  • apt-get install gcc g++ elfutils libdw-dev elfutils build-essential: this should be the complete list of dependencies, but if something is missing you will find out in the next step (check systemtap-*/README)
  • cd systemtap-*
  • ./configure (if you get an error here, a dependency is probably missing)
  • make
  • make install

Then rerun sudo stap -p4 -r $(uname -r) strace.stp -m stap_ -v:

```
$ sudo stap -p4 -r $(uname -r) strace.stp -m stap_ -v
Pass 1: parsed user script and 476 library scripts using 117248virt/88100res/5912shr/82312data kb, in 150usr/20sys/165real ms.
Pass 2: analyzed script: 1799 probes, 205 functions, 103 embeds, 176 globals using 148156virt/120404res/7412shr/113220data kb, in 48440usr/5800sys/33518real ms.
Pass 3: translated to C into "/tmp/stapklRjSe/stap__src.c" using 149744virt/122164res/7604shr/114808data kb, in 250usr/20sys/283real ms.
Pass 4: compiled C into "stap_.ko" in 60980usr/1970sys/58715real ms.
```

Incorrect OS has been specified - volatility

After configuring the Linux sandbox, submitting an ELF sample produced the following error:

```
ERROR: Error running Volatility on machine 'cuckoo_ubuntu1': An incorrect OS has been specified for this machine! Please provide the correct one or Cuckoo won't be able to provide Volatility-based results for analyses with this VM.
```

The log gives the memory dump's path as /root/.cuckoo/storage/analyses/10/memory.dmp. Run the following to inspect the dump:

```bash
vol.py -f memory.dmp imageinfo
```

After waiting a while, however, no image information appeared (imageinfo identifies Windows images only; a Linux dump needs a profile built for the guest's exact kernel). Checking the Volatility configuration with vol.py --info showed that the available profiles include no Linux profile, so one has to be built manually. Documentation:
https://github.com/volatilityfoundation/profiles
https://github.com/volatilityfoundation/volatility/wiki/Linux
https://www.andreafortuna.org/2019/08/22/how-to-generate-a-volatility-profile-for-a-linux-system/

Inside the Linux guest (the profile must be built against the guest's own kernel):

```bash
apt-get install dwarfdump
apt-get install build-essential
apt search linux-headers-$(uname -r)
apt install linux-headers-$(uname -r)
```

```bash
git clone https://github.com/volatilityfoundation/volatility.git
cd volatility/tools/linux/ && make
cd ../../../
zip $(lsb_release -i -s)_$(uname -r)_profile.zip ./volatility/tools/linux/module.dwarf /boot/System.map-$(uname -r)
```

Copy the generated zip on the host into the directory volatility/volatility/plugins/overlays/linux. The zip may be given any name that identifies the distribution release, e.g. Ubuntu1804, since Volatility derives the profile name from the file name. After copying it, look up the resulting profile name with vol.py --info and use it as the profile for the Linux machine (guest_profile in memory.conf).

Configuring multiple guests on one host

Distributed setup