/* CAT(1) */

By Jeff White (karttoon)

This is a condensed dump of the commands/changes I used recently while setting up a new Cuckoo install so I can use them again in the future. This build uses cuckoo-modified, virtualbox, tor, and Ubuntu 16.04.1 LTS. Most of the information is pulled from the following resources and tweaked to fit my needs. IP's are as follow: host VM 60.200 is ext, 56.1 is int, and 56.250 is VM int (hostonly).

Create user

root@cuckoo:~# adduser cuckoo root@cuckoo:~# usermod -a -G vboxusers cuckoo root@cuckoo:~# usermod -a -G sudo cuckoo root@cuckoo:~# su cuckoo

Update system

cuckoo@cuckoo:~$ sudo apt-get remove apt-listchanges cuckoo@cuckoo:~$ sudo apt-get update && sudo apt-get upgrade -y && sudo apt-get dist-upgrade -y && sudo apt-get autoremove -y

Install dependencies and tools

cuckoo@cuckoo:~$ sudo apt-get install apache2-utils apt-listchanges automake bison clamav clamav-daemon clamav-freshclam curl exiftool fail2ban flex gcc geoip-database git libboost-all-dev libffi-dev libfuzzy-dev libgeoip-dev libjpeg-dev libmagic1 libpq-dev libssl-dev libtool libvirt-dev libxml2-dev libxslt-dev libxslt1-dev make mongodb mono-utils nginx openjdk-8-jre-headless p7zip-full postgresql postgresql-contrib privoxy python python-bottle python-bson python-chardet python-dev python-dpkt python-jinja2 python-libvirt python-m2crypto python-magic python-pefile python-pil python-pip python-pymongo python-sqlalchemy python-yara ssdeep suricata swig tcpdump tesseract-ocr tor unattended-upgrades unzip upx-ucl virtualbox wget wkhtmltopdf xfonts-100dpi xvfb yara -y cuckoo@cuckoo:~$ sudo pip install MAEC cybox distorm3 django gunicorn openpyxl psycopg2 pycrypto cuckoo@cuckoo:~$ sudo pip install git+https://github.com/kbandla/pydeep.git cuckoo@cuckoo:~$ sudo pip install git+https://github.com/volatilityfoundation/volatility.git cuckoo@cuckoo:~$ sudo chmod +s /usr/sbin/tcpdump cuckoo@cuckoo:~$ wget https://github.com/VirusTotal/yara/archive/v3.5.0.tar.gz cuckoo@cuckoo:~$ tar -zxvf v3.5.0.tar.gz cuckoo@cuckoo:~$ cd yara-3.5.0/ cuckoo@cuckoo:~/yara-3.5.0$ ./bootstrap.sh cuckoo@cuckoo:~/yara-3.5.0$ ./configure --enable-cuckoo --enable-magic cuckoo@cuckoo:~/yara-3.5.0$ make cuckoo@cuckoo:~/yara-3.5.0$ sudo make install cuckoo@cuckoo:~$ cd ~ cuckoo@cuckoo:~$ git clone https://github.com/seanthegeek/routetor.git cuckoo@cuckoo:~$ cd routetor cuckoo@cuckoo:~/routetor$ $ sudo cp *tor* /usr/sbin cuckoo@cuckoo:~$ cd ~

Setup DB

cuckoo@cuckoo:~$ sudo su postgres postgres@cuckoo:/home/cuckoo$ psql CREATE USER cuckoo WITH PASSWORD 'cuckoo'; CREATE DATABASE cuckoo; GRANT ALL PRIVILEGES ON DATABASE cuckoo to cukoo; \q postgres@cuckoo:/home/cuckoo$ exit

Install cuckoo

cuckoo@cuckoo:~$ git clone https://github.com/spender-sandbox/cuckoo-modified.git cuckoo@cuckoo:~$ sudo pip install -r ./cuckoo-modified/requirements.txt cuckoo@cuckoo:~$ ./cuckoo-modified/utils/community.py -wafb monitor cuckoo@cuckoo:~$ ./cuckoo-modified/utils/community.py -waf cuckoo@cuckoo:~$ mv cuckoo-modified/ cuckoo/

Configure Nginx

cuckoo@cuckoo:~$ mkdir ~/ssl cuckoo@cuckoo:~/ssl$ cd ~/ssl cuckoo@cuckoo:~/ssl$ openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout cuckoo.key -out cuckoo.crt cuckoo@cuckoo:~/ssl$ openssl req -newkey rsa:4096-nodes -keyout cuckoo.key -out cuckoo.csr cuckoo@cuckoo:~/ssl$ rm cuckoo.csr cuckoo@cuckoo:~/ssl$ openssl dhparam -out dhparam.pem 4096 cuckoo@cuckoo:~$ cd ~ cuckoo@cuckoo:~$ sudo mv ssl/ /etc/nginx cuckoo@cuckoo:~$ sudo chown -R root:www-data /etc/nginx/ssl cuckoo@cuckoo:~$ sudo chmod -R 550 /etc/nginx/ssl cuckoo@cuckoo:~$ sudo rm /etc/nginx/sites-enabled/default cuckoo@cuckoo:~$ sudo vim /etc/nginx/sites-available/cuckoo server { listen ssl http2; ssl_certificate /etc/nginx/ssl/cuckoo.crt; ssl_certificate_key /etc/nginx/ssl/cuckoo.key; ssl_dhparam /etc/nginx/ssl/dhparam.pem; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0 ssl_session_cache shared:SSL:10m; ssl_session_tickets off; # Requires nginx >= 1.5.9 # Uncomment this next line if you are using a signed, trusted cert #add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"; add_header X-Frame-Options SAMEORIGIN; add_header X-Content-Type-Options nosniff; root /usr/share/nginx/html; index index.html index.htm; client_max_body_size 101M; auth_basic "Login required"; auth_basic_user_file /etc/nginx/htpasswd; location / { proxy_pass; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } location /storage/analysis { alias /home/cuckoo/cuckoo/storage/analyses/; autoindex on; autoindex_exact_size off; autoindex_localtime on; } location /static { alias /home/cuckoo/cuckoo/web/static/; } } server { listen http2; return 301 https://$server_name$request_uri; } cuckoo@cuckoo:~$ sudo ln -s /etc/nginx/sites-enabled/cuckoo /etc/nginx/sites-available/cuckoo cuckoo@cuckoo:~$ sudo htpasswd -c /etc/nginx/htpasswd cuckoo cuckoo@cuckoo:~$ sudo chown root:www-data /etc/nginx/htpasswd cuckoo@cuckoo:~$ sudo chmod 540 /etc/nginx/htpasswd

Setup VM and install OS

cuckoo@cuckoo:~$ VM='Win7ProSP1-86' cuckoo@cuckoo:~$ VBoxManage createhd --filename $VM.vdi --size 16384 cuckoo@cuckoo:~$ VBoxManage createvm --name $VM --ostype 'Windows7' --register cuckoo@cuckoo:~$ VBoxManage storagectl $VM --name "SATA Controller" --add sata --controller IntelAHCI cuckoo@cuckoo:~$ VBoxManage storageattach $VM --storagectl "SATA Controller" --port 0 --device 0 --type hdd --medium $VM.vdi cuckoo@cuckoo:~$ VBoxManage storagectl $VM --name "IDE Controller" --add ide cuckoo@cuckoo:~$ VBoxManage storageattach $VM --storagectl "IDE Controller" --port 0 --device 0 --type dvddrive --medium en_windows_7_professional_with_sp1_x86_dvd_u_677056.iso cuckoo@cuckoo:~$ VBoxManage modifyvm $VM --ioapic on cuckoo@cuckoo:~$ VBoxManage modifyvm $VM --boot1 dvd --boot2 disk --boot3 none --boot4 none cuckoo@cuckoo:~$ VBoxManage modifyvm $VM --memory 1024 --vram 128 cuckoo@cuckoo:~$ VBoxManage modifyvm $VM --nic1 hostonly cuckoo@cuckoo:~$ VBoxManage modifyvm $VM --vrde on cuckoo@cuckoo:~$ VBoxManage modifyvm $VM --vrdeport 5555 cuckoo@cuckoo:~$ VBoxHeadless -s $VM cuckoo@cuckoo:~$ VBoxManage storageattach $VM --storagectl "IDE Controller" --port 0 --device 0 --type dvddrive --medium none cuckoo@cuckoo:~$ VBoxManage controlvm $VM poweroff

Setup VM with tools/office - not shown is install of Adobe/Flash/Java/Office/PIL/Python. Make sure to enable macros in Office, accept all prompts for each product & run once. Disable updates.

cuckoo@cuckoo:~$ VBoxManage storageattach $VM --storagectl "IDE Controller" --port 0 --device 0 --type dvddrive --medium en_office_ultimate_2007_united_states_x86_dvd_480625.iso cuckoo@cuckoo:~$ VBoxHeadless -s $VM cuckoo@cuckoo:~$ VBoxManage storageattach $VM --storagectl "IDE Controller" --port 0 --device 0 --type dvddrive --medium none cuckoo@cuckoo:~$ VBoxManage snapshot $VM take GOLD --pause cuckoo@cuckoo:~$ VBoxManage controlvm $VM poweroff cuckoo@cuckoo:~$ VBoxManage snapshot $VM restorecurrent


[sniffer] enabled = yes interface = vboxnet0 [tor] enables = yes [msoffice]


[cuckoo] machinery = virtualbox [resultserver] ip = port = 2042 [database] connection = postgresql://cuckoo:cuckoo@localhost:5432/cuckoo


#!/bin/bash /sbin/iptables -F /sbin/iptables -t nat -F /usr/bin/vboxmanage hostonlyif create /usr/bin/vboxmanage hostonlyif ipconfig vboxnet0 --ip CUCKOO_USER="cuckoo" CUCKOO_PATH="/home/cuckoo/cuckoo" VIRBR_IP="" INETSIM_DNS_PORT="5342" VIRBR_DEV="vboxnet0" su $CUCKOO_USER -c "pkill gunicorn" >/dev/null 2>&1 su $CUCKOO_USER -c "pkill python" > /dev/null 2>&1 /usr/bin/curl -s http://$VIRBR_IP:8080/ > /dev/null while [ $? -ne 0 ] do sleep 5 /usr/sbin/service nginx restart /usr/bin/curl -s http://$VIRBR_IP:8080/ > /dev/null done /usr/sbin/service tor restart cd $CUCKOO_PATH su $CUCKOO_USER -c "./cuckoo.py &" cd web su $CUCKOO_USER -c "gunicorn --reload -D -w 4 -b web.wsgi" cd ../utils su $CUCKOO_USER -c "gunicorn --reload -D -w 4 -b api"


forward-socks5t / .


TransListenAddress TransPort 9040 DNSListenAddress DnsPort 5353

root crontab

42 * * * * /usr/sbin/etupdate @reboot /usr/sbin/cuckooboot > /dev/null 2>&1 @reboot /usr/sbin/routetor

Hopefully I didn't miss anything. I'm going to work on getting mitm setup with tor on cuckoo-modified but requires a bit of work. Specifically, need to modify torstart to append entries, instead of insert, and include the below iptables rules for mitmproxy.

/sbin/iptables -t nat -I PREROUTING -i vboxnet0 -p tcp --dport 80 -j REDIRECT --to-port 8080 /sbin/iptables -t nat -I PREROUTING -i vboxnet0 -p tcp --dport 443 -j REDIRECT --to-port 8080

There are about 5 other things that need to be coded into the cuckoo webservices or copied over from vanilla but I'll add them here when/if I get around to doing it. Finally, need to modify the VM to include the mitmproxy p12 certificate.

*EDIT - 07MAR2017*
I added a new VM which is dedicated to INET Simulator so that I could probe malware with more tailored responses or spoof responses when infrastructure is no longer available.

First, create a duplicate VM and then use the previous commands to connect to it and change the IP/Gateway (I changed IP to .245 and gateway is .5, which is what INET Sim will listen on).

cuckoo@cuckoo:~$ VBoxManage clonevm 07dcf444-c692-463b-b2c5-072abdc6351d --mode all --name Win7ProSP1-86_SIM --register

Then delete the existing snapshot and create a new one after you modify the IP's.

cuckoo@cuckoo:~$ VBoxManage snapshot Win7ProSP1-86_SIM delete GOLD cuckoo@cuckoo:~$ VBoxManage snapshot Win7ProSP1-86_SIM take GOLD --pause

Add a profile to the cuckoo/conf/virtualbox.conf file for the new VM.

machines = Win7ProSP1-86,Win7ProSP1-86_SIM [Win7ProSP1-86_SIM] label = Win7ProSP1-86_SIM platform = windows ip = snapshot = GOLD interface = vboxnet1 resultserver_ip = resultserver_port = 2042 tags = windows_7_sp1,32_bit,INETSIM mem_profile = Win7SP1x86

For the /usr/sbin/cuckooboot file, I added the following line for a new interface with .5. It's not really necessary to do it this way but I just wanted to keep it straight-forward.

/usr/bin/vboxmanage hostonlyif ipconfig vboxnet1 --ip

Older posts...