labunix's blog

labunix's Lab Unix

Installing Cuckoo Sandbox in a proxied environment on a Debian stretch virtual machine.

■Installing Cuckoo Sandbox in a proxied environment on a Debian stretch virtual machine.
 A nested environment on a VM running on vSphere Hypervisor.
 Expand the default CPU, memory and disk sizes beforehand.

# esxcli system version get
   Product: VMware ESXi
   Version: 6.5.0
   Build: Releasebuild-5310538
   Update: 0
   Patch: 19

$ lsb_release -d
Description:	Debian GNU/Linux 9.2 (stretch)

$ cat /etc/apt/apt.conf
Acquire::http::Proxy "http://172.31.31.60:8080/";

■The environment is a clean install with only the standard system and the SSH server.
 ※The proxy above was already configured in the installer.

# tasksel --list-tasks | grep ^i
i ssh-server	SSH サーバ

■Initial environment setup and bringing the distribution up to date.

# apt-get install -y ntp vim sudo apt-file

# sed -i 's/^pool/#&/g' /etc/ntp.conf 
# sed -i 's/^#pool 0/server -4 172.31.31.251 iburst\n&/g' /etc/ntp.conf
# sed -i 's/^#pool 0/server -4 172.31.31.60 iburst\n&/g' /etc/ntp.conf
# sed -i '$ a disable monitor' /etc/ntp.conf
# systemctl restart ntp
# ntpq -pn | awk '/^\*/{print $1}'
*172.31.31.252

# usermod -a -G sudo labunix
# id labunix | tr ',' '\n' | grep sudo
27(sudo)

# apt-file update

$ mkdir ~/myscripts
$ cat ~/myscripts/update.sh
#!/bin/bash

echo -e "update\nupgrade\nautoremove\nautoclean" | \
	  awk '{print "apt-get -y "$1};END{print "apt-get clean all"}' | sudo sh

$ sudo chmod +x ~/myscripts/update.sh
$ sudo ./myscripts/update.sh 

■About the installation procedure
 I don't think there are that many people who can do this just by reading the official procedure...
 I'll proceed on the policy that a slightly longer procedure is fine as long as it works.

 Docs » Installation
 http://docs.cuckoosandbox.org/en/latest/installation/

■Installing the Python-related libraries
 The M2Crypto library is only supported when SWIG is installed.

$ echo "python python-pip python-dev libffi-dev libssl-dev" | \
    tr ' ' '\n' | awk '{print "dpkg -l | grep \"^ii *"$1"[ :]\" || sudo apt-get install -y "$1}' | sh
$ echo "python python-pip python-dev libffi-dev libssl-dev" | \
    tr ' ' '\n' | awk '{print "dpkg -l | grep \"^ii *"$1"[ :]\" || sudo apt-get install -y "$1}' | sh | \
    awk '{print $2,$3}'
python 2.7.13-2
python-pip 9.0.1-2
python-dev 2.7.13-2
libffi-dev:amd64 3.2.1-6
libssl-dev:amd64 1.1.0f-3

$ echo "python-virtualenv python-setuptools" | \
    tr ' ' '\n' | awk '{print "dpkg -l | grep \"^ii *"$1"[ :]\" || sudo apt-get install -y "$1}' | sh
$ echo "python-virtualenv python-setuptools" | \
    tr ' ' '\n' | awk '{print "dpkg -l | grep \"^ii *"$1"[ :]\" || sudo apt-get install -y "$1}' | sh | \
    awk '{print $2,$3}'
python-virtualenv 15.1.0+ds-1
python-setuptools 33.1.1-1

$ echo "libjpeg-dev zlib1g-dev swig" | \
    tr ' ' '\n' | awk '{print "dpkg -l | grep \"^ii *"$1"[ :]\" || sudo apt-get install -y "$1}' | sh
$ echo "libjpeg-dev zlib1g-dev swig" | \
    tr ' ' '\n' | awk '{print "dpkg -l | grep \"^ii *"$1"[ :]\" || sudo apt-get install -y "$1}' | sh | \
    awk '{print $2,$3}'
libjpeg-dev 1:1.5.1-2
zlib1g-dev:amd64 1:1.2.8.dfsg-5
swig 3.0.10-1.1
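The same "check dpkg, install only if missing" pipeline is repeated for every package group in this post. The following is an added example, not the post's own script: it wraps the same `^ii` test in shell functions and runs it against a constructed `dpkg -l` listing embedded inline, so the matching can be exercised without dpkg. The `[ :]` part of the post's grep pattern matters because multi-arch packages are listed as `libffi-dev:amd64`, and a package in state `rc` (removed, config files remaining) must not count as installed. `SAMPLE_DPKG_L`, `installed_version`, `missing_packages` and `ensure_packages` are names chosen here.

```shell
#!/bin/sh
# Added example: reusable form of the post's
#   dpkg -l | grep "^ii *pkg[ :]" || sudo apt-get install -y pkg
# idiom. SAMPLE_DPKG_L is a constructed dpkg -l listing (not real output) so the
# functions can be tested offline. Multi-arch packages appear as "name:arch", so a
# plain "name" lookup must also accept "name:".
SAMPLE_DPKG_L='Desired=Unknown/Install/Remove/Purge/Hold
||/ Name               Version     Architecture Description
+++-==================-===========-============-=================================
ii  python             2.7.13-2    amd64        interactive high-level language
ii  python-dev         2.7.13-2    amd64        header files for Python
ii  libffi-dev:amd64   3.2.1-6     amd64        Foreign Function Interface library
rc  swig               3.0.10-1.1  amd64        removed, config files remain'

# installed_version NAME   (stdin: a dpkg -l listing)
# Prints "name version" if NAME is in state "ii"; exit status 1 otherwise.
# "rc" entries are deliberately not treated as installed.
installed_version() {
    awk -v pkg="$1" '
        $1 == "ii" && ($2 == pkg || index($2, pkg ":") == 1) { print $2, $3; found = 1 }
        END { exit !found }'
}

# missing_packages LISTING_FILE NAME...
# Prints one line per package that is not installed according to the listing.
missing_packages() {
    listing="$1"; shift
    for p in "$@"; do
        installed_version "$p" < "$listing" > /dev/null || echo "$p"
    done
}

# ensure_packages NAME...
# Live equivalent of the post's pipeline: installs only what is missing
# (runs dpkg and apt-get, so it is not exercised by the offline demo below).
ensure_packages() {
    tmp=$(mktemp) || return 1
    dpkg -l > "$tmp"
    missing=$(missing_packages "$tmp" "$@")
    rm -f "$tmp"
    [ -z "$missing" ] || sudo apt-get install -y $missing
}

# Stand-alone demo against the constructed listing: `sh thisfile.sh demo`
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_DPKG_L" > "$tmp"
    echo "missing from the sample listing:"
    missing_packages "$tmp" python swig libffi-dev python-pip
    rm -f "$tmp"
fi
```

`ensure_packages python python-pip python-dev libffi-dev libssl-dev` then replaces each pair of pipelines in the post, and the `swig` entry in the sample shows why `ii` rather than a bare name match is the right test.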

■Preparing Cuckoo's web management GUI (MongoDB)

$ sudo apt-get install -y mongodb

■Installing the PostgreSQL server

$ echo "postgresql libpq-dev" | \
    tr ' ' '\n' | awk '{print "dpkg -l | grep \"^ii *"$1"[ :]\" || sudo apt-get install -y "$1}' | sh
$ echo "postgresql libpq-dev" | \
    tr ' ' '\n' | awk '{print "dpkg -l | grep \"^ii *"$1"[ :]\" || sudo apt-get install -y "$1}' | sh | \
    awk '{print $2,$3}'
postgresql 9.6+181
libpq-dev 9.6.4-0+deb9u1

■Installing yara

$ echo "libtool automake libjansson-dev libmagic-dev" | \
    tr ' ' '\n' | awk '{print "dpkg -l | grep \"^ii *"$1"[ :]\" || sudo apt-get install -y "$1}' | sh 
$ echo "libtool automake libjansson-dev libmagic-dev" | \
    tr ' ' '\n' | awk '{print "dpkg -l | grep \"^ii *"$1"[ :]\" || sudo apt-get install -y "$1}' | sh | \
    awk '{print $2,$3}'
libtool 2.4.6-2
automake 1:1.15-6
libjansson-dev:amd64 2.9-1
libmagic-dev:amd64 1:5.30-1+deb9u1

$ sudo sed -i 's%#https_proxy%https_proxy = http://172.31.31.60:8080/\n&%' /etc/wgetrc 
$ sudo sed -i 's%#https_proxy%http_proxy = http://172.31.31.60:8080/\n&%' /etc/wgetrc 
$ sudo sed -i 's%#https_proxy%ftp_proxy = http://172.31.31.60:8080/\n&%' /etc/wgetrc 

$ wget "https://github.com/plusvic/yara/archive/v3.1.0.tar.gz"
$ tar zxvf v3.1.0.tar.gz 
$ cd yara-3.1.0/
$ ./bootstrap.sh && ./configure --enable-cuckoo --enable-magic && make && sudo make install
$ cd yara-python/
$ python setup.py build && sudo python setup.py install
$ echo "/usr/local/lib" | sudo tee -a /etc/ld.so.conf && sudo ldconfig
/usr/local/lib

$ sudo ldconfig -p | grep yara
	libyara.so.3 (libc6,x86-64) => /usr/local/lib/libyara.so.3
	libyara.so (libc6,x86-64) => /usr/local/lib/libyara.so

■Installing KVM

$ echo "qemu-kvm libvirt-bin ubuntu-vm-builder bridge-utils python-libvirt" | \
    sed -e 's/ubuntu-vm-builder/ubuntu-dev-tools/' | \
    sed -e 's/libvirt-bin/libvirt-clients/' | \
    tr ' ' '\n' | awk '{print "dpkg -l | grep \"^ii *"$1"[ :]\" || sudo apt-get install -y "$1}' | sh
$ echo "qemu-kvm libvirt-bin ubuntu-vm-builder bridge-utils python-libvirt" | \
    sed -e 's/ubuntu-vm-builder/ubuntu-dev-tools/' | \
    sed -e 's/libvirt-bin/libvirt-clients/' | \
    tr ' ' '\n' | awk '{print "dpkg -l | grep \"^ii *"$1"[ :]\" || sudo apt-get install -y "$1}' | sh | \
    awk '{print $2,$3}'
qemu-kvm 1:2.8+dfsg-6+deb9u3
libvirt-clients 3.0.0-4
ubuntu-dev-tools 0.157
bridge-utils 1.5-13+deb9u1
python-libvirt 3.0.0-2

■Installing tcpdump so that it can be run without root privileges

$ echo "tcpdump apparmor-utils libcap2-bin" | \
    tr ' ' '\n' | awk '{print "dpkg -l | grep \"^ii *"$1"[ :]\" || sudo apt-get install -y "$1}' | sh
$ echo "tcpdump apparmor-utils libcap2-bin" | \
    tr ' ' '\n' | awk '{print "dpkg -l | grep \"^ii *"$1"[ :]\" || sudo apt-get install -y "$1}' | sh | \
    awk '{print $2,$3}'
tcpdump 4.9.2-1~deb9u1
apparmor-utils 2.11.0-3
libcap2-bin 1:2.25-1

$ sudo aa-disable /usr/sbin/tcpdump 
Profile for /usr/sbin/tcpdump not found, skipping
$ sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
$ sudo getcap /usr/sbin/tcpdump 
/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip

■Installing distorm

$ echo "git" | \
    tr ' ' '\n' | awk '{print "dpkg -l | grep \"^ii *"$1"[ :]\" || sudo apt-get install -y "$1}' | sh
$ echo "git" | \
    tr ' ' '\n' | awk '{print "dpkg -l | grep \"^ii *"$1"[ :]\" || sudo apt-get install -y "$1}' | sh | \
    awk '{print $2,$3}'
git 1:2.11.0-3+deb9u2

$ git config --global http.proxy http://172.31.31.60:8080
$ git config --global https.proxy http://172.31.31.60:8080
$ cat ~/.gitconfig
[http]
	proxy = http://172.31.31.60:8080
[https]
	proxy = http://172.31.31.60:8080

$ git clone "https://github.com/gdabah/distorm.git"
$ cd distorm/ && sudo python setup.py install
$ pip show distorm3
Name: distorm3
Version: 3.3.4
Summary: The goal of diStorm3 is to decode x86/AMD64 binary streams and return a structure that describes each instruction.
Home-page: https://github.com/gdabah/distorm/
Author: Gil Dabah
Author-email: distorm@gmail.com
License: UNKNOWN
Location: /usr/local/lib/python2.7/dist-packages
Requires: 

■Installing ssdeep and pydeep

$ echo "ssdeep python-pyrex libfuzzy-dev subversion" | \
    tr ' ' '\n' | awk '{print "dpkg -l | grep \"^ii *"$1"[ :]\" || sudo apt-get install -y "$1}' | sh
$ echo "ssdeep python-pyrex libfuzzy-dev subversion" | \
    tr ' ' '\n' | awk '{print "dpkg -l | grep \"^ii *"$1"[ :]\" || sudo apt-get install -y "$1}' | sh | \
    awk '{print $2,$3}'
ssdeep 2.13-3
python-pyrex 0.9.9-1
libfuzzy-dev:amd64 2.13-3
subversion 1.9.5-1+deb9u1

$ sudo pip install pydeep --proxy=http://172.31.31.60:8080/

$ sudo pip list --format=legacy
cryptography (1.7.1)
distorm3 (3.3.4)
enum34 (1.1.6)
idna (2.2)
ipaddress (1.0.17)
keyring (10.1)
keyrings.alt (1.3)
pip (9.0.1)
pyasn1 (0.1.9)
pycrypto (2.6.1)
pydeep (0.2)
pygobject (3.22.0)
Pyrex (0.9.9)
pyxdg (0.25)
SecretStorage (2.3.1)
setuptools (33.1.1)
six (1.10.0)
virtualenv (15.1.0)
wheel (0.29.0)
yara-python (3.1)

$ apt-cache show ssdeep | grep -A 11 ^Description-en
Description-en: recursive piecewise hashing tool
 ssdeep is a tool for recursive computing and matching of Context Triggered
 Piecewise Hashing (aka Fuzzy Hashing).
 .
 Fuzzy hashing is a method for comparing similar but not identical files.
 This tool can be used to compare files like regular hashing does (like
 md5sum or sha1sum) but it will find similar files with little differences.
 .
 For example, it can be used to identify modified versions of known files
 even if data has been inserted, modified, or deleted in the new files.
 .
 This package is useful in forensics investigations.

■Installing VirtualBox

$ echo "deb http://download.virtualbox.org/virtualbox/debian stretch contrib" | \
    sudo tee -a /etc/apt/sources.list.d/virtualbox.list
deb http://download.virtualbox.org/virtualbox/debian stretch contrib

$ wget -q https://www.virtualbox.org/download/oracle_vbox_2016.asc -O - | sudo apt-key add -
OK
$ sudo apt-key finger | grep -A 6 ^/etc/apt/trusted.gpg\$
Warning: apt-key output should not be parsed (stdout is not a terminal)
/etc/apt/trusted.gpg
--------------------
pub   rsa4096 2016-04-22 [SC]
      B9F8 D658 297A F3EF C18D  5CDF A2F6 83C5 2980 AECF
uid           [ unknown] Oracle Corporation (VirtualBox archive signing key) <info@virtualbox.org>
sub   rsa4096 2016-04-22 [E]

$ sudo apt-get update && sudo apt-get install -y virtualbox-5.1
$ sudo shutdown -r now && exit

■Installing volatility

$ git clone https://github.com/volatilityfoundation/volatility.git
$ cd volatility/ && sudo python setup.py install

$ pip list --format=legacy | grep volatility
volatility (2.6)

■Installing Cuckoo
 Along the way pytest-runner was missing, so it was installed additionally.
 yara-python was upgraded from 3.1 to 3.6.3.

$ sudo pip install -U pip setuptools --proxy=http://172.31.31.60:8080/
$ pip list --format=legacy | grep "pip\|setuptools"
pip (9.0.1)
setuptools (36.5.0)

$ sudo pip install -U cuckoo --proxy=http://172.31.31.60:8080/
Collecting cuckoo
  Using cached Cuckoo-2.0.4.4.tar.gz
No files/directories in /tmp/pip-build-_zQ3ST/cuckoo/pip-egg-info (from PKG-INFO)

$ sudo pip install -U cuckoo --verbose --proxy=http://172.31.31.60:8080/ | tee -a cuckoo_install.log
$ grep Errno cuckoo_install.log 
    Download error on https://pypi.python.org/simple/pytest-runner/: [Errno 110] Connection timed out -- Some packages may not be found!
    Download error on https://pypi.python.org/simple/: [Errno 110] Connection timed out -- Some packages may not be found!

$ sudo pip install -U pytest-runner --proxy=http://172.31.31.60:8080/
Collecting pytest-runner
  Downloading pytest_runner-2.12.1-py2.py3-none-any.whl
Installing collected packages: pytest-runner
Successfully installed pytest-runner-2.12.1

$ sudo pip install -U cuckoo --verbose --proxy=http://172.31.31.60:8080/

$ pip list --format=legacy | grep yara
yara-python (3.6.3)

$ cuckoo -d

            _       _                   _             _              _            _
          /\ \     /\_\               /\ \           /\_\           /\ \         /\ \
         /  \ \   / / /         _    /  \ \         / / /  _       /  \ \       /  \ \
        / /\ \ \  \ \ \__      /\_\ / /\ \ \       / / /  /\_\    / /\ \ \     / /\ \ \
       / / /\ \ \  \ \___\    / / // / /\ \ \     / / /__/ / /   / / /\ \ \   / / /\ \ \
      / / /  \ \_\  \__  /   / / // / /  \ \_\   / /\_____/ /   / / /  \ \_\ / / /  \ \_\
     / / /    \/_/  / / /   / / // / /    \/_/  / /\_______/   / / /   / / // / /   / / /
    / / /          / / /   / / // / /          / / /\ \ \     / / /   / / // / /   / / /
   / / /________  / / /___/ / // / /________  / / /  \ \ \   / / /___/ / // / /___/ / /
  / / /_________\/ / /____\/ // / /_________\/ / /    \ \ \ / / /____\/ // / /____\/ /
  \/____________/\/_________/ \/____________/\/_/      \_\_\\/_________/ \/_________/

 Cuckoo Sandbox 2.0.4
 www.cuckoosandbox.org
 Copyright (c) 2010-2017

=======================================================================
    Welcome to Cuckoo Sandbox, this appears to be your first run!
    We will now set you up with our default configuration.
    You will be able to see and modify the Cuckoo configuration,
    Yara rules, Cuckoo Signatures, and much more to your likings
    by exploring the /home/labunix/.cuckoo directory.

    Among other configurable items of most interest is the
    new location for your Cuckoo configuration:
              /home/labunix/.cuckoo/conf
=======================================================================

Cuckoo has finished setting up the default configuration.
Please modify the default settings where required and
start Cuckoo again (by running `cuckoo` or `cuckoo -d`).

$ cuckoo -d

  _____________________________________/\/\_______________________________
  ___/\/\/\/\__/\/\__/\/\____/\/\/\/\__/\/\__/\/\____/\/\/\______/\/\/\___
  _/\/\________/\/\__/\/\__/\/\________/\/\/\/\____/\/\__/\/\__/\/\__/\/\_
  _/\/\________/\/\__/\/\__/\/\________/\/\/\/\____/\/\__/\/\__/\/\__/\/\_
  ___/\/\/\/\____/\/\/\/\____/\/\/\/\__/\/\__/\/\____/\/\/\______/\/\/\___
  ________________________________________________________________________

 Cuckoo Sandbox 2.0.4
 www.cuckoosandbox.org
 Copyright (c) 2010-2017

 Checking for updates...

^C
Aborted!

$ cuckoo

            _       _                   _             _              _            _
          /\ \     /\_\               /\ \           /\_\           /\ \         /\ \
         /  \ \   / / /         _    /  \ \         / / /  _       /  \ \       /  \ \
        / /\ \ \  \ \ \__      /\_\ / /\ \ \       / / /  /\_\    / /\ \ \     / /\ \ \
       / / /\ \ \  \ \___\    / / // / /\ \ \     / / /__/ / /   / / /\ \ \   / / /\ \ \
      / / /  \ \_\  \__  /   / / // / /  \ \_\   / /\_____/ /   / / /  \ \_\ / / /  \ \_\
     / / /    \/_/  / / /   / / // / /    \/_/  / /\_______/   / / /   / / // / /   / / /
    / / /          / / /   / / // / /          / / /\ \ \     / / /   / / // / /   / / /
   / / /________  / / /___/ / // / /________  / / /  \ \ \   / / /___/ / // / /___/ / /
  / / /_________\/ / /____\/ // / /_________\/ / /    \ \ \ / / /____\/ // / /____\/ /
  \/____________/\/_________/ \/____________/\/_/      \_\_\\/_________/ \/_________/

 Cuckoo Sandbox 2.0.4
 www.cuckoosandbox.org
 Copyright (c) 2010-2017

 Checking for updates...

^C
Aborted!

■Preparing the host-only network
 Later, when looking at the dashboard, an error appears saying it is not configured with NAT.
 Cuckoo seems to send something to the outside; once I know what it sends, I may switch to NAT.

$ sudo apt-get install linux-headers-4.9.0-3-amd64
$ sudo /sbin/vboxconfig
$ sudo VBoxManage hostonlyif create
0%...10%...20%...30%...40%...50%...60%...70%...80%...90%...100%
Interface 'vboxnet0' was successfully created
$ VBoxManage hostonlyif ipconfig vboxnet0 --ip 192.168.56.1 --netmask 255.255.255.0
$ ip a show dev vboxnet0
3: vboxnet0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
    link/ether 0a:00:27:00:00:00 brd ff:ff:ff:ff:ff:ff
    inet 192.168.56.1/24 brd 192.168.56.255 scope global vboxnet0
       valid_lft forever preferred_lft forever

■Setting up IP masquerading
 Unlike the usual NAT on VirtualBox, the advantage is that the range the guest can reach out to can be restricted.

$ echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
1
$ sudo iptables -t nat -F
$ sudo iptables -A FORWARD -i vboxnet0 -o ens193 -s 192.168.56.0 -j ACCEPT
$ sudo iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$ sudo iptables -t nat -A POSTROUTING -o ens192 -s 192.168.56.0 -d 172.31.31.0/24  -j MASQUERADE
$ sudo iptables -t nat -A POSTROUTING -o ens192 -j SNAT --to-source 172.31.31.7
$ sudo iptables-save | sudo tee /etc/iptables.save
# Generated by iptables-save v1.6.0 on Mon Oct  9 16:33:12 2017
*filter
:INPUT ACCEPT [9:800]
:FORWARD ACCEPT [5:355]
:OUTPUT ACCEPT [6:896]
-A FORWARD -s 192.168.56.0/32 -i vboxnet0 -o ens193 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.56.0/32 -i vboxnet0 -o ens193 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Mon Oct  9 16:33:12 2017
# Generated by iptables-save v1.6.0 on Mon Oct  9 16:33:12 2017
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.56.0/32 -d 172.31.31.0/24 -o ens192 -j MASQUERADE
-A POSTROUTING -o ens192 -j SNAT --to-source 172.31.31.7
COMMIT
# Completed on Mon Oct  9 16:33:12 2017
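Two details in the saved rules above are worth checking before relying on the egress restriction: `-s 192.168.56.0` was given without a mask, which iptables records as `192.168.56.0/32` (matching only that single address, not the host-only subnet), and the FORWARD rules use `ens193` while the POSTROUTING rules use `ens192`. The following added example, which is not from the post, renders an iptables-restore ruleset from variables so the guest subnet, outbound interface and permitted destination are stated once, and sets the FORWARD policy to DROP so the guest can only reach the listed destination network. The addresses and interface names are the post's; `render_rules`, `check_rules` and `apply_rules` are names chosen here.

```shell
#!/bin/sh
# Added example (not from the post): generate a consistent iptables-restore ruleset for the
# Cuckoo host-only network. Values are the post's: guest subnet 192.168.56.0/24 on vboxnet0,
# outbound NIC ens192, permitted destination 172.31.31.0/24 (the proxy network), SNAT
# source address 172.31.31.7. Override any of them via the environment.
GUEST_NET="${GUEST_NET:-192.168.56.0/24}"
GUEST_IF="${GUEST_IF:-vboxnet0}"
OUT_IF="${OUT_IF:-ens192}"
ALLOWED_DST="${ALLOWED_DST:-172.31.31.0/24}"
SNAT_SRC="${SNAT_SRC:-172.31.31.7}"

# render_rules: print the ruleset in iptables-save format.
# FORWARD defaults to DROP: only guest -> ALLOWED_DST is forwarded, plus replies.
# Every rule carries the /24 mask, so the whole guest subnet is covered rather than the
# single address 192.168.56.0 that an unmasked "-s 192.168.56.0" would match.
render_rules() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -s $GUEST_NET -i $GUEST_IF -o $OUT_IF -d $ALLOWED_DST -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $GUEST_NET -d $ALLOWED_DST -o $OUT_IF -j SNAT --to-source $SNAT_SRC
COMMIT
EOF
}

# check_rules: sanity checks on the rendered text; non-zero status on a problem.
#  - the guest subnet appears with its mask (no /32 single-host match)
#  - every "-o" clause names the same outbound interface
check_rules() {
    rules=$(render_rules)
    echo "$rules" | grep -q -- "-s $GUEST_NET" || return 1
    ! echo "$rules" | grep -q -- "-s 192.168.56.0/32" || return 1
    ! echo "$rules" | grep -- '-o ' | grep -v -q -- "-o $OUT_IF" || return 1
    return 0
}

# apply_rules: enable forwarding and load the ruleset atomically (needs root; not part of
# the offline checks). Refuses to load anything that fails check_rules.
apply_rules() {
    check_rules || { echo "refusing to apply inconsistent rules" >&2; return 1; }
    echo 1 > /proc/sys/net/ipv4/ip_forward
    render_rules | iptables-restore
    iptables-save > /etc/iptables.save
}

# `sh thisfile.sh show` prints the ruleset for review without touching the firewall.
[ "${1:-}" = "show" ] && render_rules
```

Because the filter policy is DROP, the guest's only path out is to the proxy network, which matches the author's stated reason for preferring masquerading over VirtualBox NAT. Loading with `iptables-restore` also avoids the duplicated FORWARD rules that accumulate when the `iptables -A` commands are re-run, as happened in the saved output above.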


■Preparing Cuckoo's web management GUI (MongoDB)

$ sudo apt-get install -y mongodb

$ nl -ba .cuckoo/conf/reporting.conf | grep -A 9 mongodb
    34	[mongodb]
    35	enabled = yes
    36	host = 127.0.0.1
    37	port = 27017
    38	db = cuckoo
    39	store_memdump = yes
    40	paginate = 100
    41	# MongoDB authentication (optional).
    42	username = 
    43	password = 

$ sed -n '34,43p' .cuckoo/conf/reporting.conf 
[mongodb]
enabled = no
host = 127.0.0.1
port = 27017
db = cuckoo
store_memdump = yes
paginate = 100
# MongoDB authentication (optional).
username = 
password = 

$ sed -i -e '35 s/no/yes/' .cuckoo/conf/reporting.conf

$ sed -n '34,43p' .cuckoo/conf/reporting.conf 
[mongodb]
enabled = yes
host = 127.0.0.1
port = 27017
db = cuckoo
store_memdump = yes
paginate = 100
# MongoDB authentication (optional).
username = 
password = 

$ cuckoo web runserver 0.0.0.0:8000
Performing system checks...

System check identified no issues (0 silenced).
October 09, 2017 - 03:33:07
Django version 1.8.4, using settings 'cuckoo.web.web.settings'
Starting development server at http://0.0.0.0:8000/
Quit the server with CONTROL-C.
[09/Oct/2017 03:33:31] "GET / HTTP/1.1" 200 25510
[09/Oct/2017 03:33:31] "GET /static/css/vendor.css HTTP/1.1" 200 152014
[09/Oct/2017 03:33:31] "GET /static/js/hexdump.js HTTP/1.1" 200 6054
[09/Oct/2017 03:33:31] "GET /static/js/handlebars-templates.js HTTP/1.1" 200 45302
[09/Oct/2017 03:33:31] "GET /static/js/cuckoo/loader.js HTTP/1.1" 200 2463
[09/Oct/2017 03:33:31] "GET /static/js/cuckoo/sticky.js HTTP/1.1" 200 3240
[09/Oct/2017 03:33:31] "GET /static/css/main.css HTTP/1.1" 200 512649
[09/Oct/2017 03:33:31] "GET /static/js/cuckoo/analysis_sidebar.js HTTP/1.1" 200 3357
[09/Oct/2017 03:33:31] "GET /static/js/cuckoo/submission.js HTTP/1.1" 200 86256
[09/Oct/2017 03:33:31] "GET /static/js/cuckoo/process_tree.js HTTP/1.1" 200 16275
[09/Oct/2017 03:33:31] "GET /static/js/cuckoo/recent.js HTTP/1.1" 200 7392
[09/Oct/2017 03:33:31] "GET /static/js/cuckoo/analysis_network.js HTTP/1.1" 200 20626
[09/Oct/2017 03:33:31] "GET /static/js/cuckoo/app.js HTTP/1.1" 200 30382
[09/Oct/2017 03:33:31] "GET /static/js/cuckoo/analysis_export.js HTTP/1.1" 200 952
[09/Oct/2017 03:33:31] "GET /static/js/vendor.js HTTP/1.1" 200 2065186
[09/Oct/2017 03:33:31] "GET /static/js/cuckoo/analysis_feedback.js HTTP/1.1" 200 1444
[09/Oct/2017 03:33:31] "GET /static/graphic/cuckoo_inverse.png HTTP/1.1" 200 8158
[09/Oct/2017 03:33:31] "GET /static/graphic/cuckoo-coffee-cup.png HTTP/1.1" 200 35356
[09/Oct/2017 03:33:33] "GET /static/fonts/fontawesome-webfont.woff2?v=4.7.0 HTTP/1.1" 200 77160
[09/Oct/2017 03:33:33] "GET /static/fonts/Roboto_normal_700_default.woff HTTP/1.1" 200 13348
[09/Oct/2017 03:33:33] "GET /static/fonts/Roboto_normal_500_default.woff HTTP/1.1" 200 13248
[09/Oct/2017 03:33:33] "GET /static/fonts/Roboto_normal_400_default.woff HTTP/1.1" 200 13308
[09/Oct/2017 03:33:33] "GET /static/images/loading.gif HTTP/1.1" 200 8476
[09/Oct/2017 03:33:33] "GET /static/images/close.png HTTP/1.1" 200 280
[09/Oct/2017 03:33:33] "GET /static/images/prev.png HTTP/1.1" 200 1360
[09/Oct/2017 03:33:33] "GET /static/images/next.png HTTP/1.1" 200 1350
...

■Installing the Gnome Desktop

$ sudo tasksel install --new-install gnome-desktop

■Installing vmware-tools

$ sudo apt-get install -y net-tools
$ tar zxvf /media/cdrom0/VMwareTools-10.1.0-4449150.tar.gz 
$ cd vmware-tools-distrib/
$ sudo ./vmware-install.pl 
$ sudo shutdown -r now && exit

■From here on, the guest OS settings.
 Install Windows 7 (32-bit) in VirtualBox.
 Because the official Windows build of the Python library used in the sandbox is 32-bit only,
 a product key for the 32-bit OS is required at download and install time.
 Of course, as before, there is still an evaluation period that can be managed with slmgr.

 Download Windows 7 Disc Image (ISO File)
 https://www.microsoft.com/ja-jp/software-download/windows7

■Installing the Guest Additions.
 The VirtualBox equivalent of vmware-tools.
 Needed for screen capture and for access to shared folders on the host.
 Disable UAC before rebooting.
 Also apply the usual guest-OS housekeeping settings: never power off the monitor or HDD,
 decline the desktop assistant, remove and disable System Protection, and so on.
 In addition, make the customization settings match the client PCs actually in use as closely as possible.

■Network settings
 Double-click [File] -> [Preferences] -> [Network] -> [Host-only Networks] -> [vboxnet0] and
 disable the DHCP server.
 On Windows 7, set an IP address and subnet mask within "192.168.56.X/24",
 and configure the default gateway and DNS to match the environment.
 Also configure the IE proxy settings, and confirm with ping and web browsing that the IP masquerade settings are correct.

■Creating the shared folder

 Create "share" on the Debian host OS and configure it as a shared folder in VirtualBox.
 Check both "Auto-mount" and "Make Permanent".

$ mkdir share

 From "Network" (「ネットワーク」 on a Japanese system) on Windows 7,
 access the host OS's "\\VBOXSVR\share" shared via VirtualBox and do a write test.

■Installing Python 2.7 on Windows 7.
 Download it from the official Python site with IE on Windows 7 and write it to "\\VBOXSVR\share".
 Compare the hash with the one on the official site.
 In the install wizard, change "Add python.exe to Path" to "Will be installed on local hard drive".

$ md5sum < share/python-2.7.14.msi
fff688dc4968ec80bbb0eedf45de82db  -

■Installing the Python library (PIL)
 On Windows 7, run the exe obtained from the following.

 Python Imaging Library (PIL)
 http://www.pythonware.com/products/pil/

$ md5sum < share/PIL-1.1.7.win32-py2.7.exe 
989b0e144160941d07929ec0aa8a62b0  -
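The post checks each installer by reading `md5sum` output and comparing it by eye with the value on the vendor's page. The following added example, not from the post, makes that comparison explicit: it accepts the expected digest as an argument (upper or lower case, as pasted from a web page), supports sha256 as well as md5 since the analysis report later lists both, and returns a non-zero status on mismatch so the check can gate the copy into the shared folder. The file it verifies is a constructed one-line text file created inline; `verify_download` and `make_sample` are names chosen here.

```shell
#!/bin/sh
# Added example (not from the post): verify a downloaded file against an expected digest
# before copying it into the guest. Exit status 0 only on an exact match.
# Usage: verify_download FILE EXPECTED_HEX [md5|sha256]   (default: sha256)
verify_download() {
    file="$1"; expected="$2"; algo="${3:-sha256}"
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    case "$algo" in
        md5)    actual=$(md5sum < "$file" | awk '{print $1}') ;;
        sha256) actual=$(sha256sum < "$file" | awk '{print $1}') ;;
        *)      echo "unsupported algorithm: $algo" >&2; return 2 ;;
    esac
    # Normalise case so a digest copied from a web page in upper case still compares equal.
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    if [ "$actual" = "$expected" ]; then
        echo "OK   $algo $file"
        return 0
    fi
    echo "FAIL $algo $file: expected $expected, got $actual" >&2
    return 1
}

# make_sample: constructed test input, a file holding the single line "hello",
# whose md5 and sha256 are well known. Prints the temp file's path.
make_sample() {
    sample=$(mktemp)
    printf 'hello\n' > "$sample"
    echo "$sample"
}

# Stand-alone demo: two matching checks and one deliberate mismatch.
if [ "${1:-}" = "demo" ]; then
    f=$(make_sample)
    verify_download "$f" b1946ac92492d2347c6235b4d2611184 md5
    verify_download "$f" 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
    verify_download "$f" 00000000000000000000000000000000 md5 || echo "mismatch detected as expected"
    rm -f "$f"
fi
```

For the installers in the post this becomes `verify_download share/python-2.7.14.msi <digest from python.org> md5 && cp ...`, so a file that does not match never reaches the guest.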

■Installing the target applications.
 Install applications such as Adobe Reader, Flash Player and Microsoft Office,
 in accordance with each vendor's license terms.

■Copying the Cuckoo agent
 From the folder where Cuckoo is installed on the host OS,
 copy "agent.py" to the shared folder.
 On Windows 7, copy it to "c:\".
 Be sure to run it once and confirm that no OS-side messages such as UAC prompts appear.

$ ls ~/.cuckoo/agent/
agent.py  agent.sh

$ cp ~/.cuckoo/agent/agent.py ~/share/

■Creating the snapshot
 Run from the host, using the virtual machine name given in VirtualBox.

$ vboxmanage snapshot "win7" take "setting" --pause
0%...10%...20%...30%...40%...50%...60%...70%...80%...90%...100%
Snapshot taken. UUID: 62289c75-8902-4f68-9bb6-70d1dce912fc
$ vboxmanage controlvm "win7" poweroff
0%...10%...20%...30%...40%...50%...60%...70%...80%...90%...100%
$ vboxmanage snapshot "win7" restorecurrent
Restoring snapshot 62289c75-8902-4f68-9bb6-70d1dce912fc
0%...10%...20%...30%...40%...50%...60%...70%...80%...90%...100%

$ nl -ba .cuckoo/conf/virtualbox.conf | grep -A 15 "machines = cuckoo1"
    18	machines = cuckoo1
    19	
    20	
    21	[cuckoo1]
    22	# Specify the label name of the current machine as specified in your
    23	# VirtualBox configuration.
    24	label = win7
    25	
    26	# Specify the operating system platform used by current machine
    27	# [windows/darwin/linux].
    28	platform = windows
    29	
    30	# Specify the IP address of the current virtual machine. Make sure that the
    31	# IP address is valid and that the host machine is able to reach it. If not,
    32	# the analysis will fail.
    33	ip = 192.168.56.101

$ sed -i -e '24 s/cuckoo1/win7/' .cuckoo/conf/virtualbox.conf 
$ sed -i -e '33 s/192.168.56.101/192.168.56.7/' .cuckoo/conf/virtualbox.conf

$ nl -ba .cuckoo/conf/virtualbox.conf | grep -A 15 "machines = cuckoo1"
    18	machines = cuckoo1
    19	
    20	
    21	[cuckoo1]
    22	# Specify the label name of the current machine as specified in your
    23	# VirtualBox configuration.
    24	label = win7
    25	
    26	# Specify the operating system platform used by current machine
    27	# [windows/darwin/linux].
    28	platform = windows
    29	
    30	# Specify the IP address of the current virtual machine. Make sure that the
    31	# IP address is valid and that the host machine is able to reach it. If not,
    32	# the analysis will fail.
    33	ip = 192.168.56.7

■Running agent.py
 On the Windows 7 machine for [cuckoo1],
 open a command prompt with "Run as administrator", place the file as [c:\agent.py],
 and run it with [python agent.py].
 ※Nothing is displayed, but that is fine.

■Sandbox settings

$ find .cuckoo/ -type f -name "reporting.conf"
.cuckoo/conf/reporting.conf

$ nl -ba .cuckoo/conf/reporting.conf | grep -A 6 singlefile
    17	[singlefile]
    18	# Enable creation of report.html and/or report.pdf?
    19	enabled = no
    20	# Enable creation of report.html?
    21	html = no
    22	# Enable creation of report.pdf?
    23	pdf = no

$ sed -i -e '19 s/no/yes/' .cuckoo/conf/reporting.conf
$ sed -i -e '21 s/no/yes/' .cuckoo/conf/reporting.conf
$ sed -i -e '23 s/no/yes/' .cuckoo/conf/reporting.conf

$ grep -A 6 singlefile .cuckoo/conf/reporting.conf 
[singlefile]
# Enable creation of report.html and/or report.pdf?
enabled = yes
# Enable creation of report.html?
html = yes
# Enable creation of report.pdf?
pdf = yes
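The `sed -i '19 s/no/yes/'`-style edits used here for reporting.conf, and earlier for the `label` and `ip` lines of virtualbox.conf, depend on line numbers that change whenever Cuckoo ships a different default config, and they silently do nothing if the numbers are off. The following added example, not the post's own command, sets a key inside a named `[section]` by name instead, using awk, and fails loudly when the section or key is not found. It is exercised against a constructed copy of the `[singlefile]` and `[mongodb]` blocks shown above; `get_ini_value` and `set_ini_value` are names chosen here.

```shell
#!/bin/sh
# Added example (not from the post): edit Cuckoo's INI-style *.conf files by [section]/key
# rather than by line number, so the edit survives a different default layout.

# get_ini_value FILE SECTION KEY
# Prints the value of KEY inside [SECTION] (empty if the value is blank); exit 1 if absent.
get_ini_value() {
    awk -v sec="$2" -v key="$3" '
        /^\[/ { insec = ($0 == "[" sec "]"); next }
        insec && $0 ~ ("^" key "[ \t]*=") {
            sub(("^" key "[ \t]*=[ \t]*"), ""); print; found = 1; exit
        }
        END { exit !found }' "$1"
}

# set_ini_value FILE SECTION KEY VALUE
# Rewrites the first "KEY = ..." line inside [SECTION]. The file is replaced only if the
# key was found, so a typo in the section or key name fails instead of doing nothing.
set_ini_value() {
    tmp=$(mktemp) || return 1
    awk -v sec="$2" -v key="$3" -v val="$4" '
        /^\[/ { insec = ($0 == "[" sec "]") }
        insec && !done && $0 ~ ("^" key "[ \t]*=") { $0 = key " = " val; done = 1 }
        { print }
        END { exit !done }' "$1" > "$tmp" && mv "$tmp" "$1" || { rm -f "$tmp"; return 1; }
}

# Constructed sample mirroring the two reporting.conf blocks quoted in the post.
SAMPLE_REPORTING_CONF='[singlefile]
# Enable creation of report.html and/or report.pdf?
enabled = no
# Enable creation of report.html?
html = no
# Enable creation of report.pdf?
pdf = no

[mongodb]
enabled = no
host = 127.0.0.1
port = 27017
db = cuckoo
store_memdump = yes
paginate = 100
# MongoDB authentication (optional).
username = 
password = '

# Stand-alone demo on the constructed sample: `sh thisfile.sh demo`
if [ "${1:-}" = "demo" ]; then
    f=$(mktemp); printf '%s\n' "$SAMPLE_REPORTING_CONF" > "$f"
    set_ini_value "$f" mongodb enabled yes
    set_ini_value "$f" singlefile enabled yes
    set_ini_value "$f" singlefile html yes
    set_ini_value "$f" singlefile pdf yes
    cat "$f"; rm -f "$f"
fi
```

On the real files the calls are `set_ini_value ~/.cuckoo/conf/reporting.conf mongodb enabled yes` and `set_ini_value ~/.cuckoo/conf/virtualbox.conf cuckoo1 ip 192.168.56.7`; note that both `[singlefile]` and `[mongodb]` have an `enabled` key, which is exactly the case a bare `s/no/yes/` on a guessed line number gets wrong.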

■Starting the Cuckoo web management screen, and starting Cuckoo

$ cuckoo web runserver 0.0.0.0:8000 &
$ cuckoo

  _____________________________________/\/\_______________________________
  ___/\/\/\/\__/\/\__/\/\____/\/\/\/\__/\/\__/\/\____/\/\/\______/\/\/\___
  _/\/\________/\/\__/\/\__/\/\________/\/\/\/\____/\/\__/\/\__/\/\__/\/\_
  _/\/\________/\/\__/\/\__/\/\________/\/\/\/\____/\/\__/\/\__/\/\__/\/\_
  ___/\/\/\/\____/\/\/\/\____/\/\/\/\__/\/\__/\/\____/\/\/\______/\/\/\___
  ________________________________________________________________________

 Cuckoo Sandbox 2.0.4
 www.cuckoosandbox.org
 Copyright (c) 2010-2017

 Checking for updates...
Performing system checks...

System check identified no issues (0 silenced).
October 09, 2017 - 17:15:13
Django version 1.8.4, using settings 'cuckoo.web.web.settings'
Starting development server at http://0.0.0.0:8000/
Quit the server with CONTROL-C.

■Submitting a sample exe

2017-10-09 18:27:16,410 [cuckoo] INFO: $ cuckoo community
2017-10-09 18:27:16,414 [cuckoo.core.scheduler] INFO: Using "virtualbox" as machine manager
2017-10-09 18:27:22,558 [cuckoo.core.scheduler] INFO: Loaded 1 machine/s
2017-10-09 18:27:22,607 [cuckoo.core.scheduler] INFO: Waiting for analysis tasks.
2017-10-09 18:27:23,702 [cuckoo.core.scheduler] INFO: Starting analysis of FILE "inject-x64.exe" (task #1, options "procmemdump=yes,route=none")
2017-10-09 18:27:23,826 [cuckoo.core.scheduler] INFO: Task #1: acquired machine cuckoo1 (label=win7)
2017-10-09 18:27:23,922 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 7469 (interface=vboxnet0, host=192.168.56.7)

■The execution results are saved under the following.

$ find .cuckoo/storage/
.cuckoo/storage/
.cuckoo/storage/baseline
.cuckoo/storage/baseline/.gitignore
.cuckoo/storage/analyses
.cuckoo/storage/analyses/1
.cuckoo/storage/analyses/1/binary
.cuckoo/storage/analyses/1/cuckoo.log
.cuckoo/storage/analyses/1/task.json
.cuckoo/storage/analyses/1/dump.pcap
.cuckoo/storage/analyses/.gitignore
.cuckoo/storage/binaries
.cuckoo/storage/binaries/fa77027e69acabf490dbba8b67620d68e118996f02a1d39d8710f8743884d923
.cuckoo/storage/binaries/.gitignore

■Submitting a sample URL

2017-10-09 20:42:24,621 [cuckoo] INFO: $ cuckoo community
2017-10-09 20:42:24,623 [cuckoo.core.scheduler] INFO: Using "virtualbox" as machine manager
2017-10-09 20:42:27,404 [cuckoo.core.scheduler] INFO: Loaded 1 machine/s
2017-10-09 20:42:27,459 [cuckoo.core.scheduler] INFO: Waiting for analysis tasks.
2017-10-09 20:42:28,549 [cuckoo.core.scheduler] INFO: Starting analysis of URL "http://google.co.jp" (task #2, options "procmemdump=yes,route=none")
2017-10-09 20:42:28,836 [cuckoo.core.scheduler] INFO: Task #2: acquired machine cuckoo1 (label=win7)
2017-10-09 20:42:28,898 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 9823 (interface=vboxnet0, host=192.168.56.7)
2017-10-09 20:42:35,716 [cuckoo.core.guest] INFO: Starting analysis on guest (id=cuckoo1, ip=192.168.56.7)
[09/Oct/2017 20:42:40] "POST /analysis/api/tasks/recent/ HTTP/1.1" 200 13

$ find .cuckoo/storage/analyses/2/
.cuckoo/storage/analyses/2/
.cuckoo/storage/analyses/2/cuckoo.log
.cuckoo/storage/analyses/2/task.json
.cuckoo/storage/analyses/2/dump.pcap

■Trying a submission of PIL.

$ find .cuckoo/storage/analyses/3/
.cuckoo/storage/analyses/3/
.cuckoo/storage/analyses/3/network
.cuckoo/storage/analyses/3/tlsmaster.txt
.cuckoo/storage/analyses/3/binary
.cuckoo/storage/analyses/3/reboot.json
.cuckoo/storage/analyses/3/cuckoo.log
.cuckoo/storage/analyses/3/task.json
.cuckoo/storage/analyses/3/reports
.cuckoo/storage/analyses/3/reports/report.json
.cuckoo/storage/analyses/3/reports/report.html
.cuckoo/storage/analyses/3/dump.pcap

■If the report screen and logs can be viewed from "Recent" in the web management screen, it is running normally.

$ w3m -dump http://172.31.31.7:8000/analysis/3/summary | grep -A 13 "Download Resubmit sample"
Download Resubmit sample

 Size   818.2KB
 Type   PE32 executable (GUI) Intel 80386, for MS Windows
  MD5   989b0e144160941d07929ec0aa8a62b0
 SHA1   2293618ac972fdda2e43636cbb4e93646b10e343
SHA256  3445533d98330b57e6adbbf63a9dca9e8d714f06827d437e6e3a28cb8e635191
SHA512  Show SHA512
        944934f61ce777b3ff2c69018fd601dc50d2aa08e37a5a556236695d4cd3b1ba82766211bb01bd11e44634c61119893ecde900ac47351cfd0a4b89eaf097e288
 CRC32  F8874C80
ssdeep  24576:/Jid0Tqwv/P65tPhDN0TuiHM9tpKs4s/jVWTXr:60Thv65tPhDiHs/0S/JWTr
  PDB   o:\src\python-svn\lib\distutils\command\wininst-9.0.pdb
 Path
 Yara   None matched