Cuckoo Sandbox. auto install script

Cuckoo Sandbox is a malware analysis system.

It means that you can throw any suspicious file at it and get a report with details about the file's behavior inside an isolated environment.

We created this at Buguroo Offensive Security initially to make the painful cuckoo installation quicker, easier and painless

Most of this script is not distro dependant (tough of course you've got to run it on GNU/Linux), but package installation, at this moment supports only debian derivatives.

Also, given that we use the propietary virtualbox version (most of the time OSE edition doesn't fulfill our needs), this script requires that they've got a debian repo in Virtualbox Downloads for your distro. Forcing the distro in config file should make it work in unsupported ones.

David Reguera García - Dreg - [email protected] - @fr33project

David Francos Cuartero - XayOn - [email protected] - @davidfrancos

• Clone this repo & execute the script: bash cuckooautoinstall.bash

If you trust us, your network setup and a lot of more variables enough (which is totally not-recommended) and you're as lazy as it gets, you can execute as a normal user if you've got sudo configured:

wget -O - https://raw.githubusercontent.com/buguroo/cuckooautoinstall/master/cuckooautoinstall.bash | bash

The script does accept a configuration file in the form of a simple bash script with options such as:

SUDO="sudo"
TMPDIR=$(mktemp -d)
RELEASE=$(lsb_release -cs)
CUCKOO_USER="cuckoo"
CUSTOM_PKGS=""
ORIG_DIR=$( cd "$( dirname "${BASH_SOURCE[0]}"   )" && pwd   )
VOLATILITY_URL="http://downloads.volatilityfoundation.org/releases/2.4/volatility-2.4.tar.gz"
VIRTUALBOX_REP="deb http://download.virtualbox.org/virtualbox/debian $RELEASE contrib"
CUCKOO_REPO='https://github.com/cuckoobox/cuckoo'
YARA_REPO="https://github.com/plusvic/yara"
JANSSON_REPO="https://github.com/akheron/jansson"

LOG=$(mktemp)
UPGRADE=false

You can override any of these variables in the config file.

It accepts parameters

┌─────────────────────────────────────────────────────────┐
│                CuckooAutoInstall 0.2                    │
│ David Reguera García - Dreg <[email protected]>      │
│ David Francos Cuartero - XayOn <[email protected]>   │
│            Buguroo Offensive Security - 2015            │
└─────────────────────────────────────────────────────────┘
Usage: cuckooautoinstall.bash [--verbose|-v] [--help|-h] [--upgrade|-u]

    --verbose   Print output to stdout instead of temp logfile
    --help      This help menu
    --upgrade   Use newer volatility, yara and jansson versions (install from source)

For most setups, --upgrade is recommended always.

• Add a password (as root) for the user 'cuckoo' created by the script

passwd cuckoo

• Create the virtual machines http://docs.cuckoosandbox.org/en/latest/installation/guest/ or import virtual machines

VBoxManage import virtual_machine.ova

• Add to the virtual machines with HostOnly option using vboxnet0

vboxmanage modifyvm “virtual_machine" --hostonlyadapter1 vboxnet0

• Configure cuckoo (http://docs.cuckoosandbox.org/en/latest/installation/host/configuration/ )
• Execute cuckoo

cd ~cuckoo/cuckoo
python cuckoo.py

• Execute also django using port 6969

cd ~cuckoo/cuckoo/web
python manage.py runserver 0.0.0.0:6969

• Installs by default Cuckoo sandbox with the ALL optional stuff: yara, ssdeep, django ...
• Installs the last versions of ssdeep, yara, pydeep-master & jansson.
• Solves common problems during the installation: ldconfigs, autoreconfs...
• Installs by default virtualbox and creates the hostonlyif.
• Creates the 'cuckoo' user in the system and it is also added this user to vboxusers group.
• Enables mongodb in conf/reporting.conf
• Creates the iptables rules and the ip forward to enable internet in the cuckoo virtual machines

sudo iptables -A FORWARD -o eth0 -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT
sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A POSTROUTING -t nat -j MASQUERADE
sudo sysctl -w net.ipv4.ip_forward=1

Enables run tcpdump from nonroot user

sudo apt-get -y install libcap2-bin
sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump

Fixes the "TEMPLATE_DIRS setting must be a tuple" error when running python manage.py from the DJANGO version >= 1.6. Replacing in web/web/settings.py

TEMPLATE_DIRS = (
    "templates"
)

becomes

TEMPLATE_DIRS = (
    ("templates"),
)

For this, we recommend supervisor usage.

Install supervisor

sudo apt-get install supervisor

Edit /etc/supervisor/conf.d/cuckoo.conf , like

[program:cuckoo]
command=python cuckoo.py
directory=/home/cuckoo
User=cuckoo

[program:cuckoo-api]
command=python api.py
directory=/home/cuckoo/utils
user=cuckoo

Reload supervisor

sudo supervisorctl reload

As you probably have already noticed, iptables rules don't stay there after a reboot. If you want to make them persistent, we recommend iptables-save & iptables-restore

iptables-save > your_custom_iptables_rules
iptables-restore < your_custom_iptables_rules

You may want to read:

• Remote - Enabling remote administration of VMS and VBox
• OVA - Working with OVA images
• Antivm How to deal with malware that has VM detection techniques
• VMcloak VMCloak - Cuckoo windows virtual machines management

• Improve documentation

This project is licensed as GPL3+ as you can see in "LICENSE" file. All pull requests are welcome, having in mind that:

• The scripting style must be compliant with the current one
• New features must be in sepparate branches (way better if it's git-flow =) )
• Please, check that it works correctly before submitting a PR.

We'd probably be answering to PRs in a 7-14 day period, please be patient.