I was inspired by this great article by Rastamouse and decided to build an identical lab. It may seem slightly out of scope for this book, but you have to consider that if you develop your own payloads and tools you must test them before you put them into a production environment.
I got it set up with some minor issues that I worked it. So in this guide I try to address some of the things that didn't work perfectly when setting this up to make it as smooth as possible. The result is approximately the same as rasta's lab so you can refer to his figures if you need to visualize this.
Ping me on Twitter @chryzsh if something's not working. I will update the guide.
As Rastamouse says in his article, VMWare is necessary on the physical host as because to have 64-bit VMs for the malware sandboxes we need support for VT-x/AMD-V. VMWare Workstation / Player does not have this restriction.
Virtual Cuckoo Host OS
Ubuntu Server 16.04 x64
Cuckoo & Virtualbox
Virtual Sandbox VM
Python with Cuckoo agent
Virtual Sandbox VM
Python with Cuckoo agent
In VMWare workstation, go to Edit -> Virtual network editor and change the VMnet1 (Host-only) IP subnet to 192.168.45.0/24 and enable DHCP.
During this guide we sometimes have to change networking settings, even while VMs are running. If you do that, remember to restart the networking service in Ubuntu so config and interfaces gets updated.
sudo /etc/init.d/networking restart
I followed the wizdom of the Rasta and gave the Ubuntu server the following specs
8 CPU Cores
Enable Virtualize Intel VT-x/EPT or AMD-V/RVI
100GB Hard Disk
NIC 1: Bridged (we will change it to NAT later)
NIC 2: Host-Only
Proceed to install Ubuntu 16.04 in VMWare workstation. Set the username to cuckoo.
Once your Install the requirements to get Cuckoo and Virtualbox running
cd ~sudo apt updatesudo apt install python python-pip python-dev libffi-dev libssl-dev python-virtualenv python-setuptools libjpeg-dev zlib1g-dev swig mongodb python-pip virtualbox tcpdump apparmor-utils
Install some additional tools
sudo apt install git vim cifs-utils smbclient terminator unzip xfce4 firefox
If you want you can now boot to the graphical user environment XFCE using
startx and finish the rest of the setup from there.
Finish the rest of the setup of cuckoo
sudo aa-disable /usr/sbin/tcpdumpsudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdumppip install -U pip pycrypto distorm3git clone https://github.com/volatilityfoundation/volatilitycd ~/volatility/sudo python setup.py installcd ~/virtualenv cuckoo. cuckoo/bin/activatepip install -U yara-python==3.6.3 cuckoocuckooexit
The install should now be finished and you have verified Cuckoo is working.
Proceed to set up a Host-only network for Virtualbox. Add a new host-only network by doing the following.
Go to Virtualbox -> File -> Preferences -> Network -> Host-only Networks -> Press the little green + icon.Click the screwdriver icon just below it and make sure the IP subnet is set to 192.168.56.0/24 and that DHCP is disabled.
vboxnet0 should now appear in the list. This interface
Restart the networking service in Ubuntu and verify with
ip addr that a new interface has been added.
I had some minor trouble getting the files over as file sharing between VMs can be a bit of a jerk sometimes. So I prefer using SMB for transfer. You should have a Share set up on your Windows host
Connect to your share using SMB and download whatever ISOs and software you need
smbclient -U username //10.0.0.2/Downloads -m SMB3 -W win
After this is done you can go back to the VM settings for the Ubuntu box in and change the first NIC to NAT.
Open VirtualBox and create your base VMs - I’m just going to create Windows 7 32-bit & 64-bit VMs called Win10x64 and Win7x64 respectively. They can be small VMs. So give them
1 NIC attached to vboxnet0
During installation, set the username to cuckoo for all VMs. Wait for the installation to finish.
Set a static IP in each VM
Win10x64 - 192.168.56.10
Win7x64 - 192.168.56.15
You will also want to
Disable the Windows Firewall
Disable UAC (Never Notify)
Disable Windows Updates (don't even bother with W10)
Download the latest Python 2.7.x for Windows to your Ubuntu server. Host the files a convenient place and fire up a simple web server
cp ~/cuckoo/agents/agent.py ~/Downloads
python -m SimpleHTTPServer
Download the x64 MSI installer and the Cuckoo agent
Install Python manually in each VM.
Start the Cuckoo agent by opening a
Command Prompt as Administrator.
Whilst the VMs are running, follow these steps to snapshot them (repeat for each VM):
VBoxManage snapshot "Win7x64" take "Win7x64_snap" --pauseVBoxManage controlvm "Win7x64" poweroffVBoxManage snapshot "Win7x64" restorecurrent
In the GUI, they should appear as
mode = headless ->
mode = gui is useful for testing.
machines = cuckoo1 ->
machines = Win1x64,Win7x64 plus any others you’ve made.
cuckoo1 is the default example. Each VM needs its own little block.
[Win10x64]label = Win10x64platform = windowsip = 192.168.56.10snapshot = Win10x64_snap[Win7x64]label = Win7x64platform = windowsip = 192.168.56.15snapshot = Win7x64_snap
Now you should be able to run cuckoo. Start Cuckoo
Now fire up another terminal and start the Cuckoo web GUI
cuckoo web runserver 192.168.45.128:8080
You can then submit a sample and enjoy the results :)