<Cuckoo Sandbox installation>
[Stop and disable Ubuntu automatic updates]
sudo systemctl stop apt-daily.service
sudo systemctl stop apt-daily.timer
sudo systemctl disable apt-daily.service
sudo systemctl disable apt-daily.timer
sudo systemctl mask apt-daily.service
sudo systemctl mask apt-daily.timer
[Stop and disable Ubuntu automatic upgrades]
sudo systemctl stop apt-daily-upgrade.service
sudo systemctl stop apt-daily-upgrade.timer
sudo systemctl disable apt-daily-upgrade.service
sudo systemctl disable apt-daily-upgrade.timer
sudo systemctl mask apt-daily-upgrade.service
sudo systemctl mask apt-daily-upgrade.timer
[Install Cuckoo Sandbox]
sudo apt-get update -y
sudo apt-get install -y python-dev libffi-dev libssl-dev libjpeg-dev zlib1g-dev tcpdump swig apparmor-utils vim curl iptables-persistent
sudo aa-disable /usr/sbin/tcpdump
sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
cf) <setcap>
The letters after "=" are the capability flag sets being granted, not command-line options:
e : Effective (the capability is active as soon as the binary starts)
p : Permitted (the capability may be used by the process)
i : Inheritable (the capability survives execve)
CAP_NET_RAW : permits use of RAW and PACKET sockets, which is what tcpdump needs to capture
CAP_NET_ADMIN : various network-related operations, e.g. privileged socket options, multicasting, interface configuration, changing the routing table
=> this grants packet capture to every local user, not only the Cuckoo user; verify the result with getcap and keep this host single-purpose
curl https://bootstrap.pypa.io/pip/2.7/get-pip.py -o get-pip.py
sudo python get-pip.py
sudo -H pip install --upgrade --ignore-installed pip setuptools
sudo pip install cuckoo==2.0.5.3
[Run the Cuckoo core once and register the working-directory variable]
cuckoo
=> the first run creates ~/.cuckoo, the Cuckoo Working Directory (CWD), and exits
echo "export cwd=/home/\"$USER\"/.cuckoo" >> ~/.profile
source ~/.profile
env | grep cwd
=> log off and log back in. "cwd" is only a shell shorthand used by the paths below; Cuckoo itself finds its CWD through ~/.cuckoo or the CUCKOO_CWD environment variable
[Install VirtualBox]
echo deb http://download.virtualbox.org/virtualbox/debian xenial contrib | sudo tee -a /etc/apt/sources.list.d/virtualbox.list
wget -q https://www.virtualbox.org/download/oracle_vbox_2016.asc -O- | sudo apt-key add -
sudo apt-get update -y
sudo apt-get install -y virtualbox-5.1
[Launch VirtualBox and build the vulnerable analysis VM]
virtualbox
- From here on, the commands run inside the vulnerable environment (Windows 7 guest)
net user administrator /active:yes
net user administrator *
=> press Enter twice (no password; the guest only lives on the host-only network)
wmic computersystem where caption='WIN-ILUGH7KAK8H' rename 'cuckoo1'
=> to look up the caption: wmic computersystem get caption
net user
=> list the current users
net user kisec /delete
shutdown -r -t 0
- VirtualBox network settings: the VM needs a Host-only adapter (vboxnet0, the 192.168.56.0/24 network used below); this is required
[iptables configuration (Ubuntu host)]
sudo iptables -t nat -A POSTROUTING -o ens33 -s 192.168.56.0/24 -j MASQUERADE
sudo iptables -P FORWARD DROP
sudo iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -s 192.168.56.0/24 -j ACCEPT
sudo iptables -A FORWARD -j LOG
sudo iptables -L -v
sudo netfilter-persistent save
sudo netfilter-persistent reload
=> ens33 is the host's outbound interface; substitute your own. With MASQUERADE the guest has real internet access, so the sample can reach its C2 and attack third parties; restrict the forwarding rule if that is not acceptable
sudo vim /etc/sysctl.conf
net.ipv4.ip_forward=1
=> uncomment this line so forwarding survives a reboot
sudo sysctl -w net.ipv4.ip_forward=1
- In the Windows 7 guest: set a static IP on the host-only adapter (192.168.56.101, gateway 192.168.56.1, matching virtualbox.conf and cuckoo.conf below)
- Confirm the internet works again (through the host's MASQUERADE rule)
- Turn off the Windows Firewall
- Set UAC to the lowest level
- Turn off Windows automatic updates
- Run the file in question; specify the path; tick the checkbox; OK
[Connect Cuckoo Sandbox & Windows 7]
wget https://www.python.org/ftp/python/2.7.18/python-2.7.18.amd64.msi
mv ./python-2.7.18.amd64.msi $cwd/agent
=> $cwd/agent (which also holds Cuckoo's agent.py) is shared into the guest; once the share is set up, vboxsvr appears under Windows - Network
- In the vulnerable analysis environment (Windows 7): run the Python installer from the share
==> tick the option that adds Python to the PATH during installation
pip install pillow (in Windows 7; the agent needs it for screenshots)
- Start the agent (agent.py from the share) in the guest and leave it running; the snapshot below must capture it running
On Ubuntu (host):
VBoxManage snapshot "cuckoo1" take "Snapshot1" --pause
VBoxManage controlvm "cuckoo1" poweroff
VBoxManage snapshot "cuckoo1" restorecurrent
[Cuckoo Sandbox - PostgreSQL setup]
sudo apt-get install postgresql libpq-dev -y
sudo passwd postgres
- Enter new UNIX password: Postgres123!@#
- Retype new UNIX password: Postgres123!@#
- passwd: password updated successfully
sudo -u postgres createuser --interactive
- Enter name of role to add: kisec
- Shall the new role be a superuser? (y/n) n
- Shall the new role be allowed to create databases? (y/n) y
- Shall the new role be allowed to create more new roles? (y/n) y
createdb cuckoo
=> run as the Ubuntu user kisec, which matches the role just created
psql cuckoo
- cuckoo=> alter user kisec with password 'Cuckoo123!@#';
- cuckoo=> \q
sudo vim /etc/postgresql/9.5/main/postgresql.conf
listen_addresses = '192.168.0.7'
sudo vim /etc/postgresql/9.5/main/pg_hba.conf
host all all 192.168.0.0/24 md5
=> Cuckoo runs on this same host, so the default listen_addresses = 'localhost' and a 127.0.0.1 connection would be enough; binding the LAN address 192.168.0.7 and allowing the whole /24 exposes the database to every host on that network. The passwords above are the page's sample values, pick your own
sudo systemctl restart postgresql@9.5-main.service
sudo systemctl enable postgresql@9.5-main.service
[Cuckoo Sandbox - MongoDB setup]
sudo apt-get install mongodb -y
sudo vim /etc/mongodb.conf
bind_ip = 192.168.0.7
sudo systemctl restart mongodb.service
mongo --quiet 192.168.0.7
> use cuckoo
> db.createUser({user:"kisec",pwd:"Mongodb123!@#",roles:[{role:"readWrite",db:"cuckoo"}]})
> exit
=> creating the user enforces nothing until auth = true is set in /etc/mongodb.conf and mongodb is restarted; until then every host on 192.168.0.0/24 can read and modify the analysis reports. As with PostgreSQL, bind_ip = 127.0.0.1 is sufficient because the web interface runs on this host
[Cuckoo Sandbox configuration]
vim $cwd/conf/cuckoo.conf
ip = 192.168.56.1
=> [resultserver] section: the host-only address the guest reports back to
connection = postgresql://kisec:Cuckoo123%21%40%23@192.168.0.7:5432/cuckoo
=> [database] section. The password Cuckoo123!@# contains '@' and '#', which are URL delimiters, so it is percent-encoded here ('!' -> %21, '@' -> %40, '#' -> %23); the raw form may be accepted by a lenient parser but is ambiguous
sudo -H pip install psycopg2==2.6.2
vim $cwd/conf/virtualbox.conf
mode = gui
machines = cuckoo1
label = cuckoo1
platform = windows
ip = 192.168.56.101
=> machines and label must match the VirtualBox VM name; ip is the guest's static address; mode = gui shows the VM window (headless is the usual choice once it works)
vim $cwd/conf/reporting.conf
[mongodb] section:
enabled = yes
host = 192.168.0.7
port = 27017
db = cuckoo
store_memdump = yes
paginate = 100
# MongoDB authentication (optional).
username = kisec
password = Mongodb123!@#
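The [database] connection string above embeds a password containing URL-reserved characters. The following added example (not from the page or from Cuckoo; function names are ours, the credentials are the page's sample values) builds the URL from its parts with percent-encoding, parses it back, and shows what a standard RFC 3986 parser makes of the raw, unencoded form:

```python
# Added example: build and check the SQLAlchemy-style connection URL used in cuckoo.conf.
# Python 3 stdlib only; Cuckoo itself runs on Python 2, but the URL rules are the same.
from urllib.parse import quote, unquote, urlsplit


def make_db_url(user, password, host, port, dbname, scheme="postgresql"):
    """Return scheme://USER:PASSWORD@host:port/db with every reserved character in the
    credentials escaped (safe="" so '/', ':', '@' and '#' are all encoded)."""
    return "{}://{}:{}@{}:{}/{}".format(
        scheme, quote(user, safe=""), quote(password, safe=""), host, port, dbname)


def parsed_parts(url):
    """Parse a URL the way an RFC 3986 parser does and return
    (user, password, host, port, database); password is decoded again."""
    u = urlsplit(url)
    password = unquote(u.password) if u.password is not None else None
    return (u.username, password, u.hostname, u.port, u.path.lstrip("/"))


if __name__ == "__main__":
    good = make_db_url("kisec", "Cuckoo123!@#", "192.168.0.7", 5432, "cuckoo")
    print(good)                 # password appears as Cuckoo123%21%40%23
    print(parsed_parts(good))   # round-trips to the original credentials and host
    # The page's raw form: a strict parser stops the netloc at the first '#'
    raw = "postgresql://kisec:Cuckoo123!@#@192.168.0.7:5432/cuckoo"
    print(parsed_parts(raw))    # host and port are lost, password is truncated
```

Put the string returned by make_db_url into the connection line; if you rotate the password, regenerate the line rather than editing the encoded text by hand.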
[Run Cuckoo Sandbox]
cuckoo -d
cuckoo web -H 192.168.0.7
=> the web interface has no authentication; on 192.168.0.7 anyone on the LAN can submit samples and read reports
=> the vboxnet0 host-only interface loses its address after an Ubuntu reboot; it must be re-enabled (192.168.56.1) before Cuckoo is started (see the .bashrc snippet at the end)
[ssdeep integration]
sudo apt-get install libfuzzy-dev -y
sudo -H pip install pydeep
sudo -H pip install m2crypto==0.24.0
cuckoo process -r 1
=> re-runs processing and reporting for task 1 so the existing report picks up the new module
[Add Cuckoo Sandbox signatures]
cuckoo community
=> downloads the community signatures and modules into $cwd
cuckoo process -r 1
[Cuckoo Sandbox & VirusTotal integration]
vim $cwd/conf/processing.conf
[virustotal] section:
enabled = yes
scan = yes
key = <register for a VirusTotal account and paste the issued API key here>
=> scan = yes uploads every submitted sample to VirusTotal, which leaks confidential samples; the key shipped in the default config is a shared public key, replace it with your own
cuckoo process -r 1
[Nginx & uWSGI installation and integration]
sudo apt-get install uwsgi uwsgi-plugin-python nginx -y
sudo adduser www-data $USER
=> puts www-data into your user's group so nginx can read files under $cwd
sudo rm /etc/nginx/sites-enabled/default
sudo systemctl daemon-reload
cuckoo web --uwsgi | sudo tee /etc/uwsgi/apps-available/cuckoo-web.ini
sudo ln -s /etc/uwsgi/apps-available/cuckoo-web.ini /etc/uwsgi/apps-enabled/
sudo systemctl restart uwsgi.service
cuckoo web -H 192.168.0.7 --nginx | sudo tee /etc/nginx/sites-available/cuckoo-web
sudo ln -s /etc/nginx/sites-available/cuckoo-web /etc/nginx/sites-enabled/
=> plain tee (not tee -a) so re-running the generator overwrites instead of appending duplicate sections
- stop the foreground "cuckoo web" first
sudo systemctl restart nginx.service
- watch the web interface's requests (the generated server block listens on 192.168.0.7:8000)
tail -f /var/log/nginx/access.log
[Cuckoo API server integration]
sudo pip install Werkzeug==0.16.1
=> pinned because newer Werkzeug releases are incompatible with the Flask version Cuckoo 2.0.5 uses
cuckoo api --uwsgi | sudo tee /etc/uwsgi/apps-available/cuckoo-api.ini
sudo ln -s /etc/uwsgi/apps-available/cuckoo-api.ini /etc/uwsgi/apps-enabled/
sudo systemctl restart uwsgi.service
cuckoo api -H 192.168.0.7 --nginx | sudo tee /etc/nginx/sites-available/cuckoo-api
sudo ln -s /etc/nginx/sites-available/cuckoo-api /etc/nginx/sites-enabled/
sudo systemctl restart nginx.service
- integration test
curl http://192.168.0.7:8090
=> 404 Not Found means the API application answered (there is no route at /); a 5XX means the uWSGI/nginx wiring failed. /cuckoo/status returns 200 with a JSON status once everything works
=> the API has no access control unless api_token is set in the [cuckoo] section of cuckoo.conf; with it set, every request needs an "Authorization: Bearer <token>" header (the Python script below uses S4MPL3 as a placeholder)
[Submit malware for analysis]
curl -X POST -F file=@./518.exe http://192.168.0.7:8090/tasks/create/file
=> returns {"task_id": N}; add -H "Authorization: Bearer <token>" when api_token is configured
[Fetch the analysis result]
curl -X GET http://192.168.0.7:8090/tasks/view/<task_id>
=> status of one task (pending, running, completed, reported, failed_*); /tasks/list/<limit>/<offset> lists tasks and does not take a task id
curl -X GET http://192.168.0.7:8090/tasks/report/<task_id>
=> the JSON report, available once the status is "reported"
[Automation example using Python]
==========================================
from __future__ import print_function
import os
import sys
import time
import requests

API = "http://192.168.0.7:8090"
REST_URL = API + "/tasks/create/file"
VIEW_URL = API + "/tasks/view/{}"
REPORT_URL = API + "/tasks/report/{}"
SAMPLE_FILE = "./518.exe"
# Only required when api_token is set in cuckoo.conf; S4MPL3 is a placeholder token
HEADERS = {"Authorization": "Bearer S4MPL3"}

# 1. submit the sample; the API answers {"task_id": N}
with open(SAMPLE_FILE, "rb") as sample:
    files = {"file": (os.path.basename(SAMPLE_FILE), sample)}
    r = requests.post(REST_URL, headers=HEADERS, files=files, timeout=30)
r.raise_for_status()
task_id = r.json()["task_id"]
print("[task_id] : {}".format(task_id))

# 2. poll the task until it has been analysed, processed and reported
view_url = VIEW_URL.format(task_id)
while True:
    result = requests.get(view_url, headers=HEADERS, timeout=30)
    if result.status_code != 200:
        sys.exit("Server Error: HTTP {}".format(result.status_code))
    status = result.json()["task"]["status"]
    if status == "reported":
        break
    if status.startswith("failed"):      # failed_analysis / failed_processing / failed_reporting
        sys.exit("Task {} ended in status {}".format(task_id, status))
    print("Status: {} : Wait 10 seconds".format(status))
    time.sleep(10)

# 3. download the JSON report and keep it on disk
report = requests.get(REPORT_URL.format(task_id), headers=HEADERS, timeout=60)
if report.status_code != 200:
    sys.exit("Cannot find report for task {}".format(task_id))
with open("report_{}.json".format(task_id), "w") as f:
    f.write(report.text)
==========================================
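The script above only stores report_<id>.json. The following added example (not from the page or from Cuckoo) reduces such a report to the facts an analyst triages first. The key names follow the Cuckoo 2.x report layout (info.score, signatures[], network.hosts, network.domains[], dropped[], target.file) and the sample report is constructed, so treat both as assumptions to check against your own reports; the resultserver address 192.168.56.1 is taken from cuckoo.conf above:

```python
# Added example: summarize a Cuckoo 2.x report.json for quick triage.
from __future__ import print_function
import json

# Constructed sample in the shape of a Cuckoo 2.x report; only the keys used below are filled in.
SAMPLE_REPORT = {
    "info": {"id": 1, "score": 6.4},
    "target": {"category": "file", "file": {"name": "518.exe", "sha256": "ab" * 32}},
    "signatures": [
        {"name": "creates_exe", "severity": 1, "description": "Drops an executable"},
        {"name": "persistence_autorun", "severity": 3,
         "description": "Installs itself for autorun at Windows startup"},
        {"name": "antivm_generic_disk", "severity": 2, "description": "Queries for the disk drive vendor"},
    ],
    "network": {
        "hosts": ["192.168.56.1", "203.0.113.10"],
        "domains": [{"domain": "qzone.qq.com", "ip": "203.0.113.10"}],
    },
    "dropped": [{"name": "svc.exe", "sha256": "cd" * 32}],
}

# Host-only gateway / resultserver from cuckoo.conf: traffic to it is the sandbox's own plumbing
SANDBOX_HOSTS = ("192.168.56.1",)


def summarize(report, min_severity=2, ignore_hosts=SANDBOX_HOSTS):
    """Reduce a report dict to task id, score, sample hash, notable signatures
    (most severe first), external contacts and hashes of dropped files."""
    info = report.get("info", {})
    network = report.get("network", {})
    sigs = [(s["name"], s["severity"]) for s in report.get("signatures", [])
            if s.get("severity", 0) >= min_severity]
    sigs.sort(key=lambda ns: ns[1], reverse=True)
    return {
        "task_id": info.get("id"),
        "score": info.get("score", 0.0),
        "sha256": report.get("target", {}).get("file", {}).get("sha256"),
        "signatures": sigs,
        "hosts": [h for h in network.get("hosts", []) if h not in ignore_hosts],
        "domains": sorted({d["domain"] for d in network.get("domains", [])}),
        "dropped": [d["sha256"] for d in report.get("dropped", []) if "sha256" in d],
    }


def verdict(summary, score_threshold=5.0):
    """Coarse triage label. Cuckoo's score is a heuristic, so one severity-3
    signature is enough on its own; unexplained external contacts are suspicious."""
    if summary["score"] >= score_threshold or any(sev >= 3 for _, sev in summary["signatures"]):
        return "malicious"
    if summary["signatures"] or summary["hosts"]:
        return "suspicious"
    return "clean"


def summarize_file(path):
    """Load report_<id>.json as written by the polling script and summarize it."""
    with open(path) as f:
        return summarize(json.load(f))


if __name__ == "__main__":
    s = summarize(SAMPLE_REPORT)
    print(json.dumps(s, indent=2))
    print("verdict:", verdict(s))
```

Run it as summarize_file("report_1.json") on a real report; the domains and hosts it returns are the IOCs worth carrying into Snort or the firewall log review.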
[Elasticsearch installation and integration]
sudo apt-get install openjdk-8-jre -y
echo "deb https://artifacts.elastic.co/packages/5.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-5.x.list
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
sudo apt-get update -y
sudo apt-get install elasticsearch -y
sudo vim /etc/elasticsearch/elasticsearch.yml
cluster.name: ES-Cuckoo
node.name: es-node-1
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: 192.168.0.7
http.port: 9200
node.master: true
node.data: true
=> Elasticsearch 5.x ships without authentication; with network.host 192.168.0.7 anyone on the LAN can read or delete every indexed report. Use 127.0.0.1 unless another host has to query it
sudo systemctl enable elasticsearch.service
sudo systemctl restart elasticsearch.service
- check that Elasticsearch is running
curl -X GET http://192.168.0.7:9200
vim $cwd/conf/reporting.conf
[elasticsearch] section:
enabled = yes
hosts = 192.168.0.7:9200
calls = yes
cuckoo_node = es-node-1
sudo systemctl restart elasticsearch.service
curl -X PUT 192.168.0.7:9200/_template/cuckoo_template -T ~/.cuckoo/elasticsearch/template.json
=> loads Cuckoo's index template (field mappings) before the first report is indexed
sudo systemctl restart uwsgi.service
[Volatility installation and integration] memory forensics tool
sudo apt-get install volatility -y
vim $cwd/conf/cuckoo.conf
memory_dump = yes
=> [cuckoo] section: dumps the full guest RAM at the end of every analysis; each dump is the size of the VM's memory, so watch disk space under $cwd/storage
vim $cwd/conf/processing.conf
enabled = yes
=> [memory] section
vim $cwd/conf/memory.conf
guest_profile = Win7SP1x64
=> must match the guest exactly (64-bit Windows 7 SP1 here); with the wrong profile Volatility returns nothing useful
- stop and restart the Cuckoo core
sudo systemctl restart uwsgi.service
[Snort installation and integration]
sudo apt-get install snort -y
- interface prompt: enter vboxnet0
- HOME_NET prompt: enter 192.168.0.0/24
- interface prompt: enter vboxnet0
=> Cuckoo runs snort offline over each analysis pcap, so the interface answer hardly matters; HOME_NET should cover the guest traffic, i.e. 192.168.56.0/24, for rules keyed on $HOME_NET to fire
sudo chmod 4775 /usr/sbin/snort
=> makes snort setuid root so the unprivileged Cuckoo user can run it. Snort parses attacker-controlled pcaps, so a setuid-root binary turns any parser bug into local root; keep this host single-purpose and prefer running snort without setuid (group-readable config, a log directory the Cuckoo user can write)
sudo chmod 644 /etc/snort/snort.conf
snort -T -c /etc/snort/snort.conf
=> validates the configuration
vim $cwd/conf/processing.conf
[snort] section:
enabled = yes
snort = /usr/sbin/snort
- rule example)
sudo vim /etc/snort/rules/local.rules
alert tcp any any -> any any (msg:"\"qzone.qq.com\" Alert"; content:"qzone.qq.com"; nocase; sid:10000002; gid:1; rev:1;)
=> local rules need sid >= 1000000 so they do not clash with distributed rule sets; a plain content match on the dotted name catches HTTP Host headers and TLS SNI but not DNS queries, where labels are length-prefixed
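Domains pulled from Cuckoo reports are attacker-controlled strings, and local.rules is parsed as code, so a value carrying '"' or ';' can terminate the rule and start another. The following added example (not from the page or from the Snort or Cuckoo projects; the rule templates mirror the page's example rule, the input list is constructed) validates each domain against a hostname allow-list, rejects anything else rather than escaping it, and emits both the dotted-name rule and a DNS-wire-format rule per domain with consecutive local sids:

```python
# Added example: generate Snort local.rules entries from sandbox-derived domains safely.
from __future__ import print_function
import re

# Templates follow the page's example rule; the msg text carries no quotes of its own
TCP_RULE = ('alert tcp any any -> any any (msg:"Cuckoo IOC domain {d}"; '
            'content:"{d}"; nocase; sid:{sid}; rev:1;)')
DNS_RULE = ('alert udp any any -> any 53 (msg:"Cuckoo IOC DNS query {d}"; '
            'content:"{hex}"; sid:{sid}; rev:1;)')
LOCAL_SID_START = 1000000   # sids below 1,000,000 belong to distributed rule sets
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def is_hostname(value):
    """Strict allow-list check: anything with '"', ';', '|', spaces etc. fails
    and is never interpolated into a rule."""
    return bool(HOSTNAME_RE.match(value.lower()))


def dns_content(domain):
    """Snort |hex| content for the wire form of a DNS name:
    length-prefixed labels terminated by a NUL byte."""
    wire = bytearray()
    for label in domain.lower().split("."):
        wire.append(len(label))
        wire.extend(label.encode("ascii"))
    wire.append(0)
    return "|" + " ".join("{:02x}".format(b) for b in wire) + "|"


def make_rules(domains, first_sid=LOCAL_SID_START + 1):
    """Return (rules, rejected): a TCP content rule and a DNS rule per valid,
    deduplicated domain, with consecutive sids starting at first_sid."""
    rules, rejected, sid = [], [], first_sid
    for d in sorted({x.strip().lower() for x in domains}):
        if not is_hostname(d):
            rejected.append(d)
            continue
        rules.append(TCP_RULE.format(d=d, sid=sid))
        rules.append(DNS_RULE.format(d=d, hex=dns_content(d), sid=sid + 1))
        sid += 2
    return rules, rejected


if __name__ == "__main__":
    # Constructed input: two plausible IOCs and one hostile value that tries to close the rule early
    rules, rejected = make_rules(["qzone.qq.com", "Update.Example.net", 'x";sid:1;)'])
    print("\n".join(rules))
    print("rejected:", rejected)
```

Append the returned rules to /etc/snort/rules/local.rules, keep first_sid above the highest sid already in the file, and re-run snort -T before the next analysis; the rejected list is worth a look on its own, since a domain that fails the check came from a report that was either malformed or tampered with.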
[Supervisor installation and integration]
sudo -H pip install supervisor==3.3.4
vim $cwd/conf/cuckoo.conf
process_results = no
=> [cuckoo] section: the daemon stops processing results itself; the "cuckoo process" workers defined in $cwd/supervisord.conf take over
sudo ln -s $cwd/supervisord.conf /etc/supervisord.conf
- kill the "cuckoo -d" process first
supervisord
supervisorctl status cuckoo:*
vim ~/.bashrc
# Autorun Cuckoo Sandbox with Supervisor
if ! pgrep -x supervisord > /dev/null; then
    supervisord
fi
# Autorun VirtualBox and restore the host-only address that is lost at reboot
if ! pgrep VirtualBox > /dev/null; then
    virtualbox &
    vboxmanage hostonlyif ipconfig vboxnet0 --ip 192.168.56.1
fi
=> this runs in every new interactive shell of the user; a systemd unit is the cleaner place for it, but this is what the original setup used