This is my second article in the Cuckoo Sandbox series. The previous one focused on setting up the host machine; from here on we will be focusing on the guest machine.
Preparing the Virtual Machine
Now that we are done with the host machine, we will start preparing the virtual machine, beginning with the installation of VirtualBox.
echo deb http://download.virtualbox.org/virtualbox/debian xenial contrib | sudo tee -a /etc/apt/sources.list.d/virtualbox.list
wget -q https://www.virtualbox.org/download/oracle_vbox_2016.asc -O- | sudo apt-key add -
sudo apt-get update
sudo apt-get install virtualbox-5.1
If you are using a different Linux version, use the matching repository line from the list below instead of the xenial one above.
For Ubuntu 17.04 ("Zesty"): deb http://download.virtualbox.org/virtualbox/debian zesty contrib
For Ubuntu 16.04 ("Xenial"): deb http://download.virtualbox.org/virtualbox/debian xenial contrib
For Ubuntu 14.04 ("Trusty"): deb http://download.virtualbox.org/virtualbox/debian trusty contrib
For Ubuntu 12.04 LTS ("Precise Pangolin"): deb http://download.virtualbox.org/virtualbox/debian precise contrib
For Debian 8 ("Jessie"): deb http://download.virtualbox.org/virtualbox/debian jessie contrib
For Debian 7 ("Wheezy"): deb http://download.virtualbox.org/virtualbox/debian wheezy contrib
You can confirm the VirtualBox installation by switching to super user and then typing virtualbox in the terminal.
Creation of the Virtual Machine
Now start with the Windows installation in VirtualBox. For this setup we will be installing the Windows 7 operating system. It is a 32-bit operating system that has been assigned 4 GB of RAM and 65 GB of HDD space. It is important to make a note of the machine name that you set; for this setup we will be using "windows7".
Once the operating system has been installed, proceed with installing the Guest Additions in the virtual OS. To identify whether a 32-bit or 64-bit version of Windows has been installed, type "winmsd.exe" in the command prompt.
This will bring up a pop-up window asking to install the Guest Additions. Proceed with it and reboot the virtual machine once done. Now we will add the agent folder that we made shareable earlier: click on Machine > Settings in the VirtualBox window while Windows 7 is running.
Click on shared folders.
Click on Machine Folders and then the + sign on the right. Select the agent folder and check the Auto-mount and Make Permanent options.
Once done with that, disable the Windows Firewall and disable the User Account Control (UAC) settings.
Once done, power off the virtual machine properly.
We now need to configure the host and the virtual machine so that they can communicate properly with each other. Run the following commands on the host machine (Ubuntu).
Switch to super user.
sudo vboxmanage hostonlyif create
sudo vboxmanage hostonlyif ipconfig vboxnet0 --ip 192.168.56.1
sudo vboxmanage modifyvm windows7 --hostonlyadapter1 vboxnet0
sudo vboxmanage modifyvm windows7 --nic1 hostonly
Run "ifconfig" to verify the result; you should be able to see the vboxnet0 adapter.
Proceed with the following steps on the virtual machine (Windows). In the Windows 7 virtual machine, enter the static IP settings for the guest (in this setup the guest is 192.168.56.101 on the 192.168.56.0/24 host-only network, with the host's vboxnet0 address 192.168.56.1 as its gateway), but don't press OK yet.
In another terminal switch to super user and type in the following commands, making sure to change the adapter name (wlp2s0 below) to the uplink adapter you see on your machine.
iptables -A FORWARD -o wlp2s0 -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A POSTROUTING -t nat -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
Now press OK in the Windows virtual machine to apply the settings. If the connection was successful, you should see connectivity and a dialogue box will turn up.
You can also check by pinging 192.168.56.101 from the Linux machine, or by pinging the Linux machine's IP address from the Windows machine.
To make sure that the rules survive in the system, install iptables-persistent.
sudo apt-get install iptables-persistent
This installation makes sure that the rules stay in the system after you reboot the machine. You will receive a prompt asking whether to save the current IPv4 and IPv6 rules; just select Yes.
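A check worth running after iptables-persistent saves the rules (and again after a reboot): parse the saved rules file and confirm the three forwarding/NAT rules from this guide are still there for the sandbox subnet. This is an added example, not code from the article or from Cuckoo; the rules text is a constructed sample in iptables-save format, the format iptables-persistent writes to /etc/iptables/rules.v4, and wlp2s0 stands in for whatever uplink adapter your host uses.

```python
import shlex

# Constructed sample of /etc/iptables/rules.v4 (iptables-save format, as written by
# iptables-persistent) after the guide's three rules were added; wlp2s0 is the uplink.
RULES_V4 = """\
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -s 192.168.56.0/24 -i vboxnet0 -o wlp2s0 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -j MASQUERADE
COMMIT
"""


def parse_rules(text):
    """Map (table, chain) -> list of {option: value} dicts, one per '-A' line."""
    rules, table = {}, None
    for line in text.splitlines():
        if line.startswith("*"):
            table = line[1:].strip()
        elif line.startswith("-A "):
            toks, opts, i = shlex.split(line), {}, 2
            while i < len(toks):  # pair each option with its value; bare flags get True
                if i + 1 < len(toks) and not toks[i + 1].startswith("-"):
                    opts[toks[i]], i = toks[i + 1], i + 2
                else:
                    opts[toks[i]], i = True, i + 1
            rules.setdefault((table, toks[1]), []).append(opts)
    return rules


def check_sandbox_nat(text, guest_net, hostonly_if, uplink_if):
    """Return the guide's rules that are missing from a saved rules file (empty = all present)."""
    rules = parse_rules(text)
    fwd = rules.get(("filter", "FORWARD"), [])
    nat = rules.get(("nat", "POSTROUTING"), [])
    missing = []
    if not any(r.get("-s") == guest_net and r.get("-i") == hostonly_if and r.get("-o") == uplink_if
               and r.get("--ctstate") == "NEW" and r.get("-j") == "ACCEPT" for r in fwd):
        missing.append("FORWARD: new connections from guest subnet to uplink")
    if not any({"ESTABLISHED", "RELATED"} <= set(str(r.get("--ctstate", "")).split(","))
               and r.get("-j") == "ACCEPT" for r in fwd):
        missing.append("FORWARD: return traffic (ESTABLISHED,RELATED)")
    # The guide's MASQUERADE carries no -o, so it applies to every outgoing interface;
    # a tighter rule limited to the uplink (-o <uplink>) is accepted here as well.
    if not any(r.get("-j") == "MASQUERADE" and r.get("-o") in (None, uplink_if) for r in nat):
        missing.append("nat POSTROUTING: MASQUERADE for guest traffic")
    return missing
```

Note that iptables-persistent restores only the rules; the ip_forward flag set with echo above is not persisted by it and needs its own persistent setting (net.ipv4.ip_forward=1 in /etc/sysctl.conf) or the guest loses internet access after a reboot even though the rules are back.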
Having done the above steps, we can now copy the agent files from the cuckoo directory into the shared folder that we created earlier. These files will then be available in the virtual machine.
cp /root/.cuckoo/agent/agent.sh /home/administrator/Downloads/agent/
cp /root/.cuckoo/agent/agent.py /home/administrator/Downloads/agent/
You can now locate these files at the following location in Windows:
network > VBOXSVR > agent folder
Installing the Agent on Windows
For the agent to work on the Windows virtual machine, we also need to install other software, namely Python and Pillow. Pillow is what the agent uses to take screenshots of activity on the Windows guest.
Go ahead and install Python 2.7.14 (released 2017-09-16); download the Windows x86 MSI installer.
For Pillow, download "Pillow-2.7.0.win32-py2.7.exe (md5)" from https://pypi.python.org/pypi/Pillow/2.7.0
After this, install software like Office, Adobe products etc., so that the virtual setup looks similar to a normal machine in the organization. The idea is to make it resemble an organization machine closely enough.
Finally, all that is left is to run the agent.py file from the Documents folder and take a snapshot of the virtual machine.
You will see a blank screen, but that is perfectly normal. After this, take a snapshot by selecting Machine > Take Snapshot.
Please make a note of the name you give this snapshot. It will be used while configuring the sandbox. I used something short and easy: "snap". Now you can power off the virtual machine.
Cloning the Virtual Machine
You can always create a clone of the virtual machine; it acts as a backup of all the settings and installed applications, and if you plan on using multiple VMs you can use these clones.
This stage involves configuring the settings for the sandbox. The configuration files are located in the ".cuckoo/conf" folder of the user running Cuckoo (/root/.cuckoo/conf, matching the cp commands above). The values that need to change have been highlighted in each screenshot.
Modify the snapshot name to match the name you gave the snapshot earlier while setting up the Windows 7 virtual machine.
To edit the guest profile please refer to the list below:
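To tie the guest profile together, here is an added example (not from the article or from the Cuckoo project) that cross-checks the values this guide produced: machine name "windows7", snapshot "snap", guest 192.168.56.101 and host vboxnet0 192.168.56.1. It assumes the Cuckoo 2.x layout of ~/.cuckoo/conf/virtualbox.conf ([virtualbox] plus one section per machine) and cuckoo.conf ([cuckoo] and [resultserver]); both config texts below are constructed samples.

```python
import configparser
import ipaddress

# Constructed sample of ~/.cuckoo/conf/virtualbox.conf after editing it for this guide's VM.
VIRTUALBOX_CONF = """
[virtualbox]
interface = vboxnet0
machines = windows7

[windows7]
label = windows7
platform = windows
ip = 192.168.56.101
snapshot = snap
"""

# Constructed sample of the two cuckoo.conf sections the VM settings must agree with.
CUCKOO_CONF = """
[cuckoo]
machinery = virtualbox

[resultserver]
ip = 192.168.56.1
port = 2042
"""


def check_cuckoo_config(virtualbox_conf, cuckoo_conf):
    """Cross-check both files; returns a list of problems (empty means consistent)."""
    vb, ck = configparser.ConfigParser(), configparser.ConfigParser()
    vb.read_string(virtualbox_conf)
    ck.read_string(cuckoo_conf)
    problems = []
    if ck.get("cuckoo", "machinery", fallback="") != "virtualbox":
        problems.append("cuckoo.conf: machinery must be 'virtualbox'")
    # Guests reach the result server over the host-only network (192.168.56.0/24 in the guide).
    rs_net = ipaddress.ip_network(ck.get("resultserver", "ip", fallback="0.0.0.0") + "/24", strict=False)
    for name in vb.get("virtualbox", "machines", fallback="").split(","):
        name = name.strip()
        if not vb.has_section(name):
            problems.append(f"virtualbox.conf: '{name}' is listed in machines but has no section")
            continue
        # label must be the exact VirtualBox VM name; snapshot is the one taken after running agent.py
        for key in ("label", "snapshot"):
            if not vb.get(name, key, fallback=""):
                problems.append(f"[{name}]: {key} is empty")
        guest_ip = ipaddress.ip_address(vb.get(name, "ip", fallback="0.0.0.0"))
        if guest_ip not in rs_net:
            problems.append(f"[{name}]: ip {guest_ip} is not on the result server network {rs_net}")
    return problems
```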
And that’s about it. Hope you enjoyed the two articles. Your comments or feedback would be greatly appreciated.
(Featured Image credits: A cuckoo-clock heart, by KaleidoMewStar, deviantart.com)