Some obstacles overcome to get a Cuckoo 2 sandbox going on the class laptop: Win10x64 Pro. This is just my notes and rambling and intent is to write up a working build in case someone else in 610 or the community wants it.
Upstream installation instructions, might give harmless cert error: http://docs.cuckoosandbox.org/en/latest/installation/guest/agent/
Python 2.7 64 bit build (such as provided by Chocolately or default on Python.org ) doesn't support a few of the key libraries used by Cuckoo Sandbox, including one for pcap and magic. Cuckoo can't handle Python 3 at all perhaps due to dependencies. So, Python 2.7 is the best choice.
As part of getting this going I ripped out Python 2.7 completely and reinstalled it a couple times. The one that I used for the Cuckoo sandbox host and the Windows guest VMs is presently here: https://www.python.org/downloads/release/python-2714/ and labeled Windows x86 MSI installer which nets you a https://www.python.org/ftp/python/2.7.14/python-2.7.14.msi that I immediately rename to python-2.7.14-win32.msi because it is. Hang onto it.
I'm doing pip install -e . in the cuckoo Git checkout working directory. Why? some earlier trouble getting cuckoo to init and create a CWD.
Cuckoo 2 now uses a specific folder for your install instead of runnign out of the source directory like in the past. This is great!
Mine ended up in ~/.cuckoo even though I really wanted it somewhere else.
There's some weirdness with this one, which is intended to compensate for Window's peculiarities... need to re-science this before I make any declarations.
One such module that absolutely doesn't work x64 is the python-magic package which implements similar functionality to file(1) on Unix systems and requires a binary library and a magic file.
This was eventually fixed upstream in a fork which provides packages including the DLL you need: https://github.com/julian-r/python-magic tells you to get python-magic-bin.
Cuckoo has a compat hack to try and get past this problem, but it doesn't work for me and was blocking analysis from starting (because file type is needed).
options["file_type"] = File(self.task.target).get_type()
File "c:\users\adric\documents\github\cuckoo\cuckoo\common\objects.py", line 224, in get_type
return magic.from_file(os.path.realpath(self.file_path))
File "c:\users\adric\documents\github\cuckoo\cuckoo\compat\magic.py", line 51, in from_file
patch()
File "c:\users\adric\documents\github\cuckoo\cuckoo\compat\magic.py", line 40, in patch
mime=False, magic_file=cwd("win32", "magic.mgc", private=True)
File "build\bdist.win32\egg\magic.py", line 67, in __init__
magic_load(self.cookie, magic_file)
File "build\bdist.win32\egg\magic.py", line 256, in magic_load
return _magic_load(cookie, coerce_filename(filename))
File "build\bdist.win32\egg\magic.py", line 187, in errorcheck_negative_one
raise MagicException(err)
MagicException: bad magic in `c:\users\adric\documents\github\cuckoo\cuckoo\private\win32\magic.mgc'
So let's roll that back and use the upstream magic and bin to see if that works better!
Undoing this patch get analyses running:
- Add back in magic to the library includes up top
- Comment out the import of compat/magic.py
- rename that file for good measure or we could modify the init there, probably
Disabling that hack and using Python pip packages for magic works .. but another library is using the same kind of hack ?!
File "c:\python27\lib\site-packages\sflock-0.3.2-py2.7.egg\sflock\compat\magic.py", line 38, in patch
if sys.platform != "win32" or magic._instances:
AttributeError: 'module' object has no attribute '_instances'
- Downloaded and installed WinXP from MSDN
- Win10 VM (time limited) from MS Edge tools: https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/
MSDN has an ISO for Windows XP Pro build 2600 ... before all of the service packs. Visual Studio Professional Cloud is the way these days since TechNet Pro was taken from us.
Python installer errors on out on 1723 for some DLL (maybe). Exract the files and just run python, seems to work? Ref: https://stackoverflow.com/questions/2678702/install-python-2-6-without-using-installer-on-win32 which includes the MSI command to extract the package contents:
C:\development\apps>msiexec /a python-3.3.2.msi /qb
TARGETDIR=C:\development\apps\python33
IE won't reliably load pages from Ietsim on the remfilter box, though it did before. It's gotten convinced that a) it needs a DNS lookup to get to http://172,28.128.3 and b) that lookup fails .. neither of which is true. PCAPs back this up as it hasn't actually sent HTTP to the remfilter box is quite a few cycles.
FTP also didn't quite work (wonn't auth (ftpd) or can't transfer files (inetsim)) and nothing wants to talk SMB to this poor XP paleo specimen. I ended up using a real USB to transfer the python msi and the agent.py file over to the guest VMs ... this should not be necessary since ping works.
Don't have it and giving it Tshark hasn't worked. So, no pcaps for now.
Should allow screenshots as PIL is unmaintained and won't install. Until then no screenshots.