Configuring Cuckoo 2.0 (vSphere machinery)
To run Cuckoo against my vSphere environment I used the configuration below. Credentials and addresses are placeholders (xxx); the caveats next to each setting matter if the sandbox is exposed to anything beyond a lab.
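# Work as the dedicated cuckoo user inside its virtualenv; all config files
# live in the Cuckoo working directory.
sudo su - cuckoo
. venv/bin/activate
# fixed typo (.cuucko -> .cuckoo)
cd .cuckoo/conf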
Some Python modules were still missing and had to be installed into the activated virtualenv:
# NOTE(review): versions are unpinned. Cuckoo 2.0 targets Python 2, so pin the
# versions that worked here if this setup is ever rebuilt; later releases of
# these packages may have dropped Python 2 support.
# vSphere API client, required by machinery = vsphere (cuckoo.conf below).
pip install -U pyvmomi
# PostgreSQL driver for the postgresql:// connection string in cuckoo.conf.
pip install psycopg2
# Needed for pdf = yes in the singlefile reporting module.
pip install weasyprint
pip install m2crypto
In auxiliary.conf I changed (section header shown for orientation, do not comment it out in the real file):
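# The section header is written uncommented on purpose: with a leading "#" the
# header becomes a comment and "enabled = yes" lands in whichever section
# precedes it in auxiliary.conf.
[mitm]
# NOTE(review): the mitm auxiliary module relies on mitmdump on the host and
# its CA certificate being trusted inside the guests - check the stock comments
# in this section before enabling.
enabled = yes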
In cuckoo.conf I changed the following keys (they sit in different sections of the file):
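# NOTE(review): these keys belong to different sections of cuckoo.conf
# ([cuckoo], [resultserver], [processing], [database] - confirm against the
# stock file). Set each under its existing header; do not paste this list as is.

# Deletes the submitted file once the analysis is done. Keep the companion
# delete_bin_copy key at "no" (confirm name in the stock file) or the only
# retained copy of the sample is lost as well.
delete_original = yes
# Selects vsphere.conf (below) as the machine manager.
machinery = vsphere
# ~92 GiB each: this effectively removes the caps on files uploaded by the guest
# and on files handed to processing. A misbehaving or malicious guest can then
# fill the host's disk; the stock defaults are far smaller for that reason.
upload_max_size = 99134217728
analysis_size_limit = 99134217728
# Plaintext database credential. Keep cuckoo.conf readable only by the cuckoo
# user (chmod 600) and use the same password here as in the CREATE USER
# statement below; "[password]" is a placeholder.
connection = postgresql://cuckoo:[password]@localhost:5432/cuckoo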
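# Run as the postgres superuser. The role is created first so the database can
# be created with it as OWNER: ownership also covers creating tables/schemas,
# which a bare GRANT ... ON DATABASE does not (this bites on PostgreSQL 15+,
# where CREATE on the public schema is no longer granted to every role).
# 'secret' is a placeholder - use a generated password and put the identical
# value into the connection string in cuckoo.conf.
postgres@Cuckoo2:~$ psql -c "CREATE USER cuckoo WITH PASSWORD 'secret';"
postgres@Cuckoo2:~$ psql -c "CREATE DATABASE cuckoo OWNER cuckoo;"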
Because my ESXi host is rather slow, I raised the timeouts in cuckoo.conf:
[timeouts]
# All values are in seconds. default and vm_state were raised because VM
# operations on this ESXi host are slow.
# Analysis duration used when none is given at submission.
default = 240
# Time the host waits for the guest agent before the analysis is aborted
# (confirm the exact semantics against the stock comment); not raised here.
critical = 60
# Maximum time to wait for a VM power/snapshot state change to complete.
vm_state = 300
In memory.conf I changed:
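# Volatility profile used for machines that do not set their own mem_profile.
# Changed from Win7SP0x86 to match the mem_profile = Win7SP1x64 that every
# machine in vsphere.conf below carries; a profile that does not match the
# guest's actual build makes the Volatility plugins fail or return garbage.
# Only relevant when memory dumps are enabled for the analysis.
guest_profile = Win7SP1x64
# Remove the raw memory dump after Volatility has processed it (saves disk).
delete_memdump = yes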
In processing.conf I changed (section headers shown for orientation, do not comment them out in the real file):
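# NOTE(review): allowed_dns, extract_dll and dump_delete belong to different
# sections of processing.conf ([network] and [procmemory], as far as I recall);
# set each under its own existing header.
# Resolvers used by the network module's DNS whitelisting (confirm against the
# stock comment). 10.123.64.11 is an internal resolver: if the guests get
# internet access via routing.conf, infected VMs can reach it.
allowed_dns = 8.8.8.8,9.9.9.9,8.8.4.4,10.123.64.11
extract_dll = yes
dump_delete = yes

# Headers written uncommented on purpose: a leading "#" would comment them out
# and attach "enabled = yes" to the preceding section.
[suricata]
enabled = yes
# Separate Suricata config for Cuckoo rather than the system default.
conf = /etc/suricata/suricata-cuckoo.yaml

[virustotal]
# Sends sample hashes to a third party. If samples are confidential, make sure
# the section's scan option (which uploads the file itself) stays off, and use
# your own API key instead of the shared default one.
enabled = yes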
In reporting.conf I changed (section headers shown for orientation, do not comment them out in the real file):
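# Headers written uncommented on purpose: a leading "#" would comment them out
# and attach "enabled = yes" to the preceding section.
[singlefile]
enabled = yes
html = yes
# PDF output needs weasyprint (installed above).
pdf = yes

[mongodb]
# Backend for the web interface. Check that mongod listens on localhost only or
# that the username/password keys of this section are set - an unauthenticated
# MongoDB reachable from the network exposes every analysis result.
enabled = yes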
In routing.conf I changed:
# Key from routing.conf's [routing] section (confirm). Gives the analysis VMs
# real internet access through ens160 - the same NIC every machine in
# vsphere.conf is attached to and, presumably, the segment the vCenter host is
# on. Malware running in the guests can then reach vCenter and anything else on
# that network; a dedicated "dirty" NIC/VLAN for guest traffic is safer.
internet = ens160
In vsphere.conf I changed (explanations that were inline with the values have been moved into comments):
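[vsphere]
# Connection to the vCenter / ESXi host. The bracketed explanations that were
# inline with the values are now comments: in INI everything after the value is
# part of the value, so "xxx.xxx.xxx.xxx [IP addr ...]" would not parse as an
# address.
# IP address (or hostname) of the vCenter / vSphere host.
host = xxx.xxx.xxx.xxx
port = 443
# Cuckoo only needs to power VMs on/off and revert snapshots (check the vsphere
# machinery module for the exact calls). Use a dedicated vSphere account/role
# with just those privileges instead of root, so a compromise of the Cuckoo
# host - which runs malware - does not hand over the whole hypervisor.
user = root
# Plaintext credential: keep vsphere.conf readable only by the cuckoo user.
pwd = xxx
# Disables TLS certificate verification. vCenter ships with a self-signed
# certificate by default, but with this on, anyone on the path can impersonate
# vCenter and capture the credentials above. Prefer importing the vCenter CA
# into the host's trust store and setting this to off.
unverified_ssl = on
# Only machines listed here are used. analysis5 was defined below but missing
# from this list; added.
machines = analysis1,analysis2,analysis3,analysis4,analysis5

# One section per analysis VM.
#   label          - VM name in vSphere
#   ip             - address of the Win7 victim
#   snapshot       - snapshot reverted before each analysis
#   interface      - host NIC the guest traffic arrives on (also the "internet"
#                    NIC in routing.conf - see the caveat there)
#   resultserver_ip - Cuckoo's address on the victim-facing NIC
#   mem_profile    - Volatility profile for this guest
[analysis1]
label = Win7_1
platform = windows
ip = xxx.xxx.xxx.xxx
snapshot = Win7_1_running
interface = ens160
resultserver_ip = xxx.xxx.xxx.xxx
mem_profile = Win7SP1x64

[analysis2]
label = Win7_2
platform = windows
ip = xxx.xxx.xxx.xxx
snapshot = Win7_2_running
interface = ens160
resultserver_ip = xxx.xxx.xxx.xxx
mem_profile = Win7SP1x64

[analysis3]
label = Win7_3
platform = windows
ip = xxx.xxx.xxx.xxx
snapshot = Win7_3_running
interface = ens160
resultserver_ip = xxx.xxx.xxx.xxx
mem_profile = Win7SP1x64

[analysis4]
label = Win7_4
platform = windows
ip = xxx.xxx.xxx.xxx
snapshot = Win7_4_running
interface = ens160
resultserver_ip = xxx.xxx.xxx.xxx
mem_profile = Win7SP1x64

[analysis5]
label = Win7_5
platform = windows
ip = xxx.xxx.xxx.xxx
snapshot = Win7_5_running
interface = ens160
resultserver_ip = xxx.xxx.xxx.xxx
mem_profile = Win7SP1x64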