Cuckoo 3 Installation
This guide is inspired by the Estonian CERT Cuckoo 3 documentation and https://reversingfun.com/posts/cuckoo-3-installation-guide/, and has been tested on Ubuntu server 22.04 with Python 3.10.
- Ubuntu server 22.04
- Python 3.10
- username cuckoo
sudo apt update && sudo apt upgrade -y
sudo apt install git build-essential python3-dev python3.10-venv libhyperscan5 libhyperscan-dev libjpeg8-dev zlib1g-dev unzip p7zip-full rar unace-nonfree cabextract yara tcpdump genisoimage qemu-system-x86 qemu-utils qemu-system-common -y
sudo adduser cuckoo kvm
sudo chmod 666 /dev/kvm
Allow the cuckoo user (non-root) to use tcpdump
sudo groupadd pcap
sudo adduser cuckoo pcap
sudo chgrp pcap /usr/bin/tcpdump
sudo setcap cap_net_raw,cap_net_admin=eip /usr/bin/tcpdump
sudo ln -s /etc/apparmor.d/usr.bin.tcpdump /etc/apparmor.d/disable/
sudo apparmor_parser -R /etc/apparmor.d/disable/usr.bin.tcpdump
sudo apparmor_parser -r /etc/apparmor.d/usr.bin.tcpdump
sudo chown cuckoo /opt && cd /opt
git clone https://github.com/cert-ee/cuckoo3
cd cuckoo3
Edit processing/setup.py and change the pefile and hyperscan versions in install_requires to:
"pefile<2023.0.0",
"hyperscan>=0.4.0",
Install cuckoo 3
python3 -m venv venv
source venv/bin/activate
pip install wheel
./install.sh
Create Cuckoo working directory
cuckoo createcwd
Import the monitor and stager binaries and extract the Cuckoo signatures
cuckoo getmonitor monitor.zip
unzip signatures.zip -d ~/.cuckoocwd/signatures/cuckoo/
git clone https://github.com/hatching/vmcloak.git && cd vmcloak
Edit vmcloak/setup.py and change the pefile version in install_requires to:
"pefile<2023.0.0",
Edit vmcloak/platforms/qemu.py and change the qemu-img call in the _create_snapshot_disk function to the following (newer qemu-img versions require the backing file format to be passed explicitly with -F):
subprocess.check_call(["qemu-img", "create", "-F", "qcow2", "-o",
                       "lazy_refcounts=on,cluster_size=2M", "-b",
                       image_path, "-f", "qcow2", path])
Install vmcloak
pip install . && cd ..
Create VM interface
sudo /opt/cuckoo3/venv/bin/vmcloak-qemubridge br0 192.168.30.1/24
sudo mkdir -p /etc/qemu
echo 'allow br0' | sudo tee /etc/qemu/bridge.conf
sudo chmod u+s /usr/lib/qemu/qemu-bridge-helper
Download the Windows 10 ISO file
vmcloak isodownload --win10x64 --download-to ~/win10x64.iso
sudo mkdir /mnt/win10x64
Mount the Windows 10 ISO
sudo mount -o loop,ro /home/cuckoo/win10x64.iso /mnt/win10x64
Install the Windows 10 base image
vmcloak --debug init --win10x64 --hddsize 128 --cpus 2 --ramsize 4096 --network 192.168.30.0/24 --vm qemu --ip 192.168.30.2 --iso-mount /mnt/win10x64 win10base br0
Optionally install extra utilities
vmcloak --debug install win10base dotnet:4.7.2 java:7u80 vcredist:2013 vcredist:2019 edge carootcert wallpaper disableservices
Take 1 snapshot with IP 192.168.30.20; feel free to add more instances by increasing --count
vmcloak --debug snapshot --count 1 win10base win10vm_ 192.168.30.20
Import VM into cuckoo
cuckoo machine import qemu ~/.vmcloak/vms/qemu
Delete example template
cuckoo machine delete qemu example1
Cuckoo database initialization
cuckoomigrate database all
Ignore any errors it prints
Configure the correct IP of the result server in the file ~/.cuckoocwd/conf/cuckoo.yaml:
resultserver:
  listen_ip: 192.168.30.1
Remove loop=self.loop from node/cuckoo/node/resultserver.py at line 443
nano node/cuckoo/node/resultserver.py
Change the tcpdump path to /usr/bin/tcpdump in ~/.cuckoocwd/conf/cuckoo.yaml
nano ~/.cuckoocwd/conf/cuckoo.yaml
Edit allowed_subnets in ~/.cuckoocwd/conf/web/web.yaml to your subnet (in my case 192.168.122.0/24)
nano ~/.cuckoocwd/conf/web/web.yaml
Install cuckoo 3 docs
cd /opt/cuckoo3/docs
pip install -r requirements.txt
mkdocs build
cp -R site ../web/cuckoo/web/static/docs
Run cuckoo in debug mode
cuckoo --debug
pip install uwsgi
sudo apt-get install uwsgi uwsgi-plugin-python3 nginx -y
sudo adduser www-data cuckoo
Generate uwsgi configuration
cuckoo web generateconfig --uwsgi > cuckoo-web.ini
sudo mv cuckoo-web.ini /etc/uwsgi/apps-available/
sudo ln -s /etc/uwsgi/apps-available/cuckoo-web.ini /etc/uwsgi/apps-enabled/cuckoo-web.ini
Set STATIC_ROOT in ~/.cuckoocwd/web/web_local_settings.py:
nano ~/.cuckoocwd/web/web_local_settings.py
STATIC_ROOT = "/opt/cuckoo3/web/cuckoo/web/static"
Generate nginx configuration
cuckoo web generateconfig --nginx > cuckoo-web.conf
Nginx configuration
nano cuckoo-web.conf
In the server section, change the listen value from listen 127.0.0.1:8000; to listen 80;
sudo mv cuckoo-web.conf /etc/nginx/sites-available/cuckoo-web.conf
sudo ln -s /etc/nginx/sites-available/cuckoo-web.conf /etc/nginx/sites-enabled/cuckoo-web.conf
Delete Nginx default page
sudo rm /etc/nginx/sites-enabled/default
Restart Nginx and uwsgi
sudo systemctl restart nginx uwsgi
You can use this script to start the Cuckoo 3 daemon
#!/bin/bash
sudo /opt/cuckoo3/venv/bin/vmcloak-qemubridge br0 192.168.30.1/24
source /opt/cuckoo3/venv/bin/activate
cuckoo --quiet
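Before starting the daemon it is worth verifying that the bridge, the result server address, the snapshot IP and the tcpdump capabilities set up in the steps above agree with each other. The script below is an added example, not code from the cuckoo3 or vmcloak projects; every path and address is passed as an argument, and the demo function runs the checks over constructed copies of the guide's values rather than the live files.

```shell
#!/bin/bash
# Added pre-flight checks for a host built with this guide (not part of the
# cuckoo3 or vmcloak projects). Paths and addresses are arguments.

# Dotted IPv4 address to integer, using only shell arithmetic.
ip2int() {
    local IFS=.; set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 0 if address $1 lies inside CIDR $2, e.g. 192.168.30.20 in 192.168.30.0/24.
ip_in_cidr() {
    local net=${2%/*} bits=${2#*/} mask
    mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# 0 if /etc/qemu/bridge.conf ($1) contains an "allow <bridge>" line for $2.
bridge_allowed() {
    grep -Eq "^[[:space:]]*allow[[:space:]]+$2[[:space:]]*$" "$1"
}

# 0 if YAML file $1 has a "key: value" line with key $2 and value $3.
yaml_value_is() {
    grep -Eq "^[[:space:]]*$2:[[:space:]]*$3[[:space:]]*$" "$1"
}

# 0 if a getcap line ($1) names both capabilities and sets them "=eip",
# as the setcap step in this guide does (a loose textual check).
tcpdump_caps_ok() {
    case "$1" in *cap_net_raw*) ;; *) return 1 ;; esac
    case "$1" in *cap_net_admin*) ;; *) return 1 ;; esac
    case "$1" in *=eip*) ;; *) return 1 ;; esac
}

# Demo over constructed copies of the guide's values (not the live files):
# the bridge, the result server address and the snapshot IP must all agree.
demo() {
    local d rc; d=$(mktemp -d)
    printf 'allow br0\n' > "$d/bridge.conf"
    printf 'resultserver:\n  listen_ip: 192.168.30.1\n' > "$d/cuckoo.yaml"
    bridge_allowed "$d/bridge.conf" br0 &&
    yaml_value_is "$d/cuckoo.yaml" listen_ip 192.168.30.1 &&
    ip_in_cidr 192.168.30.1 192.168.30.0/24 &&
    ip_in_cidr 192.168.30.20 192.168.30.0/24 &&
    ! ip_in_cidr 192.168.122.1 192.168.30.0/24 &&
    tcpdump_caps_ok "/usr/bin/tcpdump cap_net_admin,cap_net_raw=eip"
    rc=$?; rm -rf "$d"; return $rc
}
```

On the real host, source the script as the cuckoo user and call the functions with the live inputs, e.g. bridge_allowed /etc/qemu/bridge.conf br0 and tcpdump_caps_ok "$(getcap /usr/bin/tcpdump)".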