{"id":84,"date":"2024-07-19T08:17:50","date_gmt":"2024-07-19T08:17:50","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=84"},"modified":"2024-07-19T08:17:50","modified_gmt":"2024-07-19T08:17:50","slug":"a-hackers-guide-to-building-and-automating-security-tools","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=84","title":{"rendered":"A Hacker\u2019s Guide to Building and Automating Security Tools"},"content":{"rendered":"

Cuckoo Sandbox<\/strong>\u00a0is an open-source project that allows you to run malware samples on safe virtual machines, and then analyze and report on how the malware behaved in the virtual sandbox without the threat of the malware infecting your real machine. The application is written in\u00a0Python<\/strong>, and\u00a0Cuckoo Sandbox<\/strong>\u00a0also offers\u00a0a REST API<\/strong>\u00a0. This allows a programmer using any language to fully automate many of\u00a0Cuckoo\u2019s<\/strong>\u00a0features, such as running sandboxes, running malware, and receiving reports. In this section, we\u2019ll do all of this using easy-to-use\u00a0C#<\/strong>\u00a0libraries and classes. However, there\u2019s a lot of work to do, such as setting up a virtual environment to use\u00a0Cuckoo<\/strong>\u00a0, before we can start testing and running malware samples using\u00a0C#<\/strong>. You can find more information and download\u00a0Cuckoo Sandbox<\/strong>\u00a0at https:\/\/www.cuckoosandbox.org<\/a>\/.<\/p>\n

Setting up the Cuckoo Sandbox<\/strong><\/h2>\n

In this section, we will not cover setting up\u00a0Cuckoo Sandbox<\/strong>\u00a0as the instructions can vary greatly between operating systems and dep<\/span>ending on which version\u00a0of Windows\u00a0you use as your VM sandbox. This section assumes that you have properly set up\u00a0Cuckoo Sandbox<\/strong>\u00a0with a\u00a0Windows<\/strong>\u00a0guest and that\u00a0Cuckoo is fully functional. Be sure to follow the instructions on the main\u00a0Cuckoo Sandbox<\/strong>\u00a0website\u00a0(https:\/\/cuckoo.readthedocs.io\/en\/latest\/<\/a>) for up-to-date and detailed documentation on installing and configuring the software.
In the\u00a0conf\/cuckoo.conf<\/strong>\u00a0file that comes with\u00a0Cuckoo Sandbox<\/strong>\u00a0, I recommend changing the default timeout configuration to be shorter (I set it to 15 seconds) before you start working with\u00a0the API<\/strong>\u00a0. This will make testing easier and faster. In your cuckoo.conf file, you will see a section at the bottom that looks like the listing below.<\/p>\n

The default timeout for\u00a0Cuckoo<\/strong>\u00a0testing is set to\u00a0120<\/strong>\u00a0seconds\u00a0[1]<\/strong>\u00a0. A large timeout may make you impatient to see if you have fixed the problem while debugging since you will have to wait for the timeout to expire before the report is ready, but setting this value between\u00a015<\/strong>\u00a0and\u00a030<\/strong>\u00a0seconds should be useful for our target system.<\/p>\n

Launching the Cuckoo Sandbox API manually.<\/strong><\/p>\n

Like\u00a0Nessus, Cuckoo Sandbox<\/strong>\u00a0uses the\u00a0REST<\/strong>\u00a0pattern (if you need a refresher, see the description of\u00a0REST<\/strong>\u00a0in section 5). However,\u00a0the Cuckoo Sandbox API<\/strong>\u00a0is much simpler than\u00a0the Nessus API, as we only need to interact with a couple of\u00a0<\/strong>API<\/strong>\u00a0endpoints. To do this, we will continue to use the session\/manager pattern and first implement the\u00a0CuckooSession<\/strong>\u00a0class, which defines how we will interact with\u00a0the Cuckoo Sandbox API<\/strong>. However, let\u2019s check that you have configured\u00a0Cuckoo Sandbox<\/strong>\u00a0correctly before we start writing code. <\/p>\n

Launching API<\/strong><\/p>\n

Once Cuckoo Sandbox<\/strong>\u00a0is installed,\u00a0you can run it locally using the\u00a0.\/cuckoo.py<\/strong>\u00a0command, as shown in the listing below. If you get an error message, make sure the virtual machine you are using for testing is running. <\/p>\n

\n<\/div>\n

A successful startup\u00a0of Cuckoo<\/strong>\u00a0should result in a fun\u00a0ASCII<\/strong>\u00a0art banner appearing, followed by some quick information lines about how many VMs have been booted. Once the main script has started,\u00a0Cuckoo<\/strong>\u00a0needs to start\u00a0the API<\/strong>\u00a0that we will be talking to. Both of these\u00a0Python<\/strong>\u00a0scripts need to be running at the same time! The\u00a0cuckoo.py Python<\/strong>\u00a0script is the engine of\u00a0Cuckoo Sandbox<\/strong>\u00a0. If we run the\u00a0api.py<\/strong>\u00a0script without running the\u00a0cuckoo.py script, as shown in the listing below, our\u00a0<\/strong>API<\/strong>\u00a0requests\u00a0will do nothing. In order for us to use\u00a0Cuckoo Sandbox<\/strong>\u00a0from\u00a0the API , both\u00a0<\/strong>cuckoo.py<\/strong>\u00a0and\u00a0api.py<\/strong>\u00a0need to be running\u00a0. By default,\u00a0the Cuckoo Sandbox API<\/strong>\u00a0listens on port\u00a08090<\/strong>\u00a0, as shown in the listing below.<\/p>\n

To specify\u00a0the IP<\/strong>\u00a0address to listen on (the default is\u00a0localhost<\/strong>\u00a0), you can pass\u00a0the -H<\/strong>\u00a0argument to the\u00a0utils\/api.py<\/strong>\u00a0script , which tells\u00a0the API the IP<\/strong>\u00a0address to use when listening for\u00a0API<\/strong>\u00a0requests . In this case, we\u2019ve set\u00a00.0.0.0<\/strong>\u00a0as the listening\u00a0IP<\/strong>\u00a0, which means all network interfaces (both internal and external system\u00a0IPs<\/strong>\u00a0) will have port\u00a08090<\/strong>\u00a0available for communication, since we\u2019re using the default port.\u00a0The URL<\/strong>\u00a0that\u00a0the Cuckoo API<\/strong>\u00a0is listening on is also printed to the screen after startup. This\u00a0URL<\/strong>\u00a0allows us to interact with\u00a0the API<\/strong>\u00a0to manage\u00a0Cuckoo Sandbox<\/strong>\u00a0in the rest of this section.<\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/p>\n

Checking Cuckoo\u2019s Status<\/strong><\/p>\n

We can test\u00a0the API<\/strong>\u00a0to make sure it\u2019s set up correctly using the\u00a0Curl<\/strong>\u00a0command-line tool , just as we did in previous sections for other\u00a0APIs<\/strong>\u00a0. Later in this section, we make similar\u00a0API<\/strong>\u00a0requests to create a task, watch it run until it completes, and create a file report to see how it behaved when it ran. But first, the listing below shows how to use\u00a0Curl to retrieve\u00a0<\/strong>Cuckoo Sandbox<\/strong>\u00a0state information in\u00a0JSON<\/strong>\u00a0format\u00a0using\u00a0the HTTP API<\/strong>\u00a0.<\/p>\n

The status information is quite useful and details many aspects of the\u00a0Cuckoo Sandbox<\/strong>\u00a0system. Of note is the aggregated task information\u00a0[2]<\/strong>\u00a0, which includes the number of tasks that\u00a0Cuckoo<\/strong>\u00a0has started or is running , along with their status. A task could be parsing a running file or opening a web page with\u00a0a URL<\/strong>\u00a0, although in this section we\u2019ll only look at submitting a file for analysis. You can also see the number of VMs available for analysis\u00a0[1]<\/strong>\u00a0, and the current version\u00a0of Cuckoo [3]<\/strong>\u00a0.
Great,\u00a0the API is up and running! We\u2019ll use this same status\u00a0<\/strong>API<\/strong>\u00a0endpoint\u00a0later to test our code as we write it, and to discuss\u00a0the JSON<\/strong>\u00a0it returns in more detail . For now, we just need to confirm that\u00a0the API<\/strong>\u00a0is up and running. <\/p>\n

That\u2019s all. Have a nice day, everyone!<\/p>\n

\u2764\ufe0f If you liked the article,\u00a0like and subscribe<\/strong>\u00a0to my channel\u00a0\u201cCodelivly<\/a>\u201d.<\/strong><\/p>\n

\ud83d\udc4d If you have any questions or if I would like to discuss the described hacking tools in more detail, then\u00a0write in the comments<\/strong>. Your opinion is very important to me!<\/p>","protected":false},"excerpt":{"rendered":"

Cuckoo Sandbox\u00a0is an open-source project that allows you to run malware samples on safe virtual machines, and then analyze and report on how the malware behaved in the virtual sandbox without the threat of the malware infecting your real machine. The application is written in\u00a0Python, and\u00a0Cuckoo Sandbox\u00a0also offers\u00a0a REST API\u00a0. This allows a programmer using […]<\/p>\n","protected":false},"author":1,"featured_media":86,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-84","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/84"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=84"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/84\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/86"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=84"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=84"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=84"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}