Cuckoo + KVM: the easy way

I just needed some place to store this stuff, so I’m sharing it: it’s just a cheat sheet for setting up a KVM-enabled Cuckoo where guest VMs get direct internet access, or Tor access if you decide so. It uses the great cuckoo-autoinstall scripts from Daniel Gallagher.

As of today (17/02/2017), it should work right away on debian testing. It might be full of errors and you might not get the same result I did, so feel free to comment.

Setup

  1. Clone this repo.

  2. Apply the following patch (it adapts the autoinstall script to Debian testing):

    diff -Naur '--exclude=.git' cuckoo-autoinstall/cuckoo.sh cuckoo-autoinstall-debian_testing/cuckoo.sh
    --- cuckoo-autoinstall/cuckoo.sh        2017-02-17 12:30:37.231809310 +0100
    +++ cuckoo-autoinstall-debian_testing/cuckoo.sh 2017-02-15 17:22:20.729041106 +0100
    @@ -153,6 +153,7 @@
     echo -e '\e[35m[+] Configuring TcpDump \e[0m'
    
            #Configure tcpdump
    +       apt-get install tcpdump -y >/dev/null 2>&1
            chmod +s /usr/sbin/tcpdump
    
     echo -e '\e[35m[+] Installing Suricata \e[0m'
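Review bot: the added `apt-get install tcpdump -y >/dev/null 2>&1` hides both its output and its exit status, so if the install fails the following `chmod +s /usr/sbin/tcpdump` errors on a missing file and the script carries on; append `|| exit 1` or test that the binary exists before the chmod. Since the hunk is touching this block anyway, consider replacing the setuid bit, which makes tcpdump run as root for every user of the host, with the narrower `setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump` that the Cuckoo documentation recommends.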
    @@ -179,7 +180,7 @@
     echo -e '\e[35m[+] Installing PostgreSQL \e[0m'
    
            #Install PostgreSQL
    -       apt-get install postgresql-9.5 postgresql-contrib-9.5 libpq-dev -y >/dev/null 2>&1
    +       apt-get install postgresql-9.6 postgresql-contrib-9.6 libpq-dev -y >/dev/null 2>&1
            pip install psycopg2 >/dev/null 2>&1
    
     echo -e '\e[35m[+] Configuring PostgreSQL DB \e[0m'
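Review bot: pinning `postgresql-9.6` only moves the breakage to the next Debian testing version bump; the unversioned `postgresql postgresql-contrib` metapackages resolve to the current default release and would keep this line working with `libpq-dev` unchanged. As elsewhere, the `>/dev/null 2>&1` with no exit-status check means a failed install is only noticed later, when the DB configuration step runs.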
    @@ -198,7 +199,7 @@
     echo -e '\e[35m[+] Installing KVM \e[0m'
    
            #Install KVM and virt-manager
    -       apt-get install qemu-kvm libvirt-bin virt-manager libgl1-mesa-glx -y >/dev/null 2>&1
    +       apt-get install qemu-kvm libvirt-bin virt-manager libgl1-mesa-glx libvirt-clients libvirt-daemon-system -y >/dev/null 2>&1
    
            #Add current user to kvm and libvirt groups for admin
            usermod -a -G kvm $USER
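Review bot: `libvirt-clients` and `libvirt-daemon-system` are the packages that replaced `libvirt-bin` on Debian, so listing all three in one apt-get call is redundant, and once `libvirt-bin` disappears from the archive apt-get will refuse the whole command because one package name is unknown; drop `libvirt-bin` from the added line (or install the packages in separate calls so one missing name cannot take down the rest).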
    @@ -270,7 +271,7 @@
            echo "cuckoo:$cuckoo_passwd" | chpasswd >/dev/null 2>&1
            usermod -L cuckoo
            usermod -a -G kvm cuckoo
    -       usermod -a -G libvirtd cuckoo
    +       #usermod -a -G libvirtd cuckoo
            usermod -a -G cuckoo $USER
     }
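Review bot: commenting out `usermod -a -G libvirtd cuckoo` silences the error (there is no `libvirtd` group on Debian) but leaves the cuckoo user with no libvirt group membership, so it cannot manage the guests through qemu:///system without running as root. The group `libvirt-daemon-system` creates on Debian is `libvirt`; the line should become `usermod -a -G libvirt cuckoo` rather than a comment.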
    

    The output should be something like this:

    $ cd cuckoo-autoinstall
    $ patch --verbose --dry-run -p1 < ../cuckoo_autoinstall_debian_testing.patch
    Hmm...  Looks like a unified diff to me...
    The text leading up to this was:
    --------------------------
    |diff -Naur '--exclude=.git' cuckoo-autoinstall/cuckoo.sh cuckoo-autoinstall-debian_testing/cuckoo.sh
    |--- cuckoo-autoinstall/cuckoo.sh       2017-02-17 12:30:37.231809310 +0100
    |+++ cuckoo-autoinstall-debian_testing/cuckoo.sh        2017-02-15 17:22:20.729041106 +0100
    --------------------------
    checking file cuckoo.sh
    Using Plan A...
    Hunk #1 succeeded at 153.
    Hunk #2 succeeded at 180.
    Hunk #3 succeeded at 199.
    Hunk #4 succeeded at 271.
    done
    $ patch -p1 < ../cukoo_autoinstall_debian_testing.patch
    patching file cuckoo.sh
    
  3. Run cuckoo-autoinstall/cuckoo.sh

  4. Install KVM guest VMs using virt-manager or whatever you like.

  5. Once installed, run the following on the host if you want the guest VMs to have direct internet access:

    #!/bin/bash
    # Guest subnet, libvirt bridge and the host's uplink interface.
    VIRTUAL_NET="192.168.100.0/24"
    VIRTUAL_IFACE="virbr0"
    OUT_IFACE="wlo1" # or whatever you use, ethX, wlanX, etc.
    
    # Let the host route packets between interfaces.
    sysctl -w net.ipv4.ip_forward=1
    # Allow replies back to the guests, and traffic from the guest subnet out.
    iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A FORWARD -s "$VIRTUAL_NET" -i "$VIRTUAL_IFACE" -j ACCEPT
    # Hide the guests behind the host's address on the uplink.
    iptables -t nat -A POSTROUTING -o "$OUT_IFACE" -j MASQUERADE
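
The script above appends its rules every time it runs, so running it twice (or from a boot hook) stacks duplicates. Added here as an example, not the post’s script nor part of cuckoo-autoinstall, is an idempotent variant: each rule is checked with `iptables -C` before it is appended, and the FORWARD and MASQUERADE rules are narrowed to guest-subnet traffic leaving via the uplink, which the post’s rules do not do. The subnet and interface defaults are the post’s; the function names and the `apply` argument are my own.

```bash
#!/bin/bash
# Added example, not the post's script: the same NAT setup made idempotent.
# Defaults are the post's values; override them from the environment.
VIRTUAL_NET="${VIRTUAL_NET:-192.168.100.0/24}"
VIRTUAL_IFACE="${VIRTUAL_IFACE:-virbr0}"
OUT_IFACE="${OUT_IFACE:-wlo1}"   # host uplink: ethX, wlanX, ...

# ensure_rule TABLE CHAIN RULE...: append RULE to CHAIN in TABLE unless an
# identical rule already exists ("iptables -C" exits 0 when it finds one).
ensure_rule() {
    local table="$1" chain="$2"
    shift 2
    if iptables -t "$table" -C "$chain" "$@" 2>/dev/null; then
        echo "present: -t $table $chain $*"
        return 0
    fi
    iptables -t "$table" -A "$chain" "$@" && echo "added:   -t $table $chain $*"
}

# guest_nat_rules: the rule set, one "TABLE CHAIN RULE..." spec per line, so it
# can be reviewed before anything is applied. Compared with the post's rules,
# forwarding is limited to guest-subnet traffic leaving via OUT_IFACE, and
# only that subnet is masqueraded.
guest_nat_rules() {
    printf '%s\n' \
        "filter FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" \
        "filter FORWARD -s $VIRTUAL_NET -i $VIRTUAL_IFACE -o $OUT_IFACE -j ACCEPT" \
        "nat POSTROUTING -s $VIRTUAL_NET -o $OUT_IFACE -j MASQUERADE"
}

# enable_guest_internet: turn on IPv4 forwarding and apply the rules; safe to
# run repeatedly. Nothing here persists across reboots.
enable_guest_internet() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null || return 1
    while IFS= read -r spec; do
        [ -n "$spec" ] || continue
        # word splitting of $spec is intentional: table, chain, then the rule
        ensure_rule $spec || return 1
    done <<EOF
$(guest_nat_rules)
EOF
}

# Only act when called with "apply", so the file can also be sourced.
if [ "${1:-}" = "apply" ]; then
    enable_guest_internet
fi
```

Run it as root with `apply`; without arguments it only defines the functions, so you can source it and call `guest_nat_rules` to review the rule set first. The rules are not persisted across reboots; hook the script into whatever your distribution uses for that.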
    

Tor

The autoinstall script downloads and installs routetor to /opt/routetor by default, installs its scripts to /usr/sbin/, runs routetor and adds the following to the cuckoo user’s crontab:

(crontab -l -u cuckoo; echo "@reboot /usr/sbin/routetor")| crontab -u cuckoo -

So it should run on reboot and we’re good to go. If you want to enable the Tor transparent proxy, check “Enable Tor transparent proxy” on the sample submission form.

If you don’t check that option, the guest VM will have direct internet access if you added the iptables rules mentioned earlier. Otherwise, it will have no internet access at all.

Issues

I couldn’t get the dnsmasq for the cuckoo network to resolve anything, so I had to set up a new virtual network in which I defined the IP address of the local DNS server I wanted to use. If you find yourself in the same situation, recreate the virtual network:

$ virsh net-destroy cuckoo
$ virsh net-define --file cuckoo.xml
$ virsh net-autostart cuckoo
$ virsh net-start cuckoo

The cuckoo.xml file contents are the following:

<network>
  <name>cuckoo</name>
  <bridge name='virbr0' stp='on' delay='0'/>
  <mac address='52:54:00:b7:23:04'/>
  <domain name='cuckoo'/>
  <dns enable='yes'>
    <forwarder addr='YOUR_INTERNAL_DNS_SERVER_IP'/>
  </dns>
  <ip address='192.168.100.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.100.128' end='192.168.100.254'/>
    </dhcp>
  </ip>
</network>
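
A small generator for that XML, added here as an example (not from the post or from libvirt): it renders the network definition from a few variables, refuses to write the file while the forwarder address is still the placeholder or any address is not a valid IPv4 address, checks that the DHCP range sits inside the gateway’s /24, and then runs the same virsh sequence as above. It leaves out the <mac> element so libvirt generates one; the function names, the `apply` argument and the variable names are my own, and the defaults are the post’s values.

```bash
#!/bin/bash
# Added example, not from the post: render and apply the cuckoo network XML.
# Defaults are the post's values; DNS_SERVER is a placeholder you must set.
NET_NAME="${NET_NAME:-cuckoo}"
BRIDGE="${BRIDGE:-virbr0}"
GATEWAY="${GATEWAY:-192.168.100.1}"
DHCP_START="${DHCP_START:-192.168.100.128}"
DHCP_END="${DHCP_END:-192.168.100.254}"
DNS_SERVER="${DNS_SERVER:-YOUR_INTERNAL_DNS_SERVER_IP}"

# valid_ipv4 ADDR: exactly four dot-separated decimal octets, each 0..255.
valid_ipv4() {
    addr=$1
    case "$addr" in *.*.*.*) ;; *) return 1 ;; esac      # fewer than three dots
    o1=${addr%%.*}; rest=${addr#*.}
    o2=${rest%%.*};  rest=${rest#*.}
    o3=${rest%%.*};  o4=${rest#*.}
    case "$o4" in *.*) return 1 ;; esac                    # more than three dots
    for o in "$o1" "$o2" "$o3" "$o4"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac         # empty or non-numeric
        [ "$o" -le 255 ] || return 1
    done
}

# same_slash24 A B: true when both addresses share their first three octets.
same_slash24() {
    [ "${1%.*}" = "${2%.*}" ]
}

# render_network: print the libvirt network XML, or fail on bad input.
render_network() {
    for a in "$GATEWAY" "$DHCP_START" "$DHCP_END" "$DNS_SERVER"; do
        valid_ipv4 "$a" || { echo "invalid IPv4 address: $a" >&2; return 1; }
    done
    same_slash24 "$GATEWAY" "$DHCP_START" && same_slash24 "$GATEWAY" "$DHCP_END" \
        || { echo "DHCP range is outside ${GATEWAY%.*}.0/24" >&2; return 1; }
    cat <<EOF
<network>
  <name>$NET_NAME</name>
  <bridge name='$BRIDGE' stp='on' delay='0'/>
  <domain name='$NET_NAME'/>
  <dns enable='yes'>
    <forwarder addr='$DNS_SERVER'/>
  </dns>
  <ip address='$GATEWAY' netmask='255.255.255.0'>
    <dhcp>
      <range start='$DHCP_START' end='$DHCP_END'/>
    </dhcp>
  </ip>
</network>
EOF
}

# apply_network [FILE]: write the XML and (re)define the network as in the post.
apply_network() {
    file="${1:-$NET_NAME.xml}"
    render_network > "$file" || return 1
    virsh net-destroy "$NET_NAME" 2>/dev/null   # harmless if it is not running
    virsh net-define --file "$file" &&
    virsh net-autostart "$NET_NAME" &&
    virsh net-start "$NET_NAME"
}

# Only act when called with "apply", so the file can also be sourced.
if [ "${1:-}" = "apply" ]; then
    apply_network "${2:-}"
fi
```

Typical use is `DNS_SERVER=10.0.0.53 ./cuckoo-net.sh apply` as root (the file name and the address are examples); sourcing the file and calling `render_network` alone lets you inspect the XML before anything is redefined.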

virsh CHEAT SHEET

Here’s a little cheat sheet about virsh: just day-to-day stuff to manage guest VMs and snapshots from the CLI.

List VMs

# virsh list
 Id    Name                           State
----------------------------------------------------
 2     win7                           running

Create Snapshot

# virsh snapshot-create-as --domain win7 --name "win7_clean_no_office"
Domain snapshot win7_clean_no_office created

List Snapshots

# virsh snapshot-list win7
 Name                 Creation Time             State
------------------------------------------------------------
 win7_clean_no_office 2017-02-15 16:36:29 +0100 running

Get Current Snapshot Info

# virsh snapshot-info win7 --current
Name:           win7_clean_no_office
Domain:         win7
Current:        yes
State:          running
Location:       internal
Parent:         -
Children:       0
Descendants:    0
Metadata:       yes

Get Snapshot Info

# virsh snapshot-info win7 --snapshotname win7_clean_no_office
Name:           win7_clean_no_office
Domain:         win7
Current:        yes
State:          running
Location:       internal
Parent:         -
Children:       0
Descendants:    0
Metadata:       yes

Delete Snapshot

# virsh snapshot-delete win7 --snapshotname win7_clean_no_office
Domain snapshot win7_clean_no_office deleted
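
The commands above are what you end up running between every analysis, so here is a small wrapper around them, added as an example and not part of the post: it takes a clean snapshot only if the name is not already in use (so an existing baseline is never silently replaced), and resets a guest to a named snapshot after checking that the snapshot exists, reporting the domain’s state afterwards. `snapshot-revert --running` and `domstate` are standard virsh subcommands that the cheat sheet does not show; the function names and the VIRSH variable (handy for dry runs through a wrapper) are my own.

```bash
#!/bin/bash
# Added example, not from the post: snapshot hygiene for a sandbox guest.
# VIRSH can be pointed at a wrapper (e.g. a logging script) for dry runs.
VIRSH="${VIRSH:-virsh}"

# has_snapshot DOMAIN NAME: true if NAME is one of DOMAIN's snapshots.
has_snapshot() {
    "$VIRSH" snapshot-list "$1" --name 2>/dev/null | grep -qx "$2"
}

# create_clean_snapshot DOMAIN NAME: take a snapshot, refusing to reuse a name
# so an existing clean baseline is never overwritten by mistake.
create_clean_snapshot() {
    if has_snapshot "$1" "$2"; then
        echo "snapshot '$2' already exists for '$1'; delete it first" >&2
        return 1
    fi
    "$VIRSH" snapshot-create-as --domain "$1" --name "$2"
}

# reset_to_snapshot DOMAIN NAME: revert DOMAIN to NAME, leave it running and
# print the resulting domain state (expected: running).
reset_to_snapshot() {
    if ! has_snapshot "$1" "$2"; then
        echo "no snapshot '$2' for domain '$1'" >&2
        return 1
    fi
    "$VIRSH" snapshot-revert "$1" --snapshotname "$2" --running || return 1
    "$VIRSH" domstate "$1"
}

# Usage: script create DOMAIN NAME | script reset DOMAIN NAME
case "${1:-}" in
    create) create_clean_snapshot "$2" "$3" ;;
    reset)  reset_to_snapshot "$2" "$3" ;;
esac
```

For the guest in the cheat sheet that is `./vmsnap.sh reset win7 win7_clean_no_office` before each run (file name is an example); revert refuses to run if the name is mistyped instead of leaving the guest in whatever state the last sample left it.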

:wq!
