Proxmox Issue #104

Closed
phunki32 opened this issue Mar 11, 2020 · 35 comments

Comments

@phunki32

Hi,
I'm moving forward and am trying to use proxmox.
At first run I was missing pip3 proxmoxer. Installed fine.

Before and after I'm getting the following error:
2020-03-11 14:50:31,169 [root] DEBUG: Importing modules...
2020-03-11 14:50:31,184 [volatility.framework.interfaces.layers] DEBUG: Imported python-magic, autodetecting compressed files based on content
2020-03-11 14:50:31,739 [lib.cuckoo.core.plugins] WARNING: Unable to import plugin "modules.machinery.proxmox": cannot import name 'config'
WARNING lib.cuckoo.core.plugins: Unable to import plugin "modules.machinery.proxmox": cannot import name 'config'
2020-03-11 14:50:31,739 [root] DEBUG: Imported "auxiliary" modules:
2020-03-11 14:50:31,739 [root] DEBUG: `-- Sniffer

Did I miss something or is it a lib.cuckoo.core.plugins issue?
Thanks a lot, and beer.io is down :(

@doomedraven
Collaborator

doomedraven commented Mar 11, 2020

Ah, I have a secret :D Everything that I don't use probably doesn't work, as I use KVM, but that should be easy to fix. Hm, beer.io works here.

I have fixed the config problem in proxmox, but I don't have it to test. There are a lot of community modules that we are not using and we can't ensure 100%, but with bug fixing we are more than happy to solve it.

Can you test now?

@doomedraven
Collaborator

thank you for the beer ;)

@phunki32
Author

phunki32 commented Mar 12, 2020

Hey,
It worked: cape is running, but I'm stuck. When I try to submit a sample I get:

ERROR :-(
Error adding task to Cuckoo's database.

on the CAPE host: ufw is currently disabled.

Cuckoo.py -d does not give any output:
2020-03-12 16:57:18,080 [lib.cuckoo.core.scheduler] INFO: Using "proxmox" machine manager with max_analysis_count=0, max_machines_count=10, and max_vmstartup_count=5
2020-03-12 16:57:18,096 [lib.cuckoo.core.scheduler] INFO: Loaded 1 machine/s
2020-03-12 16:57:18,100 [lib.cuckoo.core.scheduler] INFO: Waiting for analysis tasks.

Did I miss something?
Thanks again!

@phunki32
Author

You're welcome :)

@doomedraven
Collaborator

Just a simple file upload, no? That is not related to proxmox. Maybe you had run something as root? That can break permissions.

@phunki32
Author

You're right on the spot!
I've been having issues starting cuckoo without sudo:
PermissionError: [Errno 13] Permission denied: '/opt/CAPEv2/log/cuckoo.log'

Still learning :)

@doomedraven
Collaborator

sudo chown cape:cape /opt/CAPEv2 -R
That should solve it, but then you will need to fix the permissions in /tmp, where the temp folder for uploaded samples is.

@phunki32
Author

Hi,
So I learned my error: I was installing Cape on Ubuntu Server with another username... Reinstalled with a user called cape and now the permissions are ok.
I also saw that it is now being started automatically.
Concerning Proxmox, I now get the following issue (/opt/CAPEv2/log/cuckoo.log) when sending a sample:

2020-03-13 09:39:03,071 [lib.cuckoo.core.scheduler] INFO: Using "proxmox" machine manager with max_analysis_count=0, max_machines_count=10, and max_vmstartup_count=5
2020-03-13 09:39:03,089 [lib.cuckoo.core.scheduler] INFO: Loaded 1 machine/s
2020-03-13 09:39:03,093 [lib.cuckoo.core.scheduler] INFO: Waiting for analysis tasks.
2020-03-13 09:43:56,318 [lib.cuckoo.core.scheduler] DEBUG: Task #3: Processing task
2020-03-13 09:43:56,323 [lib.cuckoo.core.scheduler] INFO: Task #3: Starting analysis of FILE '/tmp/cuckoo-tmp/upload_mazfmr89/Sample_5b2bd21e6f493d5e917681d2(3).bin'
2020-03-13 09:43:56,326 [lib.cuckoo.core.scheduler] INFO: Task #3: File already exists at '/opt/CAPEv2/storage/binaries/f4ba5e8f98fe70d764df71b7c390237b90ed0fc3408579a15a06ee56008a3531'
2020-03-13 09:43:56,336 [lib.cuckoo.core.scheduler] INFO: Task #3: acquired machine cuckoo1 (label=win10MW, platform=windows)
2020-03-13 09:43:56,343 [root] DEBUG: Now tracking machine 192.168.60.11 for task #3
2020-03-13 09:43:56,353 [lib.cuckoo.core.scheduler] ERROR: The memory dump functionality is not available for the current machine manager.
2020-03-13 09:43:56,353 [lib.cuckoo.core.scheduler] ERROR: Task #3: Failure in AnalysisManager.run: name 'ProxmoxAPI' is not defined
Traceback (most recent call last):
File "/opt/CAPEv2/lib/cuckoo/core/scheduler.py", line 298, in launch_analysis
machinery.start(self.machine.label)
TypeError: start() missing 1 required positional argument: 'task'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/opt/CAPEv2/lib/cuckoo/core/scheduler.py", line 407, in run
success = self.launch_analysis()
File "/opt/CAPEv2/lib/cuckoo/core/scheduler.py", line 355, in launch_analysis
machinery.stop(self.machine.label)
File "/opt/CAPEv2/modules/machinery/proxmox.py", line 218, in stop
self.find_vm(label)
File "/opt/CAPEv2/modules/machinery/proxmox.py", line 52, in find_vm
proxmox = ProxmoxAPI(self.options.proxmox.hostname,
NameError: name 'ProxmoxAPI' is not defined

Is this something on my side?
Thanks for the support!
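An added illustration (not CAPE's code; class and function names are constructed) of the two stacked errors in this traceback: the real failure is the `start()` signature mismatch, and the `NameError` from the missing `ProxmoxAPI` import in `stop()` is raised while handling it, which is what the "During handling of the above exception" line means. The last function checks a machinery module's `start()` against the single argument the scheduler passes.

```python
import inspect


class ProxmoxMachinery:
    """Stand-in for the machinery module as the traceback describes it
    (constructed for illustration, not CAPE's proxmox.py)."""

    def start(self, label, task):
        # scheduler.py calls start(label) only, so this signature is wrong
        return f"started {label} for task {task}"

    def stop(self, label):
        # ProxmoxAPI was never imported, mirroring "name 'ProxmoxAPI' is not defined"
        return ProxmoxAPI(label)  # noqa: F821


class FixedStart(ProxmoxMachinery):
    """Hypothetical corrected module whose start() matches the scheduler's call."""

    def start(self, label):
        return f"started {label}"


def launch_analysis(machinery, label):
    """Mimics scheduler.launch_analysis: start the VM, stop it on failure."""
    try:
        return machinery.start(label)
    except Exception:
        machinery.stop(label)  # raises again and hides the original error
        raise


def root_cause(exc):
    """Follow the implicit exception chain (__context__) back to the first error."""
    while exc.__context__ is not None:
        exc = exc.__context__
    return exc


def run_and_diagnose(machinery, label="win10MW"):
    """Return (reported error, root cause) names, as a reader of the log would want."""
    try:
        launch_analysis(machinery, label)
    except Exception as exc:
        return type(exc).__name__, type(root_cause(exc)).__name__
    return None


def start_signature_matches(machinery, expected=("label",)):
    """True if start()'s required parameters are exactly what the scheduler passes."""
    params = inspect.signature(machinery.start).parameters.values()
    required = tuple(p.name for p in params if p.default is inspect.Parameter.empty)
    return required == tuple(expected)
```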

@phunki32
Author

phunki32 commented Mar 13, 2020

I'm also getting log mails as root concerning smtp_sinkhole.sh and socksproxies.sh:
Excerpt from /var/mail/root:
Subject: Cron root@Cape cd /opt/CAPEv2/utils/ && ./smtp_sinkhole.sh
/bin/sh: 1: ./smtp_sinkhole.sh: Permission denied

And

Subject: Cron root@Cape /opt/CAPEv2/socksproxies.sh
/bin/sh: 1: /opt/CAPEv2/socksproxies.sh: not found

Is this something I should worry about?

@doomedraven
Collaborator

About crons: nope, I will need to make that optional, that is from my setup. The smtp sinkhole can be due to a missing exec permission: sudo chmod a+x /opt/CAPEv2/utils/smtp_sinkhole.sh. socksproxies is for socksproxy infra exit nodes.

About proxmoxer, I suspect you have it installed incorrectly. How did you install it? pip install or pip3 install?

About TypeError: start() missing 1 required positional argument: 'task', I will need to check. Well, you will be the person who will help to make the proxmox module work :)

@phunki32
Author

phunki32 commented Mar 13, 2020

Hehe, thank you for your continuous and efficient support!!
Concerning Proxmoxer: my bad with all the reinstalling, rollback, I forgot to reinstall proxmoxer...
I installed it, got my credentials working (the @ "realm" such as pve after the user name in the proxmox.conf is important) but still get:

2020-03-13 12:50:34,391 [lib.cuckoo.core.scheduler] INFO: Task #4: acquired machine cuckoo1 (label=win10MW, platform=windows)
2020-03-13 12:50:34,398 [root] DEBUG: Now tracking machine 192.168.60.11 for task #4
2020-03-13 12:50:34,417 [lib.cuckoo.core.scheduler] ERROR: The memory dump functionality is not available for the current machine manager.
2020-03-13 12:50:34,435 [modules.machinery.proxmox] DEBUG: Stopping VM win10MW
2020-03-13 12:50:34,457 [root] DEBUG: Stopped tracking machine 192.168.60.11 for task #4
2020-03-13 12:50:34,462 [lib.cuckoo.core.scheduler] ERROR: Task #4: Failure in AnalysisManager.run: start() missing 1 required positional argument: 'task'
Traceback (most recent call last):
File "/opt/CAPEv2/lib/cuckoo/core/scheduler.py", line 407, in run
success = self.launch_analysis()
File "/opt/CAPEv2/lib/cuckoo/core/scheduler.py", line 298, in launch_analysis
machinery.start(self.machine.label)
TypeError: start() missing 1 required positional argument: 'task'

@doomedraven
Collaborator

cool, let me see why this happens

@phunki32
Author

I also did the:
sudo chmod a+x /opt/CAPEv2/utils/smtp_sinkhole.sh

and now mail to root is saying:
Subject: Cron root@Cape cd /opt/CAPEv2/utils/ && ./smtp_sinkhole.sh
(...)
./smtp_sinkhole.sh: 10: cd: can't cd to /opt/CAPE/utils

@doomedraven
Collaborator

proxmox should be fixed, can you check it?

@phunki32
Author

Will do now. I keep reinstalling from a fresh install, is there a quicker way?

@doomedraven
Collaborator

No, git pull is the faster way.

@phunki32
Author

The proxmox issue seems fixed. But the agent.py on the analysis machine is giving me errors.
I made a snapshot with the script running via cmd; when I curl it I get:

{"message": "CAPE Agent!", "version": "0.11", "features": ["execpy", "pinning", "logs", "largefile", "unicodepath"]}

But when I submit the file, I get the following:
```
2020-03-13 15:33:21,731 [lib.cuckoo.core.guest] INFO: Starting analysis #11 on guest (id=cuckoo1, ip=192.168.60.11
snapshot = OnlineTour2)
2020-03-13 15:33:21,737 [lib.cuckoo.core.scheduler] ERROR: Cuckoo Agent failed without error status, please try upgrading to the latest version of agent.py (>= 0.10) and notify us if the issue persists.
2020-03-13 15:33:21,742 [lib.cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
2020-03-13 15:33:21,764 [modules.machinery.proxmox] DEBUG: Stopping VM win10MW
```
I'm going to try to debug the Win10 machine and will keep you posted.

@phunki32
Author

Agent.py = 0.11; copied into notepad and saved as .py.

@doomedraven
Collaborator

Well, if curl returned you this line {"message": "CAPE Agent!", "version": "0.11", "features": ["execpy", "pinning", "logs", "largefile", "unicodepath"]}

then the agent is running fine. Try this to see the problem in the terminal: https://github.com/kevoreilly/CAPEv2/wiki/Tips'n'Tricks#how-to-debug-analyzer-and-any-script-that-executes-inside-of-the-virtual-machine

@phunki32
Author

The ps command is not functioning; kill is complaining:
Usage:
kill [options] [...]

and cuckoo.py is still functioning. Should I just kill -1 the PID of cuckoo.py?

@doomedraven
Collaborator

I have pointed you to "How to debug analyzer and any script that executes inside of the virtual machine", not to kill.

@phunki32
Author

phunki32 commented Mar 13, 2020

Oh, sorry.
I couldn't find out where to stop and start CAPE in a better way, so I tried changing CAPE in /etc/systemd/system/cape.service to CAPE_DBG=1 python3 cuckoo.py -d; but now it doesn't start.

So I copied https://github.com/kevoreilly/CAPEv2/blob/master/analyzer/windows/analyzer.py
to the VM and ran it with python (3.8.2) in cmd as admin.
I get the following error:
(screenshot)

And is "DISABLE human interaction emulation" = "Disable automated interaction", or am I missing something?

Thanks for your patience

@doomedraven
Collaborator

That doesn't work that way.
1. If you don't know how systemd works, I suggest you learn the basics.
2. Copying 1 file doesn't work, as it has a lot of subfiles.

Do yourself a favor and check how to use systemd ;)

@phunki32
Author

phunki32 commented Mar 16, 2020

Thanks for the tip, I learned a bit how systemd works and found the cape.service. :)

I then started CAPE_DBG=1 python3 cuckoo.py -d . Here are the first results:
Debug Agent: (screenshot Win10_debug_1)

Cape host: (screenshot Cape_debug_1)

Debug agent: (screenshot Win10_debug_agent_1)

Just to be sure I created a new Win10 analysis machine and checked with python 3.8.0.
An issue that keeps popping up is the:
2020-03-16 12:12:11,902 [root] DEBUG: Task #19 had connection reset for <Context for b'LOG'>

Am I still missing something?

@doomedraven
Collaborator

doomedraven commented Mar 16, 2020 via email

@phunki32
Author

In the first pic I started cmd as admin, then went to the tmp folder and gave the command python analyzer.py. What am I missing?
"Start analyzer.py by hand in cmd.exe with admin privileges:
Ex: c:\windows\py.exe c:\tmp\analyzer.py"

@doomedraven
Collaborator

Hm, it doesn't make any sense that it tries to set the date and exits like nothing happened.

Can you post the output of this: cd /opt/CAPEv2 && git log -1? I suspect you are using old code.

@phunki32
Author

commit 607decb (HEAD -> master, origin/master, origin/HEAD)
Author: DoomedRaven doommedraven@gmail.com
Date: Mon Mar 16 10:51:09 2020 +0100

fix upload

@doomedraven
Collaborator

Hm, then I don't have a clue what is wrong, as it works just fine here, and that isn't a proxmox issue anymore; that is something inside of the VM. You will need to debug that by yourself: adding debug lines, using pdb, anything that is comfortable for you. Could be something in Win10 that cuts exec, idk, too many things to check.

@phunki32
Author

Just redid a try:
output cuckoo host:
2020-03-16 12:34:55,519 [lib.cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=cuckoo1, ip=192.168.60.11, size=18443821)
2020-03-16 12:34:55,796 [lib.cuckoo.core.guest] INFO: Uploading support files to guest (id=cuckoo1, ip=192.168.60.11)
2020-03-16 12:35:20,703 [root] DEBUG: Task #20: live log analysis.log initialized.
2020-03-16 12:35:33,015 [root] DEBUG: Task #20 had connection reset for <Context for b'LOG'>

Analysis Machine:
(screenshot)

@phunki32
Author

I understand, I'll do my best to try to understand what's going on. Before I go back to it, what is the:
connection reset for <Context for b'LOG'>
?

@doomedraven
Collaborator

Yes, analyzer.py shouldn't exit.
connection reset for <Context for b'LOG'> <- the VM killed the connection

The problem is inside of the VM. Check python -V, as it may be executing the wrong python if you have both; c:\windows\py.exe should be used.

Check security, firewall, all those things, but it's nothing on your host, so focus on the inside of the VM.

@phunki32
Author

Will do! Thank you very much for your patience, support and help!

@doomedraven
Collaborator

You are welcome. Let us know what it was, maybe that will help others. Leaving the issue open at the moment.

@doomedraven
Collaborator

Well, I'm closing this as the issue isn't proxmox related anymore; I hope you solved it.
