Youtube Installation Tutorial #58

Closed
JannisTriesToCode opened this issue Feb 13, 2020 · 6 comments
Comments

@JannisTriesToCode
Contributor

I have created a YT-Tutorial about the installation of peekaboo. The motivation was to make it easier for my partner in a peekaboo related study project to set up the system. I'm pretty sure that there is a lot of potential for improvement as I took a very naive approach. Please let me know about errors and possible improvements.

@michaelweiser
Contributor

Awesome stuff! This must have been a lot of effort! We should link this in both Peekaboo's and the Installer's README.md, IMO.

I watched it once with focus on factual correctness and it's really spot on for the how to do it. @Jack28 will likely have some more ideas on the topics covered and which maybe to extend into if you ever do another one. :)

Stuff that remained unclear to me:

  • What audience do you address? Should there be a warning not to try real malware in the setup you describe? Or is this intended and there perhaps should be some remarks regarding the requirements on the environment for real malware analysis (separate machine, isolated networks, ...)?
  • Where do postfix and dovecot run? On the host?

The one niggle I have with all tutorials is that most focus so much on the how that the why steps into the background. But I also get that in a tutorial you want to provide the consumer with a quick win and not bore them to death with the why. So it's a toss-up and depends on your goals and intended audience.

Anyway, I jotted down some of the whys if only for future reference by information seekers. Sorry if you actually explained some or all of that and I missed it.

  • Why Ubuntu 18.04? -> It's the latest LTS release, providing long term support and stable interfaces and recommended by Cuckoo and us. Others are possible but may require some tweaking.
  • Why VirtualBox? -> There's support for a lot of different hypervisors but we chose VirtualBox because it's Cuckoo's default and recommended hypervisor.
  • Why 192.168.56.x? -> It's just the default VirtualBox NAT network, IIRC. It can be any network but has to be consistently configured in a lot of config files.
  • What are all those networks? -> You need an analysis network to which only Cuckoo and the analysis machines are connected and from which no malware can escape, particularly if you want to play with real malware.
  • Why Windows 7 still? -> In principle it can be any Windows. Our tests with Windows 10 are still ongoing.
  • Why python2.7 on Windows? -> Cuckoo is python2.7-only currently.
  • Why Firewall off? -> So Cuckoo can reach the agent to give it work.
  • Why disable UAC? -> So malware can really exploit stuff so it triggers a lot of Cuckoo signatures.
  • Why vboxmanageapi? -> So Cuckoo can reach out from its virtual machine onto the host to start the analysis VMs.
  • What do the hosts and interfaces files do? -> They configure the mail host's FQDN for name lookups (hosts) and a predefined IP address (interfaces). Both can be adjusted at will; they just need to be consistent throughout the system.
  • Why install dovecot? -> To access a test user's mailbox via IMAP using Thunderbird (and from there send test mails via postfix's SMTP interface into the system).

For completeness:

  • in_flight_samples is only used in cluster mode ([cluster] -> instance_id != 0)

michaelweiser added a commit to michaelweiser/PeekabooAV-Installer that referenced this issue Feb 25, 2020
Add a link to @JannisTriesToCode's video tutorial to README.md as
suggested in scVENUS#58.
@michaelweiser
Contributor

@JannisTriesToCode: All the stuff you found and a link to your tutorial is now in #61. Feedback very welcome.

@JannisTriesToCode
Contributor Author

I have looked over your fixes and it seems to be consistent with my mentioned problems. However, I currently do not have the capacity to try them out.

@JannisTriesToCode
Contributor Author

Thanks for the comprehensive feedback for my tutorial. First and foremost I made it for my study partner and my future self, but figured the internet could also profit from it. I intentionally made it in such a way that it is (a rather) quick win for the user. However, I really like the explanations you gave and will include them in a pinned comment under the video.

michaelweiser added a commit to michaelweiser/PeekabooAV-Installer that referenced this issue Mar 3, 2020
Add a link to @JannisTriesToCode's video tutorial to README.md as
suggested in scVENUS#58.
@michaelweiser
Contributor

I extended the note on the link to include the phrase "testing environment". Hopefully that's enough to keep people from thinking that the setup you show is suitable for real malware. Closing this.

@michaelweiser
Contributor

And thanks again!
