Difference between revisions of "Installing Cuckoo 1.1 on Mac OS X Maverick"
From Zam Wiki
Revision as of 01:48, 8 February 2015
Installing Cuckoo 1.1 on Mac OS X Mavericks
Setting up the environment
- sudo easy_install pip
- ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
- brew install ssdeep
- sudo pip install --upgrade sqlalchemy bson jinja2 pymongo bottle pefile maec==4.0 django chardet python-magic pydeep yara
- brew install libmagic
- download the dpkt source code from code.google.com/p/dpkt/downloads/list (current version is dpkt-1.8.tar.gz, May 2013)
- extract the archive and change into the dpkt folder
- python setup.py build
- sudo python setup.py install
- sudo pip install Mako
- install tcpdump
- sudo chmod +s /usr/sbin/tcpdump (sets the setuid bit so Cuckoo can capture traffic without running as root)
Setting up the virtual machine
- install VirtualBox on your Mac OS X
- install Windows XP (SP1, SP2 or SP3) or Windows 7
- set the network adapter to Host-Only Adapter (Bridged Adapter also works if you prefer)
- power on Windows XP image
- download and install Python 2.7 (https://www.python.org/ftp/python/2.7.6/python-2.7.6.msi)
- download and install PIL (http://effbot.org/downloads/PIL-1.1.7.win32-py2.7.exe)
- install additional software e.g. Microsoft Office, Adobe Reader, Mozilla Firefox, Google Chrome, Java JRE & SDK
Setting up cuckoo agent
- copy the agent (agent.py) to the virtual machine
- place it in "C:\Python27\"
- rename agent.py to agent.pyw (a .pyw file runs under pythonw.exe, without a console window)
- double-click agent.pyw to run the agent
- to verify the agent has started:
- run netstat -an and look for a listening socket on port 8000
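As an added example (not Cuckoo's own code or from this wiki), the same agent check done from the host side: it confirms that TCP 8000 on the guest accepts a connection and that the agent's XML-RPC `get_status` call answers. It assumes the Cuckoo 1.x agent's XML-RPC interface and method name, and ships a constructed stand-in agent so it can be tried offline; in real use point `check_agent` at the guest's IP instead.

```python
# Added example, not part of Cuckoo or this wiki. Cuckoo 1.x's agent.py is an
# XML-RPC server on TCP 8000; its get_status() method name is assumed here.
import socket
import threading
import xmlrpc.client
from xmlrpc.server import SimpleXMLRPCServer

AGENT_PORT = 8000


def check_agent(host, port=AGENT_PORT, timeout=3.0):
    """Probe the agent from the host side.

    Returns {'listening': bool, 'status': int|None, 'error': str|None}:
    'listening' is True when a TCP connect to host:port succeeds (what the
    netstat step shows from inside the guest); 'status' is get_status().
    """
    result = {"listening": False, "status": None, "error": None}
    try:
        with socket.create_connection((host, port), timeout=timeout):
            result["listening"] = True
    except OSError as exc:
        result["error"] = "tcp connect failed: %s" % exc
        return result
    # xmlrpc.client has no per-call timeout, so use the module-wide default.
    socket.setdefaulttimeout(timeout)
    try:
        proxy = xmlrpc.client.ServerProxy("http://%s:%d" % (host, port))
        result["status"] = proxy.get_status()
    except (xmlrpc.client.Fault, xmlrpc.client.ProtocolError, OSError) as exc:
        result["error"] = "xml-rpc call failed: %s" % exc
    return result


def start_fake_agent(port=0):
    """Constructed stand-in for agent.py so the check can run offline.
    Answers get_status() with 1 (assumed 'initialised' value). Returns
    (server, bound_port); port 0 picks a free port."""
    server = SimpleXMLRPCServer(("127.0.0.1", port), logRequests=False)
    server.register_function(lambda: 1, "get_status")
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    srv, p = start_fake_agent()
    print(check_agent("127.0.0.1", p))  # {'listening': True, 'status': 1, 'error': None}
    srv.shutdown()
    srv.server_close()
```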
Setting up the sandbox
- download & extract Cuckoo from http://cuckoosandbox.org/downloads/cuckoo-current.tar.gz
- edit the conf/virtualbox.conf file
- search for label = cuckoo1 and change "cuckoo1" to the name of your VirtualBox VM
- this is the name shown under VirtualBox -> Settings -> General -> Basic -> Name
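As an added example (not from Cuckoo or this wiki), a check that the `label` values in conf/virtualbox.conf name VMs VirtualBox actually knows, which is the misconfiguration the step above guards against. It assumes Cuckoo 1.1's INI layout for that file (a `machines` list under `[virtualbox]` and one section per machine with a `label` key) and the `"Name" {uuid}` line format of `VBoxManage list vms`; the sample config and VM list are constructed.

```python
# Added example, not part of Cuckoo or this wiki. Assumes Cuckoo 1.1's
# virtualbox.conf layout and the `"Name" {uuid}` output of `VBoxManage list vms`.
import configparser
import re
import subprocess

VBOX_LINE = re.compile(r'^"(?P<name>.+)" \{(?P<uuid>[0-9a-f-]{36})\}$')

def parse_vbox_list(output):
    """Map VM name -> UUID from the text printed by `VBoxManage list vms`."""
    vms = {}
    for line in output.splitlines():
        m = VBOX_LINE.match(line.strip())
        if m:
            vms[m.group("name")] = m.group("uuid")
    return vms

def check_labels(conf_text, vbox_output):
    """Return a list of problems; an empty list means every configured
    machine has a section whose label is a VM VirtualBox knows about."""
    cfg = configparser.ConfigParser()
    cfg.read_string(conf_text)
    known = parse_vbox_list(vbox_output)
    problems = []
    for machine in [m.strip() for m in cfg.get("virtualbox", "machines").split(",") if m.strip()]:
        if not cfg.has_section(machine):
            problems.append("machine %r is listed but has no [%s] section" % (machine, machine))
            continue
        label = cfg.get(machine, "label", fallback=machine)
        if label not in known:
            problems.append("[%s] label = %r is not a VirtualBox VM (known: %s)"
                            % (machine, label, ", ".join(sorted(known)) or "none"))
    return problems

def check_live(conf_path="conf/virtualbox.conf", vboxmanage="VBoxManage"):
    """Run the check against the real VBoxManage and config on this host."""
    out = subprocess.run([vboxmanage, "list", "vms"], capture_output=True, text=True, check=True).stdout
    with open(conf_path) as fh:
        return check_labels(fh.read(), out)

# Constructed sample: default label left as "cuckoo1" while the VM is called "XP".
SAMPLE_CONF = """[virtualbox]
machines = cuckoo1

[cuckoo1]
label = cuckoo1
platform = windows
ip = 192.168.56.101
"""
SAMPLE_VMS = '"XP" {1b9d3f8a-0000-4000-8000-000000000001}\n'
```

Running `check_labels(SAMPLE_CONF, SAMPLE_VMS)` reports the mismatch; `check_live()` does the same against your real install from the cuckoo directory.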
Internet for Analysis Machine
- Enable IP forwarding:
sudo sysctl net.inet.ip.forwarding=1
- Basic example of pf rules that let the guest's Host-Only network on vboxnet0 reach the outside through the host's wireless adaptor (en1):
echo "nat on en1 from vboxnet0:network to any -> (en1)" > ./pfrule
echo "pass inet proto icmp all" >> ./pfrule
echo "pass in on vboxnet0 proto udp from any to any port domain keep state" >> ./pfrule
echo "pass quick on en1 proto udp from any to any port domain keep state" >> ./pfrule
sudo pfctl -e
sudo pfctl -f ./pfrule
Run these on the host (Mac OS X), not inside the guest.
Saving the Virtual Machine
- Before doing this, make sure the VM was rebooted cleanly and is currently running, with Windows fully booted and Cuckoo's agent running.
- VBoxManage snapshot "<Name of VM>" take "<Name of snapshot>" --pause
- e.g. VBoxManage snapshot "XP" take "XP1" --pause
After the snapshot creation is completed, you can power off the machine and restore it:
- VBoxManage controlvm "<Name of VM>" poweroff
- VBoxManage snapshot "<Name of VM>" restorecurrent
e.g.
- VBoxManage controlvm "XP" poweroff
- VBoxManage snapshot "XP" restorecurrent
Running a Sample for the first time
In Terminal, open three separate tabs.
On tab 1,
- cd cuckoo
- python cuckoo.py
On tab 2,
- cd cuckoo/utils
- python web.py
- then open localhost:8080 on your web browser
On tab 3,
- cd cuckoo/utils
- python submit.py <filename>
Watch the first tab and wait until the analysis is done, then refresh your browser; the results should appear there.