From Zam Wiki
Latest revision as of 11:56, 26 February 2015
Installing Cuckoo 1.1 on Mac OS X Mavericks
Setting up the environment
- sudo easy_install pip
- ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
- brew install ssdeep
- sudo pip install --upgrade sqlalchemy bson jinja2 pymongo bottle pefile maec==4.0 django chardet python-magic pydeep yara
- brew install libmagic
- download the dpkt source code from code.google.com/p/dpkt/downloads/list (current version is dpkt-1.8.tar.gz, May 2013)
- extract the archive and cd into the dpkt folder
- python setup.py build
- sudo python setup.py install
- sudo pip install Mako
- tcpdump: OS X already ships it as /usr/sbin/tcpdump, so nothing needs to be installed
- sudo chmod +s /usr/sbin/tcpdump
- Cuckoo starts tcpdump as your unprivileged user, and the setuid bit is what lets it capture traffic. The same bit lets every local user run tcpdump as root, so only do this on a dedicated analysis host.
Setting up the virtual machine
- install VirtualBox on your Mac OS X
- install either Windows XP (SP1, SP2 or SP3) or Windows 7 in a new VM
- set the network connection to Host-Only Adapter. A Bridged Adapter also works, but it puts the guest, and whatever sample you run in it, directly on your LAN; Host-Only keeps it on the isolated vboxnet0 network, which the pf rules in the "Internet for Analysis Machine" section then NAT out through the host.
- power on the Windows image
- download and install Python 2.7 (https://www.python.org/ftp/python/2.7.6/python-2.7.6.msi)
- download and install PIL (http://effbot.org/downloads/PIL-1.1.7.win32-py2.7.exe)
- install additional software e.g. Microsoft Office, Adobe Reader, Mozilla Firefox, Google Chrome, Java JRE & SDK
Setting up the Cuckoo agent
- copy the agent (agent.py, found in the agent/ directory of the Cuckoo tarball) to the virtual machine
- place it in "C:\Python27\"
- rename agent.py to agent.pyw (the .pyw extension makes Windows run it with pythonw.exe, i.e. without a console window)
- double click agent.pyw to run the agent
- to verify the agent has started:
- run netstat -an in a command prompt and look for a LISTENING entry on port 8000
Setting up the sandbox
- download & extract Cuckoo from http://cuckoosandbox.org/downloads/cuckoo-current.tar.gz
- edit the conf/virtualbox.conf file
- search for label = cuckoo1 and change "cuckoo1" to the name of your virtual machine
- this name is the one shown in VirtualBox -> Settings -> General -> Basic -> Name
Internet for Analysis Machine
- Enable IP forwarding (this sysctl is not persistent; repeat it after a reboot):
sudo sysctl net.inet.ip.forwarding=1
- Basic example of rules to allow the guest Host-Only network on vboxnet0 to talk outside via the wireless adaptor (en1) on the host. Replace en1 if your uplink is a different interface (check with ifconfig).
- We are going to save these rules to a file named pfrule
echo "nat on en1 from vboxnet0:network to any -> (en1)" > ./pfrule
echo "pass inet proto icmp all" >> ./pfrule
echo "pass in on vboxnet0 proto udp from any to any port domain keep state" >> ./pfrule
echo "pass quick on en1 proto udp from any to any port domain keep state" >> ./pfrule
- Note that pf's default action when no rule matches is pass, so these rules only add the NAT; they do not limit what the guest can reach. If you want to restrict the sample's network access, add an explicit block rule for vboxnet0 ahead of the pass rules.
- Enable the packet filter (pfctl)
sudo pfctl -e
- Load the rules contained in the file (this replaces the currently loaded ruleset):
sudo pfctl -f ./pfrule
Do this on your host(Mac OS X)!
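The script below is an added example, not part of the original page or of the Cuckoo project. It generates the pf ruleset above, parses it with pfctl -n before loading so a typo cannot replace the live ruleset with nothing, and can also emit a restricted variant that blocks everything arriving from the guest network except the Cuckoo result server on the host (TCP 2042, the default resultserver port in cuckoo.conf), ICMP, DNS, HTTP and HTTPS. The interface names en1 and vboxnet0 and the file name pfrule are assumptions taken from the page; check yours with ifconfig and VBoxManage list hostonlyifs.

```shell
#!/bin/sh
# Added example (not from the original page): generate, syntax-check and load the pf
# ruleset that NATs the VirtualBox Host-Only network out through the host's uplink.
# Interface names are assumptions: check yours with `ifconfig` and
# `VBoxManage list hostonlyifs`. Run on the Mac OS X host as: sh pf_nat.sh [open|restricted]
EXT_IF="${EXT_IF:-en1}"         # host uplink (en1 = wireless on the page's machine)
VBOX_IF="${VBOX_IF:-vboxnet0}"  # VirtualBox Host-Only interface
RULES="${RULES:-./pfrule}"

# Print a pf ruleset to stdout.
#   open       - the page's rules. pf's default action when no rule matches is "pass",
#                so apart from the NAT these do not restrict the guest at all.
#   restricted - block everything arriving from the guest network, then allow only what
#                the sandbox needs: the Cuckoo result server on the host (TCP 2042, the
#                default in cuckoo.conf), ICMP, DNS, HTTP and HTTPS. In pf the last
#                matching rule wins unless a rule is marked "quick".
gen_pf_rules() {
    mode="${1:-open}"; ext="${2:-$EXT_IF}"; vb="${3:-$VBOX_IF}"
    case "$mode" in
        open|restricted) ;;
        *) echo "unknown mode: $mode (use open or restricted)" >&2; return 1 ;;
    esac
    printf 'nat on %s from %s:network to any -> (%s)\n' "$ext" "$vb" "$ext"
    if [ "$mode" = "open" ]; then
        printf 'pass inet proto icmp all\n'
        printf 'pass in on %s proto udp from any to any port domain keep state\n' "$vb"
        printf 'pass quick on %s proto udp from any to any port domain keep state\n' "$ext"
    else
        printf 'block drop in on %s all\n' "$vb"
        printf 'pass in quick on %s proto tcp from %s:network to %s port 2042 keep state\n' "$vb" "$vb" "$vb"
        printf 'pass in on %s inet proto icmp from %s:network to any keep state\n' "$vb" "$vb"
        printf 'pass in on %s proto udp from %s:network to any port domain keep state\n' "$vb" "$vb"
        printf 'pass in on %s proto tcp from %s:network to any port { http, https } keep state\n' "$vb" "$vb"
    fi
}

# Parse the file first (-n = do not load); only a ruleset that parses is activated.
load_pf_rules() {
    file="$1"
    sudo pfctl -nf "$file" || { echo "ruleset $file has syntax errors, not loading" >&2; return 1; }
    sudo sysctl net.inet.ip.forwarding=1   # not persistent across reboots
    sudo pfctl -e 2>/dev/null || true      # "pf already enabled" is not an error here
    sudo pfctl -f "$file"                  # replaces the currently loaded ruleset
    sudo pfctl -s nat                      # confirm the NAT rule is in place
}

if [ "$#" -gt 0 ]; then
    gen_pf_rules "$1" > "$RULES" || exit 1
    load_pf_rules "$RULES"
fi
```

Run it as sh pf_nat.sh open to reproduce the page's setup, or sh pf_nat.sh restricted once the sandbox works and you want the guest limited to the listed protocols. After loading, sudo pfctl -s state shows the translated connections while an analysis is running; an empty state table during an analysis usually means the guest's default gateway is not the host's vboxnet0 address.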
Saving the Virtual Machine
- Before doing this make sure you rebooted it softly and that it’s currently running, with Cuckoo’s agent running and with Windows fully booted.
- VBoxManage snapshot "<Name of VM>" take "<Name of snapshot>" --pause
- e.g. VBoxManage snapshot "XP" take "XP1" --pause
After the snapshot creation is completed, you can power off the machine and restore it:
- VBoxManage controlvm "<Name of VM>" poweroff
- VBoxManage snapshot "<Name of VM>" restorecurrent
e.g.
- VBoxManage controlvm "XP" poweroff
- VBoxManage snapshot "XP" restorecurrent
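The script below is an added example, not part of the original page or of the Cuckoo project. It checks the conditions the page asks for before the snapshot is taken (the VM is registered and running, the agent on TCP 8000 is reachable from the host, and the label in conf/virtualbox.conf matches the VM), then runs the snapshot, poweroff and restorecurrent steps and lists the snapshots so you can see the new one marked as current. The VM name XP, snapshot name XP1, guest address 192.168.56.101 and the conf path are assumptions; override them through the environment variables at the top.

```shell
#!/bin/sh
# Added example, not part of the original page: make sure the analysis VM is really
# ready before the snapshot is taken, then snapshot / power off / restore as the page
# describes. VM name, snapshot name, guest IP and conf path are assumptions.
# Run from the cuckoo directory on the Mac OS X host as: sh snapshot_vm.sh run
VM="${VM:-XP}"
SNAP="${SNAP:-XP1}"
GUEST_IP="${GUEST_IP:-192.168.56.101}"    # guest address on the Host-Only network
CONF="${CONF:-conf/virtualbox.conf}"

# Print the value of "key = value" inside [section] of a Cuckoo ini file (empty if absent).
conf_value() {
    awk -v sec="[$2]" -v key="$3" '
        $0 == sec { insec = 1; next }
        /^\[/     { insec = 0 }
        insec && $0 ~ ("^" key "[ \t]*=") { sub(/^[^=]*=[ \t]*/, ""); print; exit }
    ' "$1"
}

# Read "VBoxManage list vms" / "list runningvms" output on stdin; succeed if the VM
# named $1 is in it. Lines look like:  "XP" {uuid}
vm_registered() {
    grep -q "^\"$1\" {"
}

# The host must be able to open TCP 8000 on the guest (the agent's port); if it cannot,
# the snapshot would freeze a machine that Cuckoo can never talk to.
agent_reachable() {
    nc -z -w 3 "$1" 8000 >/dev/null 2>&1
}

# Cross-check: the label Cuckoo will drive must be the VM we are about to snapshot.
check_conf() {
    machine=$(conf_value "$CONF" virtualbox machines)
    machine="${machine%%,*}"                      # first entry of a comma-separated list
    label=$(conf_value "$CONF" "$machine" label)
    [ "$label" = "$VM" ] || { echo "$CONF: label is '$label' but VM is '$VM'" >&2; return 1; }
}

snapshot_vm() {
    VBoxManage list vms | vm_registered "$VM" \
        || { echo "VM '$VM' is not registered in VirtualBox" >&2; return 1; }
    VBoxManage list runningvms | vm_registered "$VM" \
        || { echo "VM '$VM' is not running: boot it and start agent.pyw first" >&2; return 1; }
    agent_reachable "$GUEST_IP" \
        || { echo "agent not reachable on $GUEST_IP:8000" >&2; return 1; }
    VBoxManage snapshot "$VM" take "$SNAP" --pause || return 1
    VBoxManage controlvm "$VM" poweroff || return 1
    VBoxManage snapshot "$VM" restorecurrent || return 1
    VBoxManage snapshot "$VM" list           # the new snapshot is marked with * (current)
}

if [ "$#" -gt 0 ] && [ "$1" = "run" ]; then
    check_conf && snapshot_vm
fi
```

The agent check is done from the host on purpose: netstat inside the guest only proves the agent bound port 8000, while nc from the host also proves that the Host-Only network and the Windows firewall let Cuckoo reach it, which is what the snapshot has to preserve.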
Running a Sample for the first time
In a terminal, open three separate tabs.
On tab 1,
- cd cuckoo
- python cuckoo.py
On tab 2,
- cd cuckoo/utils
- python web.py
- then open localhost:8080 in your web browser
On tab 3,
- cd cuckoo/utils
- python submit.py <filename>
Watching the first tab, wait until the analysis is done. Then refresh your browser; you should see the results there.