Difference between revisions of "Installing Cuckoo 1.1 on Mac OS X Maverick"
From Zam Wiki
Latest revision as of 11:56, 26 February 2015
Installing Cuckoo 1.1 on Mac OS X Mavericks
Setting up the environment
- sudo easy_install pip
- ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
- brew install ssdeep
- sudo pip install --upgrade sqlalchemy bson jinja2 pymongo bottle pefile maec==4.0 django chardet python-magic pydeep yara
- brew install libmagic
- download the dpkt source code from code.google.com/p/dpkt/downloads/list (current version is dpkt-1.8.tar.gz, May 2013)
- extract the archive and cd into the dpkt folder
- python setup.py build
- sudo python setup.py install
- sudo pip install Mako
- install tcpdump
- sudo chmod +s /usr/sbin/tcpdump
Setting up the virtual machine
- install VirtualBox on your Mac OS X host
- install either Windows XP (SP1, SP2 or SP3) or Windows 7 as the guest
- set the network connection to Host-Only Adapter. You can also choose Bridged Adapter if you want
- power on the Windows XP image
- download and install Python 2.7 (https://www.python.org/ftp/python/2.7.6/python-2.7.6.msi)
- download and install PIL (http://effbot.org/downloads/PIL-1.1.7.win32-py2.7.exe)
- install additional software e.g. Microsoft Office, Adobe Reader, Mozilla Firefox, Google Chrome, Java JRE & SDK
Setting up the Cuckoo agent
- copy the agent (agent.py) to the virtual machine
- place it in "C:\Python27\"
- rename agent.py to agent.pyw
- double-click agent.pyw to run the agent
- to verify the agent has started:
- run netstat -an and look for a listening port 8000
Setting up the sandbox
- download & extract Cuckoo from http://cuckoosandbox.org/downloads/cuckoo-current.tar.gz
- edit the conf/virtualbox.conf file
- search for label = cuckoo1 and change "cuckoo1" to your VirtualBox machine name
- this name is shown at VirtualBox -> Settings -> General -> Basic -> Name
Internet for Analysis Machine
- Enable IP forwarding:
sudo sysctl net.inet.ip.forwarding=1
- Basic example of rules that allow the guest Host-Only network on vboxnet0 to talk to the outside via the wireless adaptor (en1) on the host.
- We are going to save these rules to the file pfrule
echo "nat on en1 from vboxnet0:network to any -> (en1)" > ./pfrule
echo "pass inet proto icmp all" >> ./pfrule
echo "pass in on vboxnet0 proto udp from any to any port domain keep state" >> ./pfrule
echo "pass quick on en1 proto udp from any to any port domain keep state" >> ./pfrule
- Enable the packet filter (pfctl)
sudo pfctl -e
- Load the rules contained in file:
sudo pfctl -f ./pfrule
Do this on your host (Mac OS X)!
Saving the Virtual Machine
- Before doing this, make sure you rebooted it softly and that it’s currently running, with Cuckoo’s agent running and Windows fully booted.
- VBoxManage snapshot "<Name of VM>" take "<Name of snapshot>" --pause
- e.g. VBoxManage snapshot "XP" take "XP1" --pause
After the snapshot creation is completed, you can power off the machine and restore it:
- VBoxManage controlvm "<Name of VM>" poweroff
- VBoxManage snapshot "<Name of VM>" restorecurrent
e.g.
- VBoxManage controlvm "XP" poweroff
- VBoxManage snapshot "XP" restorecurrent
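The snapshot, poweroff and restore steps above, wrapped in a small shell script that first checks the guest is actually running (the precondition the section states). This is an added example, not part of the wiki page; it assumes VBoxManage is on PATH, and the VM and snapshot names are placeholders.

```shell
#!/bin/sh
# Added example (not from the wiki): take the pause-snapshot only while the
# analysis VM is running, then power off and restore it, as the steps above do.
# Assumes VBoxManage is on PATH; "XP"/"XP1" below are placeholder names.

# Extract the VMState value from `VBoxManage showvminfo --machinereadable`
# output read on stdin, e.g. the line  VMState="running"  yields "running".
vm_state_from_info() {
    sed -n 's/^VMState="\([^"]*\)".*/\1/p'
}

# Ask VirtualBox for the current state of a VM ("running", "poweroff", ...).
vm_state() {
    VBoxManage showvminfo "$1" --machinereadable | vm_state_from_info
}

# Snapshot the running guest (agent.pyw already started inside it), then
# power it off and restore the snapshot so every analysis starts clean.
snapshot_and_restore() {
    vm="$1"; snap="$2"
    state=$(vm_state "$vm")
    if [ "$state" != "running" ]; then
        echo "refusing: VM '$vm' is in state '$state'; boot it and start the agent first" >&2
        return 1
    fi
    VBoxManage snapshot "$vm" take "$snap" --pause || return 1
    VBoxManage controlvm "$vm" poweroff || return 1
    VBoxManage snapshot "$vm" restorecurrent
}

# usage: snapshot_and_restore "XP" "XP1"
```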
Running a Sample for the first time
In a terminal, open 3 separate tabs.
On tab 1,
- cd cuckoo
- python cuckoo.py
On tab 2,
- cd cuckoo/utils
- python web.py
- then open localhost:8080 on your web browser
On tab 3,
- cd cuckoo/utils
- python submit.py <filename>
Watching the first tab, wait until the analysis is done. Then refresh your browser. You should see the results there.