Difference between revisions of "Installing Cuckoo 1.1 on Mac OS X Maverick"

Installing Cuckoo 1.1 on Max OS X Mavericks

Setting up the environment

1. sudo easy_install pip
2. ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
3. brew install ssdeep
4. sudo pip install --upgrade sqlalchemy bson jinja2 pymongo bottle pefile maec==4.0 django chardet python-magic pydeep yara
5. brew install libmagic
6. download dpkt source code from code.google.com/p/dpkt/downloads/list (current version is dpkt-1.8.tar.gz May 2013)
   1. extract file and move to dpkt folder
   2. python setup.py build
   3. sudo python setup.py install
7. sudo pip install Mako
8. install tcpdump
9. sudo chmod +s /usr/sbin/tcpdump

Setting up the virtual machine

1. install VirtualBox on your Mac OS X
2. install either Windows XP SP1 or SP2 or SP3 or Windows 7
3. set the network connection as Host-Only Adapter. You also can choose Bridge Adapter if you want
4. power on Windows XP image
5. download and install Python 2.7 (https://www.python.org/ftp/python/2.7.6/python-2.7.6.msi)
6. download and install PIL (http://effbot.org/downloads/PIL-1.1.7.win32-py2.7.exe)
7. install additional software e.g. Microsoft Office, Adobe Reader, Mozilla Firefox, Google Chrome, Java JRE & SDK

Setting up cuckoo agent

1. copy agent (agent.py) to virtual machine
2. place it on "C:\Python27\"
3. rename agent.py to agent.pyw
4. double click agent.pyw to run the agent
5. to verify agent has started:
   • netstat -an an look for listening port 8000

Setting up the sandbox

1. download & extract Cuckoo from http://cuckoosandbox.org/downloads/cuckoo-current.tar.gz
2. edit conf/virtualbox.conf file.
3. search for label = cuckoo1 and change "cuckoo1" to your virtual box label name
   • this name refer at Virtualbox -> Settings -> General -> Basic -> Name

Internet for Analysis Machine

• Enable IP forwarding:

sudo sysctl net.inet.ip.forwarding=1

• Basic example of rules to allow the guest Host-Only network on vboxnet0 to talk outside via the wireless adaptor (en1) on the host.
• We going to save this rule to file pfrule

echo "nat on en1 from vboxnet0:network to any -> (en1)" > ./pfrule
echo "pass inet proto icmp all" >> ./pfrule
echo "pass in on vboxnet0 proto udp from any to any port domain keep state" >> ./pfrule
echo "pass quick on en1 proto udp from any to any port domain keep state" >> ./pfrule

• Enable the packet filter (pfctl)

sudo pfctl -e

• Load the rules contained in file:

sudo pfctl -f ./pfrule

Do this on your host(Mac OS X)!

Saving the Virtual Machine

• Before doing this make sure you rebooted it softly and that it’s currently running, with Cuckoo’s agent running and with Windows fully booted.

1. VBoxManage snapshot "<Name of VM>" take "<Name of snapshot>" --pause
   • e.g. - VBoxManage snapshot "XP" take "XP1" --pause

After the snapshot creation is completed, you can power off the machine and restore it:

1. VBoxManage controlvm "<Name of VM>" poweroff
2. VBoxManage snapshot "<Name of VM>" restorecurrent

e.g.

• - VBoxManage controlvm "XP" poweroff
• - VBoxManage snapshot "XP" restorecurrent

Running a Sample for the first time
On terminal, open 3-seperated tabs.

On tab 1,

• cd cuckoo
• python cuckoo.py

On tab 2,

• cd cuckoo/utils
• python web.py
• then open localhost:8080 on your web browser

On tab 3,

• cd cuckoo/utils
• python submit.py <filename>

Watching the first tab, wait till analysis is done. Next refresh your browser. You should see the results there.

blog comments powered by Disqus