Installing Cuckoo 1.1 on Mac OS X Maverick

From Zam Wiki
Revision as of 11:56, 26 February 2015 by Zam (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Installing Cuckoo 1.1 on Max OS X Mavericks


Setting up the environment

  1. sudo easy_install pip
  2. ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
  3. brew install ssdeep
  4. sudo pip install --upgrade sqlalchemy bson jinja2 pymongo bottle pefile maec==4.0 django chardet python-magic pydeep yara
  5. brew install libmagic
  6. download dpkt source code from code.google.com/p/dpkt/downloads/list (current version is dpkt-1.8.tar.gz May 2013)
    1. extract file and move to dpkt folder
    2. python setup.py build
    3. sudo python setup.py install
  7. sudo pip install Mako
  8. install tcpdump
  9. sudo chmod +s /usr/sbin/tcpdump




Setting up the virtual machine

  1. install VirtualBox on your Mac OS X
  2. install either Windows XP SP1 or SP2 or SP3 or Windows 7
  3. set the network connection as Host-Only Adapter. You also can choose Bridge Adapter if you want
  4. power on Windows XP image
  5. download and install Python 2.7 (https://www.python.org/ftp/python/2.7.6/python-2.7.6.msi)
  6. download and install PIL (http://effbot.org/downloads/PIL-1.1.7.win32-py2.7.exe)
  7. install additional software e.g. Microsoft Office, Adobe Reader, Mozilla Firefox, Google Chrome, Java JRE & SDK


Setting up cuckoo agent

  1. copy agent (agent.py) to virtual machine
  2. place it on "C:\Python27\"
  3. rename agent.py to agent.pyw
  4. double click agent.pyw to run the agent
  5. to verify agent has started:
    • netstat -an an look for listening port 8000


Setting up the sandbox

  1. download & extract Cuckoo from http://cuckoosandbox.org/downloads/cuckoo-current.tar.gz
  2. edit conf/virtualbox.conf file.
  3. search for label = cuckoo1 and change "cuckoo1" to your virtual box label name
    • this name refer at Virtualbox -> Settings -> General -> Basic -> Name




Internet for Analysis Machine

  • Enable IP forwarding:
sudo sysctl net.inet.ip.forwarding=1
  • Basic example of rules to allow the guest Host-Only network on vboxnet0 to talk outside via the wireless adaptor (en1) on the host.
  • We going to save this rule to file pfrule
echo "nat on en1 from vboxnet0:network to any -> (en1)" > ./pfrule
echo "pass inet proto icmp all" >> ./pfrule
echo "pass in on vboxnet0 proto udp from any to any port domain keep state" >> ./pfrule
echo "pass quick on en1 proto udp from any to any port domain keep state" >> ./pfrule
  • Enable the packet filter (pfctl)
sudo pfctl -e
  • Load the rules contained in file:
sudo pfctl -f ./pfrule

Do this on your host(Mac OS X)!




Saving the Virtual Machine

  • Before doing this make sure you rebooted it softly and that it’s currently running, with Cuckoo’s agent running and with Windows fully booted.
  1. VBoxManage snapshot "<Name of VM>" take "<Name of snapshot>" --pause
    • e.g. - VBoxManage snapshot "XP" take "XP1" --pause


After the snapshot creation is completed, you can power off the machine and restore it:

  1. VBoxManage controlvm "<Name of VM>" poweroff
  2. VBoxManage snapshot "<Name of VM>" restorecurrent

e.g.

  • - VBoxManage controlvm "XP" poweroff
  • - VBoxManage snapshot "XP" restorecurrent




Running a Sample for the first time
On terminal, open 3-seperated tabs.

On tab 1,

  • cd cuckoo
  • python cuckoo.py

On tab 2,

  • cd cuckoo/utils
  • python web.py
  • then open localhost:8080 on your web browser

On tab 3,

  • cd cuckoo/utils
  • python submit.py <filename>


Watching the first tab, wait till analysis is done. Next refresh your browser. You should see the results there.


blog comments powered by Disqus