** This is beta and unstable **
This is a MacOS web honey client that reads a list of URLs from a file and uses one or more VMs running MacOS Lion to visit each one.
It runs on top of VirtualBox and, for each URL visited, it:
- Captures network traffic.
- Captures syscalls via a dtrace script.
- Dumps a RAM memory image (this can be analyzed with volafox).
*** Prerequisites on the host.
A lot of free disk space, because it takes a RAM memory dump (around 1 GiB) for each URL.
This is written in python and some libraries are required:
- paramiko for ssh connections.
It is based on VirtualBox, so a working VirtualBox 4.x is necessary.
Configure the host in the myconf.py file.
The paths are absolute.
To set the path of the network dump file, use:
VBoxManage modifyvm YOURVM --nictrace1 on --nictracefile1 YOUR/PATH/FILE
for example:
VBoxManage modifyvm lion --nictrace1 on --nictracefile1 /home/hugo/iHoneyC/dumps/lion.dump
Once you have your virtual machine configured, up and running, with the user logged in, take a snapshot and then restore it, for example:
VBoxManage snapshot lion take current1 --pause
VBoxManage snapshot lion restorecurrent
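The per-URL cycle the host runs (restore the clean snapshot, point the NIC trace at a fresh file, boot headless, dump RAM, power off) as an added example; this is not iHoneyC's runner.py. It assumes the VM name "lion", snapshot "current1" and dump directory from the commands above, and it assumes the VBoxManage "debugvm ... dumpvmcore" subcommand for the memory image, which may be named differently on older 4.x releases.

```python
# Added example, not the project's own code. Assumed: VM "lion", snapshot
# "current1", dump directory /home/hugo/iHoneyC/dumps (all from the README);
# "debugvm ... dumpvmcore" is an assumption about the VBoxManage version.
import hashlib
import subprocess

VM = "lion"
SNAPSHOT = "current1"
DUMP_DIR = "/home/hugo/iHoneyC/dumps"


def artifact_name(url: str) -> str:
    """Derive a filesystem-safe name from a suspicious URL.

    The URL list is untrusted input, so it must never be spliced into a
    path; a short hash contains no '/', '..' or shell metacharacters.
    """
    return hashlib.sha256(url.encode("utf-8")).hexdigest()[:16]


def plan_visit(url: str):
    """Return the VBoxManage argv lists run for one URL, in order."""
    name = artifact_name(url)
    return [
        # 1. Roll back to the clean, logged-in snapshot taken at setup time.
        ["VBoxManage", "snapshot", VM, "restorecurrent"],
        # 2. One network trace file per URL (the README uses a single file).
        ["VBoxManage", "modifyvm", VM, "--nictrace1", "on",
         "--nictracefile1", f"{DUMP_DIR}/{name}.dump"],
        # 3. Boot headless; the guest is then driven over ssh with paramiko
        #    (open the URL, run trace.d), which is outside this plan.
        ["VBoxManage", "startvm", VM, "--type", "headless"],
        # 4. RAM image of the guest for later analysis with volafox.
        ["VBoxManage", "debugvm", VM, "dumpvmcore",
         "--filename", f"{DUMP_DIR}/{name}.core"],
        # 5. Power off so the next URL starts from the snapshot again.
        ["VBoxManage", "controlvm", VM, "poweroff"],
    ]


def visit(url: str, dry_run: bool = True):
    """Execute the plan; with dry_run=True only the argv lists are returned."""
    plan = plan_visit(url)
    if not dry_run:
        for argv in plan:
            # Each step is its own process with argv passed as a list, so no
            # shell interprets the (hash-derived) file names.
            subprocess.run(argv, check=True)
    return plan
```

Running with dry_run=False requires a VirtualBox host with the "lion" VM prepared as described above.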
*** The guest.
A VM with MacOS Lion is necessary.
Install it in the virtual machine and configure:
- Access via ssh.
- A static IP, for the ssh connection.
- Add your user to the sudoers list, with no password.
- Create a directory dtraces and copy trace.d into it.
- Make trace.d executable: chmod +x trace.d
*** Files.
- myconf.py: configuration file for the VMs.
- runner.py: where the analyze function lives (here is all the magic).
- iHoneyC.py: the main module; deals with URLs, the queue and threads.
- urls.txt: where the suspicious URLs are read from.
UPSLP - June 2012