In this article,
we will learn to use EvilOSX tool which is a Remote Administrator tool (RAT )
for initialising foothold on MacOS/OSX like platform . It can dramatically
increase access in a matter of seconds.
Table of Content
·
Introduction
· Installation
· Usage in Exploitation
· Usage in Post-Exploitation
· Installation
· Usage in Exploitation
· Usage in Post-Exploitation
·
System Info
·
Webcam
·
Retrieve iCloud auth tokens
·
Microphone
·
Clipboard
EvilOSX is an
evil RAT (Remote Administrator Tool) designed to work upon macOS / OSX
Platforms. It was developed by Marten4n6.
Its backbone is famous Empire Framework Project. This project can be modified
to be used on Rubber Ducky. This toolkit is fully packed with features. It was
designed on the module system that made the debugging, improvements and
addition of other modules easy. Also being developed in python it provides easy
to be run across different attacking platforms.
Installation
The installation
of the EvilOSX RAT on the Attacker machine, which in our case in Kali Linux is
pretty simple. To begin with we will visit the EvilOSX GitHub Page. After getting
the git link, we are going to clone the EvilOSX to our attacker machine using
the git clone command.
git clone
https://github.com/Marten4n6/EvilOSX.git
After cloning
the EvilOSX, we traversed in the newly created directory created with the name
of EvilOSX. Now, the tool has some predefined requirements that are required in
order to make the tool function properly. Being a python developed tool, we
will use the “pip” to install those requirements. These requirements are given
by the author in the form of a text file which we used to install them.
pip install
-r requirements.txt
Usage in Exploitation
Since we have
successfully installed all the predefined requirements, it time to run this
tool and gain control over some macOS devices. Now to exploit, we need a
payload. To create this payload, we will use the start.py file with the builder
parameter.
python
start.py --builder
After running the script, it asked us to
enter following information:
·
the Server host, here we
entered our Attacker Machine IP Address (Kali Linux).
·
Next, it asked us for a port,
this can be any random port.
·
After this, we are asked for
the location of the location of the payload.
·
Next, we have to choose if we
want EvilOSX to work upon the rubber ducky or not. Enter 0 for otherwise.
·
Furthermore, we are asked to
choose the loader, leave it default.
·
After that we are asked to name
the payload so as phish the user.
After all these
choices, a launcher is created as shown in the image given below.
Now we can use any method to share
this launcher or payload to the victim. In our case we used a python HTTP
server to get this file to the victim
system. This file is downloaded on the victim system and then after providing
the proper permissions the payload is executed as shown in the image given
below.
chmod 777 Launcher-39q1q9.py
./Launcher-39a1a9.py
While we are
executing the Launcher on the victim, we have to perform some actions on the
attacker machine simultaneously. We are going execute the start.py again but
this time in the CLI mode. Here we have to specify the port that we used while
creating the launcher as the parameter as shown in the image.
python
start.py –cli --port 4545
Post-Exploitation
After running
the start.py script in the previous steps simultaneously with the launcher on
the victim machine, we have successfully infiltrated the Victim MacOS system.
The terminal converts in a framework as shown in the image. We can configure a
page to shown upon the running. Type in help to show a list of working
commands. We can see the list of active bots by using the command bots. To
establish a connection to a bot, use connect command followed by the number
which in this case is 0. To see the list of available modules we use modules
command.
To use a module,
just type in “use” followed by the module name. As there are a bunch of
available modules, we are demonstrating a bunch of them here for reference. You
can try them all at your convenience.
System Info
To get a brief
summary of the system, we can use the get info module. This gives us the System
Version, Model of the MacOS device. We also get the Battery status in case it
is a Laptop. We have the name of the Wi-Fi Network it is connected to. It also
tells us the privileges the current account has as well as the status of the
FileVault.
Webcam
Now, we will try
to grab a snap from the webcam of the MacOS device. To do this we will need to
use the webcam module. It gives us a warning that there a green LED will show
near the camera.
We have successfully
captured a snap from the victim’s webcam as shown in the given image.
Retrieve iCloud auth tokens
We can extract the iCloud
Authentication that contains information related to the AppleID linked to the
device. However, this will first show a prompt on the victim system.
After agreeing to
continue, a prompt will pop us as show in the image given below. This is
masquerading as a genuine prompt that will spoof the victim and make him enter
the password.
After the victim enters
password, we will successfully capture the mail ID liked to the device as well
as the access tokens as shown in the image given below.
Microphone
We can also
capture the audio from the victim device using the microphone module. After
running the command use microphone, we are asked to enter the time in seconds to
record the audio from the microphone of the victim device and also the name of
the service that would show up in the verification prompt.
Here we entered 5 seconds, and we
left the name of service to be blanked which made the RAT to take it as random
sting as shown in the given image. A permission prompt pops up on the victim
system asking for the permission to access the microphone.
After allowing the we have the
recorder audio in the mp3 format saved on out attacker machine in the tmp
directory.
Clipboard
We can also
sniff the clipboard data from the victim machine. To do this we will have to
use the clipboard. This will start the sniffer on the victim machine for the
specified time in seconds. After starting the sniffer, any text that the victim
will copy can be viewed as shown in the image given below.
Conclusion
EvilOSX has a lot of uses, and the attention
to detail in automating certain exploits makes it a great dedicated tool for
OSX. The ease with which it works and attacks is remarkable, we can launch
phishing attack to escalate privileges or trick a user into letting us deeper
into the system. It’s a great tool and amazing to use as it traverses itself to
connect apple devices.
0 comments:
Post a Comment