This week’s article on Pupy made me wish for a RAT that could be targeted at an OS frequently used by gatekeepers at startups, tech companies, and creative firms: macOS. Once run, a RAT can do particularly severe damage by dumping a user’s stored credentials for many accounts. The best loot lives in the Chrome password cache, so today we’ll be using EvilOSX, an OS X RAT, to infiltrate macOS and dump these credentials.
Systems like macOS are often neglected in terms of security training, as automatic updates and a hands-free expectation of administration are part of the experience an Apple user pays for. This makes them wonderfully easy to exploit, as a macOS user will often give permission to random system pop-ups that a Windows user might be more skeptical of.
The point of a RAT is to gain a very firm initial foothold into a target computer. For doing this, EvilOSX distinguishes itself as a very potent tool. Written primarily in Python, EvilOSX specializes in automating some devastating attacks that take advantage of the macOS environment.
EvilOSX is a pure Python, post-exploitation RAT (Remote Administration Tool) for macOS / OSX.
So what can this RAT do? To put it simply, it can easily expand our presence through a user’s Apple-related products and services. EvilOSX can bring us dramatically increased access in a matter of seconds, to the point of putting a target’s GPS location through their “Find My iPhone” app in reach. Besides this creepy ability, EvilOSX includes a bunch of useful features.
- Ability to emulate a simple terminal instance: this means we can input commands directly as though we were sitting behind the machine’s terminal interface.
- Sockets are encrypted with CSR via OpenSSL: our communications to our infected hosts are encrypted, ensuring they remain secure.
- No dependencies, aside from standard Python libraries, meaning nothing extra to install.
- Persistence, or the ability to migrate to an in-memory process, making sure that it can survive after the terminal it’s launched in is closed.
- Dumping of Chrome passwords, which we will explore today. This can be quite a lot of passwords for a lot of accounts.
- Retrieve iCloud contacts, allowing for easy targeted phishing attacks.
- A sophisticated iCloud phishing attack targeting the user’s iCloud password.
- Find and show local iOS backups, to steal device backups from the disk.
- Download and upload files, allowing you to take or install further files on the infected host.
- Retrieve Find My iPhone devices, to start learning about the owner of the devices.
- Attempt to get root via local privilege escalation based on the linked exploit of macOS, which was patched on 10/11/2015.
- A handy auto-installer. Once you run EvilOSX on the target, it takes care of the rest automatically.
What You’ll Need
EvilOSX runs on any OS that supports Python, and so this tutorial should work on Windows, macOS, and Linux systems. To successfully run this attack, you’ll need an attack computer to build payloads and listen for connections, and a target macOS computer to run the RAT and be exploited.
In this example, we’ll build a payload, start a listening server, and run the payload on our victim to start having fun with remotely controlling it! To get started, you’ll need to download EvilOSX by opening a terminal window and typing the following.
git clone https://github.com/Marten4n6/EvilOSX.git
Step 1: Building an EvilOSX Payload
To build a payload, we’ll start on our attack machine, which should have the git repository cloned from the step above. Navigate to your new EvilOSX folder by typing cd EvilOSX into a terminal window. Once inside, type ls to see the contents of the folder.
We’ll need some information to build this payload, such as the IP address of our attacking machine. To find it, you can type ip a into the terminal window, or ifconfig if you’re on a Mac. If you wanted to run this attack outside your local network, you’d need a static, public IP to do so.
Write down the IP address of your attacker machine, and then we’ll start building our payload by typing the following in the terminal.
sudo ./BUILDER EvilOSX.py
The program will ask you for the IP address of the attacking machine. Enter your IP address, and then the server port of your choice. You can use 1337 just for this build. It may complain a little, but the end result should be an “EvilOSX.py” build file located inside the “Builds” folder.
Load this file onto a USB drive, or use something like dat to copy the “EvilOSX.py” file you just created to your victim computer.
Step 2: Starting the EvilOSX Server
In order to establish the connection to our victim machine when it attempts to connect to us, we’ll have to start a server on our attacker machine to listen for it. We will do this while still inside the EvilOSX directory by running sudo python Server.py in the terminal.
The server will start, and ask you which port to listen on. That’s all! Put in the same port you used in the step before (1337), and press return to start the server.
At any point, you can type help to see all the available commands.
Now that our server is set up, let’s run our payload on the victim computer. On the victim macOS computer, run the Python payload you created by typing sudo python file_location/EvilOSX.py, with the location of your file substituted.
Once you run the Python program, it will move itself into a memory thread to reduce the risk of detection and allow the RAT to be persistent. Now that our payload is up, we can close out of the window if we want. Let’s check back on our server.
On our server, we can see the current status by typing status in the terminal window. We should see that there is a client connected. To get the ID associated with the client, type clients. Here, we can see the client “probe” has an ID of 0.
To connect to this client, we will type connect 0, with 0 substituted for the ID of the client you’re trying to connect to.
Once connected, type help to review the big, long, nasty list of things you can do. Some modules simply yield more data, while others attempt local exploits or getting root. First, let’s send the command get_info in the terminal to pull system information.
As we can see from the result, we are connected and can pull some basic data. Now, let’s test one of the more advanced modules.
Run the Chrome password dump module by typing chrome_passwords, and type y to confirm and launch the attack. This will launch a phishing attack on the victim computer, attempting to trick the user into allowing access to the Chrome keychain.
This attack is particularly effective while a user is trying to do work; they will often just accept the prompt to get it out of the way if it pops up repeatedly.
Clicking on the “Allow” button is all it takes to dump all the passwords you have stored in Chrome. If the attack is successful, you should see a lot of passwords dump onto your screen. I could show you a screenshot of a successful run, but it’s just nothing but lots and lots of creds I can’t show.
If the attack was not successful, there are plenty of additional attacks included. Type help to see some of the additional modules you can explore.
Step 5: Cleaning Up
When finished doing whatever remote administration it is that you’re doing, make sure to send a final kill_server command to kill the connection, and clean up and remove the client server. After this, you won’t be able to connect again, so make sure you’re ready to let go before running this final command.
EvilOSX has a lot of potential uses, and the attention to detail in automating certain exploits in the Apple ecosystem makes it a wonderfully targeted tool. The ease with which we can launch a phishing attack to escalate privileges or trick a user into letting us deeper into the system is remarkable, and I’m excited to see the direction of this macOS-targeted tool in the future.
If you have any questions, you can leave them in the comments here or on Twitter at @SADMIN2001!