This week's article on Pupy made me wish for a RAT that could be targeted at an OS frequently used by gatekeepers at startups, tech companies, and creative firms: macOS. Once run, a RAT can do particularly severe damage by dumping a user's stored credentials for many accounts. The best loot lives in the Chrome password cache, so today we'll be using EvilOSX, an OS X RAT, to infiltrate macOS and dump these credentials.
Systems like macOS are often neglected in terms of security training, as automatic updates and a hands-free expectation of administration is the experience an Apple user pays for. This makes them wonderfully easy to exploit, as a macOS user will often give permission to random system popups that a Windows user might be more skeptical of.
The point of a RAT is to gain a very firm initial foothold into a target computer. For doing this, EvilOSX distinguishes itself as a very potent tool. Written primarily in Python, EvilOSX specializes in automating some devastating attacks that take advantage of the macOS environment.
EvilOSX is a pure Python, post-exploitation RAT (Remote Administration Tool) for macOS / OSX.
So what can this RAT do? To put it simply, it can easily expand our presence through a user's Apple-related products and services. EvilOSX can bring us dramatically increased access in a matter of seconds, to the point of putting a target's GPS location from their "Find my iPhone" app in reach. Besides this creepy ability, EvilOSX has a bunch of useful features.
- Ability to emulate a simple terminal instance — This means we can input commands directly as though we were sitting behind the machine's terminal interface.
- Sockets are encrypted with CSR via OpenSSL — Our communications with our infected hosts are encrypted, ensuring they remain secure.
- No dependencies, aside from standard Python libraries, meaning nothing extra to install.
- Persistence, or the ability to migrate to an in-memory process so that it can survive after the terminal it's launched in is closed.
- Dumping of Chrome passwords, which we will explore today. This can be quite a lot of passwords for a lot of accounts.
- Retrieve iCloud contacts, allowing for easy targeted phishing attacks.
- A sophisticated iCloud phishing attack targeting the user's iCloud password.
- Find and show local iOS backups, to steal device backups from the disk.
- Download and upload files, allowing you to take or install further files on the infected host.
- Retrieve Find My iPhone devices, to start learning about the owner of the devices.
- Attempt to get root via local privilege escalation based on a linked macOS exploit, which was patched on 10/11/2015.
- A handy auto-installer. Once you run EvilOSX on the target, this takes care of the rest automatically.
EvilOSX runs on any OS that supports Python, and so this tutorial should work on Windows, macOS, and Linux systems. To successfully run this attack, you'll need an attack computer to build payloads and listen for connections, and a target macOS computer to run the RAT and be exploited.
In this example, we'll build a payload, start a listening server, and run the payload on our victim to start having fun with remotely controlling it! To get started, you'll need to download EvilOSX by opening a terminal window and typing the following.
git clone https://github.com/Marten4n6/EvilOSX.git
To build a payload, we'll start on our attack machine, which should have the git repository cloned from the step above. Navigate to your new EvilOSX folder by typing cd EvilOSX into a terminal window. Once inside, type ls to see the contents of the folder.
We'll need some information to build this payload, such as the IP address of our attacking machine. To find this, you can type ip a into the terminal window, or ifconfig if you're on a Mac. If you wanted to run this attack outside your local network, you'd need a static, public IP to do so.
Write down the IP address of your attacker machine, and then we'll start building our payload by typing the following in terminal.
sudo ./BUILDER EvilOSX.py
The program will ask you for the IP address of the attacking machine. Enter your IP address, and then the server port of your choice. You can use 1337 for this build. It may complain a little, but the end result should be an "EvilOSX.py" build file located in the "Builds" folder.
Load this file onto a USB drive, or use something like dat to copy the "EvilOSX.py" file you just created to your victim computer.
In order to establish the connection to our victim machine when it attempts to connect to us, we'll have to start a server on our attacker machine to listen for it. We will do this while still in the EvilOSX directory by running sudo python Server.py in terminal.
The server will start and ask you which port to listen on. Enter the same port you used in the previous step (1337), and press return to start the server. That's all!
At any point, you can type help to see all the available commands.
Now that our server is set up, let's run our payload on the victim computer. On the victim macOS computer, run the Python payload you created by typing sudo python file_location/EvilOSX.py, with the location of your file substituted.
Once you run the Python program, it will move itself into a memory thread to reduce the risk of detection and allow the RAT to be persistent. Now that our payload is up, we can close out of the window if we want. Let's check back on our server.
On our server, we can see the current status by typing status in the terminal window. We should see whether a client is connected. To get the ID associated with the client, type clients. Here, we can see the client "probe" has an ID of 0.
To connect to this client, we will type connect 0, with 0 substituted for the ID of the client you're trying to connect to.
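From the target's side, the connection established here is a python process holding an outbound TCP session to an unusual port (1337 in this build). The following is an added, defender-side example, not code from the article or the EvilOSX project: it parses the output of lsof -i -nP and flags established connections from a script interpreter to a port outside an allow-list. The sample lsof output, the interpreter list and the expected-port list are constructed assumptions to tune for your own hosts.

```python
import re

# Constructed sample of `lsof -i -nP` output from a monitored Mac (made up for this example).
SAMPLE_LSOF = """\
COMMAND   PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
launchd     1  root   12u  IPv6 0x1a2b      0t0  TCP *:22 (LISTEN)
Safari    812 alice   45u  IPv4 0x3c4d      0t0  TCP 192.168.1.20:50123->142.250.72.46:443 (ESTABLISHED)
python   2041  root    3u  IPv4 0x5e6f      0t0  TCP 192.168.1.20:52312->192.168.1.10:1337 (ESTABLISHED)
mDNSResponder 301 _mdnsresponder 7u IPv4 0x7a8b 0t0 UDP *:5353
"""

# Interpreters a script-based implant such as EvilOSX runs under, and ports we treat as
# normal outbound traffic. Both sets are assumptions; adjust them for your environment.
SCRIPT_HOSTS = {"python", "python2", "python3", "perl", "ruby", "osascript"}
EXPECTED_PORTS = {22, 53, 80, 443, 587, 993}

# COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME [(STATE)]
LSOF_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+\S+\s+\S+\s+\S+\s+\S+\s+"
    r"(?P<proto>TCP|UDP)\s+(?P<name>\S+)(?:\s+\((?P<state>[A-Z_]+)\))?$"
)

def parse_lsof(text):
    """Turn `lsof -i -nP` output into dicts with command, pid, user, remote port and state."""
    rows = []
    for line in text.splitlines()[1:]:            # skip the header row
        m = LSOF_RE.match(line)
        if not m:
            continue
        row = m.groupdict()
        row["pid"] = int(row["pid"])
        row["remote_port"] = None
        if "->" in row["name"]:                   # only connected sockets show a peer
            _, peer = row["name"].split("->", 1)
            row["remote_port"] = int(peer.rsplit(":", 1)[1])
        rows.append(row)
    return rows

def suspicious_connections(text):
    """Flag established TCP sessions from a script interpreter to a non-allow-listed port,
    e.g. the python client talking to Server.py on port 1337 as in this walkthrough."""
    return [
        r for r in parse_lsof(text)
        if r["proto"] == "TCP" and r["state"] == "ESTABLISHED"
        and r["cmd"].lower() in SCRIPT_HOSTS
        and r["remote_port"] not in EXPECTED_PORTS
    ]

if __name__ == "__main__":
    for hit in suspicious_connections(SAMPLE_LSOF):
        print(f"pid {hit['pid']} ({hit['cmd']}, {hit['user']}) -> remote port {hit['remote_port']}")
```

Feed it live output with subprocess or a cron-driven lsof dump; the heuristic is noisy on developer machines, so treat hits as leads to inspect, not verdicts.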
Once connected, type help to review the big, long, nasty list of things you can do. Some modules simply yield more data, while others attempt local exploits to get root. First, let's send the command get_info in the terminal to pull system information.
As we can see from the result, we are connected and can pull some basic data. Now, let's test one of the more advanced modules.
Run the chrome password dump module by typing chrome_passwords, and type y to confirm and launch the attack. This will launch a phishing attack on the victim computer, attempting to trick the user into allowing access to the Chrome keychain.
This attack is particularly effective while a user is trying to do work; they will often just accept this prompt to get it out of the way if it pops up repeatedly.
Clicking on this "Allow" button is all it takes to dump all the passwords you have stored in Chrome. If the attack is successful, you should see a lot of passwords dump onto your screen. I would show you a screenshot of a successful run, but it's just nothing but lots and lots of creds I can't show.
If the attack was not successful, there are plenty of other attacks included. Type help to see some of the other modules you can explore.
When finished doing whatever remote administration it is that you're doing, make sure to send a final kill_server command to kill the connection, and clean up and remove the client server. After this, you won't be able to connect again, so make sure you're ready to let go before running this final command.
EvilOSX has a lot of potential uses, and the attention to detail in automating certain exploits in the Apple ecosystem makes it a wonderfully targeted tool. The ease with which we can launch a phishing attack to escalate privileges or trick a user into letting us deeper into the system is remarkable, and I'm excited to see the direction of this macOS-targeted tool in the future.
If you have any questions, you can leave them in the comments here or on Twitter at @SADMIN2001!