EvilOSX : A Remote Administration Tool (RAT) for macOS / OS X | Lucideus Research

Introduction
EvilOSX is a pure-Python post-exploitation RAT (Remote Administration Tool) for macOS / OS X.
Features of EvilOSX:
  • Emulate a simple terminal instance
    This means we can input commands directly, as though we were sitting at the machine's terminal.
  • Sockets are encrypted with CSR via OpenSSL
    Our communications with infected hosts are encrypted, so they remain confidential on the wire.
  • No dependencies (pure python)
    No dependencies, aside from standard Python libraries, meaning nothing extra to install.
  • Persistence
    The ability to migrate to an in-memory process so that it can survive after the terminal it's launched in is closed.
  • Retrieve Chrome passwords
  • Retrieve iCloud contacts
  • Attempt to get iCloud password via phishing
  • Show local iOS backups
  • Download and upload files
  • Retrieve Find My iPhone devices
  • Attempt to get root via local privilege escalation (<= 10.10.5)
    Attempt to get root via local privilege escalation based on the linked exploit of macOS, which was patched on 10/11/2015.
  • Auto installer, simply run EvilOSX on the target and the rest is handled automatically
Download EvilOSX: https://github.com/Marten4n6/EvilOSX
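
As a defender-side check added to this page (it is not code from the original post or from the EvilOSX project), the following script shows what a pure-Python implant like the one described above looks like from the host side: an interpreter process holding an established TCP connection to a remote peer. It parses `lsof -nP -iTCP -sTCP:ESTABLISHED` style rows; the sample rows, PIDs, users and addresses are constructed, and the list of interpreter names is an assumption.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample of `lsof -nP -iTCP -sTCP:ESTABLISHED` output; the
# PIDs, users and addresses are made up for this example.
SAMPLE_LSOF = """\
COMMAND     PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
Safari     4021 alice  12u  IPv4 0x1a2b      0t0  TCP 192.168.1.20:52310->93.184.216.34:443 (ESTABLISHED)
python2.7  4457 alice   3u  IPv4 0x1a2c      0t0  TCP 192.168.1.20:52399->192.168.1.50:1337 (ESTABLISHED)
python3    4460 alice   5u  IPv4 0x1a2d      0t0  TCP 127.0.0.1:8888->127.0.0.1:52401 (ESTABLISHED)
sshd        812 root    4u  IPv4 0x1a2e      0t0  TCP 192.168.1.20:22->192.168.1.77:60123 (ESTABLISHED)
"""

# Interpreters a script-based implant would run under (assumed list).
INTERPRETERS = ("python", "perl", "ruby", "osascript")


@dataclass(frozen=True)
class Connection:
    command: str
    pid: int
    user: str
    local: str
    remote: str


def parse_lsof(text):
    """Parse `lsof -i` style rows into Connection records (established TCP only)."""
    records = []
    for line in text.splitlines()[1:]:  # first line is the column header
        parts = line.split()
        # Columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME [STATE]
        if len(parts) < 9 or parts[7] != "TCP" or "->" not in parts[8]:
            continue
        local, remote = parts[8].split("->", 1)
        records.append(Connection(parts[0], int(parts[1]), parts[2], local, remote))
    return records


def remote_ip(endpoint):
    """Return the IP part of 'host:port' (rsplit keeps IPv6 literals intact)."""
    host = endpoint.rsplit(":", 1)[0]
    return ipaddress.ip_address(host.strip("[]"))


def find_interpreter_beacons(records):
    """Return connections where an interpreter process talks to a non-loopback peer.

    Loopback peers are skipped because local dev tools (notebooks, debuggers)
    legitimately use them. Private LAN peers are kept, since in the scenario
    above the attacker's listener sits on the same network as the victim.
    """
    hits = []
    for rec in records:
        if not rec.command.lower().startswith(INTERPRETERS):
            continue
        if remote_ip(rec.remote).is_loopback:
            continue
        hits.append(rec)
    return hits


def describe(rec):
    """One-line triage summary for a flagged connection."""
    ip = remote_ip(rec.remote)
    scope = "private" if ip.is_private else "public"
    return f"pid {rec.pid} ({rec.command}, user {rec.user}) -> {rec.remote} [{scope} peer]"


if __name__ == "__main__":
    for hit in find_interpreter_beacons(parse_lsof(SAMPLE_LSOF)):
        print("REVIEW:", describe(hit))
```

On a live host, feed it the real `lsof` output instead of the constructed sample; a hit is a starting point for triage (inspect the process's command line and parent), not proof of compromise on its own.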

Exploitation
Step 1 - Making the payload
The builder asks for the IP address of the attacking machine. Enter your IP address, then the server port of your choice. It may complain a little, but the end result should be an "EvilOSX.py" build file in the "Builds" folder.
Command - ./BUILDER EvilOSX.py


Step 2 - Starting the Server
To accept the connection when the victim machine calls back, we have to start a server on the attacker machine that listens for it. We do this, still in the EvilOSX directory, by running
Command - ./Server


Step 3 - Social Engineering
Transfer the file to the victim by any method, then ask them to run it.
Command - python filename.py
Success
As soon as the victim runs the file, the machine is compromised without the victim's knowledge and the attacker has a shell.
Help Menu
Command - help - Displays available options to the user.


Available Commands
Status - Shows the attacker whether the victim is currently connected or not.


Clients - Lists the online clients, i.e. the machines on which the file has been run.


Connect - Establishes the connection to the victim.
Get_info - Returns all the information about the victim machine.
State - Not Working

Get_root - Attempts to give the attacker root access on the victim machine.
State - Not Working
Download - Lets the attacker download any type of file from the victim machine.

Upload - Lets the attacker upload any file to the victim machine.


Chrome_password - Steals all the passwords stored in the victim's Google Chrome.
State - Not Working
icloud_contacts - This attack can steal all the passwords from the victim's iCloud and give them to the attacker.
State - Not Working
icloud_phish - Displays a fake iCloud sign-in popup on the victim machine in order to obtain the password for his/her account.


Cleaning Up
When you have finished whatever remote administration you are doing, make sure to send a final kill_server command to close the connection and clean up and remove the client. After this you won't be able to connect again, so make sure you're ready to let go before running this final command.

