This port detection is achieved using ps, a tool used to view running background processes. The first line ( n=$(ps aux | grep -o 234)), creates a variable n, which checks to see if port 1234 is already open. The netcat listener will open port 1234 on the macOS device.
There are a few things going on in the script, so I’ll do my best to break it down for readers who aren’t familiar with BASH. The script will need to be typed manually while in single-user mode, so I tried to keep it as simple as possible. Type the following BASH script into the nano terminal, then save and exit by pressing Ctrl + X, then Y, then Enter/Return. Nano can be used to create the payload using the below command. In real attack scenarios, it would make sense to hide the file in a less obvious directory with a less obvious name.
Netcat reverse shell listener mac how to#
For now, I’ll show how to connect to the backdoored MacBook on a shared Wi-Fi network.įor simplicity sake, I’m saving the persistence script to the /etc/ directory and calling the file payload. Continue holding both of the keys until white text appears on the screen.įacilitating persistence to the backdoored device as it moves between Wi-Fi networks in different parts of the world is outside the scope of this demonstration, so stay tuned for future articles. To access single-user mode, power on the target MacBook while holding the Command + S buttons on the keyboard at the same time. Unfortunately, single-user mode is very easily accessed and abused by hackers. Single-user mode was designed for troubleshooting, debugging boot errors, and repairing disk issues, among many other administrative tasks. To begin the attack, single-user mode (another feature of macOS), will be used. To ensure the netcat backdoor is always available, a cron job will be created to persistently open a new netcat listener after it’s closed. Cron jobs are often used by system administrators to automate repetitive tasks, such as creating weekly backups, and executing a specific task when the OS reboots. Netcat is one of the tools already built into macOS that will be utilized during this attack.Ĭron is a task scheduler found in Unix-like operating systems such as Debian, Ubuntu, and macOS. Its list of features includes port scanning, transferring files, and port listening to create backdoors into operating systems and networks. Netcat (referred to as only nc from the command line) is a networking utility which can be used to create TCP or UDP connections. This means not installing advanced payloads which actively evade antivirus detection but instead using applications which are already installed and will not be flagged as malicious. To keep things simple, I’ll exercise a technique coined “living off the land”, which encourages penetration testers to utilize as many resources already present on the compromised device during post-exploitation attacks. There are quite a few payloads, RATs, and backdoors which can be deployed against MacBooks. But the absence of hard drive encryption allows attackers complete access to the files on a MacBook - without a password. Those who do enable it may end up disabling it later due to slower write speeds or encrpytion negatively impacting the CPU. To my surprise, macOS does not use FileVault hard drive encryption (though it may ask to enable it during a clean macOS install/upgrade) or a firewall by default.
0 kommentar(er)
