Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/tokyoneon/armor

Armor is a simple Bash script designed to create encrypted macOS payloads capable of evading antivirus scanners.
https://github.com/tokyoneon/armor

antivirus antivirus-evasion attack bypass-antivirus bypass-av encoding encryption information-security kali kali-linux kali-scripts libressl macos ncat openssl osx payload penetration-testing shell shell-script

Last synced: about 5 hours ago
JSON representation

Armor is a simple Bash script designed to create encrypted macOS payloads capable of evading antivirus scanners.

Host: GitHub
URL: https://github.com/tokyoneon/armor
Owner: tokyoneon
Created: 2018-11-06T18:41:44.000Z (about 6 years ago)
Default Branch: master
Last Pushed: 2023-08-24T08:55:00.000Z (about 1 year ago)
Last Synced: 2024-11-14T09:05:13.864Z (about 5 hours ago)
Topics: antivirus, antivirus-evasion, attack, bypass-antivirus, bypass-av, encoding, encryption, information-security, kali, kali-linux, kali-scripts, libressl, macos, ncat, openssl, osx, payload, penetration-testing, shell, shell-script
Language: Shell
Homepage:
Size: 347 KB
Stars: 279
Watchers: 12
Forks: 58
Open Issues: 5
Metadata Files:
- Readme: README.md

Awesome Lists containing this project

README

# Armor

Armor is a simple Bash script designed to create encrypted macOS payloads capable of evading antivirus scanners. Below is an example gif of Armor being used with a simple Netcat payload.

![Armor](https://raw.githubusercontent.com/tokyoneon/Armor/master/Armor.gif)

A Netcat listener is started on port 4444. The "payload.txt" file is read and shown to contain a simple Bash one-liner that, when executed, will create a TCP connection between the target MacBook at the attacker's Netcat listener. Armor is used to encrypt the bash one-liner. Ncat is used to host the decryption key on the attacker's server. When the stager is executed in the target MacBook (not shown in the gif), the bash one-liner is decrypted and executed without writing any data to the harddrive. Ncat immediately terminates the listener after the key has been used. When the Netcat connection is established, the attacker has remote access to the target MacBook.

Admittedly, encrypting most macOS-specific payloads is overkill. This specific bash one-liner is capable of bypassing antivirus without the help of Armor. But this is just an exmaple. The same degree of obfuscation can be applied to sophisticated Python, Ruby, and Shell scripts designed to execute a variety of advanced attacks.

## Installation

Armor relies on LibreSSL to encrypt the input file and create the SSL certificate. If LibreSSL isn't found in your system, Armor will attempt to install it. The function for this can be found in the `armor.sh` file. Ncat is also a dependency and can be installed in Kali using `$ apt-get update && apt-get install nmap`.

Armor can be cloned and executed using the below commands.

git clone https://github.com/tokyoneon/Armor
cd Armor/
chmod +x armor.sh
./armor.sh /path/to/payload.txt 1.2.3.4 443

The *1.2.3.4* address is the attacker's IP address where the decryption key will be hosted. This can be a local IP address or VPS. The port number (*443*), is arbitrary and can be changed as needed.

Questions and concerns:
- Twitter: @tokyoneon_
- WonderHowTo: https://creator.wonderhowto.com/tokyoneon/
- Email: dG9reW9uZW9uQHBtLm1lCg==