EvilOSX: A pure python, post-exploitation, remote administration tool (RAT) for macOS / OS X.

The EvilOSX can be used to target any MacOS machine and install a persistence backdoor in it. You can actually get a root access and grab Chrome passwords which the victim will see a pop up asking to allow security chains.

Features of EvilOSX:

  • Emulate a simple terminal instance.
  • Sockets are encrypted with CSR via OpenSSL.
  • No dependencies (pure python).
  • Persistence.
  • Retrieve Chrome passwords.
  • Retrieve iCloud contacts.
  • Auto installer, simply run EvilOSX on the target and the rest is handled automatically.

How to use EvilOSX and generate payload?

Let’s get started!

First, on attacker machine make sure you have python installed I’m using Kali Linux so it has already installed in it.

  1. Python (I’m using Kali Linux!)
  2. git clone: https://github.com/NoorQureshi/EvilOSX.git

After making a clone move to that directory so we can generate our payload. But before that, you need to make sure your target is in LAN or WAN?

  • If it’s in LAN then you have to use your local IP Address mine was 192.168.1.5 you will be probably something else.
  • If your target is in WAN network then you have to use public IP Address and port forwarding. (Or you can use Kali Linux from cloud)

I selected my own Mac machine as a target in LAN network so my IP Address was 192.168.1.5 and Port: 1337

How to generate payload?

After executing this command it will ask you to enter where to connect! That means you have to enter your own IP Address so the payload will bind a connection with your IP Address and it will show you a location where it generated the payload.

Copy that payload to a USB and take your USB to your victim.

Note: The victim should also need to have Python installed on his Mac if he didn’t have you can install it easily through a terminal.

OR you can automate this whole process by using rubber ducky which will also install python for you on his/her Mac and execute the payload as well.

How to execute payload manually on target Mac?

EvilOSX: A Remote Administration Tool (RAT) for macOS / OS X

How to start listening connection? 

After executing payload on victims Macbook you need to start listening to the connection to connect to his computer.

To do that:

It will ask you to Port to listen on:

You have to enter that port which you used while generating payload and enter.

congratulations you have successfully hacked your victim 🙂

Commands which you can use:

“help – Show this help menu.”
“status – Show debug information.”
“clients – Show a list of clients.”
“connect <ID> – Connect to the client.”
“get_info – Show basic information about the client.”
“get_root – Attempt to get root via exploits.”
“chrome_passwords – Retrieve Chrome passwords.”
“icloud_contacts – Retrieve iCloud contacts.”
“icloud_phish – Attempt to get iCloud password via phishing.”
“find_my_iphone – Retrieve find my iphone devices.”
“kill_client – Brutally kill the client (removes the server).”
“Any other command will be executed on the connected client.”