Orthrus is a macOS agent that uses Apple's MDM to backdoor a device using a malicious profile.

Overview

Orthrus Logo

Orthrus

Orthrus is a macOS agent that uses Apple's MDM to backdoor a device using a malicious profile. It effectively runs its own MDM server and allows the operator to interface with it using Mythic.

Talks & Publications

Installation

To install Orthrus, you'll need Mythic installed on a remote computer. You can find installation instructions for Mythic at the Mythic project page.

From the Mythic install root, run the command:

./mythic-cli install github https://github.com/MythicAgents/orthrus.git

Once installed, restart Mythic.

Orthrus uses Apple's Push Notification Service to send messages to the target device. For this reason, we need to configure APN push certificates. Some of the options for this can be found at Understanding MDM Certificates.

In my opinion, installing Server.app, setting up Profile Manager and then exporting the push cert from the keychain is the easiest way to do this. Full instructions for getting the APN certs in a more permanent way can be found here.

Instead of running the mdmctl mdmcert upload command manually, put the certificates in the C2_Profiles/mdm/certs/ folder, as apn.pem and apn.key.

Next, generate a SSL certificate for your MDM server.

DNSNAME=mdm.example.org;  (cat /etc/ssl/openssl.cnf ; printf "\n[SAN]\nsubjectAltName=DNS:$DNSNAME\n") | openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -sha256 -keyout mdm.key -out mdm.crt -subj "/CN=$DNSNAME" -reqexts SAN -extensions SAN -config /dev/stdin

Once created, base64 both the key and the certificate and put them in the config file using the Mythic UI for the MDM C2 Profile (Global Configurations -> C2 Profiles -> MDM -> Configure). Also set the mdm_host config item whilst you're here.

Restart the container.

./mythic-cli c2 start mdm

and you're good to go.

Notable Features

  • No custom code introduced to the device.
  • No beaconing behaviour, Orthrus will check in to Mythic when the operator tells it to using the force_callback command.
  • SSL certificate of the MDM server trusted for code signing upon installation.
  • Install PKG installers or Profiles.

Executing Packages

Signing

mdmclient will only execute packages that have been signed. If you do not use a signed package, it will silently fail. Usefully, the compromised device will install the TLS certificate of the MDM server (specified in the config) as a CA trusted for code sigining.

First, on an attacker box. Build a PFX file using the certificate and key from the MDM server.

openssl pkcs12 -export -out mdm.pfx -inkey mdm.key -in mdm.crt

Open the resulting pfx file to install it into the keychain.

The certificate can now be used as a signing identity.

pkg-cmd-helper

To automate the process of creating a signed package. I've put together a rough bash script to build packages that execute bash command, and subsequently sign them with an identity - pkg-cmd-helper.sh.

➜  ./pkg-cmd-helper.sh -h
Command line helper to generate pkg files that execute commands.
Author: @rookuu

Syntax: gen.sh -i com.malicious.pkg -o installme.pkg [-s 'My Signing Identity'] command
options:
-h     Print this Help.
-i     Identifier for the package.
-o     File name for the output package.
-s     (optional) Identity to use when signing the package.

➜  ./pkg-cmd-helper.sh -i com.rookuu.pkg -o example.pkg -s 192.168.0.5 mkdir /tmp/hacked
Building in /var/folders/fc/lc78954d3mnfvn4wbz8_20nc0000gn/T/tmp.mmsY0R6i
pkgbuild: Adding top-level preinstall script
pkgbuild: Wrote package to /var/folders/fc/lc78954d3mnfvn4wbz8_20nc0000gn/T/tmp.mmsY0R6i/temp.pkg
productbuild: Wrote product to /var/folders/fc/lc78954d3mnfvn4wbz8_20nc0000gn/T/tmp.mmsY0R6i/temp_dist.pkg
productsign: signing product with identity "192.168.0.5" from keychain /Library/Keychains/System.keychain
productsign: Wrote signed product archive to /var/folders/fc/lc78954d3mnfvn4wbz8_20nc0000gn/T/tmp.mmsY0R6i/temp_dist_signed.pkg
Done, see: example.pkg

Commands Manual Quick Reference

The commands available to us are dependent on the Apple MDM protocol, a full list of commands can be found on Apple's developer docs here.

General Commands

Command Syntax Description
force_callback force_callback Sends a push notification to the device, forcing it to checkin.
certificate_list certificate_list Lists installed certificates.
device_information device_information Returns general information about the device.
installed_applications installed_applications Lists installed applications.
profile_list profile_list Lists installed profiles.
provisioning_profile_list provisioning_profile_list Lists installed provisioning profiles.
security_info security_info Returns information about the security settings and features for the device.
install_profile install_profile Installs a mobile config file (upload using UI).
install_pkg install_pkg Installs a PKG installer file (upload using UI). Must be signed, see above.

Thanks

  • @its_a_feature_ for helping to troubleshoot all of the bugs in my code. :)
Owner
Mythic Agents
A centralized area for installable Mythic Agents based on https://github.com/its-a-feature/Mythic_External_Agent
Mythic Agents
Scarecrow is a tool written in Python3 allowing you to protect your Python3 scripts.

πŸ•·οΈ Scarecrow πŸ•·οΈ Scarecrow is a tool written in Python3 allowing you to protect your Python3 scripts. It looks for processes with specific names to v

Billy 33 Sep 28, 2022
WpDisect is a wordpress hacking tool that finds vulnerabilities in wordpress.

wpdisect WpDisect is a wordpress hacking tool that finds misconfigurations in wordpress. Prerequisites You need to download wordpress in the wpdisect

3 Feb 20, 2022
A simple automatic tool for finding vulnerable log4j hosts

Log4Scan A simple automatic tool for finding vulnerable log4j hosts Installation pip3 install -r requirements.txt Usage usage: log4scan.py [-h] (-f FI

Federico Rapetti 20018955 6 Mar 10, 2022
This repo is about steps to create a effective custom wordlist in a few clicks/

Custom Wordlist This repo is about steps to take in order to create a effective custom wordlist in a few clicks. this comes handing in pentesting enga

2 Oct 08, 2022
CVE-log4j CheckMK plugin

CVE-2021-44228-log4j discovery (Download the MKP package) This plugin discovers vulnerable files for the CVE-2021-44228-log4j issue. To discover this

4 Jan 08, 2022
This is the fuzzer I made to fuzz Preview on macOS and iOS like 8years back when I just started fuzzing things.

Fuzzing PDFs like its 1990s This is the fuzzer I made to fuzz Preview on macOS and iOS like 8years back when I just started fuzzing things. Some discl

Chaithu 14 Sep 30, 2022
Zero-attacker is an multipurpose hacking tool with over 12 tools

Zero Attacker Zero Attacker is bunch of tools which we made for people.These all tools are for purpose of ethical hacking and discord tools. Who is th

Asjad 300 Dec 28, 2022
Binary check tool to identify command injection and format string vulnerabilities in blackbox binaries

Binary check tool to identify command injection and format string vulnerabilities in blackbox binaries. Using xrefs to commonly injected and format string'd files, it will scan binaries faster than F

Christopher Roberts 3 Nov 16, 2021
Finite Volume simulation of the Raleigh-Taylor Instability

finitevolume2-python Finite Volume simulation of the Raleigh-Taylor Instability Create Your Own Finite Volume Fluid Simulation (With Python): Part 2 B

Philip Mocz 12 Sep 01, 2022
Pgen is the best brute force password generator and it is improved from the cupp.py

pgen Pgen is the best brute force password generator and it is improved from the cupp.py The pgen tool is dedicated to Leonardo da Vinci -Time stays l

heyheykids 2 Jan 31, 2022
Having a weak password is not good for a system that demands high confidentiality and security of user credentials

Having a weak password is not good for a system that demands high confidentiality and security of user credentials. It turns out that people find it difficult to make up a strong password that is str

PyLaboratory 0 Feb 07, 2022
Tool-X is a kali linux hacking Tool installer.

Tool-X is a kali linux hacking Tool installer. Tool-X developed for termux and other Linux based systems. using Tool-X you can install almost 370+ hacking tools in termux app and other linux based di

Rajkumar Dusad 4.2k May 29, 2022
MD5-CRACKER - A gmail brute force app created with python3

MD5-CRACKER So this is my first app i created with python3 . if you guys downloa

2 Nov 10, 2022
Analyse a forensic target (such as a directory) to find and report files found and not found from CIRCL hashlookup public service

Analyse a forensic target (such as a directory) to find and report files found and not found from CIRCL hashlookup public service. This tool can help a digital forensic investigator to know the conte

hashlookup 96 Dec 20, 2022
IDA Python Script for anti ollvm

IDA Python Script for anti ollvm

Shocker 62 Dec 23, 2022
python script for hack gmail account using brute force attack

#Creator: johnry #coded by john ry GBrute python script for hack gmail account using brute force attack Commands apt update && apt upgrade git clone h

6 Dec 09, 2022
SCodeScanner stands for Source Code scanner where the user can scans the source code for finding the Critical Vulnerabilities.

The SCodeScanner stands for Source Code Scanner, where you can scan your source code files like PHP and get identify the vulnerabilities inside it. The tool can use by Pentester, Developer to quickly

136 Dec 13, 2022
A tool used to obfuscate python scripts, bind obfuscated scripts to fixed machine or expire obfuscated scripts.

PyArmor Homepage (δΈ­ζ–‡η‰ˆη½‘η«™) Documentation(δΈ­ζ–‡η‰ˆ) PyArmor is a command line tool used to obfuscate python scripts, bind obfuscated scripts to fixed machine

Dashingsoft 1.9k Dec 30, 2022
PasswordManager is a command-line program that helps you manage your secret files like passwords

PasswordManager is a command-line program that helps you manage your secret files like passwords. It's very minimalistic and easy to use.

Michael 3 Dec 30, 2021
Password List Creator Simple !

Password List Creator Simple !

MR.D3F417 4 Jan 27, 2022