PoisonApple - macOS Persistence Tool
2021-04-20 11:12:04 Author: mp.weixin.qq.com (view original) Reads: 165


Source: Khan安全攻防实验室

   A command-line tool to perform various persistence mechanism techniques on macOS.

Installation:

$ pip3 install poisonapple --user

Note: PoisonApple was written and tested with Python 3.9, and should work on Python 3.6+.

Warning!

  • PoisonApple makes modifications to your macOS system; it is recommended to run it only inside a virtual machine. Although any persistence mechanism added with this tool can also be removed easily (-r), use it with care.

  • Be aware: this tool may cause common AV / EDR / other macOS security products to generate alerts.

Usage

$ poisonapple --help
usage: poisonapple [-h] [-l] [-t TECHNIQUE] [-n NAME] [-c COMMAND] [-r]

Command-line tool to perform various persistence mechanism techniques on macOS.

optional arguments:
  -h, --help            show this help message and exit
  -l, --list            list available persistence mechanism techniques
  -t TECHNIQUE, --technique TECHNIQUE
                        persistence mechanism technique to use
  -n NAME, --name NAME  name for the file or label used for persistence
  -c COMMAND, --command COMMAND
                        command(s) to execute for persistence
  -r, --remove          remove persistence mechanism

$ poisonapple --list

[PoisonApple ASCII-art banner] v0.2.1

+--------------------+
| AtJob              |
+--------------------+
| Bashrc             |
+--------------------+
| Cron               |
+--------------------+
| CronRoot           |
+--------------------+
| Emond              |
+--------------------+
| LaunchAgent        |
+--------------------+
| LaunchAgentUser    |
+--------------------+
| LaunchDaemon       |
+--------------------+
| LoginHook          |
+--------------------+
| LoginHookUser      |
+--------------------+
| LoginItem          |
+--------------------+
| LogoutHook         |
+--------------------+
| LogoutHookUser     |
+--------------------+
| Periodic           |
+--------------------+
| Reopen             |
+--------------------+
| Zshrc              |
+--------------------+

Adding a persistence mechanism:

$ poisonapple -t LaunchAgentUser -n testing

[PoisonApple ASCII-art banner] v0.2.1

[+] Success! The persistence mechanism action was successful: LaunchAgentUser

If no command is specified (-c), a default trigger command is used; it appends a line to a file on the Desktop every time the persistence mechanism fires:

$ cat ~/Desktop/PoisonApple-LaunchAgentUser
Triggered @ Tue Mar 23 17:46:02 CDT 2021
Triggered @ Tue Mar 23 17:46:13 CDT 2021
Triggered @ Tue Mar 23 17:46:23 CDT 2021
Triggered @ Tue Mar 23 17:46:33 CDT 2021
Triggered @ Tue Mar 23 17:46:43 CDT 2021
Triggered @ Tue Mar 23 17:46:53 CDT 2021
Triggered @ Tue Mar 23 17:47:03 CDT 2021
Triggered @ Tue Mar 23 17:47:13 CDT 2021
Triggered @ Tue Mar 23 17:48:05 CDT 2021
Triggered @ Tue Mar 23 17:48:15 CDT 2021

Removing a persistence mechanism:

$ poisonapple -t LaunchAgentUser -n testing -r

Custom command:

$ poisonapple -t LaunchAgentUser -n foo -c "echo foo >> /Users/user/Desktop/foo"
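The page shows the tool's output but not what a LaunchAgentUser entry actually looks like on disk, nor how a defender would find one. The following is an added example (not PoisonApple's own code): it writes a launchd property list in the same style as the `-n foo -c "echo foo >> ..."` invocation above, removes it again (the `-r` behaviour), and audits a LaunchAgents directory for shell-wrapped commands. The `MARKER` prefix, the `agents_dir` parameter and the 10-second `StartInterval` are assumptions of this example; the interval is inferred from the 10-second cadence in the Desktop log above, not taken from the project's source.

```python
"""LaunchAgent-style persistence and a matching audit (added example, not PoisonApple code)."""
import plistlib
from pathlib import Path

# Assumptions of this example: PoisonApple's plist layout is not shown on the page.
# The 10-second spacing of the "Triggered @" lines above suggests StartInterval = 10.
DEFAULT_INTERVAL = 10
MARKER = "PoisonApple"  # hypothetical file-name prefix so the audit can spot our entries


def build_launch_agent(label, command, interval=DEFAULT_INTERVAL):
    """Return the dictionary launchd expects for a user LaunchAgent.

    The command is wrapped in /bin/sh -c so shell redirections (>> file) work,
    matching the `-c "echo foo >> ..."` style shown on the page.
    """
    return {
        "Label": label,
        "ProgramArguments": ["/bin/sh", "-c", command],
        "RunAtLoad": True,          # fire once when the agent is loaded (login)
        "StartInterval": interval,  # then re-fire every N seconds
    }


def install_launch_agent(agents_dir, name, command):
    """Write <agents_dir>/<MARKER>-<name>.plist (LaunchAgentUser style) and return its path.

    agents_dir is a parameter so the function can be exercised against a temp
    directory; on a real host it would be Path.home() / "Library/LaunchAgents".
    Loading the agent into launchd (launchctl load) is deliberately left to the caller.
    """
    agents_dir = Path(agents_dir)
    agents_dir.mkdir(parents=True, exist_ok=True)
    label = "{}-{}".format(MARKER, name)
    path = agents_dir / (label + ".plist")
    with path.open("wb") as fh:
        plistlib.dump(build_launch_agent(label, command), fh)
    return path


def remove_launch_agent(agents_dir, name):
    """Delete the plist written by install_launch_agent; mirrors the tool's -r flag."""
    path = Path(agents_dir) / "{}-{}.plist".format(MARKER, name)
    if path.exists():
        path.unlink()
        return True
    return False


def audit_launch_agents(agents_dir):
    """Defender side: list every agent plist with its label and the command it runs.

    Entries whose ProgramArguments are `<shell> -c <string>` are flagged, because
    that is how one-liner persistence like the examples above is usually installed.
    """
    findings = []
    for path in sorted(Path(agents_dir).glob("*.plist")):
        try:
            with path.open("rb") as fh:
                plist = plistlib.load(fh)
        except (plistlib.InvalidFileException, OSError):
            continue  # unreadable or not a plist; a real audit would report it
        args = plist.get("ProgramArguments") or [plist.get("Program", "")]
        shell_wrapped = len(args) >= 3 and str(args[0]).endswith("sh") and args[1] == "-c"
        findings.append({
            "file": path.name,
            "label": plist.get("Label"),
            "command": " ".join(str(a) for a in args),
            "interval": plist.get("StartInterval"),
            "shell_wrapped": shell_wrapped,
        })
    return findings


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:  # never touches the real LaunchAgents dir
        install_launch_agent(tmp, "foo", "echo foo >> /Users/user/Desktop/foo")
        for finding in audit_launch_agents(tmp):
            print(finding)
        remove_launch_agent(tmp, "foo")
```

Run it as-is and it only exercises a temporary directory. Point `audit_launch_agents` at `~/Library/LaunchAgents` (and, with root, `/Library/LaunchAgents` and `/Library/LaunchDaemons`) to triage a real host; a `shell_wrapped` entry with a short `StartInterval` is exactly the footprint the default trigger above leaves behind.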



Source: http://mp.weixin.qq.com/s?__biz=MzAxMjE3ODU3MQ==&mid=2650508884&idx=3&sn=ae76aeb1543e3b4f26202d9e6a38339b&chksm=83baebb0b4cd62a65371b995def22830922cdddc90e00008ab959bbac6c38c2f00fc9d7b49f2#rd