Hacking Mac With EmPyre

I am the stereotypical Apple fan boy that other bloggers write about. We have MacBook Pros, Airs, Apple TVs, iPhones and iPads and even subscribe to Apple Music. You literally couldn’t find someone who has become more brainwashed by a brand… BUT, I am still not blinded by the security misconceptions which are rife within the world of Mac users.

To try and understand just how widespread these misconceptions were, I recently ran a poll on a Facebook group dedicated to Mac products and asked the following question:

Do you think Mac/iMacs need an AntiVirus?

The results were staggering and showed that over 90% of participants believed that Macs do not need an AV (there were over 150 participants before the post was removed by an admin because he wouldn’t entertain any talk of Macs having AV). The comments were even more staggering and filled with all kinds of crazy talk, from “Macs cannot get malware” through to “Malware can only infect your Mac if you enter your admin password”, and even descended into heated debates over the differences between Trojans, viruses and worms and which of them impacted Mac users.

Of course the bottom line was that almost nobody really understood that the risks are just as real on Mac as they are on Windows, just less common. Mac users get unwanted software, viruses, trojans and can be hacked, and with a little help from Adaptive Threat, we are going to prove it.

So, let’s have some fun and look at how to hack into Mac OSX hosts using Social Engineering and Malicious Office Documents.

Introducing EmPyre

Edit: I added a new video tutorial to walk through the whole blog below.

EmPyre is a post-exploitation framework built using Python which offers Ethical Hackers & Baddies (don’t do it) the ability to remotely access OSX hosts. It’s easy to use, has OSX-specific exploits and payloads already built in, and it actually makes for a refreshing change from Metasploit. Visit them on GitHub to read the nitty gritty about features and support.

Installation is easy from another Unix host like Kali which comes with Git installed already. If you are using OSX or another distro, make sure you have Git installed before you begin. I’m using a fresh Kali install.

Install EmPyre

First, Git clone from https://github.com/adaptivethreat/EmPyre/

You should now have a folder called EmPyre, and you’ll want to run install.sh to finish the install.

That’s it, EmPyre is installed and ready to go. Now just change directory into EmPyre and run ./empyre to launch the interface.


Once you do that, EmPyre will load up and you will see the following menu.


Create A Listener

Before you do anything, type the help command and check out the options you have. I’d suggest spending some time learning what you can do with the tool. For now, we want to start a listener for our victims to connect back to (y’know – the Macs that don’t need AV).

Go to the listeners menu…and type options to view the current listener options. This is your equivalent of “show options” within Metasploit.


When you hit enter you will see the current settings for the default listener which is called test. You can see the local IP and all the other options which are fine for this guide but you can change anything that suits your objective.


Now, if you decide to get a little fruity here, it’s on you, but to change any of these, you’ll want to set one of the fields and change it accordingly. For instance, changing the host is useful if you are wanting to NAT your IP and go out over the internet like some kind of savage.


Once you are happy with your options, just hit run, followed by your listener name which you can see in the options.


That’s it, we are listening for shells. Now, if you are running this in a lab, just make sure you can reach the target machine and networking is all good. If you are using this against a remote host outside of your LAN, then you should move on to configuring NAT and any rules you need to let the traffic come in. You’re on your own with that.

Create The Malicious Document

This is not so different to attacking Windows machines, but you’re gonna have the extra helping hand from EmPyre to make things a little easier. First, we need to create the malicious Office macro. You can return to the main menu by entering “main” and then we want to enter “usestager”. You can press tab to list all the available options, but we will be using a macro for this attack.


Almost there… now we just need to tell the stager which listener we want it to use, which should be easy since we only have one created, and then we wrap it up by generating the macro. If all goes to plan, you should see the macro output to the screen (unless you set an output location in the options).


We want to copy this output into an Office document and enter it into a macro. Open Excel or Word and save the document as a macro-enabled document.


Once you have saved it, head over to tools and create a new macro, name it and then paste the code from your EmPyre host into the Macro. It should look like this.


(Note – If you are targeting x64 architecture you will need to edit the first line to begin “Private Declare PtrSafe Function”)

Save the document and let the games begin. The next time you open this document you should be prompted to enable macros which of course we will (why wouldn’t we!).
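From the defender's side, the file produced by the steps above is an ordinary macro-enabled Office document, and that is something a mail gateway or triage script can check before a user ever sees the Enable Macros prompt. The sketch below is an added example (not part of EmPyre or the original walkthrough): it inspects an OOXML file for an embedded VBA project and flags macro content hiding behind a macro-free extension. The sample files are constructed in memory with dummy bytes; legacy .doc/.xls files are not ZIP archives and are out of scope here.

```python
import io
import zipfile

# Content type Office registers for an embedded VBA project part.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
MACRO_FREE_EXTS = (".docx", ".xlsx", ".pptx")

def triage_ooxml(name, data):
    """Report macro indicators for one file given its name and raw bytes."""
    result = {"name": name, "is_ooxml": False, "vba_parts": [],
              "has_macros": False, "extension_mismatch": False}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return result
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if "[Content_Types].xml" not in names:
            return result  # a ZIP, but not an Office Open XML package
        result["is_ooxml"] = True
        result["vba_parts"] = [n for n in names
                               if n.lower().endswith("vbaproject.bin")]
        ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    result["has_macros"] = bool(result["vba_parts"]) or VBA_CONTENT_TYPE in ctypes
    # Macro content behind a macro-free extension is worth a closer look.
    result["extension_mismatch"] = (result["has_macros"]
                                    and name.lower().endswith(MACRO_FREE_EXTS))
    return result

def build_sample(with_vba):
    """Constructed stand-in for a workbook; the VBA part is dummy bytes."""
    ctype = VBA_CONTENT_TYPE if with_vba else "application/octet-stream"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types><Default Extension="bin" ContentType="%s"/></Types>' % ctype)
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_vba:
            zf.writestr("xl/vbaProject.bin", b"\x00dummy")
    return buf.getvalue()

if __name__ == "__main__":
    for fname, vba in (("report.xlsm", True), ("report.xlsx", True), ("clean.xlsx", False)):
        print(triage_ooxml(fname, build_sample(vba)))
```

A hit only says the document carries macros; the macro source still has to be extracted and reviewed to decide whether it is malicious.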


Once you hit Enable Macros… Excel will play ball and execute the macro hidden away inside Excel. Over in the attack machine we can see the fruits of our labour with an agent checking in. This can sometimes take a second but no more than around 10-15 seconds.
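The moment described above, an Office application running a macro that starts a Python-based agent, is also where endpoint telemetry has its best chance of catching it. The following is an added detection sketch, not code from EmPyre or the original post: it walks process ancestry in exec events and alerts when a shell or interpreter descends from an Office app. The event schema, sample log lines and list of suspect child names are assumptions made for illustration.

```python
import json

OFFICE_APPS = {"Microsoft Excel", "Microsoft Word", "Microsoft PowerPoint"}
# Assumed list of children an Office app has little reason to launch.
SUSPECT_CHILDREN = {"sh", "bash", "zsh", "python", "python3", "osascript", "curl"}

# Constructed sample events (hypothetical schema: one JSON object per exec).
SAMPLE_LOG = """\
{"pid": 410, "ppid": 1, "path": "/Applications/Microsoft Excel.app/Contents/MacOS/Microsoft Excel"}
{"pid": 977, "ppid": 410, "path": "/bin/sh"}
{"pid": 978, "ppid": 977, "path": "/usr/bin/python"}
{"pid": 500, "ppid": 1, "path": "/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"}
{"pid": 501, "ppid": 500, "path": "/bin/bash"}
{"pid": 502, "ppid": 501, "path": "/usr/bin/python"}
"""

def basename(path):
    return path.rsplit("/", 1)[-1]

def office_ancestor(pid, procs, max_depth=8):
    """Walk the parent chain; return the Office app name if one is an ancestor."""
    seen = set()
    cur = procs.get(pid)
    while cur and max_depth > 0:
        parent = procs.get(cur["ppid"])
        if parent is None or parent["pid"] in seen:
            return None  # chain ended or looped without reaching Office
        if basename(parent["path"]) in OFFICE_APPS:
            return basename(parent["path"])
        seen.add(parent["pid"])
        cur, max_depth = parent, max_depth - 1
    return None

def find_office_spawns(log_text):
    """Return (pid, process name, Office ancestor) for each suspicious exec."""
    events = [json.loads(l) for l in log_text.splitlines() if l.strip()]
    procs = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        name = basename(e["path"])
        if name in SUSPECT_CHILDREN:
            app = office_ancestor(e["pid"], procs)
            if app:
                alerts.append((e["pid"], name, app))
    return alerts

if __name__ == "__main__":
    for alert in find_office_spawns(SAMPLE_LOG):
        print("ALERT pid=%d %s descends from %s" % alert)
```

Walking the whole parent chain rather than only the direct parent matters because the interpreter may be started through an intermediate shell, as in the constructed Excel → sh → python chain.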


You’re going to want to then begin interacting with your newly infected Mac host. EmPyre calls them agents, so just enter the agents command.


Notice the string which begins UKFOM… this is the unique identifier EmPyre has given the host. In order to interact with that host you just need to type the following, but remember to substitute the identifier for whatever yours is called (you can rename it).


From here, you can start throwing shell code around like some kind of maniac. Try some of the built-in modules; there are tons of them and some of them are pretty useful. My personal favourite is troll/osx/say, but if you want to list them all, just use tab complete on the end of usemodule.


Of course, like every other screen, you can issue the help command and see all the other options you have. Why not drop into the victim’s shell, query the sysinfo or execute Python code directly on the host?


And that’s it, now go pop some Macs.

But first, let’s take a moment to think about the original question. Do Macs need AntiVirus? Malware might not be as prolific on OSX as it is on Windows, but the concept is the same. Attackers can gain access to your machines in almost the same way they do Windows hosts. Some might argue that AV is not effective against targeted attacks, and I would agree, but right now, attacks are becoming more and more sophisticated and with the rise of OSX users, it’s only a matter of time before we see a shift in Apple users becoming bigger targets.