MacOS Post Exploitation Data Mining & Remote Administration Tool
Bella is a pure python post-exploitation data mining tool & remote administration tool for macOS.
What is it?
Bella is a robust, pure python, post-exploitation and remote administration tool for macOS.
Bella a.k.a. the server is an SSL/TLS encrypted reverse shell that can be dropped on any system running macOS >= 10.6. Bella offers the following features:
Pseudo-TTY that emulates an SSH instance [CTRL-C support for most functions, streaming output, full support for inline bash scripting, tab completion, command history, etc].
Auto installer! Just execute the binary, and Bella takes care of the rest – a persistent reverse shell in a hidden location on the hard drive, undetectable by anti-viruses.
Upload / Download any file[s]
Reverse VNC Connection.
Stream and save the computer’s microphone input.
Login / keychain password phishing through system prompt.
Apple ID password phishing through iTunes prompt.
iCloud Token Extraction.
Accessing all iCloud services of the user through extracted tokens or passwords. This includes: iCloud Contacts, Find my iPhone, Find my Friends, iOS Backups.
Google Chrome Password Extraction.
Chrome and Safari History Extraction.
Auto Keychain decryption upon discovery of kc password.
macOS Chat History.
iTunes iOS Backup enumeration.
Extensive logging of all Bella activity and downloaded files.
VERY comprehensive data storage. All information that Bella discovers [tokens, passwords, etc] is stored in an encrypted SQL database on the computer running Bella. This information is used for faster function execution, and a “smarter” reverse shell.
Complete remote removal of Bella
A lot of other great features! Mess around with it to see it in action.
These are some of the features available when we are in the userland. This shell is accessible at any time when the user has an internet connection, which occurs when they are logged in and the computer is not asleep.
If we get root, Bella’s capabilities greatly expand.
Similar to the getsystem function on a meterpreter shell, Bella has a get_root function that will attempt to gain root access through a variety of means, including through a phished user password and/or local privilege escalation exploits if the system is vulnerable.
Upon gaining root access, Bella will migrate over to a hidden directory in /Library, and will load itself as a LaunchDaemon. This now provides remote access to the Bella instance at all times, as long as the computer has a network connection. Once we get root, we can do the following:
MULTI-USER SUPPORT! Bella will keep track of all information from any active users on the computer in a comprehensive database, and will automatically switch to the active computer user. All of the aforementioned data extraction techniques are now available for every user on the machine.
Decrypt ALL TLS/SSL traffic and redirect it through the control center! [a nice, active, MITM attack]
Disable/Enable the Keyboard and/or Mouse.
Load an Insomnia KEXT to keep a connection open if the user closes their laptop.
Automatic dumping of iCloud Tokens and Chrome passwords [leverages keychaindump and chainbreaker if SIP is disabled]
A lot of behind the scenes automation.
How To
Bella‘s power lies in its high level of automation of most of the painstaking tasks that one faces in a post-exploitation scenario. It is incredibly easy to setup and use, requires no pre-configuration on the target, and very little configuration on the Control Center. It leverages the incredible behind the scenes power of macOS and Python for a fluid post-exploitation experience.
Some design points
As previously stated, Bella is a pseudo-TTY. By this, the base socket and remote code execution handling of Bella is a fairly abstracted version of a very simple request-response socket. Bella receives a command from the server. If the command matches a pre-programmed function (i.e chrome history dump), then it will perform that function, and send the response back to the client. The client will then handle the response in the same way. After processing the response, it will prompt the client for another command to send.
Issues with a low-level socket are numerous, and not limited to:
Program execution that blocks and hangs the pipe, waiting for output that never comes (sudo, nano, ftp)
Not knowing how much data to expect in the socket.recv() call.
Not being able to send ctrl-C, ctrl-Z and similar commands.
No command history
A program that crashes can kill a shell.
One-to-one response and request.
Bella address the above by:
recv() and send() functions that serialize the length of the message, and loop through response/requests accordingly.
Readline integration to give a more ‘tty’ like feel, including ctrl-C support, command history, and tab completion.
Detecting programs that block, and killing them beta
Allowing multiple messages to be sent at once without the client prompting for more input (great for commands like ping, tree, and other commands with live updates).
For full information on the pre-programmed functions, run the manual command when connected to the server.
Download
Bella is a pure python post-exploitation data mining tool & remote administration tool for macOS.
What is it?
Bella is a robust, pure python, post-exploitation and remote administration tool for macOS.
Bella a.k.a. the server is an SSL/TLS encrypted reverse shell that can be dropped on any system running macOS >= 10.6. Bella offers the following features:
Pseudo-TTY that emulates an SSH instance [CTRL-C support for most functions, streaming output, full support for inline bash scripting, tab completion, command history, etc].
Auto installer! Just execute the binary, and Bella takes care of the rest – a persistent reverse shell in a hidden location on the hard drive, undetectable by anti-viruses.
Upload / Download any file[s]
Reverse VNC Connection.
Stream and save the computer’s microphone input.
Login / keychain password phishing through system prompt.
Apple ID password phishing through iTunes prompt.
iCloud Token Extraction.
Accessing all iCloud services of the user through extracted tokens or passwords. This includes: iCloud Contacts, Find my iPhone, Find my Friends, iOS Backups.
Google Chrome Password Extraction.
Chrome and Safari History Extraction.
Auto Keychain decryption upon discovery of kc password.
macOS Chat History.
iTunes iOS Backup enumeration.
Extensive logging of all Bella activity and downloaded files.
VERY comprehensive data storage. All information that Bella discovers [tokens, passwords, etc] is stored in an encrypted SQL database on the computer running Bella. This information is used for faster function execution, and a “smarter” reverse shell.
Complete remote removal of Bella
A lot of other great features! Mess around with it to see it in action.
These are some of the features available when we are in the userland. This shell is accessible at any time when the user has an internet connection, which occurs when they are logged in and the computer is not asleep.
If we get root, Bella’s capabilities greatly expand.
Similar to the getsystem function on a meterpreter shell, Bella has a get_root function that will attempt to gain root access through a variety of means, including through a phished user password and/or local privilege escalation exploits if the system is vulnerable.
Upon gaining root access, Bella will migrate over to a hidden directory in /Library, and will load itself as a LaunchDaemon. This now provides remote access to the Bella instance at all times, as long as the computer has a network connection. Once we get root, we can do the following:
MULTI-USER SUPPORT! Bella will keep track of all information from any active users on the computer in a comprehensive database, and will automatically switch to the active computer user. All of the aforementioned data extraction techniques are now available for every user on the machine.
Decrypt ALL TLS/SSL traffic and redirect it through the control center! [a nice, active, MITM attack]
Disable/Enable the Keyboard and/or Mouse.
Load an Insomnia KEXT to keep a connection open if the user closes their laptop.
Automatic dumping of iCloud Tokens and Chrome passwords [leverages keychaindump and chainbreaker if SIP is disabled]
A lot of behind the scenes automation.
How To
Bella‘s power lies in its high level of automation of most of the painstaking tasks that one faces in a post-exploitation scenario. It is incredibly easy to setup and use, requires no pre-configuration on the target, and very little configuration on the Control Center. It leverages the incredible behind the scenes power of macOS and Python for a fluid post-exploitation experience.
Some design points
As previously stated, Bella is a pseudo-TTY. By this, the base socket and remote code execution handling of Bella is a fairly abstracted version of a very simple request-response socket. Bella receives a command from the server. If the command matches a pre-programmed function (i.e chrome history dump), then it will perform that function, and send the response back to the client. The client will then handle the response in the same way. After processing the response, it will prompt the client for another command to send.
Issues with a low-level socket are numerous, and not limited to:
Program execution that blocks and hangs the pipe, waiting for output that never comes (sudo, nano, ftp)
Not knowing how much data to expect in the socket.recv() call.
Not being able to send ctrl-C, ctrl-Z and similar commands.
No command history
A program that crashes can kill a shell.
One-to-one response and request.
Bella address the above by:
recv() and send() functions that serialize the length of the message, and loop through response/requests accordingly.
Readline integration to give a more ‘tty’ like feel, including ctrl-C support, command history, and tab completion.
Detecting programs that block, and killing them beta
Allowing multiple messages to be sent at once without the client prompting for more input (great for commands like ping, tree, and other commands with live updates).
For full information on the pre-programmed functions, run the manual command when connected to the server.
Download