Macos – How to find the stolen Macbook


A friend of mine just had her Macbook stolen. Her Dropbox account is still working on the Macbook, so she can see each time the Macbook comes online, and she can get its IP address.

She has given this information to the police, who say it may take up to a month to get the real location from the IP address. I was wondering if we could help find the laptop, as then the person with it could be arrested now for handling stolen goods (otherwise they might reinstall it before the police catch them).

Here are the facts about the stolen Macbook:

  • It is running OS X, but I'm not sure exactly which version (I will find out though).
  • There was only a single user account, with no password, and with admin privileges.
  • The original owner's Dropbox is still synchronizing, which gives us the IP address each time it comes online.
  • The original owner isn't a techie, so she's very unlikely to have turned on any of the remote control features like SSH, VNC etc (I've e-mailed her to ask).
  • She does not use iCloud or the .Mac service.

I was considering pushing an enticing file into Dropbox to get the user to click on it. I'm guessing I'll only get one shot at this, so wanted some ideas on the best thing to do.

My ideas so far:

  • Install some sort of key logger to send all the info back to the owner. Is there any way to do this without the user being made aware?
  • Make the file a shell script to slurp up as much useful info as possible, e.g. browser history, look for iPhone backups, etc. I'm not sure of the best way to send this info back though. It sounds like I might be able to use the mail command (to a free e-mail account of course)?
  • Maybe turn on remote management. Is there a way to do this without user accepting security popups?

Does anybody have any tips here? I've written plenty of shell scripts, but was wondering if other OS X options might be better, e.g. Applescript? Has anybody got any better ideas than pushing a Dropbox file to it?

I know this question is basically about writing a form of malware, but I'd love to be able to emulate my hero from the What Happens When You Steal a Hacker’s Computer DEF CON lecture.

We'll make sure to check with the police before we do anything to ensure we don't break any laws.

Best Answer

I remember watching that Dr. Zoz video. Good stuff.

It sounds like you're competent with shell scripting and just need an attack vector. The key to doing something similar to what Zoz did is getting SSH access. Unlike his situation, where the thief was using a dialup modem, it's almost certain, since newer Macs don't do dialup, that the thief is using a broadband connection, and is behind some kind of NAT router.

Even if SSH were enabled on the machine, port forwarding would have to be set up on the router for you to access the machine's SSH listening port from the outside. The upside of a broadband connection is that the IP address will almost definitely change less often than with dialup.

If I were in your position, holding the thief's IP, I'd first try to log in to the web interface of their router and see what I can do from there. It's amazing how many people leave their default router/modem passwords in place, and there are lists online where you can find default passwords for most major manufacturers.

Once inside, check the DHCP client listing on the router and see if you can find the MacBook. A lot of routers will show MAC (hardware) Adress, assigned internal IP address (192.168.1.x most often) and most importantly, the machine name.

Figure out which IP is assigned to the MacBook and then set up a port forward to it in the router's settings. Use some external port other than 22, (port 2222 for example) and forward that to port 22 of the MacBook's IP.

Many routers have SSH access turned on, so accessing the thief's IP @ port 22 might get you to the router shell rather than the machine shell. Now you should have a port on the thief's external IP (that you got from Dropbox) which will get you directly to the port SSH should be bound to on the MacBook. Except SSH isn't turned on yet.

This part requires some action from the thief. I like the email idea but it requires that your friend be using Apple Mail. A better approach might be uploading a tempting .app file to Dropbox that will turn SSH (Remote Login) on.

You can do this through a shell script, but doing it through Applescript, saving the Applescript out as a .app and giving it a nice icon will all go a long way towards fooling your mark and not giving yourself away.

Here's the Applescript code to turn Remote Login on:

do shell script "sudo systemsetup setremotelogin on" user name "Friend's Username" password "Friend's Password" with administrator privileges

This bit of code will return a string with the machine's serial number that you can email to yourself if you want to do that:

do shell script "sudo system_profiler |grep \"r (system)\"" user name "Friend's Username" password "Friend's Password" with administrator privileges

I would write the applescript so that it turns on Remote Login, does whatever else you need. Try not to script the GUI or any applications besides the shell as this will raise suspicion. At the end display a message to the effect of "This application cannot run on this Macintosh." with a "Quit" button to reduce suspicion. Once the script is working in AppleScript Editor, save it out as a run-only .app file.

Try disguising the .app as a popular game, Plants vs. Zombies or Angry Birds or something. You can export the icon from the real game's .app and put it into the .app you export from Applescript. If your friend got a good look at the thief, you can socially profile him/her and disguise the .app as something else they might be interested in.

Provided that you can set up the port forward (your mark doesn't enforce proper security practices), and you can get him/her to run the application, you'll have full SSH access to the machine and can continue looking for clues without immediately giving away your presence. This also requires that the mark doesn't get tired of Dropbox's Growl notifications and quit it, so I'd advise your friend to stop saving files to her Dropbox for a while.

Note: If the thief disconnects from their ISP and reconnects, they'll get a new external IP. Add a file to Dropbox and wait for it to sync. This should get you the updated IP.

Note 2: If the user doesn't connect to the router with the MacBook for a certain amount of time (usually 24 hours) the DHCP lease for the internal IP address that was assigned to the MacBook will expire. Most likely it will get the same IP address next time it connects, unless another device is introduced into the network. In this event you'll have to manually log back into the router and modify the port forward.

This isn't the only means of attack, but this is what I'd do the second I realized the IP was still being updated via Dropbox. Good luck!

EDIT: The "administrator privileges" at the end of each "do shell script" line is very important. The user will be prompted for your friend's admin password and the script will fail, if you do not include username and password inline.