Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2025-02-16 14:08:26 +00:00
Code Issues Projects Releases Packages Wiki Activity

GITBOOK-3973: change request with no subject merged in GitBook

Browse source
This commit is contained in:
CPol 2023-06-10 11:06:21 +00:00 committed by gitbook-bot
parent 01df2876d3
commit 8e2f75e86a
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
4 changed files with 12 additions and 14 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
SUMMARY.md
View file

@ -149,7 +149,7 @@
* [macOS Serial Number](macos-hardening/macos-security-and-privilege-escalation/macos-mdm/macos-serial-number.md) * [macOS Serial Number](macos-hardening/macos-security-and-privilege-escalation/macos-mdm/macos-serial-number.md)
* [macOS Network Services & Protocols](macos-hardening/macos-security-and-privilege-escalation/macos-protocols.md) * [macOS Network Services & Protocols](macos-hardening/macos-security-and-privilege-escalation/macos-protocols.md)
* [macOS Bypassing Firewalls](macos-hardening/macos-security-and-privilege-escalation/macos-bypassing-firewalls.md) * [macOS Bypassing Firewalls](macos-hardening/macos-security-and-privilege-escalation/macos-bypassing-firewalls.md)
* [macOS File Extension Apps](macos-hardening/macos-security-and-privilege-escalation/macos-file-extension-apps.md) * [macOS File Extension & URL scheme app handlers](macos-hardening/macos-security-and-privilege-escalation/macos-file-extension-apps.md)
* [macOS Files, Folders, Binaries & Memory](macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/README.md) * [macOS Files, Folders, Binaries & Memory](macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/README.md)
* [macOS Bundles](macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-bundles.md) * [macOS Bundles](macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-bundles.md)
* [macOS Installers Abuse](macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-installers-abuse.md) * [macOS Installers Abuse](macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-installers-abuse.md)

10
macos-hardening/macos-security-and-privilege-escalation/README.md
View file

@ -104,20 +104,14 @@ If a process can **inject code in another process with better privileges or enti
[macos-proces-abuse](macos-proces-abuse/) [macos-proces-abuse](macos-proces-abuse/)
{% endcontent-ref %} {% endcontent-ref %}
### File Extension Apps ### File Extension & URL scheme app handlers
Weird apps registered by file extensions could be abused: Weird apps registered by file extensions could be abused and different applications can be register to open specific protocols
{% content-ref url="macos-file-extension-apps.md" %} {% content-ref url="macos-file-extension-apps.md" %}
[macos-file-extension-apps.md](macos-file-extension-apps.md) [macos-file-extension-apps.md](macos-file-extension-apps.md)
{% endcontent-ref %} {% endcontent-ref %}
### URL handler applications
Different applications can be resgiter to open specific protocols. They could be abused.
TODO: Create a page about this
## MacOS Privilege Escalation ## MacOS Privilege Escalation
### CVE-2020-9771 - mount\_apfs TCC bypass and privilege escalation ### CVE-2020-9771 - mount\_apfs TCC bypass and privilege escalation

8
macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/README.md
View file

@ -307,7 +307,7 @@ When calling the **`objc_sendMsg`** function, the **rsi** register holds the **n
* It's also possible to find **if a process is being debugged** with a simple code such us: * It's also possible to find **if a process is being debugged** with a simple code such us:
* `if(P_TRACED == (info.kp_proc.p_flag & P_TRACED)){ //process being debugged }` * `if(P_TRACED == (info.kp_proc.p_flag & P_TRACED)){ //process being debugged }`
* It can also invoke the **`ptrace`** system call with the **`PT_DENY_ATTACH`** flag. This **prevents** a deb**u**gger from attaching and tracing. * It can also invoke the **`ptrace`** system call with the **`PT_DENY_ATTACH`** flag. This **prevents** a deb**u**gger from attaching and tracing.
* You can check if the **`sysctl` \*\* or**`ptrace`\*\* function is being **imported** (but the malware could import it dynamically) * You can check if the **`sysctl`** or **`ptrace`** function is being **imported** (but the malware could import it dynamically)
* As noted in this writeup, “[Defeating Anti-Debug Techniques: macOS ptrace variants](https://alexomara.com/blog/defeating-anti-debug-techniques-macos-ptrace-variants/)” :\ * As noted in this writeup, “[Defeating Anti-Debug Techniques: macOS ptrace variants](https://alexomara.com/blog/defeating-anti-debug-techniques-macos-ptrace-variants/)” :\
“_The message Process # exited with **status = 45 (0x0000002d)** is usually a tell-tale sign that the debug target is using **PT\_DENY\_ATTACH**_” “_The message Process # exited with **status = 45 (0x0000002d)** is usually a tell-tale sign that the debug target is using **PT\_DENY\_ATTACH**_”
@ -354,7 +354,11 @@ sudo launchctl load -w /System/Library/LaunchDaemons/ssh.plist
### Internal Handlers ### Internal Handlers
[**Checkout this section**](../#file-extensions-apps) to find out how you can find which app is responsible of **handling the specified scheme or protocol**. **Checkout the following page** to find out how you can find which app is responsible of **handling the specified scheme or protocol:**
{% content-ref url="../macos-file-extension-apps.md" %}
[macos-file-extension-apps.md](../macos-file-extension-apps.md)
{% endcontent-ref %}
### Enumerating Network Processes ### Enumerating Network Processes

6
macos-hardening/macos-security-and-privilege-escalation/macos-file-extension-apps.md
View file

@ -1,4 +1,4 @@
# macOS File Extension Apps # macOS File Extension & URL scheme app handlers
<details> <details>
@ -12,7 +12,7 @@
</details> </details>
### File Extensions Apps File Extension & URL scheme app handlers
The following line can be useful to find the applications that can open files depending on the extension: The following line can be useful to find the applications that can open files depending on the extension:
@ -22,7 +22,7 @@ The following line can be useful to find the applications that can open files de
Or use something like [**SwiftDefaultApps**](https://github.com/Lord-Kamina/SwiftDefaultApps): Or use something like [**SwiftDefaultApps**](https://github.com/Lord-Kamina/SwiftDefaultApps):
``` ```bash
./swda getSchemes #Get all the available schemes ./swda getSchemes #Get all the available schemes
./swda getApps #Get all the apps declared ./swda getApps #Get all the apps declared
./swda getUTIs #Get all the UTIs ./swda getUTIs #Get all the UTIs