mirror of https://github.com/carlospolop/hacktricks synced 2025-02-20 16:08:27 +00:00

Translated ['macos-hardening/macos-auto-start-locations.md', 'macos-hard

This commit is contained in:
Translator 2024-09-21 18:25:59 +00:00
parent 3dcd0ff2e4
commit 90dbb88b0b
5 changed files with 843 additions and 518 deletions
SUMMARY.md
macos-hardening
macos-auto-start-locations.md
macos-security-and-privilege-escalation
macos-files-folders-and-binaries
macos-security-protections
macos-users.md


@ -196,9 +196,10 @@
* [macOS Apple Scripts](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/macos-apple-scripts.md)
* [macOS TCC Payloads](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-payloads.md)
* [macOS Dangerous Entitlements & TCC perms](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-dangerous-entitlements.md)
* [macOS MACF](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-macf.md)
* [macOS FS Tricks](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/README.md)
* [macOS xattr-acls extra stuff](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/macos-xattr-acls-extra-stuff.md)
* [macOS Users](macos-hardening/macos-security-and-privilege-escalation/macos-users.md)
* [macOS Users & External Accounts](macos-hardening/macos-security-and-privilege-escalation/macos-users.md)
* [macOS Red Teaming](macos-hardening/macos-red-teaming/README.md)
* [macOS MDM](macos-hardening/macos-red-teaming/macos-mdm/README.md)
* [Enrolling Devices in Other Organisations](macos-hardening/macos-red-teaming/macos-mdm/enrolling-devices-in-other-organisations.md)

File diff suppressed because it is too large


@ -1,8 +1,8 @@
# macOS Sensitive Locations & Interesting Daemons
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
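Review bot: the switch from `/.gitbook/assets/` to `../../../.gitbook/assets/` is only correct because this file sits three directories below the repo root (macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/); if the same replacement was run as a blanket find/replace, files at other depths (for example the SUMMARY-level pages or macos-hardening/macos-red-teaming/) will end up with broken image links, so spot-check one rendered page per directory depth before merging.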
@ -19,8 +19,8 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
### Nywila za Kivuli
Nywila ya kivuli inahifadhiwa pamoja na usanidi wa mtumiaji katika plists zilizoko **`/var/db/dslocal/nodes/Default/users/`**.\
Mfuatano ufuatao unaweza kutumika kutoa **habari zote kuhusu watumiaji** (ikiwemo habari za hash):
Nywila za kivuli huhifadhiwa pamoja na usanidi wa mtumiaji katika plists zilizoko katika **`/var/db/dslocal/nodes/Default/users/`**.\
Mstari ufuatao unaweza kutumika kutoa **habari zote kuhusu watumiaji** (ikiwemo habari za hash):
{% code overflow="wrap" %}
```bash
@ -30,7 +30,7 @@ for l in /var/db/dslocal/nodes/Default/users/*; do if [ -r "$l" ];then echo "$l"
[**Scripts kama hii**](https://gist.github.com/teddziuba/3ff08bdda120d1f7822f3baf52e606c2) au [**hii**](https://github.com/octomagon/davegrohl.git) zinaweza kutumika kubadilisha hash kuwa **hashcat** **format**.
Mstari mbadala mmoja ambao utatoa creds za akaunti zote zisizo za huduma katika format ya hashcat `-m 7100` (macOS PBKDF2-SHA512):
Mstari mbadala ambao utaondoa creds za akaunti zote zisizo za huduma katika format ya hashcat `-m 7100` (macOS PBKDF2-SHA512):
{% code overflow="wrap" %}
```bash
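Review bot: `utaondoa` (will remove) in `Mstari mbadala ambao utaondoa creds za akaunti zote...` inverts the meaning of the line it replaces, which used `utatoa` (will extract/output); the one-liner only reads ShadowHashData from /var/db/dslocal and prints it in hashcat `-m 7100` format, it deletes nothing, so keep `utatoa`.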
@ -38,9 +38,15 @@ sudo bash -c 'for i in $(find /var/db/dslocal/nodes/Default/users -type f -regex
```
{% endcode %}
Njia nyingine ya kupata `ShadowHashData` ya mtumiaji ni kwa kutumia `dscl`: ``sudo dscl . -read /Users/`whoami` ShadowHashData``
### /etc/master.passwd
Faili hii inatumika **tu** wakati mfumo unakimbia katika **mode ya mtumiaji mmoja** (hivyo si mara nyingi sana).
### Keychain Dump
Kumbuka kwamba unapotumia binary ya usalama **kutoa nywila zilizofichuliwa**, maelekezo kadhaa yatauliza mtumiaji kuruhusu operesheni hii.
Kumbuka kwamba unapokuwa unatumia binary ya usalama **kudondosha nywila zilizotafsiriwa**, maelekezo kadhaa yatauliza mtumiaji kuruhusu operesheni hii.
```bash
#security
security dump-trust-settings [-s] [-d] #List certificates
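Review bot: `nywila zilizotafsiriwa` means "translated passwords"; the sentence is about the `security` binary dumping the decrypted passwords, and the previous `zilizofichuliwa` (revealed) was closer than the new wording. Use `zilizofumbuliwa` (decrypted) or keep the old form, and keep `kutoa` rather than `kudondosha` for "dump" so it matches the Keychain Dump heading and the rest of the file.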
@ -57,13 +63,13 @@ Kulingana na maoni haya [juuso/keychaindump#10 (comment)](https://github.com/juu
### Muhtasari wa Keychaindump
Zana inayoitwa **keychaindump** imeandaliwa kutoa nywila kutoka kwa funguo za macOS, lakini inakabiliwa na vizuizi katika toleo jipya la macOS kama Big Sur, kama ilivyoelezwa katika [majadiliano](https://github.com/juuso/keychaindump/issues/10#issuecomment-751218760). Matumizi ya **keychaindump** yanahitaji mshambuliaji kupata ufikiaji na kupandisha mamlaka hadi **root**. Zana hii inatumia ukweli kwamba funguo za macOS zimefunguliwa kwa default wakati wa kuingia kwa mtumiaji kwa urahisi, ikiruhusu programu kufikia bila kuhitaji nywila ya mtumiaji mara kwa mara. Hata hivyo, ikiwa mtumiaji atachagua kufunga funguo zao baada ya kila matumizi, **keychaindump** inakuwa isiyo na ufanisi.
Zana inayoitwa **keychaindump** imeandaliwa kutoa nywila kutoka kwa funguo za macOS, lakini inakabiliwa na vizuizi katika toleo jipya la macOS kama Big Sur, kama ilivyoelezwa katika [majadiliano](https://github.com/juuso/keychaindump/issues/10#issuecomment-751218760). Matumizi ya **keychaindump** yanahitaji mshambuliaji kupata ufikiaji na kuongeza mamlaka hadi **root**. Zana hii inatumia ukweli kwamba funguo za macOS zimefunguliwa kwa default wakati wa kuingia kwa mtumiaji kwa urahisi, ikiruhusu programu kufikia bila kuhitaji nywila ya mtumiaji mara kwa mara. Hata hivyo, ikiwa mtumiaji atachagua kufunga funguo zao baada ya kila matumizi, **keychaindump** inakuwa isiyo na ufanisi.
**Keychaindump** inafanya kazi kwa kulenga mchakato maalum unaoitwa **securityd**, ambao Apple inaelezea kama daemon waidhinishaji na shughuli za kificho, muhimu kwa kufikia funguo. Mchakato wa kutoa nywila unajumuisha kutambua **Master Key** inayotokana na nywila ya kuingia ya mtumiaji. Funguo hii ni muhimu kwa kusoma faili ya funguo. Ili kupata **Master Key**, **keychaindump** inachanganua kumbukumbu ya **securityd** kwa kutumia amri ya `vmmap`, ikitafuta funguo zinazoweza kuwa ndani ya maeneo yaliyoashiriwa kama `MALLOC_TINY`. Amri ifuatayo inatumika kukagua maeneo haya ya kumbukumbu:
**Keychaindump** inafanya kazi kwa kulenga mchakato maalum unaoitwa **securityd**, ambao Apple inaelezea kama daemon wa mamlaka na operesheni za kificho, muhimu kwa kufikia funguo. Mchakato wa kutoa nywila unajumuisha kutambua **Master Key** inayotokana na nywila ya kuingia ya mtumiaji. Funguo hii ni muhimu kwa kusoma faili ya funguo. Ili kupata **Master Key**, **keychaindump** inachanganua kumbukumbu ya **securityd** kwa kutumia amri ya `vmmap`, ikitafuta funguo zinazoweza kuwa ndani ya maeneo yaliyoashiriwa kama `MALLOC_TINY`. Amri ifuatayo inatumika kukagua maeneo haya ya kumbukumbu:
```bash
sudo vmmap <securityd PID> | grep MALLOC_TINY
```
Baada ya kubaini funguo kuu zinazoweza kuwa, **keychaindump** inatafuta kupitia makundi kwa mfano maalum (`0x0000000000000018`) unaoashiria mgombea wa funguo kuu. Hatua zaidi, ikiwa ni pamoja na kuondoa ufichuzi, zinahitajika ili kutumia funguo hii, kama ilivyoainishwa katika msimbo wa chanzo wa **keychaindump**. Wachambuzi wanaolenga eneo hili wanapaswa kuzingatia kwamba data muhimu ya kufichua funguo za keychain inahifadhiwa ndani ya kumbukumbu ya mchakato wa **securityd**. Mfano wa amri ya kuendesha **keychaindump** ni:
Baada ya kubaini funguo kuu zinazoweza kuwa, **keychaindump** inatafuta kupitia makundi kwa mfano maalum (`0x0000000000000018`) unaoashiria mgombea wa funguo kuu. Hatua zaidi, ikiwa ni pamoja na kuondoa ufichaji, zinahitajika ili kutumia funguo hii, kama ilivyoainishwa katika msimbo wa chanzo wa **keychaindump**. Wachambuzi wanaolenga eneo hili wanapaswa kuzingatia kwamba data muhimu ya kufichua funguo za keychain inahifadhiwa ndani ya kumbukumbu ya mchakato wa **securityd**. Mfano wa amri ya kuendesha **keychaindump** ni:
```bash
sudo ./keychaindump
```
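Review bot: `daemon wa mamlaka` renders "authorization daemon" as "daemon of authority"; `daemon wa uidhinishaji na operesheni za kificho` keeps Apple's description of securityd (authorization and cryptographic operations) and matches the previous `waidhinishaji`. `kuongeza mamlaka` for privilege escalation is acceptable, but `kupandisha mamlaka` in the replaced line was the closer rendering and is used elsewhere in this section of the book.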
@ -71,16 +77,16 @@ sudo ./keychaindump
[**Chainbreaker**](https://github.com/n0fate/chainbreaker) inaweza kutumika kutoa aina zifuatazo za taarifa kutoka kwa keychain ya OSX kwa njia ya forensically sound:
* Nywila ya Keychain iliyohashwa, inayofaa kwa ajili ya kuvunja kwa kutumia [hashcat](https://hashcat.net/hashcat/) au [John the Ripper](https://www.openwall.com/john/)
* Nywila za Mtandao
* Nywila za Kawaida
* Nenosiri la Keychain lililohashwa, linalofaa kwa ajili ya kuvunja kwa kutumia [hashcat](https://hashcat.net/hashcat/) au [John the Ripper](https://www.openwall.com/john/)
* Nenosiri za Mtandao
* Nenosiri za Kawaida
* Funguo Binafsi
* Funguo za Umma
* Vyeti vya X509
* Maelezo Salama
* Nywila za Appleshare
* Nenosiri za Appleshare
Ikiwa kuna nywila ya kufungua keychain, funguo kuu iliyopatikana kwa kutumia [volafox](https://github.com/n0fate/volafox) au [volatility](https://github.com/volatilityfoundation/volatility), au faili ya kufungua kama SystemKey, Chainbreaker pia itatoa nywila za maandiko.
Ikiwa kuna nenosiri la kufungua keychain, funguo kuu iliyopatikana kwa kutumia [volafox](https://github.com/n0fate/volafox) au [volatility](https://github.com/volatilityfoundation/volatility), au faili ya kufungua kama SystemKey, Chainbreaker pia itatoa nenosiri za maandiko.
Bila moja ya hizi mbinu za kufungua Keychain, Chainbreaker itaonyesha taarifa nyingine zote zinazopatikana.
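Review bot: this hunk switches `Nywila` to `Nenosiri` in the Chainbreaker bullet list, but the rest of the file still says `nywila` (the Shadow Passwords and Keychain Dump sections touched by this same commit), and `Nenosiri za Mtandao` / `Nenosiri za Kawaida` / `Nenosiri za Appleshare` pair a ji-/ma- noun with the n-class concord `za`; either keep `Nywila za ...` or write `Manenosiri ya ...`. `nenosiri za maandiko` for cleartext passwords reads as "passwords of writings"; `nenosiri ya wazi` (or `nywila za wazi`) is the usual rendering.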
@ -106,9 +112,9 @@ hashcat.exe -m 23100 --keep-guessing hashes.txt dictionary.txt
# Use the key to decrypt the passwords
python2.7 chainbreaker.py --dump-all --key 0293847570022761234562947e0bcd5bc04d196ad2345697 /Library/Keychains/System.keychain
```
#### **Dondoa funguo za keychain (pamoja na nywila) kwa kutumia dump ya kumbukumbu**
#### **Dondoa funguo za keychain (pamoja na nywila) kwa kutumia memory dump**
[Fuata hatua hizi](../#dumping-memory-with-osxpmem) ili kufanya **dump ya kumbumbu**
[Fuata hatua hizi](../#dumping-memory-with-osxpmem) ili kufanya **memory dump**
```bash
#Use volafox (https://github.com/n0fate/volafox) to extract possible keychain passwords
# Unformtunately volafox isn't working with the latest versions of MacOS
@ -129,11 +135,11 @@ python2.7 chainbreaker.py --dump-all --password-prompt /Users/<username>/Library
Faili la **kcpassword** ni faili linaloshikilia **nenosiri la kuingia la mtumiaji**, lakini tu ikiwa mmiliki wa mfumo ame **wezeshwa kuingia kiotomatiki**. Hivyo, mtumiaji ataingia kiotomatiki bila kuulizwa nenosiri (ambayo si salama sana).
Nenosiri linahifadhiwa katika faili **`/etc/kcpassword`** xored na ufunguo **`0x7D 0x89 0x52 0x23 0xD2 0xBC 0xDD 0xEA 0xA3 0xB9 0x1F`**. Ikiwa nenosiri la mtumiaji ni refu zaidi ya ufunguo, ufunguo utarudiwa.\
Hii inafanya nenosiri kuwa rahisi kurejesha, kwa mfano kwa kutumia scripts kama [**hii**](https://gist.github.com/opshope/32f65875d45215c3677d).
Hii inafanya nenosiri kuwa rahisi kurejesha, kwa mfano kwa kutumia scripts kama [**hii moja**](https://gist.github.com/opshope/32f65875d45215c3677d).
## Taarifa za Kuvutia katika Maktaba
### Meseji
### Ujumbe
```bash
sqlite3 $HOME/Library/Messages/chat.db .tables
sqlite3 $HOME/Library/Messages/chat.db 'select * from message'
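Review bot: `kama [**hii moja**]` is a word-for-word calque of "like this one"; the plain `kama [**hii**]` in the replaced line is the idiomatic form and keeps the link text short. The `Meseji` to `Ujumbe` heading change is an improvement.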
@ -167,23 +173,59 @@ for i in $(sqlite3 ~/Library/Group\ Containers/group.com.apple.notes/NoteStore.s
```
{% endcode %}
## Mipangilio
## Preferences
Katika programu za macOS, mipangilio iko katika **`$HOME/Library/Preferences`** na katika iOS iko katika `/var/mobile/Containers/Data/Application/<UUID>/Library/Preferences`.&#x20;
Katika programu za macOS, mapendeleo yanapatikana katika **`$HOME/Library/Preferences`** na katika iOS yanapatikana katika `/var/mobile/Containers/Data/Application/<UUID>/Library/Preferences`.
Katika macOS, zana ya cli **`defaults`** inaweza kutumika kubadilisha **faili ya Mipangilio**.
Katika macOS, zana ya cli **`defaults`** inaweza kutumika kubadilisha **faili za Mapendeleo**.
**`/usr/sbin/cfprefsd`** inadai huduma za XPC `com.apple.cfprefsd.daemon` na `com.apple.cfprefsd.agent` na inaweza kuitwa kufanya vitendo kama kubadilisha mipangilio.
**`/usr/sbin/cfprefsd`** inadai huduma za XPC `com.apple.cfprefsd.daemon` na `com.apple.cfprefsd.agent` na inaweza kuitwa kufanya vitendo kama kubadilisha mapendeleo.
## Arifa za Mfumo
## OpenDirectory permissions.plist
### Arifa za Darwin
Faili `/System/Library/OpenDirectory/permissions.plist` ina ruhusa zinazotumika kwenye sifa za node na inalindwa na SIP.\
Faili hii inatoa ruhusa kwa watumiaji maalum kwa UUID (na si uid) ili waweze kufikia taarifa nyeti maalum kama `ShadowHashData`, `HeimdalSRPKey` na `KerberosKeys` miongoni mwa zingine:
```xml
[...]
<key>dsRecTypeStandard:Computers</key>
<dict>
<key>dsAttrTypeNative:ShadowHashData</key>
<array>
<dict>
<!-- allow wheel even though it's implicit -->
<key>uuid</key>
<string>ABCDEFAB-CDEF-ABCD-EFAB-CDEF00000000</string>
<key>permissions</key>
<array>
<string>readattr</string>
<string>writeattr</string>
</array>
</dict>
</array>
<key>dsAttrTypeNative:KerberosKeys</key>
<array>
<dict>
<!-- allow wheel even though it's implicit -->
<key>uuid</key>
<string>ABCDEFAB-CDEF-ABCD-EFAB-CDEF00000000</string>
<key>permissions</key>
<array>
<string>readattr</string>
<string>writeattr</string>
</array>
</dict>
</array>
[...]
```
## System Notifications
Daemoni kuu ya arifa ni **`/usr/sbin/notifyd`**. Ili kupokea arifa, wateja lazima wajisajili kupitia bandari ya Mach `com.apple.system.notification_center` (angalia kwa `sudo lsmp -p <pid notifyd>`). Daemoni inaweza kuundwa kwa faili `/etc/notify.conf`.
### Darwin Notifications
Majina yanayotumika kwa arifa ni alama za kipekee za DNS za kinyume na wakati arifa inatumwa kwa moja yao, mteja(wa) ambao umeonyesha wanaweza kushughulikia itapokea.
Daemoni kuu wa arifa ni **`/usr/sbin/notifyd`**. Ili kupokea arifa, wateja lazima wajisajili kupitia bandari ya Mach `com.apple.system.notification_center` (angalia kwa `sudo lsmp -p <pid notifyd>`). Daemoni inaweza kusanidiwa kwa faili `/etc/notify.conf`.
Inawezekana kutoa hali ya sasa (na kuona majina yote) kwa kutuma ishara SIGUSR2 kwa mchakato wa notifyd na kusoma faili iliyozalishwa: `/var/run/notifyd_<pid>.status`:
Majina yanayotumika kwa arifa ni alama za kipekee za DNS za kinyume na wakati arifa inatumwa kwa moja yao, mteja(wateja) ambao wameonyesha wanaweza kushughulikia hiyo watapokea.
Inawezekana kutupa hali ya sasa (na kuona majina yote) kwa kutuma ishara SIGUSR2 kwa mchakato wa notifyd na kusoma faili lililotengenezwa: `/var/run/notifyd_<pid>.status`:
```bash
ps -ef | grep -i notifyd
0 376 1 0 15Mar24 ?? 27:40.97 /usr/sbin/notifyd
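Review bot: `Inawezekana kutupa hali ya sasa` is a regression: `kutupa` means to throw away, while the line it replaces used `kutoa` (to output/dump), which is what sending SIGUSR2 to notifyd and reading `/var/run/notifyd_<pid>.status` actually does; restore `kutoa`. Secondary: the headings in this hunk move to English (`## Preferences`, `## OpenDirectory permissions.plist`, `## System Notifications`, `### Darwin Notifications`) while the neighbouring headings stay in Swahili (`## Taarifa za Kuvutia katika Maktaba`, `### Ujumbe`), so pick one convention per file. In the new permissions.plist section it would help the reader to say that the UUID `ABCDEFAB-CDEF-ABCD-EFAB-CDEF00000000` shown in the XML is the one the file's own comment calls wheel, since the prose only says access is granted "by UUID (not uid)".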
@ -224,11 +266,11 @@ Hizi ni arifa ambazo mtumiaji anapaswa kuona kwenye skrini:
* **`CFUserNotification`**: API hii inatoa njia ya kuonyesha kwenye skrini pop-up yenye ujumbe.
* **Bodi ya Tangazo**: Hii inaonyesha kwenye iOS bendera inayotoweka na itahifadhiwa kwenye Kituo cha Arifa.
* **`NSUserNotificationCenter`**: Hii ni bodi ya tangazo ya iOS kwenye MacOS. Hifadhidata yenye arifa iko katika `/var/folders/<user temp>/0/com.apple.notificationcenter/db2/db`
* **`NSUserNotificationCenter`**: Hii ni bodi ya tangazo ya iOS kwenye MacOS. Hifadhidata ya arifa iko katika `/var/folders/<user temp>/0/com.apple.notificationcenter/db2/db`
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
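Review bot: same relative-path caveat as the header hunk: `../../../.gitbook/assets/` is right for this file's depth, but both the header and footer banners must agree with wherever the file actually lives, so if the page is ever moved both copies have to be updated together.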


@ -0,0 +1,274 @@
# macOS MACF
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## Basic Information
**MACF** inamaanisha **Mandatory Access Control Framework**, ambayo ni mfumo wa usalama uliojengwa ndani ya mfumo wa uendeshaji kusaidia kulinda kompyuta yako. Inafanya kazi kwa kuweka **kanuni kali kuhusu nani au nini kinaweza kufikia sehemu fulani za mfumo**, kama vile faili, programu, na rasilimali za mfumo. Kwa kutekeleza kanuni hizi kiotomatiki, MACF inahakikisha kwamba ni watumiaji na michakato walioidhinishwa pekee wanaweza kufanya vitendo maalum, kupunguza hatari ya ufikiaji usioidhinishwa au shughuli mbaya.
Kumbuka kwamba MACF haifanyi maamuzi yoyote kwani inachukua tu **hatua** za vitendo, inawaachia maamuzi **moduli za sera** (kernel extensions) inazopiga simu kama `AppleMobileFileIntegrity.kext`, `Quarantine.kext`, `Sandbox.kext`, `TMSafetyNet.kext` na `mcxalr.kext`.
### Flow
1. Mchakato unafanya syscall/mach trap
2. Kazi husika inaitwa ndani ya kernel
3. Kazi inaita MACF
4. MACF inakagua moduli za sera ambazo zilitaka kuunganisha kazi hiyo katika sera zao
5. MACF inaita sera husika
6. Sera zinaonyesha kama zinaruhusu au kukataa hatua hiyo
{% hint style="danger" %}
Apple ndiye pekee anayeweza kutumia KPI ya MAC Framework.
{% endhint %}
### Labels
MACF inatumia **labels** ambazo sera zitakazokagua kama zinapaswa kutoa ufikiaji fulani au la. Kanuni ya kutangaza muundo wa labels inaweza kupatikana [hapa](https://github.com/apple-oss-distributions/xnu/blob/94d3b452840153a99b38a3a9659680b2a006908e/security/_label.h), ambayo inatumika ndani ya **`struct ucred`** [**hapa**](https://github.com/apple-oss-distributions/xnu/blob/94d3b452840153a99b38a3a9659680b2a006908e/bsd/sys/ucred.h#L86) katika sehemu ya **`cr_label`**. Label ina bendera na nambari ya **slots** ambazo zinaweza kutumika na **sera za MACF kutoa viashiria**. Kwa mfano, Sanbox itakuwa na kiashiria cha wasifu wa kontena.
## MACF Policies
Sera ya MACF inafafanua **kanuni na masharti yanayopaswa kutumika katika operesheni fulani za kernel**.&#x20;
Kupanua kernel kunaweza kuunda muundo wa `mac_policy_conf` na kisha kujiandikisha kwa kuita `mac_policy_register`. Kutoka [hapa](https://opensource.apple.com/source/xnu/xnu-2050.18.24/security/mac_policy.h.auto.html):
```c
#define mpc_t struct mac_policy_conf *
/**
@brief Mac policy configuration
This structure specifies the configuration information for a
MAC policy module. A policy module developer must supply
a short unique policy name, a more descriptive full name, a list of label
namespaces and count, a pointer to the registered enty point operations,
any load time flags, and optionally, a pointer to a label slot identifier.
The Framework will update the runtime flags (mpc_runtime_flags) to
indicate that the module has been registered.
If the label slot identifier (mpc_field_off) is NULL, the Framework
will not provide label storage for the policy. Otherwise, the
Framework will store the label location (slot) in this field.
The mpc_list field is used by the Framework and should not be
modified by policies.
*/
/* XXX - reorder these for better aligment on 64bit platforms */
struct mac_policy_conf {
const char *mpc_name; /** policy name */
const char *mpc_fullname; /** full name */
const char **mpc_labelnames; /** managed label namespaces */
unsigned int mpc_labelname_count; /** number of managed label namespaces */
struct mac_policy_ops *mpc_ops; /** operation vector */
int mpc_loadtime_flags; /** load time flags */
int *mpc_field_off; /** label slot */
int mpc_runtime_flags; /** run time flags */
mpc_t mpc_list; /** List reference */
void *mpc_data; /** module data */
};
```
It's easy to identify the kernel extensions configuring these policies by checking calls to `mac_policy_register`. Moreover, checking the disassemble of the extension it's also possible to find the used `mac_policy_conf` struct.
Note that MACF policies can be registered and unregistered also **dynamically**.
One of the main fields of the `mac_policy_conf` is the **`mpc_ops`**. This field specifies which operations the policy is interested in. Note that there are hundreds of them, so it's possible to zero all of them and then select just the ones the policy is interested in. From [here](https://opensource.apple.com/source/xnu/xnu-2050.18.24/security/mac_policy.h.auto.html):
Ni rahisi kubaini nyongeza za kernel zinazokamilisha sera hizi kwa kuangalia simu za `mac_policy_register`. Zaidi ya hayo, kuangalia disassemble ya nyongeza pia inawezekana kupata `mac_policy_conf` struct inayotumika.
Kumbuka kwamba sera za MACF zinaweza kuandikishwa na kufutwa pia **kikamilifu**.
Moja ya maeneo makuu ya `mac_policy_conf` ni **`mpc_ops`**. Sehemu hii inaelezea ni shughuli zipi sera inazovutiwa nazo. Kumbuka kwamba kuna mamia yao, hivyo inawezekana kuweka sifuri kwa zote na kisha kuchagua zile tu ambazo sera inavutiwa nazo. Kutoka [hapa](https://opensource.apple.com/source/xnu/xnu-2050.18.24/security/mac_policy.h.auto.html):
```c
struct mac_policy_ops {
mpo_audit_check_postselect_t *mpo_audit_check_postselect;
mpo_audit_check_preselect_t *mpo_audit_check_preselect;
mpo_bpfdesc_label_associate_t *mpo_bpfdesc_label_associate;
mpo_bpfdesc_label_destroy_t *mpo_bpfdesc_label_destroy;
mpo_bpfdesc_label_init_t *mpo_bpfdesc_label_init;
mpo_bpfdesc_check_receive_t *mpo_bpfdesc_check_receive;
mpo_cred_check_label_update_execve_t *mpo_cred_check_label_update_execve;
mpo_cred_check_label_update_t *mpo_cred_check_label_update;
[...]
```
Almost all the hooks will be called back by MACF when one of those operations are intercepted. However, **`mpo_policy_*`** hooks are an exception because `mpo_hook_policy_init()` is a callback called upon registration (so after `mac_policy_register()`) and `mpo_hook_policy_initbsd()` is called during late registration once the BSD subsystem has initialised properly.
Moreover, the **`mpo_policy_syscall`** hook can be registered by any kext to expose a private **ioctl** style call **interface**. Then, a user client will be able to call `mac_syscall` (#381) specifying as parameters the **policy name** with an integer **code** and optional **arguments**.\
For example, the **`Sandbox.kext`** uses this a lot.
Checking the kext's **`__DATA.__const*`** is possible to identify the `mac_policy_ops` structure used when registering the policy. It's possible to find it because its pointer is at an offset inside `mpo_policy_conf` and also because the amount of NULL pointers that will be in that area.
Moreover, it's also possible to get the list of kexts that have configured a policy by dumping from memory the struct **`_mac_policy_list`** which is updated with every policy that is registered.
## MACF Initialization
MACF is initialised very soon. It's set up in XNU's `bootstrap_thread`: after `ipc_bootstrap` a call to `mac_policy_init()` which initializes the `mac_policy_list` and moments later `mac_policy_initmach()` is called. Among other things, this function will get all the Apple kexts with the `AppleSecurityExtension` key in their Info.plist like `ALF.kext`, `AppleMobileFileIntegrity.kext`, `Quarantine.kext`, `Sandbox.kext` and `TMSafetyNet.kext` and loads them.
## MACF Callouts
It's common to find callouts to MACF defined in code like: **`#if CONFIG_MAC`** conditional blocks. Moreover, inside these blocks it's possible to find calls to `mac_proc_check*` which calls MACF to **check for permissions** to perform certain actions. Moreover, the format of the MACF callouts is: **`mac_<object>_<opType>_opName`**.
The object is one of the following: `bpfdesc`, `cred`, `file`, `proc`, `vnode`, `mount`, `devfs`, `ifnet`, `inpcb`, `mbuf`, `ipq`, `pipe`, `sysv[msg/msq/shm/sem]`, `posix[shm/sem]`, `socket`, `kext`.\
The `opType` is usually check which will be used to allow or deny the action. However, it's also possible to find `notify`, which will allow the kext to react to the given action.
You can find an example in [https://github.com/apple-oss-distributions/xnu/blob/94d3b452840153a99b38a3a9659680b2a006908e/bsd/kern/kern\_mman.c#L621](https://github.com/apple-oss-distributions/xnu/blob/94d3b452840153a99b38a3a9659680b2a006908e/bsd/kern/kern\_mman.c#L621):
<pre class="language-c"><code class="lang-c">int
mmap(proc_t p, struct mmap_args *uap, user_addr_t *retval)
{
[...]
#if CONFIG_MACF
<strong> error = mac_file_check_mmap(vfs_context_ucred(ctx),
</strong> fp->fp_glob, prot, flags, file_pos + pageoff,
&#x26;maxprot);
if (error) {
(void)vnode_put(vp);
goto bad;
}
#endif /* MAC */
[...]
</code></pre>
Then, it's possible to find the code of `mac_file_check_mmap` in [https://github.com/apple-oss-distributions/xnu/blob/94d3b452840153a99b38a3a9659680b2a006908e/security/mac\_file.c#L174](https://github.com/apple-oss-distributions/xnu/blob/94d3b452840153a99b38a3a9659680b2a006908e/security/mac\_file.c#L174)
```c
mac_file_check_mmap(struct ucred *cred, struct fileglob *fg, int prot,
int flags, uint64_t offset, int *maxprot)
{
int error;
int maxp;
maxp = *maxprot;
MAC_CHECK(file_check_mmap, cred, fg, NULL, prot, flags, offset, &maxp);
if ((maxp | *maxprot) != *maxprot) {
panic("file_check_mmap increased max protections");
}
*maxprot = maxp;
return error;
}
```
Ambayo inaita `MAC_CHECK` macro, ambayo msimbo wake unaweza kupatikana katika [https://github.com/apple-oss-distributions/xnu/blob/94d3b452840153a99b38a3a9659680b2a006908e/security/mac\_internal.h#L261](https://github.com/apple-oss-distributions/xnu/blob/94d3b452840153a99b38a3a9659680b2a006908e/security/mac\_internal.h#L261)
```c
/*
* MAC_CHECK performs the designated check by walking the policy
* module list and checking with each as to how it feels about the
* request. Note that it returns its value via 'error' in the scope
* of the caller.
*/
#define MAC_CHECK(check, args...) do { \
error = 0; \
MAC_POLICY_ITERATE({ \
if (mpc->mpc_ops->mpo_ ## check != NULL) { \
DTRACE_MACF3(mac__call__ ## check, void *, mpc, int, error, int, MAC_ITERATE_CHECK); \
int __step_err = mpc->mpc_ops->mpo_ ## check (args); \
DTRACE_MACF2(mac__rslt__ ## check, void *, mpc, int, __step_err); \
error = mac_error_select(__step_err, error); \
} \
}); \
} while (0)
```
Ambayo itapitia sera zote za mac zilizorekodiwa ikitumia kazi zao na kuhifadhi matokeo ndani ya mabadiliko ya makosa, ambayo yanaweza kubadilishwa tu na `mac_error_select` kwa nambari za mafanikio hivyo ikiwa ukaguzi wowote unashindwa ukaguzi mzima utashindwa na hatua haitaruhusiwa.
{% hint style="success" %}
Hata hivyo, kumbuka kwamba si kila kito cha MACF kinatumika tu kukataa hatua. Kwa mfano, `mac_priv_grant` inaita macro [**MAC\_GRANT**](https://github.com/apple-oss-distributions/xnu/blob/94d3b452840153a99b38a3a9659680b2a006908e/security/mac\_internal.h#L274), ambayo itatoa kibali kilichohitajika ikiwa sera yoyote itajibu kwa 0:
```c
/*
* MAC_GRANT performs the designated check by walking the policy
* module list and checking with each as to how it feels about the
* request. Unlike MAC_CHECK, it grants if any policies return '0',
* and otherwise returns EPERM. Note that it returns its value via
* 'error' in the scope of the caller.
*/
#define MAC_GRANT(check, args...) do { \
error = EPERM; \
MAC_POLICY_ITERATE({ \
if (mpc->mpc_ops->mpo_ ## check != NULL) { \
DTRACE_MACF3(mac__call__ ## check, void *, mpc, int, error, int, MAC_ITERATE_GRANT); \
int __step_res = mpc->mpc_ops->mpo_ ## check (args); \
if (__step_res == 0) { \
error = 0; \
} \
DTRACE_MACF2(mac__rslt__ ## check, void *, mpc, int, __step_res); \
} \
}); \
} while (0)
```
{% endhint %}
### priv\_check & priv\_grant
Hizi callas zinakusudia kuangalia na kutoa (mifumo ya) **privileges** zilizofafanuliwa katika [**bsd/sys/priv.h**](https://github.com/apple-oss-distributions/xnu/blob/94d3b452840153a99b38a3a9659680b2a006908e/bsd/sys/priv.h).\
Baadhi ya msimbo wa kernel utaita `priv_check_cred()` kutoka [**bsd/kern/kern\_priv.c**](https://github.com/apple-oss-distributions/xnu/blob/94d3b452840153a99b38a3a9659680b2a006908e/bsd/kern/kern\_priv.c) kwa kutumia KAuth credentials za mchakato na moja ya msimbo wa privileges ambayo itaita `mac_priv_check` ili kuona kama sera yoyote **inasitisha** kutoa ile privilege na kisha inaita `mac_priv_grant` ili kuona kama sera yoyote inatoa `privilege`.
### proc\_check\_syscall\_unix
Hii hook inaruhusu kukamata simu zote za mfumo. Katika `bsd/dev/[i386|arm]/systemcalls.c` inawezekana kuona kazi iliyoelezwa [`unix_syscall`](https://github.com/apple-oss-distributions/xnu/blob/94d3b452840153a99b38a3a9659680b2a006908e/bsd/dev/arm/systemcalls.c#L160C1-L167C25), ambayo ina msimbo huu:
```c
#if CONFIG_MACF
if (__improbable(proc_syscall_filter_mask(proc) != NULL && !bitstr_test(proc_syscall_filter_mask(proc), syscode))) {
error = mac_proc_check_syscall_unix(proc, syscode);
if (error) {
goto skip_syscall;
}
}
#endif /* CONFIG_MACF */
```
Ambayo itakagua katika mchakato unaoitwa **bitmask** ikiwa syscall ya sasa inapaswa kuita `mac_proc_check_syscall_unix`. Hii ni kwa sababu syscalls zinaitwa mara nyingi sana kwamba ni muhimu kuepuka kuita `mac_proc_check_syscall_unix` kila wakati.
Kumbuka kwamba kazi `proc_set_syscall_filter_mask()`, ambayo huweka bitmask syscalls katika mchakato inaitwa na Sandbox kuweka masks kwenye michakato iliyowekwa kwenye sandbox.
## Syscalls za MACF zilizofichuliwa
Inawezekana kuingiliana na MACF kupitia syscalls zingine zilizofafanuliwa katika [security/mac.h](https://github.com/apple-oss-distributions/xnu/blob/94d3b452840153a99b38a3a9659680b2a006908e/security/mac.h#L151):
```c
/*
* Extended non-POSIX.1e interfaces that offer additional services
* available from the userland and kernel MAC frameworks.
*/
#ifdef __APPLE_API_PRIVATE
__BEGIN_DECLS
int __mac_execve(char *fname, char **argv, char **envv, mac_t _label);
int __mac_get_fd(int _fd, mac_t _label);
int __mac_get_file(const char *_path, mac_t _label);
int __mac_get_link(const char *_path, mac_t _label);
int __mac_get_pid(pid_t _pid, mac_t _label);
int __mac_get_proc(mac_t _label);
int __mac_set_fd(int _fildes, const mac_t _label);
int __mac_set_file(const char *_path, mac_t _label);
int __mac_set_link(const char *_path, mac_t _label);
int __mac_mount(const char *type, const char *path, int flags, void *data,
struct mac *label);
int __mac_get_mount(const char *path, struct mac *label);
int __mac_set_proc(const mac_t _label);
int __mac_syscall(const char *_policyname, int _call, void *_arg);
__END_DECLS
#endif /*__APPLE_API_PRIVATE*/
```
## References
* [**\*OS Internals Volume III**](https://newosxbook.com/home.html)
{% hint style="success" %}
Jifunze na fanya mazoezi ya AWS Hacking:<img src="../../../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze na fanya mazoezi ya GCP Hacking: <img src="../../../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **fuata** sisi kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
{% endhint %}
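Review bot: the sentence after the `unix_syscall` snippet ("Ambayo itakagua katika mchakato unaoitwa **bitmask** ikiwa syscall ya sasa inapaswa kuita `mac_proc_check_syscall_unix`") leaves the polarity of the filter unstated, while the quoted code only calls `mac_proc_check_syscall_unix` when the process has a filter mask and the bit for `syscode` is *not* set (`!bitstr_test(proc_syscall_filter_mask(proc), syscode)`); in other words, a set bit means the syscall skips the MACF hook. Suggest stating that explicitly, since the next paragraph says `proc_set_syscall_filter_mask()` is what Sandbox uses on sandboxed processes, and a reader auditing which syscalls are still policy-checked will otherwise read the mask backwards. The `priv_check_cred()` paragraph is consistent with the header it links (check via `mac_priv_check`, then grant via `mac_priv_grant`), so no change needed there.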

View file

@ -1,8 +1,8 @@
# macOS Users
# macOS Users & External Accounts
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
Learn & practice AWS Hacking:<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
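Review bot: the asset paths in this hunk move from the root-relative `/.gitbook/assets/...` to `../../.gitbook/assets/...`, which only resolves if this file sits exactly two directories below the repository root; the new macos-macf.md page in the same commit uses `../../../.gitbook/assets/...` for a file one level deeper, so the depth should be checked per file rather than copied, or the root-relative form kept so the footer hint is identical across pages. The title change to `# macOS Users & External Accounts` also needs the matching SUMMARY.md entry and any inbound links updated in the same commit so the sidebar title does not go stale.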
@ -15,15 +15,14 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
</details>
{% endhint %}
## Common Users
### Common Users
* **Daemon**: Mtumiaji aliyehifadhiwa kwa ajili ya daemons za mfumo. Majina ya akaunti za daemon za kawaida huanza kwa "\_":
* **Daemon**: Mtumiaji aliyehifadhiwa kwa ajili ya daemons za mfumo. Majina ya akaunti ya daemon ya kawaida huanza na "\_":
```bash
_amavisd, _analyticsd, _appinstalld, _appleevents, _applepay, _appowner, _appserver, _appstore, _ard, _assetcache, _astris, _atsserver, _avbdeviced, _calendar, _captiveagent, _ces, _clamav, _cmiodalassistants, _coreaudiod, _coremediaiod, _coreml, _ctkd, _cvmsroot, _cvs, _cyrus, _datadetectors, _demod, _devdocs, _devicemgr, _diskimagesiod, _displaypolicyd, _distnote, _dovecot, _dovenull, _dpaudio, _driverkit, _eppc, _findmydevice, _fpsd, _ftp, _fud, _gamecontrollerd, _geod, _hidd, _iconservices, _installassistant, _installcoordinationd, _installer, _jabber, _kadmin_admin, _kadmin_changepw, _knowledgegraphd, _krb_anonymous, _krb_changepw, _krb_kadmin, _krb_kerberos, _krb_krbtgt, _krbfast, _krbtgt, _launchservicesd, _lda, _locationd, _logd, _lp, _mailman, _mbsetupuser, _mcxalr, _mdnsresponder, _mobileasset, _mysql, _nearbyd, _netbios, _netstatistics, _networkd, _nsurlsessiond, _nsurlstoraged, _oahd, _ondemand, _postfix, _postgres, _qtss, _reportmemoryexception, _rmd, _sandbox, _screensaver, _scsd, _securityagent, _softwareupdate, _spotlight, _sshd, _svn, _taskgated, _teamsserver, _timed, _timezone, _tokend, _trustd, _trustevaluationagent, _unknown, _update_sharing, _usbmuxd, _uucp, _warmd, _webauthserver, _windowserver, _www, _wwwproxy, _xserverdocs
```
* **Guest**: Akaunti kwa wageni wenye ruhusa kali sana
* **Guest**: Akaunti ya wageni yenye ruhusa kali sana
```bash
state=("automaticTime" "afpGuestAccess" "filesystem" "guestAccount" "smbGuestAccess")
for i in "${state[@]}"; do sysadminctl -"${i}" status; done;
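Review bot: demoting `## Common Users` to `### Common Users` leaves the page jumping from the H1 title straight to an H3 with no H2 above it, and the heading is still in English while the surrounding text is translated; suggest either keeping it at `##` (level with `## Ruhusa za Mtumiaji` and `## Akaunti za Nje` later in the file) or translating it to match the rest. Minor: the `_`-prefixed account list is fenced as `bash` although it is plain data rather than a command, so a `text` fence would stop it reading as something to run, and "Majina ya akaunti za daemon" (plural concord) reads more naturally than "akaunti ya daemon ya kawaida".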
@ -33,16 +32,21 @@ for i in "${state[@]}"; do sysadminctl -"${i}" status; done;
* **Hakuna mtu**: Mchakato unatekelezwa na mtumiaji huyu wakati ruhusa ndogo zinahitajika
* **Root**
### Ruhusa za Mtumiaji
## Ruhusa za Mtumiaji
* **Mtumiaji wa Kawaida:** Mtumiaji wa msingi zaidi. Mtumiaji huyu anahitaji ruhusa zinazotolewa na mtumiaji wa admin anapojaribu kufunga programu au kufanya kazi nyingine za juu. Hawawezi kufanya hivyo peke yao.
* **Mtumiaji wa Admin**: Mtumiaji ambaye anafanya kazi mara nyingi kama mtumiaji wa kawaida lakini pia anaruhusiwa kufanya vitendo vya root kama vile kufunga programu na kazi nyingine za kiutawala. Watumiaji wote wanaotegemea kundi la admin **wanapewa ufikiaji wa root kupitia faili ya sudoers**.
* **Mtumiaji wa Kawaida:** Mtumiaji wa msingi kabisa. Mtumiaji huyu anahitaji ruhusa zinazotolewa na mtumiaji wa admin anapojaribu kufunga programu au kufanya kazi nyingine za juu. Hawawezi kufanya hivyo peke yao.
* **Mtumiaji wa Admin**: Mtumiaji ambaye anafanya kazi mara nyingi kama mtumiaji wa kawaida lakini pia anaruhusiwa kufanya vitendo vya root kama vile kufunga programu na kazi nyingine za kiutawala. Watumiaji wote wanaotokana na kundi la admin **wanapewa ufikiaji wa root kupitia faili ya sudoers**.
* **Root**: Root ni mtumiaji anayeruhusiwa kufanya karibu kila kitendo (kuna vizuizi vinavyowekwa na ulinzi kama vile Ulinzi wa Uadilifu wa Mfumo).
* Kwa mfano root hataweza kuweka faili ndani ya `/System`
## Akaunti za Nje
MacOS pia inasaidia kuingia kupitia watoa huduma za utambulisho wa nje kama FaceBook, Google... Daemon kuu inayofanya kazi hii ni `accountsd` (`/System/Library/Frameworks/Accounts.framework//Versions/A/Support/accountsd`) na inawezekana kupata plugins zinazotumika kwa uthibitishaji wa nje ndani ya folda `/System/Library/Accounts/Authentication/`.\
Zaidi ya hayo, `accountsd` inapata orodha ya aina za akaunti kutoka `/Library/Preferences/SystemConfiguration/com.apple.accounts.exists.plist`.
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
Learn & practice AWS Hacking:<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
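Review bot: `**Hakuna mtu**` translates the account name `nobody` literally; `nobody` is the actual macOS account name and should stay verbatim (e.g. `**nobody**: Mchakato unatekelezwa ...`) so the reader can match it against real account listings. In the new "Akaunti za Nje" section, the path `/System/Library/Frameworks/Accounts.framework//Versions/A/Support/accountsd` has a doubled `//` that should be a single slash, and `FaceBook` should be `Facebook`. Promoting `### Ruhusa za Mtumiaji` to `##` is fine on its own, but together with the demotion of "Common Users" in the previous hunk the heading levels in this file end up inconsistent (H1, H3, H2, H2).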