From 997f46a6eeb67e36df251218671ec2446dc6f2f5 Mon Sep 17 00:00:00 2001 From: CPol Date: Tue, 9 May 2023 15:44:54 +0000 Subject: [PATCH] GITBOOK-3902: change request with no subject merged in GitBook --- SUMMARY.md | 2 +- .../README.md | 18 ++- ...s-apps-inspecting-debugging-and-fuzzing.md | 150 ++++++++++-------- .../macos-red-teaming.md | 32 ++-- 4 files changed, 109 insertions(+), 93 deletions(-) diff --git a/SUMMARY.md b/SUMMARY.md index a52572a6f..27d90ccf0 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -144,7 +144,7 @@ * [macOS MDM](macos-hardening/macos-security-and-privilege-escalation/macos-mdm/README.md) * [Enrolling Devices in Other Organisations](macos-hardening/macos-security-and-privilege-escalation/macos-mdm/enrolling-devices-in-other-organisations.md) * [macOS Basic Objective-C](macos-hardening/macos-security-and-privilege-escalation/macos-basic-objective-c.md) - * [macOS Protocols](macos-hardening/macos-security-and-privilege-escalation/macos-protocols.md) + * [macOS Network Protocols](macos-hardening/macos-security-and-privilege-escalation/macos-protocols.md) * [macOS Red Teaming](macos-hardening/macos-security-and-privilege-escalation/macos-red-teaming.md) * [macOS Serial Number](macos-hardening/macos-security-and-privilege-escalation/macos-serial-number.md) * [macOS Apps - Inspecting, debugging and Fuzzing](macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing.md) diff --git a/macos-hardening/macos-security-and-privilege-escalation/README.md b/macos-hardening/macos-security-and-privilege-escalation/README.md index fdd130540..84622c434 100644 --- a/macos-hardening/macos-security-and-privilege-escalation/README.md +++ b/macos-hardening/macos-security-and-privilege-escalation/README.md @@ -1,4 +1,4 @@ -# MacOS Security & Privilege Escalation +# macOS Security & Privilege Escalation
@@ -354,6 +354,10 @@ The TCC database is just a **sqlite3 database**, which makes the task of investi This information was [taken from here](https://rainforest.engineering/2021-02-09-macos-tcc/) (read the **original source for more information**). +{% hint style="info" %} +Some TCC permissions are: kTCCServiceAppleEvents, kTCCServiceCalendar, kTCCServicePhotos... However, there is no public list that defines all of them. +{% endhint %} + Some protected directories: * $HOME/Desktop @@ -472,14 +476,20 @@ This post about a **SIP bypass vulnerability** is also very interesting: [https: When checking some **malware sample** you should always **check the signature** of the binary as the **developer** that signed it may be already **related** with **malware.** ```bash -#Get signer +# Get signer codesign -vv -d /bin/ls 2>&1 | grep -E "Authority|TeamIdentifier" -#Check if the app’s contents have been modified +# Check if the app’s contents have been modified codesign --verify --verbose /Applications/Safari.app -#Check if the signature is valid +# Get entitlements from the binary +codesign -d --entitlements :- /System/Applications/Automator.app # Check the TCC perms + +# Check if the signature is valid spctl --assess --verbose /Applications/Safari.app + +# Sign a binary +codesign -s toolsdemo ``` ### Sealed Snapshots diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing.md b/macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing.md index ef57bf5dd..b06d21121 100644 --- a/macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing.md +++ b/macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing.md @@ -1,37 +1,58 @@ - +# macOS Apps - Inspecting, debugging and Fuzzing
☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥 -- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! - -- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) - -- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) - -- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** - -- **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) +* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.** +* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
+## Static Analysis -# Static Analysis - -## otool +### otool ```bash otool -L /bin/ls #List dynamically linked libraries otool -tv /bin/ps #Decompile application ``` -## SuspiciousPackage +### objdump + +```bash +objdump -m --dylibs-used /bin/ls #List dynamically linked libraries +objdump -m -h /bin/ls # Get headers information +objdump -m --syms /bin/ls # Check if the symbol table exists to get function names +objdump -m --full-contents /bin/ls # Dump every section +objdump -d /bin/ls # Dissasemble the binary +``` + +### jtool2 + +The tool can be used as a **replacement** for **codesign**, **otool**, and **objdump**, and provides a few additional features. + +```bash +# Install +brew install --cask jtool2 + +jtool2 -l /bin/ls # Get commands (headers) +jtool2 -L /bin/ls # Get libraries +jtool2 -S /bin/ls # Get symbol info + +# +ARCH=x86_64 jtool2 --sig /System/Applications/Automator.app/Contents/MacOS/Automator +``` + +### SuspiciousPackage [**SuspiciousPackage**](https://mothersruin.com/software/SuspiciousPackage/get.html) is a tool useful to inspect **.pkg** files (installers) and see what is inside before installing it.\ These installers have `preinstall` and `postinstall` bash scripts that malware authors usually abuse to **persist** **the** **malware**. -## hdiutil +### hdiutil This tool allows to **mount** Apple disk images (**.dmg**) files to inspect them before running anything: @@ -41,7 +62,7 @@ hdiutil attach ~/Downloads/Firefox\ 58.0.2.dmg It will be mounted in `/Volumes` -## Objective-C +### Objective-C When a function is called in a binary that uses objective-C, the compiled code instead of calling that function, it will call **`objc_msgSend`**. Which will be calling the final function: @@ -49,7 +70,7 @@ When a function is called in a binary that uses objective-C, the compiled code i The params this function expects are: -* The first parameter (**self**) is "a pointer that points to the **instance of the class that is to receive the message**". Or more simply put, it’s the object that the method is being invoked upon. If the method is a class method, this will be an instance of the class object (as a whole), whereas for an instance method, self will point to an instantiated instance of the class as an object. +* The first parameter (**self**) is "a pointer that points to the **instance of the class that is to receive the message**". Or more simply put, it’s the object that the method is being invoked upon. If the method is a class method, this will be an instance of the class object (as a whole), whereas for an instance method, self will point to an instantiated instance of the class as an object. * The second parameter, (**op**), is "the selector of the method that handles the message". Again, more simply put, this is just the **name of the method.** * The remaining parameters are any **values that are required by the method** (op). @@ -63,13 +84,13 @@ The params this function expects are: | **6th argument** | **r9** | **4th argument to the method** | | **7th+ argument** |

rsp+
(on the stack)

| **5th+ argument to the method** | -## Packed binaries +### Packed binaries * Check for high entropy * Check the strings (is there is almost no understandable string, packed) * The UPX packer for MacOS generates a section called "\_\_XHDR" -# Dynamic Analysis +## Dynamic Analysis {% hint style="warning" %} Note that in order to debug binaries, **SIP needs to be disabled** (`csrutil disable` or `csrutil enable --without debug`) or to copy the binaries to a temporary folder and **remove the signature** with `codesign --remove-signature ` or allow the debugging of the binary (you can use [this script](https://gist.github.com/carlospolop/a66b8d72bb8f43913c4b5ae45672578b)) @@ -79,14 +100,14 @@ Note that in order to debug binaries, **SIP needs to be disabled** (`csrutil dis Note that in order to **instrument system binarie**s, (such as `cloudconfigurationd`) on macOS, **SIP must be disabled** (just removing the signature won't work). {% endhint %} -## dtruss +### dtruss ```bash dtruss -c ls #Get syscalls of ls dtruss -c -p 1000 #get syscalls of PID 1000 ``` -## ktrace +### ktrace You can use this one even with **SIP activated** @@ -94,7 +115,7 @@ You can use this one even with **SIP activated** ktrace trace -s -S -t c -c ls | grep "ls(" ``` -## dtrace +### dtrace It allows users access to applications at an extremely **low level** and provides a way for users to **trace** **programs** and even change their execution flow. Dtrace uses **probes** which are **placed throughout the kernel** and are at locations such as the beginning and end of system calls. @@ -114,7 +135,7 @@ The probe name consists of four parts: the provider, module, function, and name A more detailed explanation and more examples can be found in [https://illumos.org/books/dtrace/chp-intro.html](https://illumos.org/books/dtrace/chp-intro.html) -### Examples +#### Examples * In line @@ -163,15 +184,15 @@ syscall:::return sudo dtrace -s syscalls_info.d -c "cat /etc/hosts" ``` -## ProcessMonitor +### ProcessMonitor [**ProcessMonitor**](https://objective-see.com/products/utilities.html#ProcessMonitor) is a very useful tool to check the process related actions a process is performing (for example, monitor which new processes a process is creating). -## FileMonitor +### FileMonitor [**FileMonitor**](https://objective-see.com/products/utilities.html#FileMonitor) allows to monitor file events (such as creation, modifications, and deletions) providing detailed information about such events. -## fs\_usage +### fs\_usage Allows to follow actions performed by processes: @@ -180,12 +201,12 @@ fs_usage -w -f filesys ls #This tracks filesystem actions of proccess names cont fs_usage -w -f network curl #This tracks network actions ``` -## TaskExplorer +### TaskExplorer [**Taskexplorer**](https://objective-see.com/products/taskexplorer.html) is useful to see the **libraries** used by a binary, the **files** it's using and the **network** connections.\ It also checks the binary processes against **virustotal** and show information about the binary. -## lldb +### lldb **lldb** is the de **facto tool** for **macOS** binary **debugging**. @@ -196,22 +217,22 @@ lldb -n malware.bin lldb -n malware.bin --waitfor ``` -| **(lldb) Command** | **Description** | -| ----------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| **run (r)** | Starting execution, which will continue unabated until a breakpoint is hit or the process terminates. | -| **continue (c)** | Continue execution of the debugged process. | -| **nexti (n)** | Execute the next instruction. This command will skip over function calls. | -| **stepi (s)** | Execute the next instruction. Unlike the nexti command, this command will step into function calls. | -| **finish (f)** | Execute the rest of the instructions in the current function (“frame”) return and halt. | -| **control + c** | Pause execution. If the process has been run (r) or continued (c), this will cause the process to halt ...wherever it is currently executing. | -| **breakpoint (b)** |

b main

b -[NSDictionary objectForKey:]

b 0x0000000100004bd9

br l #Breakpoint list

br e/dis <num> #Enable/Disable breakpoint

breakpoint delete <num>

| -| **help** |

help breakpoint #Get help of breakpoint command

help memory write #Get help to write into the memory

| -| **reg** |

reg read $rax

reg write $rip 0x100035cc0

| -| **x/s \** | Display the memory as a null-terminated string. | -| **x/i \** | Display the memory as assembly instruction. | -| **x/b \** | Display the memory as byte. | -| **print object (po)** |

This will print the object referenced by the param

po $raw

{

dnsChanger = {

"affiliate" = "";

"blacklist_dns" = ();

Note that most of Apple’s Objective-C APIs or methods return objects, and thus should be displayed via the “print object” (po) command. If po doesn't produce a meaningful output use x/b

| -| **memory write** | memory write 0x100600000 -s 4 0x41414141 #Write AAAA in that address | +| **(lldb) Command** | **Description** | +| ----------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| **run (r)** | Starting execution, which will continue unabated until a breakpoint is hit or the process terminates. | +| **continue (c)** | Continue execution of the debugged process. | +| **nexti (n)** | Execute the next instruction. This command will skip over function calls. | +| **stepi (s)** | Execute the next instruction. Unlike the nexti command, this command will step into function calls. | +| **finish (f)** | Execute the rest of the instructions in the current function (“frame”) return and halt. | +| **control + c** | Pause execution. If the process has been run (r) or continued (c), this will cause the process to halt ...wherever it is currently executing. | +| **breakpoint (b)** |

b main

b -[NSDictionary objectForKey:]

b 0x0000000100004bd9

br l #Breakpoint list

br e/dis <num> #Enable/Disable breakpoint

breakpoint delete <num>

| +| **help** |

help breakpoint #Get help of breakpoint command

help memory write #Get help to write into the memory

| +| **reg** |

reg read $rax

reg write $rip 0x100035cc0

| +| **x/s \** | Display the memory as a null-terminated string. | +| **x/i \** | Display the memory as assembly instruction. | +| **x/b \** | Display the memory as byte. | +| **print object (po)** |

This will print the object referenced by the param

po $raw

{

dnsChanger = {

"affiliate" = "";

"blacklist_dns" = ();

Note that most of Apple’s Objective-C APIs or methods return objects, and thus should be displayed via the “print object” (po) command. If po doesn't produce a meaningful output use x/b

| +| **memory write** | memory write 0x100600000 -s 4 0x41414141 #Write AAAA in that address | {% hint style="info" %} When calling the **`objc_sendMsg`** function, the **rsi** register holds the **name of the method** as a null-terminated (“C”) string. To print the name via lldb do: @@ -221,12 +242,12 @@ When calling the **`objc_sendMsg`** function, the **rsi** register holds the **n `(lldb) print (char*)$rsi:`\ `(char *) $1 = 0x00000001000f1576 "startMiningWithPort:password:coreCount:slowMemory:currency:"` -`(lldb) reg read $rsi: rsi = 0x00000001000f1576 "startMiningWithPort:password:coreCount:slowMemory:currency:"` +`(lldb) reg read $rsi: rsi = 0x00000001000f1576 "startMiningWithPort:password:coreCount:slowMemory:currency:"` {% endhint %} -## Anti-Dynamic Analysis +### Anti-Dynamic Analysis -### VM detection +#### VM detection * The command **`sysctl hw.model`** returns "Mac" when the **host is a MacOS** but something different when it's a VM. * Playing with the values of **`hw.logicalcpu`** and **`hw.physicalcpu`** some malwares try to detect if it's a VM. @@ -234,13 +255,13 @@ When calling the **`objc_sendMsg`** function, the **rsi** register holds the **n * It's also possible to find **if a process is being debugged** with a simple code such us: * `if(P_TRACED == (info.kp_proc.p_flag & P_TRACED)){ //process being debugged }` * It can also invoke the **`ptrace`** system call with the **`PT_DENY_ATTACH`** flag. This **prevents** a deb**u**gger from attaching and tracing. - * You can check if the **`sysctl` ** or**`ptrace`** function is being **imported** (but the malware could import it dynamically) + * You can check if the **`sysctl` \*\* or**`ptrace`\*\* function is being **imported** (but the malware could import it dynamically) * As noted in this writeup, “[Defeating Anti-Debug Techniques: macOS ptrace variants](https://alexomara.com/blog/defeating-anti-debug-techniques-macos-ptrace-variants/)” :\ “_The message Process # exited with **status = 45 (0x0000002d)** is usually a tell-tale sign that the debug target is using **PT\_DENY\_ATTACH**_” -# Fuzzing +## Fuzzing -## [ReportCrash](https://ss64.com/osx/reportcrash.html#:\~:text=ReportCrash%20analyzes%20crashing%20processes%20and%20saves%20a%20crash%20report%20to%20disk.\&text=ReportCrash%20also%20records%20the%20identity,when%20a%20crash%20is%20detected.) +### [ReportCrash](https://ss64.com/osx/reportcrash.html) ReportCrash **analyzes crashing processes and saves a crash report to disk**. A crash report contains information that can **help a developer diagnose** the cause of a crash.\ For applications and other processes **running in the per-user launchd context**, ReportCrash runs as a LaunchAgent and saves crash reports in the user's `~/Library/Logs/DiagnosticReports/`\ @@ -258,7 +279,7 @@ launchctl load -w /System/Library/LaunchAgents/com.apple.ReportCrash.plist sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.ReportCrash.Root.plist ``` -## Sleep +### Sleep While fuzzing in a MacOS it's important to not allow the Mac to sleep: @@ -266,7 +287,7 @@ While fuzzing in a MacOS it's important to not allow the Mac to sleep: * pmset, System Preferences * [KeepingYouAwake](https://github.com/newmarcel/KeepingYouAwake) -### SSH Disconnect +#### SSH Disconnect If you are fuzzing via a SSH connection it's important to make sure the session isn't going to day. So change the sshd\_config file with: @@ -279,11 +300,11 @@ sudo launchctl unload /System/Library/LaunchDaemons/ssh.plist sudo launchctl load -w /System/Library/LaunchDaemons/ssh.plist ``` -## Internal Handlers +### Internal Handlers [**Checkout this section**](./#file-extensions-apps) to find out how you can find which app is responsible of **handling the specified scheme or protocol**. -## Enumerating Network Processes +### Enumerating Network Processes This interesting to find processes that are managing network data: @@ -296,33 +317,26 @@ cat procs.txt Or use `netstat` or `lsof` -## More Fuzzing MacOS Info +### More Fuzzing MacOS Info * [https://github.com/bnagy/slides/blob/master/OSXScale.pdf](https://github.com/bnagy/slides/blob/master/OSXScale.pdf) * [https://github.com/bnagy/francis/tree/master/exploitaben](https://github.com/bnagy/francis/tree/master/exploitaben) * [https://github.com/ant4g0nist/crashwrangler](https://github.com/ant4g0nist/crashwrangler) -# References +## References * [**OS X Incident Response: Scripting and Analysis**](https://www.amazon.com/OS-Incident-Response-Scripting-Analysis-ebook/dp/B01FHOHHVS) * [**https://www.youtube.com/watch?v=T5xfL9tEg44**](https://www.youtube.com/watch?v=T5xfL9tEg44) * [**https://taomm.org/vol1/analysis.html**](https://taomm.org/vol1/analysis.html) -
☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥 -- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! - -- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) - -- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) - -- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** - -- **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) +* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.** +* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
- - diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-red-teaming.md b/macos-hardening/macos-security-and-privilege-escalation/macos-red-teaming.md index 997e55cb1..625624428 100644 --- a/macos-hardening/macos-security-and-privilege-escalation/macos-red-teaming.md +++ b/macos-hardening/macos-security-and-privilege-escalation/macos-red-teaming.md @@ -1,18 +1,14 @@ -# MacOS Red Teaming +# macOS Red Teaming
☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥 -- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! - -- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) - -- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) - -- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** - -- **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) +* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.** +* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
@@ -78,7 +74,7 @@ The three types of MacOS users are: * **Mobile Users** — Active Directory users with a local backup for their credentials and files. The local information about users and groups is stored in in the folder _/var/db/dslocal/nodes/Default._\ -\_\_For example, the info about user called _mark_ is stored in _/var/db/dslocal/nodes/Default/users/mark.plist_ and the info about the group _admin_ is in _/var/db/dslocal/nodes/Default/groups/admin.plist_. +For example, the info about user called _mark_ is stored in _/var/db/dslocal/nodes/Default/users/mark.plist_ and the info about the group _admin_ is in _/var/db/dslocal/nodes/Default/groups/admin.plist_. In addition to using the HasSession and AdminTo edges, **MacHound adds three new edges** to the Bloodhound database: @@ -128,14 +124,10 @@ MacOS Red Teaming is different from a regular Windows Red Teaming as usually **M ☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥 -- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! - -- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) - -- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) - -- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** - -- **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) +* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.** +* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).