mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-25 14:10:41 +00:00
GITBOOK-3965: change request with no subject merged in GitBook
This commit is contained in:
parent
2f0f8ff2dd
commit
f06b553ee0
11 changed files with 588 additions and 38 deletions
35
SUMMARY.md
35
SUMMARY.md
|
@ -139,12 +139,22 @@
|
||||||
## 🍏 MacOS Hardening
|
## 🍏 MacOS Hardening
|
||||||
|
|
||||||
* [macOS Security & Privilege Escalation](macos-hardening/macos-security-and-privilege-escalation/README.md)
|
* [macOS Security & Privilege Escalation](macos-hardening/macos-security-and-privilege-escalation/README.md)
|
||||||
* [macOS Users](macos-hardening/macos-security-and-privilege-escalation/macos-users.md)
|
* [macOS Apps - Inspecting, debugging and Fuzzing](macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/README.md)
|
||||||
|
* [Introduction to ARM64](macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md)
|
||||||
|
* [macOS AppleFS](macos-hardening/macos-security-and-privilege-escalation/macos-applefs.md)
|
||||||
|
* [macOS Kernel](macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/README.md)
|
||||||
|
* [macOS Kernel Extensions](macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-extensions.md)
|
||||||
|
* [macOS MDM](macos-hardening/macos-security-and-privilege-escalation/macos-mdm/README.md)
|
||||||
|
* [Enrolling Devices in Other Organisations](macos-hardening/macos-security-and-privilege-escalation/macos-mdm/enrolling-devices-in-other-organisations.md)
|
||||||
|
* [macOS Serial Number](macos-hardening/macos-security-and-privilege-escalation/macos-mdm/macos-serial-number.md)
|
||||||
|
* [macOS Network Services & Protocols](macos-hardening/macos-security-and-privilege-escalation/macos-protocols.md)
|
||||||
|
* [macOS File Extension Apps](macos-hardening/macos-security-and-privilege-escalation/macos-file-extension-apps.md)
|
||||||
* [macOS Files, Folders, Binaries & Memory](macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/README.md)
|
* [macOS Files, Folders, Binaries & Memory](macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/README.md)
|
||||||
* [macOS Bundles](macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-bundles.md)
|
* [macOS Bundles](macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-bundles.md)
|
||||||
* [macOS Memory Dumping](macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-memory-dumping.md)
|
* [macOS Memory Dumping](macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-memory-dumping.md)
|
||||||
* [macOS Sensitive Locations](macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-sensitive-locations.md)
|
* [macOS Sensitive Locations](macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-sensitive-locations.md)
|
||||||
* [macOS Universal binaries & Mach-O Format](macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/universal-binaries-and-mach-o-format.md)
|
* [macOS Universal binaries & Mach-O Format](macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/universal-binaries-and-mach-o-format.md)
|
||||||
|
* [macOS Objective-C](macos-hardening/macos-security-and-privilege-escalation/macos-basic-objective-c.md)
|
||||||
* [macOS Proces Abuse](macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/README.md)
|
* [macOS Proces Abuse](macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/README.md)
|
||||||
* [macOS IPC - Inter Process Communication](macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/README.md)
|
* [macOS IPC - Inter Process Communication](macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/README.md)
|
||||||
* [macOS XPC Connecting Process Check](macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/macos-xpc-connecting-process-check.md)
|
* [macOS XPC Connecting Process Check](macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/macos-xpc-connecting-process-check.md)
|
||||||
|
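Review bot: the `@ -139,12 +139,22 @@` hunk of SUMMARY.md only reorders existing sidebar entries (macOS Users, macOS Apps - Inspecting, debugging and Fuzzing, Introduction to ARM64, macOS AppleFS, macOS Kernel, macOS Kernel Extensions, macOS MDM with its two sub-pages, Network Services & Protocols, File Extension Apps, Objective-C), but the rendered diff drops indentation, so please confirm the nesting levels survived the move: `Introduction to ARM64` must sit one level under `macOS Apps - Inspecting, debugging and Fuzzing`, `macOS Kernel Extensions` under `macOS Kernel`, and `Enrolling Devices in Other Organisations` / `macOS Serial Number` under `macOS MDM`, matching the directory layout visible in their paths. GitBook builds the sidebar tree from that indentation, so a flattened entry silently changes the book structure.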
@ -153,22 +163,15 @@
|
||||||
* [macOS Function Hooking](macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-function-hooking.md)
|
* [macOS Function Hooking](macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-function-hooking.md)
|
||||||
* [macOS Library Injection](macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-library-injection/README.md)
|
* [macOS Library Injection](macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-library-injection/README.md)
|
||||||
* [macOS Dyld Hijacking & DYLD\_INSERT\_LIBRARIES](macos-hardening/macos-security-and-privilege-escalation/macos-dyld-hijacking-and-dyld\_insert\_libraries.md)
|
* [macOS Dyld Hijacking & DYLD\_INSERT\_LIBRARIES](macos-hardening/macos-security-and-privilege-escalation/macos-dyld-hijacking-and-dyld\_insert\_libraries.md)
|
||||||
* [macOS AppleFS](macos-hardening/macos-security-and-privilege-escalation/macos-applefs.md)
|
* [macOS Security Protections](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/README.md)
|
||||||
* [macOS Kernel](macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/README.md)
|
* [macOS SIP](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sip.md)
|
||||||
* [macOS Kernel Extensions](macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-extensions.md)
|
* [macOS Sandbox](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/README.md)
|
||||||
* [macOS MDM](macos-hardening/macos-security-and-privilege-escalation/macos-mdm/README.md)
|
* [macOS Sandbox Debug & Bypass](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/macos-sandbox-debug-and-bypass.md)
|
||||||
* [Enrolling Devices in Other Organisations](macos-hardening/macos-security-and-privilege-escalation/macos-mdm/enrolling-devices-in-other-organisations.md)
|
* [macOS TCC](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/README.md)
|
||||||
* [macOS Serial Number](macos-hardening/macos-security-and-privilege-escalation/macos-mdm/macos-serial-number.md)
|
* [macOS Apple Scripts](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-apple-scripts.md)
|
||||||
* [macOS Objective-C](macos-hardening/macos-security-and-privilege-escalation/macos-basic-objective-c.md)
|
* [macOS Users](macos-hardening/macos-security-and-privilege-escalation/macos-users.md)
|
||||||
* [macOS Network Services & Protocols](macos-hardening/macos-security-and-privilege-escalation/macos-protocols.md)
|
|
||||||
* [macOS File Extension Apps](macos-hardening/macos-security-and-privilege-escalation/macos-file-extension-apps.md)
|
|
||||||
* [macOS TCC](macos-hardening/macos-security-and-privilege-escalation/macos-tcc.md)
|
|
||||||
* [macOS Apple Scripts](macos-hardening/macos-security-and-privilege-escalation/macos-tcc/macos-apple-scripts.md)
|
|
||||||
* [macOS Sandbox](macos-hardening/macos-security-and-privilege-escalation/macos-sandbox/README.md)
|
|
||||||
* [macOS Sandbox Debug & Bypass](macos-hardening/macos-security-and-privilege-escalation/macos-sandbox/macos-sandbox-debug-and-bypass.md)
|
|
||||||
* [macOS Apps - Inspecting, debugging and Fuzzing](macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/README.md)
|
|
||||||
* [Introduction to ARM64](macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md)
|
|
||||||
* [macOS Red Teaming](macos-hardening/macos-security-and-privilege-escalation/macos-red-teaming.md)
|
* [macOS Red Teaming](macos-hardening/macos-security-and-privilege-escalation/macos-red-teaming.md)
|
||||||
|
* [macOS Useful Commands](macos-hardening/macos-useful-commands.md)
|
||||||
* [macOS Auto Start Locations](macos-hardening/macos-auto-start-locations.md)
|
* [macOS Auto Start Locations](macos-hardening/macos-auto-start-locations.md)
|
||||||
|
|
||||||
## 🪟 Windows Hardening
|
## 🪟 Windows Hardening
|
||||||
|
|
|
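Review bot: this hunk swaps `macos-tcc.md`, `macos-tcc/macos-apple-scripts.md`, `macos-sandbox/README.md` and `macos-sandbox/macos-sandbox-debug-and-bypass.md` for entries under `macos-security-protections/`, and the TCC page changes shape from a single file (`macos-tcc.md`) to a directory README (`macos-security-protections/macos-tcc/README.md`); a SUMMARY edit does not move files, so the same commit must carry those renames or every one of these sidebar links resolves to nothing. The new `macOS SIP` entry (`macos-security-protections/macos-sip.md`) is only valid because that file is added elsewhere in this commit. Also grep the rest of the book for the old targets (`macos-tcc.md`, `macos-sandbox/`, `macos-tcc/macos-apple-scripts.md`): the README hunks in this commit update some callers, but any content-ref not touched here will now be a broken reference again.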
@ -72,8 +72,8 @@ In companies **macOS** systems are highly probably going to be **managed with a
|
||||||
|
|
||||||
## MacOS Security Protections
|
## MacOS Security Protections
|
||||||
|
|
||||||
{% content-ref url="broken-reference" %}
|
{% content-ref url="macos-security-protections/" %}
|
||||||
[Broken link](broken-reference)
|
[macos-security-protections](macos-security-protections/)
|
||||||
{% endcontent-ref %}
|
{% endcontent-ref %}
|
||||||
|
|
||||||
## Attack Surface
|
## Attack Surface
|
||||||
|
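Review bot: pointing the former `broken-reference` content-ref at `macos-security-protections/` resolves it against the README added in this commit, so the link is correct; while this section is being touched, the heading `## MacOS Security Protections` directly above disagrees with the target page's own title `# macOS Security Protections` (and with `macOS` everywhere else in the book), so consider aligning it to `macOS` in the same change.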
@ -92,18 +92,18 @@ Being able to **create a file** that is going to be **used by root**, allows a u
|
||||||
|
|
||||||
### Entitlements and Privileges abuse via process abuse
|
### Entitlements and Privileges abuse via process abuse
|
||||||
|
|
||||||
If a process can **inject code in another process with better privileges or entitlements** or contact it to perform privileges actions, he could escalate privileges and bypass defensive meassures such as [Sandbox](macos-sandbox/) or [TCC](macos-tcc.md).
|
If a process can **inject code in another process with better privileges or entitlements** or contact it to perform privileges actions, he could escalate privileges and bypass defensive meassures such as [Sandbox](macos-security-protections/macos-sandbox/) or [TCC](macos-security-protections/macos-tcc/).
|
||||||
|
|
||||||
{% content-ref url="broken-reference" %}
|
{% content-ref url="macos-proces-abuse/" %}
|
||||||
[Broken link](broken-reference)
|
[macos-proces-abuse](macos-proces-abuse/)
|
||||||
{% endcontent-ref %}
|
{% endcontent-ref %}
|
||||||
|
|
||||||
### File Extension Apps
|
### File Extension Apps
|
||||||
|
|
||||||
Weird apps registered by file extensions could be abused:
|
Weird apps registered by file extensions could be abused:
|
||||||
|
|
||||||
{% content-ref url="broken-reference" %}
|
{% content-ref url="macos-file-extension-apps.md" %}
|
||||||
[Broken link](broken-reference)
|
[macos-file-extension-apps.md](macos-file-extension-apps.md)
|
||||||
{% endcontent-ref %}
|
{% endcontent-ref %}
|
||||||
|
|
||||||
### URL handler applications
|
### URL handler applications
|
||||||
|
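Review bot: the sentence beginning `If a process can **inject code in another process ...**` is modified in this hunk, so fix its wording in the same change rather than shipping a touched line with the old typos: `perform privileges actions` → `perform privileged actions`, `he could escalate privileges` → `it could escalate privileges`, and `defensive meassures` → `defensive measures`. The new link targets (`macos-security-protections/macos-sandbox/` and `macos-security-protections/macos-tcc/`) match the SUMMARY entries added in this commit, as do the `macos-proces-abuse/` and `macos-file-extension-apps.md` content-refs that replace `broken-reference`.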
@ -145,8 +145,8 @@ A more detailed explanation can be [**found in the original report**](https://th
|
||||||
|
|
||||||
### Sensitive Information
|
### Sensitive Information
|
||||||
|
|
||||||
{% content-ref url="broken-reference" %}
|
{% content-ref url="macos-files-folders-and-binaries/macos-sensitive-locations.md" %}
|
||||||
[Broken link](broken-reference)
|
[macos-sensitive-locations.md](macos-files-folders-and-binaries/macos-sensitive-locations.md)
|
||||||
{% endcontent-ref %}
|
{% endcontent-ref %}
|
||||||
|
|
||||||
### Linux Privesc
|
### Linux Privesc
|
||||||
|
|
|
@ -0,0 +1,203 @@
|
||||||
|
# macOS Security Protections
|
||||||
|
|
||||||
|
<details>
|
||||||
|
|
||||||
|
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||||||
|
|
||||||
|
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||||
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||||
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
|
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
||||||
|
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||||||
|
|
||||||
|
</details>
|
||||||
|
|
||||||
|
## Gatekeeper
|
||||||
|
|
||||||
|
**Gatekeeper** is a security feature developed for Mac operating systems, designed to ensure that users **run only trusted software** on their systems. It functions by **validating software** that a user downloads and attempts to open from **sources outside the App Store**, such as an app, a plug-in, or an installer package.
|
||||||
|
|
||||||
|
The key mechanism of Gatekeeper lies in its **verification** process. It checks if the downloaded software is **signed by a recognized developer**, ensuring the software's authenticity. Further, it ascertains whether the software is **notarised by Apple**, confirming that it is devoid of known malicious content and has not been tampered with after notarisation.
|
||||||
|
|
||||||
|
Additionally, Gatekeeper reinforces user control and security by **prompting users to approve the opening** of downloaded software for the first time. This safeguard helps prevent users from inadvertently running potentially harmful executable code that they may have mistaken for a harmless data file.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
# Check the status
|
||||||
|
spctl --status
|
||||||
|
# Enable Gatekeeper
|
||||||
|
sudo spctl --master-enable
|
||||||
|
# Disable Gatekeeper
|
||||||
|
sudo spctl --master-disable
|
||||||
|
```
|
||||||
|
|
||||||
|
### Application Signatures
|
||||||
|
|
||||||
|
Application signatures, also known as code signatures, are a critical component of Apple's security infrastructure. They're used to **verify the identity of the software author** (the developer) and to ensure that the code hasn't been tampered with since it was last signed.
|
||||||
|
|
||||||
|
Here's how it works:
|
||||||
|
|
||||||
|
1. **Signing the Application:** When a developer is ready to distribute their application, they **sign the application using a private key**. This private key is associated with a **certificate that Apple issues to the developer** when they enroll in the Apple Developer Program. The signing process involves creating a cryptographic hash of all parts of the app and encrypting this hash with the developer's private key.
|
||||||
|
2. **Distributing the Application:** The signed application is then distributed to users along with the developer's certificate, which contains the corresponding public key.
|
||||||
|
3. **Verifying the Application:** When a user downloads and attempts to run the application, their Mac operating system uses the public key from the developer's certificate to decrypt the hash. It then recalculates the hash based on the current state of the application and compares this with the decrypted hash. If they match, it means **the application hasn't been modified** since the developer signed it, and the system permits the application to run.
|
||||||
|
|
||||||
|
Application signatures are an essential part of Apple's Gatekeeper technology. When a user attempts to **open an application downloaded from the internet**, Gatekeeper verifies the application signature. If it's signed with a certificate issued by Apple to a known developer and the code hasn't been tampered with, Gatekeeper permits the application to run. Otherwise, it blocks the application and alerts the user.
|
||||||
|
|
||||||
|
Starting from macOS Catalina, **Gatekeeper also checks whether the application has been notarized** by Apple, adding an extra layer of security. The notarization process checks the application for known security issues and malicious code, and if these checks pass, Apple adds a ticket to the application that Gatekeeper can verify.
|
||||||
|
|
||||||
|
#### Check Signatures
|
||||||
|
|
||||||
|
When checking some **malware sample** you should always **check the signature** of the binary as the **developer** that signed it may be already **related** with **malware.**
|
||||||
|
|
||||||
|
```bash
|
||||||
|
# Get signer
|
||||||
|
codesign -vv -d /bin/ls 2>&1 | grep -E "Authority|TeamIdentifier"
|
||||||
|
|
||||||
|
# Check if the app’s contents have been modified
|
||||||
|
codesign --verify --verbose /Applications/Safari.app
|
||||||
|
|
||||||
|
# Get entitlements from the binary
|
||||||
|
codesign -d --entitlements :- /System/Applications/Automator.app # Check the TCC perms
|
||||||
|
|
||||||
|
# Check if the signature is valid
|
||||||
|
spctl --assess --verbose /Applications/Safari.app
|
||||||
|
|
||||||
|
# Sign a binary
|
||||||
|
codesign -s <cert-name-keychain> toolsdemo
|
||||||
|
```
|
||||||
|
|
||||||
|
### Notarization
|
||||||
|
|
||||||
|
Apple's notarization process serves as an additional safeguard to protect users from potentially harmful software. It involves the **developer submitting their application for examination** by **Apple's Notary Service**, which should not be confused with App Review. This service is an **automated system** that scrutinizes the submitted software for the presence of **malicious content** and any potential issues with code-signing.
|
||||||
|
|
||||||
|
If the software **passes** this inspection without raising any concerns, the Notary Service generates a notarization ticket. The developer is then required to **attach this ticket to their software**, a process known as 'stapling.' Furthermore, the notarization ticket is also published online where Gatekeeper, Apple's security technology, can access it.
|
||||||
|
|
||||||
|
Upon the user's first installation or execution of the software, the existence of the notarization ticket - whether stapled to the executable or found online - **informs Gatekeeper that the software has been notarized by Apple**. As a result, Gatekeeper displays a descriptive message in the initial launch dialog, indicating that the software has undergone checks for malicious content by Apple. This process thereby enhances user confidence in the security of the software they install or run on their systems.
|
||||||
|
|
||||||
|
### Quarentine Files
|
||||||
|
|
||||||
|
Upon **downloading** an application or file, specific macOS **applications** such as web browsers or email clients **attach an extended file attribute**, commonly known as the "**quarantine flag**," to the downloaded file. This attribute acts as a security measure to **mark the file** as coming from an untrusted source (the internet), and potentially carrying risks. However, not all applications attach this attribute, for instance, common BitTorrent client software usually bypasses this process.
|
||||||
|
|
||||||
|
**The presence of a quarantine flag signals macOS's Gatekeeper security feature when a user attempts to execute the file**.
|
||||||
|
|
||||||
|
In the case where the **quarantine flag is not present** (as with files downloaded via some BitTorrent clients), Gatekeeper's **checks may not be performed**. Thus, users should exercise caution when opening files downloaded from less secure or unknown sources.
|
||||||
|
|
||||||
|
{% hint style="info" %}
|
||||||
|
**Checking** the **validity** of code signatures is a **resource-intensive** process that includes generating cryptographic **hashes** of the code and all its bundled resources. Furthermore, checking certificate validity involves doing an **online check** to Apple's servers to see if it has been revoked after it was issued. For these reasons, a full code signature and notarization check is **impractical to run every time an app is launched**.
|
||||||
|
|
||||||
|
Therefore, these checks are **only run when executing apps with the quarantined attribute.**
|
||||||
|
{% endhint %}
|
||||||
|
|
||||||
|
{% hint style="warning" %}
|
||||||
|
**Note that Safari and other web browsers and applications are the ones that need to mark the downloaded files**
|
||||||
|
{% endhint %}
|
||||||
|
|
||||||
|
It's possible to **check it's status and enable/disable** (root required) with:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
spctl --status
|
||||||
|
assessments enabled
|
||||||
|
|
||||||
|
spctl --enable
|
||||||
|
spctl --disable
|
||||||
|
#You can also allow nee identifies to execute code using the binary "spctl"
|
||||||
|
```
|
||||||
|
|
||||||
|
You can also **find if a file has the quarantine extended attribute** with:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
xattr portada.png
|
||||||
|
com.apple.macl
|
||||||
|
com.apple.quarantine
|
||||||
|
```
|
||||||
|
|
||||||
|
Check the **value** of the **extended** **attributes** with:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
xattr -l portada.png
|
||||||
|
com.apple.macl:
|
||||||
|
00000000 03 00 53 DA 55 1B AE 4C 4E 88 9D CA B7 5C 50 F3 |..S.U..LN.....P.|
|
||||||
|
00000010 16 94 03 00 27 63 64 97 98 FB 4F 02 84 F3 D0 DB |....'cd...O.....|
|
||||||
|
00000020 89 53 C3 FC 03 00 27 63 64 97 98 FB 4F 02 84 F3 |.S....'cd...O...|
|
||||||
|
00000030 D0 DB 89 53 C3 FC 00 00 00 00 00 00 00 00 00 00 |...S............|
|
||||||
|
00000040 00 00 00 00 00 00 00 00 |........|
|
||||||
|
00000048
|
||||||
|
com.apple.quarantine: 0081;607842eb;Brave;F643CD5F-6071-46AB-83AB-390BA944DEC5
|
||||||
|
```
|
||||||
|
|
||||||
|
And **remove** that attribute with:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
xattr -d com.apple.quarantine portada.png
|
||||||
|
#You can also remove this attribute from every file with
|
||||||
|
find . -iname '*' -print0 | xargs -0 xattr -d com.apple.quarantine
|
||||||
|
```
|
||||||
|
|
||||||
|
And find all the quarantined files with:
|
||||||
|
|
||||||
|
{% code overflow="wrap" %}
|
||||||
|
```bash
|
||||||
|
find / -exec ls -ld {} \; 2>/dev/null | grep -E "[x\-]@ " | awk '{printf $9; printf "\n"}' | xargs -I {} xattr -lv {} | grep "com.apple.quarantine"
|
||||||
|
```
|
||||||
|
{% endcode %}
|
||||||
|
|
||||||
|
## XProtect
|
||||||
|
|
||||||
|
XProtect is a built-in **anti-malware** feature in macOS. It is part of Apple's security system that works silently in the background to keep your Mac safe from known malware and malicious plug-ins.
|
||||||
|
|
||||||
|
XProtect functions by **checking any downloaded files against its database** of known malware and unsafe file types. When you download a file through certain apps, such as Safari, Mail, or Messages, XProtect automatically scans the file. If it matches any known malware in its database, XProtect will **prevent the file from running** and alert you to the threat.
|
||||||
|
|
||||||
|
The XProtect database is **updated regularly** by Apple with new malware definitions, and these updates are automatically downloaded and installed on your Mac. This ensures that XProtect is always up-to-date with the latest known threats.
|
||||||
|
|
||||||
|
However, it's worth noting that **XProtect isn't a full-featured antivirus solution**. It only checks for a specific list of known threats and doesn't perform on-access scanning like most antivirus software. Therefore, while XProtect provides a layer of protection against known malware, it's still recommended to exercise caution when downloading files from the internet or opening email attachments.
|
||||||
|
|
||||||
|
You can get information about the latest XProtect update running:
|
||||||
|
|
||||||
|
{% code overflow="wrap" %}
|
||||||
|
```bash
|
||||||
|
system_profiler SPInstallHistoryDataType 2>/dev/null | grep -A 4 "XProtectPlistConfigData" | tail -n 5
|
||||||
|
```
|
||||||
|
{% endcode %}
|
||||||
|
|
||||||
|
## MRT - Malware Removal Tool
|
||||||
|
|
||||||
|
The Malware Removal Tool (MRT) is another part of macOS's security infrastructure. As the name suggests, MRT's main function is to **remove known malware from infected systems**.
|
||||||
|
|
||||||
|
Once malware is detected on a Mac (either by XProtect or by some other means), MRT can be used to automatically **remove the malware**. MRT operates silently in the background and typically runs whenever the system is updated or when a new malware definition is downloaded.
|
||||||
|
|
||||||
|
While both XProtect and MRT are part of macOS's security measures, they perform different functions:
|
||||||
|
|
||||||
|
* **XProtect** is a preventative tool. It **checks files as they're downloaded** (via certain applications), and if it detects any known types of malware, it **prevents the file from opening**, thereby preventing the malware from infecting your system in the first place.
|
||||||
|
* **MRT**, on the other hand, is a **reactive tool**. It operates after malware has been detected on a system, with the goal of removing the offending software to clean up the system.
|
||||||
|
|
||||||
|
## Processes Limitants
|
||||||
|
|
||||||
|
### SIP - System Integrity Protection
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
### Sandbox
|
||||||
|
|
||||||
|
MacOS Sandbox **limits applications** running inside the sandbox to the **allowed actions specified in the Sandbox profile** the app is running with. This helps to ensure that **the application will be accessing only expected resources**.
|
||||||
|
|
||||||
|
{% content-ref url="macos-sandbox/" %}
|
||||||
|
[macos-sandbox](macos-sandbox/)
|
||||||
|
{% endcontent-ref %}
|
||||||
|
|
||||||
|
### TCC - **Transparency, Consent, and Control**
|
||||||
|
|
||||||
|
**TCC (Transparency, Consent, and Control)** is a mechanism in macOS to **limit and control application access to certain features**, usually from a privacy perspective. This can include things such as location services, contacts, photos, microphone, camera, accessibility, full disk access, and a bunch more.
|
||||||
|
|
||||||
|
{% content-ref url="macos-tcc/" %}
|
||||||
|
[macos-tcc](macos-tcc/)
|
||||||
|
{% endcontent-ref %}
|
||||||
|
|
||||||
|
<details>
|
||||||
|
|
||||||
|
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||||||
|
|
||||||
|
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||||
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||||
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
|
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
||||||
|
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||||||
|
|
||||||
|
</details>
|
|
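Review bot: the new `### SIP - System Integrity Protection` section under `## Processes Limitants` is empty, although `macos-sip.md` is added in this same commit; give it a `{% content-ref url="macos-sip.md" %}` block like the Sandbox and TCC sections have, and rename the heading to `## Process Limitations`. The page also shows two different ways to toggle Gatekeeper: the first block uses `sudo spctl --master-enable` / `sudo spctl --master-disable`, while the block after the quarantine hints uses `spctl --enable` / `spctl --disable` (`--enable`/`--disable` in `spctl` act on rules selected with `--label` or similar, while `--master-*` is the global assessment switch); keep the `--master-*` block and drop the duplicated `spctl --status` block so the two do not drift apart. Typos in headings and comments: `### Quarentine Files` → `### Quarantine Files`, `check it's status` → `check its status`, `#You can also allow nee identifies to execute code` → `new identities`. The quarantine-hunting pipeline `find / -exec ls -ld {} \; ... | awk '{printf $9; ...}'` forks an `ls` per file and breaks on paths containing spaces (`$9` is only the first word of the name); macOS `find` has an `-xattrname` primary, so `find / -xattrname com.apple.quarantine 2>/dev/null` lists the same files in one pass. Finally, `find . -iname '*' -print0 | xargs -0 xattr -d com.apple.quarantine` prints an error for every file that never had the attribute; `xattr -r -d com.apple.quarantine .` is the recursive form of the same command.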
@ -14,7 +14,7 @@
|
||||||
|
|
||||||
## Sandbox loading process
|
## Sandbox loading process
|
||||||
|
|
||||||
<figure><img src="../../../.gitbook/assets/image.png" alt=""><figcaption><p>Image from <a href="http://newosxbook.com/files/HITSB.pdf">http://newosxbook.com/files/HITSB.pdf</a></p></figcaption></figure>
|
<figure><img src="../../../../.gitbook/assets/image.png" alt=""><figcaption><p>Image from <a href="http://newosxbook.com/files/HITSB.pdf">http://newosxbook.com/files/HITSB.pdf</a></p></figcaption></figure>
|
||||||
|
|
||||||
In the previous image it's possible to observe **how the sandbox will be loaded** when an application with the entitlement **`com.apple.security.app-sandbox`** is run.
|
In the previous image it's possible to observe **how the sandbox will be loaded** when an application with the entitlement **`com.apple.security.app-sandbox`** is run.
|
||||||
|
|
||||||
|
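Review bot: bumping the image path from `../../../.gitbook/assets/image.png` to `../../../../.gitbook/assets/image.png` is the correct adjustment for a page that moved one directory deeper (into `macos-security-protections/`), but this is the only asset the diff shows; any other relative image or link in the file outside the two hunks of this page needs the same extra `../`, so run a link check on the moved sandbox pages after the commit.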
@ -178,16 +178,16 @@ Process 2517 exited with status = 0 (0x00000000)
|
||||||
|
|
||||||
If from then sandbox process you are able to **compromise other processes** running in less restrictive sandboxes (or none), you will be able to escape to their sandboxes:
|
If from then sandbox process you are able to **compromise other processes** running in less restrictive sandboxes (or none), you will be able to escape to their sandboxes:
|
||||||
|
|
||||||
{% content-ref url="../macos-proces-abuse/" %}
|
{% content-ref url="../../macos-proces-abuse/" %}
|
||||||
[macos-proces-abuse](../macos-proces-abuse/)
|
[macos-proces-abuse](../../macos-proces-abuse/)
|
||||||
{% endcontent-ref %}
|
{% endcontent-ref %}
|
||||||
|
|
||||||
### Interposting Bypass
|
### Interposting Bypass
|
||||||
|
|
||||||
For more information about **Interposting** check:
|
For more information about **Interposting** check:
|
||||||
|
|
||||||
{% content-ref url="../mac-os-architecture/macos-function-hooking.md" %}
|
{% content-ref url="../../mac-os-architecture/macos-function-hooking.md" %}
|
||||||
[macos-function-hooking.md](../mac-os-architecture/macos-function-hooking.md)
|
[macos-function-hooking.md](../../mac-os-architecture/macos-function-hooking.md)
|
||||||
{% endcontent-ref %}
|
{% endcontent-ref %}
|
||||||
|
|
||||||
#### Interpost `_libsecinit_initializer` to prevent the sandbox
|
#### Interpost `_libsecinit_initializer` to prevent the sandbox
|
|
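Review bot: the two content-ref bumps (`../macos-proces-abuse/` → `../../macos-proces-abuse/`, `../mac-os-architecture/macos-function-hooking.md` → `../../mac-os-architecture/macos-function-hooking.md`) match the one-level-deeper location of the file, but the unchanged context lines beside them carry typos worth a drive-by fix while the region is being edited: `If from then sandbox process you are able to` → `If from the sandboxed process you are able to`, and `Interposting` → `Interposing` in both the `### Interposting Bypass` heading and the sentence `For more information about **Interposting** check:`.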
@ -0,0 +1,180 @@
|
||||||
|
# macOS SIP
|
||||||
|
|
||||||
|
<details>
|
||||||
|
|
||||||
|
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||||||
|
|
||||||
|
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||||
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||||
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
|
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
||||||
|
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||||||
|
|
||||||
|
</details>
|
||||||
|
|
||||||
|
## **Basic Information**
|
||||||
|
|
||||||
|
**System Integrity Protection (SIP)** is a security technology in macOS that safeguards certain system directories from unauthorized access, even for the root user. It prevents modifications to these directories, including creation, alteration, or deletion of files. The main directories that SIP protects are:
|
||||||
|
|
||||||
|
* **/System**
|
||||||
|
* **/bin**
|
||||||
|
* **/sbin**
|
||||||
|
* **/usr**
|
||||||
|
|
||||||
|
The protection rules for these directories and their subdirectories are specified in the **`/System/Library/Sandbox/rootless.conf`** file. In this file, paths starting with an asterisk (\*) represent exceptions to SIP's restrictions.
|
||||||
|
|
||||||
|
For instance, the following configuration:
|
||||||
|
|
||||||
|
```javascript
|
||||||
|
javascriptCopy code/usr
|
||||||
|
* /usr/libexec/cups
|
||||||
|
* /usr/local
|
||||||
|
* /usr/share/man
|
||||||
|
```
|
||||||
|
|
||||||
|
indicates that the **`/usr`** directory is generally protected by SIP. However, modifications are allowed in the three subdirectories specified (`/usr/libexec/cups`, `/usr/local`, and `/usr/share/man`), as they are listed with a leading asterisk (\*).
|
||||||
|
|
||||||
|
To verify whether a directory or file is protected by SIP, you can use the **`ls -lOd`** command to check for the presence of the **`restricted`** or **`sunlnk`** flag. For example:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
ls -lOd /usr/libexec/cups
|
||||||
|
drwxr-xr-x 11 root wheel sunlnk 352 May 13 00:29 /usr/libexec/cups
|
||||||
|
```
|
||||||
|
|
||||||
|
In this case, the **`sunlnk`** flag signifies that the `/usr/libexec/cups` directory itself cannot be deleted, though files within it can be created, modified, or deleted.
|
||||||
|
|
||||||
|
On the other hand:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
ls -lOd /usr/libexec
|
||||||
|
drwxr-xr-x 338 root wheel restricted 10816 May 13 00:29 /usr/libexec
|
||||||
|
```
|
||||||
|
|
||||||
|
Here, the **`restricted`** flag indicates that the `/usr/libexec` directory is protected by SIP. In a SIP-protected directory, files cannot be created, modified, or deleted.
|
||||||
|
|
||||||
|
### SIP Status
|
||||||
|
|
||||||
|
You can check if SIP is enabled on your system with the following command:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
csrutil status
|
||||||
|
```
|
||||||
|
|
||||||
|
If you need to disable SIP, you must restart your computer in recovery mode (by pressing Command+R during startup), then execute the following command:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
csrutil disable
|
||||||
|
```
|
||||||
|
|
||||||
|
If you wish to keep SIP enabled but remove debugging protections, you can do so with:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
csrutil enable --without debug
|
||||||
|
```
|
||||||
|
|
||||||
|
### Other Restrictions
|
||||||
|
|
||||||
|
SIP also imposes several other restrictions. For instance, it disallows the **loading of unsigned kernel extensions** (kexts) and prevents the **debugging** of macOS system processes. It also inhibits tools like dtrace from inspecting system processes.
|
||||||
|
|
||||||
|
## SIP Bypasses
|
||||||
|
|
||||||
|
### Installer Packages
|
||||||
|
|
||||||
|
**Installer packages signed with Apple's certificate** can bypass its protections. This means that even packages signed by standard developers will be blocked if they attempt to modify SIP-protected directories.
|
||||||
|
|
||||||
|
### Unexistent SIP file
|
||||||
|
|
||||||
|
One potential loophole is that if a file is specified in **`rootless.conf` but does not currently exist**, it can be created. Malware could exploit this to **establish persistence** on the system. For example, a malicious program could create a .plist file in `/System/Library/LaunchDaemons` if it is listed in `rootless.conf` but not present.
|
||||||
|
|
||||||
|
### com.apple.rootless.install.heritable
|
||||||
|
|
||||||
|
{% hint style="danger" %}
|
||||||
|
The entitlement **`com.apple.rootless.install.heritable`** allows to bypass SIP
|
||||||
|
{% endhint %}
|
||||||
|
|
||||||
|
[**Researchers from this blog post**](https://www.microsoft.com/en-us/security/blog/2021/10/28/microsoft-finds-new-macos-vulnerability-shrootless-that-could-bypass-system-integrity-protection/) discovered a vulnerability in macOS's System Integrity Protection (SIP) mechanism, dubbed the 'Shrootless' vulnerability. This vulnerability centers around the `system_installd` daemon, which has an entitlement, **`com.apple.rootless.install.heritable`**, that allows any of its child processes to bypass SIP's file system restrictions.
|
||||||
|
|
||||||
|
Researchers found that during the installation of an Apple-signed package (.pkg file), **`system_installd`** **runs** any **post-install** scripts included in the package. These scripts are executed by the default shell, **`zsh`**, which automatically **runs** commands from the **`/etc/zshenv`** file, if it exists, even in non-interactive mode. This behavior could be exploited by attackers: by creating a malicious `/etc/zshenv` file and waiting for `system_installd` to invoke `zsh`, they could perform arbitrary operations on the device.
|
||||||
|
|
||||||
|
Moreover, it was discovered that **`/etc/zshenv` could be used as a general attack technique**, not just for a SIP bypass. Each user profile has a `~/.zshenv` file, which behaves the same way as `/etc/zshenv` but doesn't require root permissions. This file could be used as a persistence mechanism, triggering every time `zsh` starts, or as an elevation of privilege mechanism. If an admin user elevates to root using `sudo -s` or `sudo <command>`, the `~/.zshenv` file would be triggered, effectively elevating to root.
|
||||||
|
|
||||||
|
### **com.apple.rootless.install**
|
||||||
|
|
||||||
|
{% hint style="danger" %}
|
||||||
|
The entitlement **`com.apple.rootless.install`** allows to bypass SIP
|
||||||
|
{% endhint %}
|
||||||
|
|
||||||
|
From [**CVE-2022-26712**](https://jhftss.github.io/CVE-2022-26712-The-POC-For-SIP-Bypass-Is-Even-Tweetable/) The system XPC service `/System/Library/PrivateFrameworks/ShoveService.framework/Versions/A/XPCServices/SystemShoveService.xpc` has the entitlement **`com.apple.rootless.install`**, which grants the process permission to bypass SIP restrictions. It also **exposes a method to move files without any security check.**
|
||||||
|
|
||||||
|
## Sealed System Snapshots
|
||||||
|
|
||||||
|
Sealed System Snapshots are a feature introduced by Apple in **macOS Big Sur (macOS 11)** as a part of its **System Integrity Protection (SIP)** mechanism to provide an additional layer of security and system stability. They are essentially read-only versions of the system volume.
|
||||||
|
|
||||||
|
Here's a more detailed look:
|
||||||
|
|
||||||
|
1. **Immutable System**: Sealed System Snapshots make the macOS system volume "immutable", meaning that it cannot be modified. This prevents any unauthorized or accidental changes to the system that could compromise security or system stability.
|
||||||
|
2. **System Software Updates**: When you install macOS updates or upgrades, macOS creates a new system snapshot. The macOS startup volume then uses **APFS (Apple File System)** to switch to this new snapshot. The entire process of applying updates becomes safer and more reliable as the system can always revert to the previous snapshot if something goes wrong during the update.
|
||||||
|
3. **Data Separation**: In conjunction with the concept of Data and System volume separation introduced in macOS Catalina, the Sealed System Snapshot feature makes sure that all your data and settings are stored on a separate "**Data**" volume. This separation makes your data independent from the system, which simplifies the process of system updates and enhances system security.
|
||||||
|
|
||||||
|
Remember that these snapshots are automatically managed by macOS and don't take up additional space on your disk, thanks to the space sharing capabilities of APFS. It’s also important to note that these snapshots are different from **Time Machine snapshots**, which are user-accessible backups of the entire system.
|
||||||
|
|
||||||
|
### Check Snapshots
|
||||||
|
|
||||||
|
The command **`diskutil apfs list`** lists the **details of the APFS volumes** and their layout:
|
||||||
|
|
||||||
|
<pre><code>+-- Container disk3 966B902E-EDBA-4775-B743-CF97A0556A13
|
||||||
|
| ====================================================
|
||||||
|
| APFS Container Reference: disk3
|
||||||
|
| Size (Capacity Ceiling): 494384795648 B (494.4 GB)
|
||||||
|
| Capacity In Use By Volumes: 219214536704 B (219.2 GB) (44.3% used)
|
||||||
|
| Capacity Not Allocated: 275170258944 B (275.2 GB) (55.7% free)
|
||||||
|
| |
|
||||||
|
| +-< Physical Store disk0s2 86D4B7EC-6FA5-4042-93A7-D3766A222EBE
|
||||||
|
| | -----------------------------------------------------------
|
||||||
|
| | APFS Physical Store Disk: disk0s2
|
||||||
|
| | Size: 494384795648 B (494.4 GB)
|
||||||
|
| |
|
||||||
|
| +-> Volume disk3s1 7A27E734-880F-4D91-A703-FB55861D49B7
|
||||||
|
| | ---------------------------------------------------
|
||||||
|
| | APFS Volume Disk (Role): disk3s1 (System)
|
||||||
|
| | Name: Macintosh HD (Case-insensitive)
|
||||||
|
| | Mount Point: /System/Volumes/Update/mnt1
|
||||||
|
| | Capacity Consumed: 12819210240 B (12.8 GB)
|
||||||
|
| | Sealed: Broken
|
||||||
|
| | FileVault: Yes (Unlocked)
|
||||||
|
| | Encrypted: No
|
||||||
|
| | |
|
||||||
|
| | Snapshot: FAA23E0C-791C-43FF-B0E7-0E1C0810AC61
|
||||||
|
| | Snapshot Disk: disk3s1s1
|
||||||
|
| | Snapshot Mount Point: /
|
||||||
|
<strong>| | Snapshot Sealed: Yes
|
||||||
|
</strong>[...]
|
||||||
|
</code></pre>
|
||||||
|
|
||||||
|
In the previous output it's possible to see that **macOS System volume snapshot is sealed** (cryptographically signed by the OS). SO, if SIP is bypassed and modifies it, the **OS won't boot anymore**.
|
||||||
|
|
||||||
|
It's also possible to verify that seal is enabled by running:
|
||||||
|
|
||||||
|
```
|
||||||
|
csrutil authenticated-root status
|
||||||
|
Authenticated Root status: enabled
|
||||||
|
```
|
||||||
|
|
||||||
|
Moreover, it's mounted as **read-only**:
|
||||||
|
|
||||||
|
```
|
||||||
|
mount
|
||||||
|
/dev/disk3s1s1 on / (apfs, sealed, local, read-only, journaled)
|
||||||
|
```
|
||||||
|
|
||||||
|
<details>
|
||||||
|
|
||||||
|
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||||||
|
|
||||||
|
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||||
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||||
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
|
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
||||||
|
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||||||
|
|
||||||
|
</details>
|
|
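Review bot: The `rootless.conf` excerpt in the "Basic Information" section is fenced as ```` ```javascript ```` and its first line is `javascriptCopy code/usr`, which is copy-paste residue from a rendered code widget, not file content; the block should be a plain fence whose first line is just `/usr`, otherwise readers will take "javascriptCopy code/usr" as a literal path. Two smaller points in the same file: the heading "### Unexistent SIP file" should be "Nonexistent SIP file", and the "Installer Packages" paragraph reads "**Installer packages signed with Apple's certificate** can bypass its protections. This means that even packages signed by standard developers will be blocked", where the second sentence does not follow from the first; something like "Only Apple-signed installer packages may write to SIP-protected paths; packages signed by third-party developers are blocked" says what is meant. The `sunlnk` / `restricted` explanation and the `csrutil authenticated-root status` and `mount` checks are accurate and useful as written.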
@ -195,7 +195,7 @@ The **extended attribute `com.apple.macl`** is added to the new **file** to give
|
||||||
|
|
||||||
By default an access via **SSH** will have **"Full Disk Access"**. In order to disable this you need to have it listed but disabled (removing it from the list won't remove those privileges):
|
By default an access via **SSH** will have **"Full Disk Access"**. In order to disable this you need to have it listed but disabled (removing it from the list won't remove those privileges):
|
||||||
|
|
||||||
![](<../../.gitbook/assets/image (569).png>)
|
![](<../../../../.gitbook/assets/image (569).png>)
|
||||||
|
|
||||||
Here you can find examples of how some **malwares have been able to bypass this protection**:
|
Here you can find examples of how some **malwares have been able to bypass this protection**:
|
||||||
|
|
||||||
|
@ -250,13 +250,13 @@ An app with the **`kTCCServiceAppleEvents`** permission will be able to **contro
|
||||||
|
|
||||||
For more info about Apple Scripts check:
|
For more info about Apple Scripts check:
|
||||||
|
|
||||||
{% content-ref url="macos-tcc/macos-apple-scripts.md" %}
|
{% content-ref url="macos-apple-scripts.md" %}
|
||||||
[macos-apple-scripts.md](macos-tcc/macos-apple-scripts.md)
|
[macos-apple-scripts.md](macos-apple-scripts.md)
|
||||||
{% endcontent-ref %}
|
{% endcontent-ref %}
|
||||||
|
|
||||||
For example, if an App has **Automation permission over `iTerm`**, for example in this example **`Terminal`** has access over iTerm:
|
For example, if an App has **Automation permission over `iTerm`**, for example in this example **`Terminal`** has access over iTerm:
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (2) (2) (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../../../.gitbook/assets/image (2) (2) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
#### Over iTerm
|
#### Over iTerm
|
||||||
|
|
||||||
|
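Review bot: The unchanged context line "For example, if an App has **Automation permission over `iTerm`**, for example in this example **`Terminal`** has access over iTerm:" repeats "for example" three times; suggest "For example, an app can have **Automation permission over `iTerm`**; in the screenshot below **`Terminal`** has that access:". The content-ref change from `macos-tcc/macos-apple-scripts.md` to `macos-apple-scripts.md` and the image path change to `../../../../.gitbook/assets/...` are consistent with the TCC page now living inside the `macos-tcc/` directory.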
@ -300,8 +300,8 @@ I you manage to **inject code in a process** you will be able to abuse the TCC p
|
||||||
|
|
||||||
Check process abuse techniques in the following page:
|
Check process abuse techniques in the following page:
|
||||||
|
|
||||||
{% content-ref url="macos-proces-abuse/" %}
|
{% content-ref url="../../macos-proces-abuse/" %}
|
||||||
[macos-proces-abuse](macos-proces-abuse/)
|
[macos-proces-abuse](../../macos-proces-abuse/)
|
||||||
{% endcontent-ref %}
|
{% endcontent-ref %}
|
||||||
|
|
||||||
See some examples in the following sections:
|
See some examples in the following sections:
|
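Review bot: The hunk header's context line "I you manage to **inject code in a process** you will be able to abuse the TCC p..." has a typo: "I you" should be "If you". The content-ref update from `macos-proces-abuse/` to `../../macos-proces-abuse/` matches the same directory move applied in the earlier hunks of this commit.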
164
macos-hardening/macos-useful-commands.md
Normal file
|
@ -0,0 +1,164 @@
|
||||||
|
# macOS Useful Commands
|
||||||
|
|
||||||
|
<details>
|
||||||
|
|
||||||
|
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||||||
|
|
||||||
|
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||||
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||||
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
|
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
||||||
|
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||||||
|
|
||||||
|
</details>
|
||||||
|
|
||||||
|
### MacOS Automatic Enumeration Tools
|
||||||
|
|
||||||
|
* **MacPEAS**: [https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS)
|
||||||
|
* **Metasploit**: [https://github.com/rapid7/metasploit-framework/blob/master/modules/post/osx/gather/enum\_osx.rb](https://github.com/rapid7/metasploit-framework/blob/master/modules/post/osx/gather/enum\_osx.rb)
|
||||||
|
* **SwiftBelt**: [https://github.com/cedowens/SwiftBelt](https://github.com/cedowens/SwiftBelt)
|
||||||
|
|
||||||
|
### Specific MacOS Commands
|
||||||
|
|
||||||
|
```bash
|
||||||
|
#System info
|
||||||
|
date
|
||||||
|
cal
|
||||||
|
uptime #show time from starting
|
||||||
|
w #list users
|
||||||
|
whoami #this user
|
||||||
|
finger username #info about user
|
||||||
|
uname -a #sysinfo
|
||||||
|
cat /proc/cpuinfo #processor
|
||||||
|
cat /proc/meminfo #memory
|
||||||
|
free #check memory
|
||||||
|
df #check disk
|
||||||
|
|
||||||
|
launchctl list #List services
|
||||||
|
atq #List "at" tasks for the user
|
||||||
|
sysctl -a #List kernel configuration
|
||||||
|
diskutil list #List connected hard drives
|
||||||
|
nettop #Monitor network usage of processes in top style
|
||||||
|
|
||||||
|
system_profiler SPSoftwareDataType #System info
|
||||||
|
system_profiler SPPrintersDataType #Printer
|
||||||
|
system_profiler SPApplicationsDataType #Installed Apps
|
||||||
|
system_profiler SPFrameworksDataType #Instaled framework
|
||||||
|
system_profiler SPDeveloperToolsDataType #Developer tools info
|
||||||
|
system_profiler SPStartupItemDataType #Startup Items
|
||||||
|
system_profiler SPNetworkDataType #Network Capabilities
|
||||||
|
system_profiler SPFirewallDataType #Firewall Status
|
||||||
|
system_profiler SPNetworkLocationDataType #Known Network
|
||||||
|
system_profiler SPBluetoothDataType #Bluetooth Info
|
||||||
|
system_profiler SPEthernetDataType #Ethernet Info
|
||||||
|
system_profiler SPUSBDataType #USB info
|
||||||
|
system_profiler SPAirPortDataType #Airport Info
|
||||||
|
|
||||||
|
|
||||||
|
#Searches
|
||||||
|
mdfind password #Show all the files that contains the word password
|
||||||
|
mfind -name password #List all the files containing the word password in the name
|
||||||
|
|
||||||
|
|
||||||
|
#Open any app
|
||||||
|
open -a <Application Name> --hide #Open app hidden
|
||||||
|
open some.doc -a TextEdit #Open a file in one application
|
||||||
|
|
||||||
|
|
||||||
|
#Computer doesn't go to sleep
|
||||||
|
caffeinate &
|
||||||
|
|
||||||
|
|
||||||
|
#Screenshot
|
||||||
|
# This will ask for permission to the user
|
||||||
|
screencapture -x /tmp/ss.jpg #Save screenshot in that file
|
||||||
|
|
||||||
|
|
||||||
|
#Get clipboard info
|
||||||
|
pbpaste
|
||||||
|
|
||||||
|
|
||||||
|
#system_profiler
|
||||||
|
system_profiler --help #This command without arguments take lot of memory and time.
|
||||||
|
system_profiler -listDataTypes
|
||||||
|
system_profiler SPSoftwareDataType SPNetworkDataType
|
||||||
|
|
||||||
|
|
||||||
|
#Network
|
||||||
|
arp -i en0 -l -a #Print the macOS device's ARP table
|
||||||
|
lsof -i -P -n | grep LISTEN
|
||||||
|
smbutil statshares -a #View smb shares mounted to the hard drive
|
||||||
|
|
||||||
|
#networksetup - set or view network options: Proxies, FW options and more
|
||||||
|
networksetup -listallnetworkservices #List network services
|
||||||
|
networksetup -listallhardwareports #Hardware ports
|
||||||
|
networksetup -getinfo Wi-Fi #Wi-Fi info
|
||||||
|
networksetup -getautoproxyurl Wi-Fi #Get proxy URL for Wifi
|
||||||
|
networksetup -getwebproxy Wi-Fi #Wifi Web proxy
|
||||||
|
networksetup -getftpproxy Wi-Fi #Wifi ftp proxy
|
||||||
|
|
||||||
|
|
||||||
|
#Brew
|
||||||
|
brew list #List installed
|
||||||
|
brew search <text> #Search package
|
||||||
|
brew info <formula>
|
||||||
|
brew install <formula>
|
||||||
|
brew uninstall <formula>
|
||||||
|
brew cleanup #Remove older versions of installed formulae.
|
||||||
|
brew cleanup <formula> #Remove older versions of specified formula.
|
||||||
|
|
||||||
|
|
||||||
|
#Make the machine talk
|
||||||
|
say hello -v diego
|
||||||
|
#spanish: diego, Jorge, Monica
|
||||||
|
#mexican: Juan, Paulina
|
||||||
|
#french: Thomas, Amelie
|
||||||
|
|
||||||
|
########### High privileges actions
|
||||||
|
sudo purge #purge RAM
|
||||||
|
#Sharing preferences
|
||||||
|
sudo launchctl load -w /System/Library/LaunchDaemons/ssh.plist (enable ssh)
|
||||||
|
sudo launchctl unload /System/Library/LaunchDaemons/ssh.plist (disable ssh)
|
||||||
|
#Start apache
|
||||||
|
sudo apachectl (start|status|restart|stop)
|
||||||
|
##Web folder: /Library/WebServer/Documents/
|
||||||
|
#Remove DNS cache
|
||||||
|
dscacheutil -flushcache
|
||||||
|
sudo killall -HUP mDNSResponder
|
||||||
|
```
|
||||||
|
|
||||||
|
### Installed Software & Services
|
||||||
|
|
||||||
|
Check for **suspicious** applications installed and **privileges** over the.installed resources:
|
||||||
|
|
||||||
|
```
|
||||||
|
system_profiler SPApplicationsDataType #Installed Apps
|
||||||
|
system_profiler SPFrameworksDataType #Instaled framework
|
||||||
|
lsappinfo list #Installed Apps
|
||||||
|
launchtl list #Services
|
||||||
|
```
|
||||||
|
|
||||||
|
### User Processes
|
||||||
|
|
||||||
|
```
|
||||||
|
# will print all the running services under that particular user domain.
|
||||||
|
launchctl print gui/<users UID>
|
||||||
|
|
||||||
|
# will print all the running services under root
|
||||||
|
launchctl print system
|
||||||
|
|
||||||
|
# will print detailed information about the specific launch agent. And if it’s not running or you’ve mistyped, you will get some output with a non-zero exit code: Could not find service “com.company.launchagent.label” in domain for login
|
||||||
|
launchctl print gui/<user's UID>/com.company.launchagent.label
|
||||||
|
```
|
||||||
|
|
||||||
|
<details>
|
||||||
|
|
||||||
|
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||||||
|
|
||||||
|
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||||
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||||
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
|
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
||||||
|
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||||||
|
|
||||||
|
</details>
|
|
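Review bot: Several commands in the "Specific MacOS Commands" block do not exist on macOS: `cat /proc/cpuinfo`, `cat /proc/meminfo` and `free` are Linux-only (macOS has no procfs and ships no `free`). The macOS equivalents are `sysctl -n machdep.cpu.brand_string` for the CPU, `sysctl hw.memsize` for installed RAM and `vm_stat` for memory usage, and the comment "#processor" / "#memory" should move to those. Typos in the same file: `mfind -name password` should be `mdfind -name password` (the same tool as the line above it), `launchtl list` in the "Installed Software & Services" block should be `launchctl list`, "Instaled framework" appears twice and should be "Installed frameworks", and "privileges over the.installed resources" should be "privileges over the installed resources". Also note that the `#Screenshot` comment "This will ask for permission to the user" is right: `screencapture` triggers the TCC Screen Recording prompt, which is worth keeping as a warning for anyone running the block on a user's session.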
@ -727,7 +727,7 @@ You can collect console logs through the Xcode **Devices** window as follows:
|
||||||
5. Reproduce the problem.
|
5. Reproduce the problem.
|
||||||
6. Click on the **Open Console** button located in the upper right-hand area of the Devices window to view the console logs on a separate window.
|
6. Click on the **Open Console** button located in the upper right-hand area of the Devices window to view the console logs on a separate window.
|
||||||
|
|
||||||
![](<../../.gitbook/assets/image (466) (2) (2) (2) (2) (2) (2) (2) (3) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (7).png>)
|
![](<../../.gitbook/assets/image (466) (2) (2) (2) (2) (2) (2) (2) (3) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (6).png>)
|
||||||
|
|
||||||
You can also connect to the device shell as explained in Accessing the Device Shell, install **socat** via **apt-get** and run the following command:
|
You can also connect to the device shell as explained in Accessing the Device Shell, install **socat** via **apt-get** and run the following command:
|
||||||
|
|
||||||
|
|
|
@ -176,7 +176,7 @@ To see if it is active try to access to _**/xmlrpc.php**_ and send this request:
|
||||||
|
|
||||||
The message _"Incorrect username or password"_ inside a 200 code response should appear if the credentials aren't valid.
|
The message _"Incorrect username or password"_ inside a 200 code response should appear if the credentials aren't valid.
|
||||||
|
|
||||||
![](<../../.gitbook/assets/image (107) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (2).png>)
|
![](<../../.gitbook/assets/image (107) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png>)
|
||||||
|
|
||||||
![](<../../.gitbook/assets/image (102).png>)
|
![](<../../.gitbook/assets/image (102).png>)
|
||||||
|
|
||||||
|
|