macOS Hacking Tricks
$Whoami
### Long live Open Source - Use Linux (Slackware) ###
Ricardo L0gan
Security specialist with over 15 years of experience, malware research enthusiast, pentest and reverse engineering. I have solid knowledge of topics like network security, hardening and tuning across multiple platforms such as Windows, Linux, OS X and Cisco. Beginner in programming languages such as Python, C and Assembly.
In Brazil, I contribute to some security conference organizations such as SlackShow Community, BSides SP and Hackers to Hackers Conference (H2HC).
Agenda
0x00 Motivation of Research
0x01 macOS Security Characteristics
0x02 Hacking macOS target
0x03 Hacking macOS target + Demo
0x04 macOS Tools
0x05 Reference
0x06 Conclusion
Source: http://thehackernews.com/2015/02/vulnerable-operating-system.html
0x00 Motivation of Research
Examples of macOS malware, 2018-2019:
• OSX/CrescentCore (2019)
• OSX/Linker (2019)
• LoudMiner (2019)
• OSX/MaMi (2018)
• Crossrider (OSX/Shlayer) (2018)
• Mshelper (2018)
• Mac Auto Fixer (2018)
0x01 Security Characteristics

• A modern, Unix-based operating system (macOS fanboy, LOL)
• The XNU kernel is based on the NeXTSTEP micro-kernel (Mach) and the BSD (FreeBSD) kernel
• Lots of userland applications
• Mac OS X has grown significantly in market share
Security features:
• SIP (System Integrity Protection)
• FileVault
• XProtect
• Gatekeeper
• Secure Boot
SIP

Originally introduced with OS X El Capitan, System Integrity Protection, usually referred to as SIP, is a security feature built into the Mac operating system that is designed to protect most system locations, system processes and kernel extensions from being written to, modified or replaced.
XProtect

Apple's built-in anti-virus product is internally referred to as XProtect. It is implemented within CoreServicesUIAgent.
FileVault

Apple's implementation of data encryption on macOS and Mac hardware. It encrypts all of the data on your startup disk (you can also encrypt your Time Machine backups) and, once enabled, encrypts your data on the fly and works seamlessly in the background.
Gatekeeper

Security feature of the macOS operating system by Apple. It enforces code signing and verifies downloaded applications before allowing them to run, thereby reducing the likelihood of inadvertently executing malware. It can be switched off from the command line:

$ sudo spctl --master-disable
Secure Boot

Process where the firmware validates the bootloader prior to loading it. It is the start of the chain of trust that ensures that the code that gets run (drivers, kernel, applications) is known and validated.
XNU

Source: https://opensource.apple.com/source/xnu/
Kext

Kext files are essentially drivers for macOS. "Kext" stands for Kernel Extension; kext files "extend" Mac OS X's kernel, the core part of the operating system, by providing additional code to be loaded when your computer boots.
Keychain

The keychain file stores secret data such as Safari passwords, Wi-Fi keys, Skype username/password, Google username/password (Contacts, Picasa) and Exchange username/password.
PLIST

A PLIST file is a settings file, also known as a "properties file", used by macOS applications. It contains properties and configuration settings for various programs. PLIST files are formatted in XML and based on Apple's Core Foundation DTD. launchctl loads a job from its plist:

$ launchctl load arquivo.plist
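As an added example (not code from the original slides), the following Python script reads launchd property lists the way an incident responder would when hunting for persistence: it parses each LaunchAgent/LaunchDaemon plist with the standard-library plistlib module (which accepts both the XML form described above and Apple's binary form, so no prior plutil conversion is needed), extracts Label, Program/ProgramArguments and the auto-start keys, and flags entries whose program lives outside the usual system paths, is wrapped in a shell interpreter, or hides in a dot-prefixed directory. The sample plist, the directory list and the trusted-path prefixes are constructed/assumed values for the demonstration.

```python
"""Triage of launchd property lists (LaunchAgents / LaunchDaemons).

Added example, not code from the original slides. Uses only the Python
standard library; SAMPLE_PLIST, LAUNCH_DIRS, TRUSTED_PREFIXES and
INTERPRETER_TOKENS are constructed/assumed values for the demonstration.
"""
import plistlib
from pathlib import Path

# Directories launchd reads persistence items from (system-wide and per-user).
LAUNCH_DIRS = [
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
    str(Path.home() / "Library" / "LaunchAgents"),
]

# Path prefixes from which a legitimately installed program is normally run
# (assumed baseline; tune it for the fleet being audited).
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Applications/", "/Library/Apple/")

# Argument fragments that hand control to an interpreter or a downloader.
INTERPRETER_TOKENS = ("sh -c", "bash -c", "osascript", "python -c", "perl -e", "curl ")

# Constructed sample: a per-user LaunchAgent that keeps a hidden script alive.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array>
    <string>/bin/sh</string>
    <string>-c</string>
    <string>/Users/Shared/.update/run.sh</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>
"""


def parse_launch_item(data: bytes) -> dict:
    """Return the persistence-relevant fields of an XML or binary plist.

    plistlib.loads() detects the encoding itself, so binary plists need no
    prior `plutil -convert xml1` step.
    """
    plist = plistlib.loads(data)
    args = list(plist.get("ProgramArguments", []))
    # launchd runs Program if present, otherwise ProgramArguments[0].
    program = plist.get("Program") or (args[0] if args else None)
    return {
        "label": plist.get("Label"),
        "program": program,
        "arguments": args,
        "auto_start": bool(plist.get("RunAtLoad") or plist.get("KeepAlive")
                           or plist.get("StartInterval")),
    }


def persistence_flags(item: dict) -> list:
    """Reasons this launchd item deserves a closer look (empty list = nothing odd)."""
    flags = []
    program = item["program"] or ""
    if program and not program.startswith(TRUSTED_PREFIXES):
        flags.append("program outside standard locations: " + program)
    joined = " ".join(item["arguments"])
    if any(tok in joined for tok in INTERPRETER_TOKENS):
        flags.append("interpreter or downloader in arguments")
    # A dot-prefixed path component hides the payload from Finder and a plain `ls`.
    paths = [program] + item["arguments"]
    if any(part.startswith(".") for p in paths for part in p.split("/") if part):
        flags.append("hidden path component")
    return flags


def encode_binary(plist: dict) -> bytes:
    """Serialize a dict in Apple's binary plist format (for round-trip checks)."""
    return plistlib.dumps(plist, fmt=plistlib.FMT_BINARY)


def scan_launch_dirs(dirs=LAUNCH_DIRS):
    """Yield (path, item, flags) for every plist in the launchd directories."""
    for d in dirs:
        for path in sorted(Path(d).glob("*.plist")):
            try:
                item = parse_launch_item(path.read_bytes())
            except Exception as exc:  # malformed or unreadable: still worth reporting
                yield path, None, ["unparseable plist: %s" % exc]
                continue
            yield path, item, persistence_flags(item)


def demo() -> list:
    """Triage the constructed sample and return its flags."""
    return persistence_flags(parse_launch_item(SAMPLE_PLIST))


if __name__ == "__main__":
    print("sample:", demo())
    for path, item, flags in scan_launch_dirs():
        label = item["label"] if item else "?"
        print("%-60s %-35s %s" % (path, label, "; ".join(flags) or "ok"))
```

Run it as-is on a Mac to list every launchd item with its flags; on other systems the directories are simply absent and only the constructed sample is triaged.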
0x02 Hacking macOS target

Obtain system user access
From remote access:
• By common “server side” vulnerabilities like SMB, SSH, WEB, ...
• By “client side” vulnerabilities of Safari, iTunes, iChat, QuickTime, Skype, ...
Hashdump Python script + crack the hash (Hashcat)

Exploit-DB
0x03 Hacking macOS target + Demo

Demo 01
Service: RAE (Remote Apple Events)
Detail: AppleScript and objects
Port TCP/UDP 3031 = eppc
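As an added example (not the slides' own code), this Python script baselines the controls covered in the security-characteristics section (SIP, Gatekeeper, FileVault), lists loaded kernel extensions that are not Apple's, and reports whether the Remote Apple Events service used in Demo 01 (eppc, port 3031) is switched on, the way a defender would check a Mac before and after an engagement. It runs Apple's csrutil, spctl, fdesetup, systemsetup and kextstat and parses their text output; the SAMPLE_* strings are constructed outputs used to exercise the parsers offline, the expected-state table is an assumption about a hardened baseline, and systemsetup requires root.

```python
"""macOS security-posture check: SIP, Gatekeeper, FileVault, Remote Apple
Events and third-party kernel extensions.

Added example, not code from the original slides. It shells out to Apple's
csrutil, spctl, fdesetup, systemsetup and kextstat and parses their text
output; the SAMPLE_* values are constructed outputs for offline use.
"""
import re
import subprocess


def parse_sip(out: str):
    """`csrutil status` -> True (enabled), False (disabled), None (unparseable)."""
    m = re.search(r"status:\s*(enabled|disabled)", out, re.I)
    return None if m is None else m.group(1).lower() == "enabled"


def parse_gatekeeper(out: str):
    """`spctl --status` -> True if assessments are enabled."""
    m = re.search(r"assessments\s+(enabled|disabled)", out, re.I)
    return None if m is None else m.group(1).lower() == "enabled"


def parse_filevault(out: str):
    """`fdesetup status` -> True if FileVault is on."""
    m = re.search(r"FileVault is (On|Off)", out)
    return None if m is None else m.group(1) == "On"


def parse_remote_apple_events(out: str):
    """`systemsetup -getremoteappleevents` -> True if the eppc service is on."""
    m = re.search(r"Remote Apple Events:\s*(On|Off)", out)
    return None if m is None else m.group(1) == "On"


def third_party_kexts(out: str) -> list:
    """Bundle identifiers of loaded kexts (6th `kextstat` column) not owned by Apple."""
    names = []
    for line in out.splitlines()[1:]:  # first line is the column header
        cols = line.split()
        if len(cols) >= 6 and not cols[5].startswith("com.apple."):
            names.append(cols[5])
    return names


# (name, command, parser, state expected on a hardened machine) - assumed baseline.
CHECKS = [
    ("SIP", ["csrutil", "status"], parse_sip, True),
    ("Gatekeeper", ["spctl", "--status"], parse_gatekeeper, True),
    ("FileVault", ["fdesetup", "status"], parse_filevault, True),
    ("Remote Apple Events (eppc, TCP/UDP 3031)",
     ["systemsetup", "-getremoteappleevents"], parse_remote_apple_events, False),
]


def run(cmd: list) -> str:
    """Run a command and return stdout+stderr; empty string if it cannot run."""
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True)
    except (FileNotFoundError, PermissionError):
        return ""
    return proc.stdout + proc.stderr


def audit(runner=run) -> list:
    """Evaluate every check; `ok` is False when the state is wrong or unknown."""
    results = []
    for name, cmd, parser, expected in CHECKS:
        state = parser(runner(cmd))
        results.append({"name": name, "state": state, "ok": state == expected})
    return results


# Constructed outputs for a machine with Gatekeeper off and eppc enabled.
SAMPLE_OUTPUTS = {
    "csrutil": "System Integrity Protection status: enabled.\n",
    "spctl": "assessments disabled\n",
    "fdesetup": "FileVault is On.\n",
    "systemsetup": "Remote Apple Events: On\n",
}
# Constructed kextstat listing (UUIDs are placeholders).
SAMPLE_KEXTSTAT = """Index Refs Address            Size       Wired      Name (Version) UUID <Linked Against>
    1   93 0xffffff7f80d24000 0x2c2000   0x2c2000   com.apple.kpi.bsd (18.2.0) 00000000-0000-0000-0000-000000000000
   12    0 0xffffff7f82a3c000 0x8000     0x8000     com.example.kext.driver (1.0) 00000000-0000-0000-0000-000000000001 <12 5 4 3 1>
"""


def demo_audit() -> list:
    """Run the audit against the constructed outputs instead of the live system."""
    return audit(runner=lambda cmd: SAMPLE_OUTPUTS[cmd[0]])


if __name__ == "__main__":
    for r in audit():
        print("%-45s state=%-5s %s" % (r["name"], r["state"], "OK" if r["ok"] else "REVIEW"))
    print("third-party kexts:", third_party_kexts(run(["kextstat"])))
```

Each parser returns None when the output does not match (for example csrutil's "unknown (Custom Configuration)" state), and audit() treats an unknown state as a finding rather than a pass.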
Demo 02
XNU: copy-on-write behavior bypass via mount of user-owned filesystem
Author: Jann Horn (Google Project Zero)
https://bugs.chromium.org/p/project-zero/issues/detail?id=1726&q=
CVE-2019-6208
Fixed in: macOS Mojave 10.14.3
https://support.apple.com/pt-br/HT209446
• buggycow.c
• mod.c
• pressure.c
Demo 03
Detail: osascript (OSA, Open Scripting Architecture, language script)
Reference: https://ss64.com/osx/osascript.html
“local phishing”
Bonus:
How to Create a Fake PDF Trojan with AppleScript, Part 1 (Creating the Stager)
https://null-byte.wonderhowto.com/how-to/hacking-macos-create-fake-pdf-trojan-with-applescript-part-1-creating-stager-0184692/
How to Create a Fake PDF Trojan with AppleScript, Part 2 (Disguising the Script)
https://null-byte.wonderhowto.com/how-to/hacking-macos-create-fake-pdf-trojan-with-applescript-part-2-disguising-script-0184706/
0x04 macOS Tools

lipo -> create or operate on universal files
otool -> object file displaying tool, like objdump and ldd
nm -> display name list (symbol table)
codesign -> create and manipulate code signatures
MachOView -> visual Mach-O file browser
class-dump -> utility for examining the Objective-C runtime information stored in Mach-O files
dtrace -> generic front-end to the DTrace facility
fs_usage -> report system calls and page faults related to filesystem activity in real time
xattr -> display and manipulate extended attributes
Xcode -> Apple's IDE, containing a suite of software development tools
Hopper -> disassembler and decompiler for 32/64-bit Mach-O files
lldb -> debugger
fseventer -> disk activity tool with a good graphical representation and a solid filter tool
launchctl -> manage and inspect daemons, agents and XPC services (PLIST)
sysctl -> get or set kernel state
nettop -> display updated information about the network
lsmp -> list the Mach ports used by a process
ndisasm -> the Netwide Disassembler, an 80x86 binary file disassembler
spctl -> SecAssessment system policy security (Gatekeeper)
dscl -> Directory Service command line utility
csrutil -> configure system security policies (SIP)
opensnoop -> snoop file opens as they occur; uses DTrace
Activity Monitor -> tool to help you keep your system in good shape
procexp -> a simple top-like tool that shows the information accessible via proc_info
lsock -> based on the PF_SYSTEM provider, gives real-time notifications of socket activity, like TCPView from Sysinternals
Little Snitch -> network traffic monitoring and control
Hacking is a way of life

0x05 Reference

Kernel Architecture Overview
https://developer.apple.com/library/archive/documentation/Darwin/Conceptual/KernelProgramming/Architecture/Architecture.html#//apple_ref/doc/uid/TP30000905-CH1g-TPXREF101
Apple Developer
https://developer.apple.com/
macOS Kernel Debugging
https://blog.quarkslab.com/an-overview-of-macos-kernel-debugging.html
Building XNU for macOS
https://kernelshaman.blogspot.com/2018/01/building-xnu-for-macos-high-sierra-1013.html
0x06 Conclusion

Thanks a lot
Any questions?
ricardologanbr@gmail.com @l0ganbr
http://www.slideshare.net/l0ganbr

Nullbyte 6ed. 2019


Speaker notes

  1. With all the information presented in the previous slides, we conclude that OS X really can be a heavily exploited platform, both by malware and through the exploitation of vulnerabilities. Mention the company Hacking Team, which had interception tools that ran even on OS X: https://github.com/RookLabs/milano. OS X 10.10 DYLD_PRINT_TO_FILE Local Privilege Escalation Vulnerability: https://www.sektioneins.de/en/blog/15-07-07-dyld_print_to_file_lpe.html (author: Stefan Esser).
  2. Remember that by default the keychain password is the same one the system user logs in with, so with it you could access every password stored in the keychain.
  3. Convert a plist file to formatted XML: plutil -convert xml1 Info.plist
  4. The flaw consists in the XNU kernel's use of the mmap syscall: mmap_shared is used without memory-allocation control, where mmap_private and/or mmap_anon could have been used.