SlideShare uma empresa Scribd logo

macOS Hacking Tricks: Explore Security Features and Demo Attacks

Ricardo L0gan
Ricardo L0gan

Esta apresentação é baseada em uma pesquisa que publiquei em 2015 que tratava de malware do tipo mach-o, e o aumento de visibilidade do macOS como novo alvo. Nesta nova pesquisa, a ideia é mostrar algumas dicas sobre internals, kernel e principais ameaças que o macOS vem enfrentando.

Tecnologia
1 de 29
macOS Hacking Tricks
$Whoami macOS Hacking Tricks ### Long live Open Source - Use Linux (Slackware) ### Ricardo L0gan Security Specialist with over 15 years of experience, malware research enthusiastic, pentest and reverse engineering. I’ve a solid knowledge on topics like network security, hardening and tuning across multiple platforms such as Windows, Linux, OS X and Cisco. Beginner in programming languages as Python, C and Assembly. In Brazil, I contribute with some security conferences organizations such as SlackShow Community, bSides SP and Hackers to Hackers Conference (H2HC).
Agenda 0x00 Motivation of Research 0x01 macOS Security Characteristics 0x02 Hacking macOS target 0x03 Hacking macOS target + Demo 0x04 macOS Tools 0x05 Reference 0x06 Conclusion macOS Hacking Tricks
Source: http://thehackernews.com/2015/02/vulnerable- operating-system.html macOS Hacking Tricks 0x00 Motivation of Research
macOS Hacking Tricks 0x00 Motivation of Research
macOS Hacking Tricks OSX/Cres centCore 2019 OSX/Linker 2019 LoundMiner 2019 OSX/MaMi 2018 Crossrider (OSX/Shalyer) 2018 Mshelper 2018 Mac Auto Fixer 2018 0x00 Motivation of Research
macOS Hacking Tricks  A modern Operating system (macOS fanBoy LOL) Unix based  Kernel XNU is based on micro-kernel of NeXTSTEP (Mach) and kernel of BSD (FreeBSD)  Lots of userland applications  Mac OS X has grown significantly in market share. 0x01 Security Characteristics
macOS Hacking Tricks SIP (System Integrity Protection) FileVault Xprotect Gatekeeper 0x01 Security Characteristics Secure Boot
macOS Hacking Tricks 0x01 Security Characteristics SIP Originally introduced with OS X El Capitan, System Integrity Protection, usually referred to as SIP, is a security feature built into the Mac operating system that's designed to protect most system locations, system processes, and Kernel extensions from being written to, modified, or replaced.
macOS Hacking Tricks 0x01 Security Characteristics XProtect Anti-virus product is internally referred to as XProtect. Implemented within the CoreServicesUIAgent.
macOS Hacking Tricks 0x01 Security Characteristics Filevault Apple implementation of encrypting your data on macOS and Mac hardware. It will encrypt all of your data on your startup disk (although you can also encrypt your Time Machine backups as well) and once enabled, it will encrypt your data on the fly and will work seamlessly in the background
macOS Hacking Tricks 0x01 Security Characteristics Gatekeeper Security feature of the macOS operating system by Apple. It enforces code signing and verifies downloaded applications before allowing them to run, thereby reducing the likelihood of inadvertently executing malware. $ sudo spctl –master-disable
macOS Hacking Tricks 0x01 Security Characteristics SecureBoot Process where the firmware validates the bootloader prior to loading. It is at the start of the chain of trust that ensures that code that gets run (drivers, kernel, applications) is known and validated
macOS Hacking Tricks Source: https://opensource.apple.com/source/xnu/ 0x01 Security Characteristics XNU
macOS Hacking Tricks 0x01 Security Characteristics Kext files are essentially drivers for macOS. "Kext" stands for Kernel Extension; kext files "extend" Mac OS X's kernel, the core part of the operating system, by providing additional code to be loaded when your computer boots.
macOS Hacking Tricks 0x01 Security Characteristics
macOS Hacking Tricks Keychain file stores secrets data like: Safari passwords, WIFI keys, Skype username/password, Google username/password (contact, Picasa), Exchange username/password 0x01 Security Characteristics
macOS Hacking Tricks 0x01 Security Characteristics
macOS Hacking Tricks 0x01 Security Characteristics PLIST file is a settings file, also known as a "properties file," used by macOS applications. It contains properties and configuration settings for various programs. PLIST files are formatted in XML and based on Apple's Core Foundation DTD. $ launchctl load arquivo.plist
macOS Hacking Tricks Obtain system user access From remote access:  By common “server side” vulnerabilities like SMB, SSH, WEB, ...  By “client side” vulnerabilities of Safari, iTunes, iChat, Quicktime, Skype, .. 0x02 Hacking macOS target
macOS Hacking Tricks Hashdump Python Script + Crack the Hash (Hashcat) 0x02 Hacking macOS target
macOS Hacking Tricks 0x02 Hacking macOS target Exploit-db
macOS Hacking Tricks Demos 01 Service: RAE (Remote Apple Events) Detail: AppleScript and Objects Port TCP/UDP 3031 = eppc 0x03 Hacking macOS target Demo
macOS Hacking Tricks Demo 02 XNU: copy-on-write behavior bypass via mount of user-owned filesystem Autor: Jann Horn (Google Project Zero) https://bugs.chromium.org/p/project- zero/issues/detail?id=1726&q= CVE-2019-6208 Corrigido = macOS Mojave 10.14.3 https://support.apple.com/pt-br/HT209446  buggycow.c  mod.c  pressure.c 0x03 Hacking macOS target Demo
macOS Hacking Tricks Demo 03 0x03 Hacking macOS target Demo Detail: OSASCRIPT (OSA Open Scripting Architecture Language Script) Reference: https://ss64.com/osx/osascript.html “local phishing” Bônus: How to Create a Fake PDF Trojan with AppleScript, Part 1 (Creating the Stager) https://null-byte.wonderhowto.com/how-to/hacking-macos-create-fake-pdf-trojan-with- applescript-part-1-creating-stager-0184692/ How to Create a Fake PDF Trojan with AppleScript, Part 2 (Disguising the Script) https://null-byte.wonderhowto.com/how-to/hacking-macos-create-fake-pdf-trojan-with- applescript-part-2-disguising-script-0184706/
macOS Hacking Tricks Lipo -> create or operate on universal files otool -> object file displaying tool like a objdump and ldd nm -> display name list (symbol table) codesign -> create and manipulate code signatures machOView -> visual Mach-O file browser class-dump -> utility for examining the Objective-C runtime information stored in Mach-O files. dtrace -> generic front-end to the DTrace facility fs_usage -> report system calls and page faults related to filesystem activity in real-time xattr -> display and manipulate extended attributes Xcode -> xcode is an (IDE) containing a suite of software development. hopper -> tool used for disassemble, and decompile your 32/64bits mach-o file. lldb -> debugger fseventer -> disk activity tool with a good graphical representation and solid filter tool. 0x04 macOS Tools
macOS Hacking Tricks launchctl-> Manage and Inspect daemons, agents and XPC Services (PLIST) sysctl -> get or set kernel state nettop -> Display updated information about the network lsmp -> list port used by process ndisasm -> The Netwide Disassembler, an 80x86 binary file disassembler spctl -> SecAssessment system policy security (Gatekeeper) dscl -> Directory Service command line utility csrutil -> Configure system security policies (SIP) open snoop -> snoop file opens as they occur. Uses DTrace. activity Monitor -> tool to help you keep your system in good shape. procoxp -> It's a simple tool like a top get information accessible by proc_info lsock -> based on PF_SYSTEM provider, you can get real time notifications of socket activity like TCPView from SysInternals. little Snitch -> network traffic monitoring and control. 0x04 macOS Tools
Hacking is a way of life 0x05 Reference Reference: Kernel Architecture Overview https://developer.apple.com/library/archive/documentation/Darwin/Conceptual/KernelP rogramming/Architecture/Architecture.html#//apple_ref/doc/uid/TP30000905-CH1g- TPXREF101 Apple Developer https://developer.apple.com/ macOS Kernel Debugging https://blog.quarkslab.com/an-overview-of-macos-kernel-debugging.html Building XNU for macOS https://kernelshaman.blogspot.com/2018/01/building-xnu-for-macos-high-sierra- 1013.html macOS Hacking Tricks
Thanks a Lot Any Questions ? 0x06 Conclusion ricardologanbr@gmail.com @l0ganbr http://www.slideshare.net/l0ganbr macOS Hacking Tricks

Recomendados

Strategies to design FUD malware
Strategies to design FUD malwareStrategies to design FUD malware
Strategies to design FUD malwarePedro Tavares
 
Hunting Mac Malware with Memory Forensics
Hunting Mac Malware with Memory ForensicsHunting Mac Malware with Memory Forensics
Hunting Mac Malware with Memory ForensicsAndrew Case
 
Linux Virus
Linux VirusLinux Virus
Linux VirusAkhil Kadangode
 
Fire & Ice: Making and Breaking macOS Firewalls
Fire & Ice: Making and Breaking macOS FirewallsFire & Ice: Making and Breaking macOS Firewalls
Fire & Ice: Making and Breaking macOS FirewallsPriyanka Aash
 
Optix Pro Bo2 K Trojan
Optix Pro Bo2 K TrojanOptix Pro Bo2 K Trojan
Optix Pro Bo2 K TrojanShinra
 
Presentation mac os x security
Presentation mac os x securityPresentation mac os x security
Presentation mac os x securityreza jalaluddin
 
sf bay area dfir meetup (2016-04-30) - OsxCollector
sf bay area dfir meetup (2016-04-30) - OsxCollector sf bay area dfir meetup (2016-04-30) - OsxCollector
sf bay area dfir meetup (2016-04-30) - OsxCollector Rishi Bhargava
 
Automating malware analysis
Automating malware analysis Automating malware analysis
Automating malware analysis Cysinfo Cyber Security Community
 

Recomendados

Strategies to design FUD malware
Strategies to design FUD malwareStrategies to design FUD malware
Strategies to design FUD malwarePedro Tavares
 
Hunting Mac Malware with Memory Forensics
Hunting Mac Malware with Memory ForensicsHunting Mac Malware with Memory Forensics
Hunting Mac Malware with Memory ForensicsAndrew Case
 
Linux Virus
Linux VirusLinux Virus
Linux VirusAkhil Kadangode
 
Fire & Ice: Making and Breaking macOS Firewalls
Fire & Ice: Making and Breaking macOS FirewallsFire & Ice: Making and Breaking macOS Firewalls
Fire & Ice: Making and Breaking macOS FirewallsPriyanka Aash
 
Optix Pro Bo2 K Trojan
Optix Pro Bo2 K TrojanOptix Pro Bo2 K Trojan
Optix Pro Bo2 K TrojanShinra
 
Presentation mac os x security
Presentation mac os x securityPresentation mac os x security
Presentation mac os x securityreza jalaluddin
 
sf bay area dfir meetup (2016-04-30) - OsxCollector
sf bay area dfir meetup (2016-04-30) - OsxCollector sf bay area dfir meetup (2016-04-30) - OsxCollector
sf bay area dfir meetup (2016-04-30) - OsxCollector Rishi Bhargava
 
Automating malware analysis
Automating malware analysis Automating malware analysis
Automating malware analysis Cysinfo Cyber Security Community
 
Penetration Testing and Intrusion Detection System
Penetration Testing and Intrusion Detection SystemPenetration Testing and Intrusion Detection System
Penetration Testing and Intrusion Detection SystemBikrant Gautam
 
Oleksyk applied-anti-forensics
Oleksyk applied-anti-forensicsOleksyk applied-anti-forensics
Oleksyk applied-anti-forensicsDefconRussia
 
Finfisher- Nguyễn Chấn Việt
Finfisher- Nguyễn Chấn ViệtFinfisher- Nguyễn Chấn Việt
Finfisher- Nguyễn Chấn ViệtSecurity Bootcamp
 
Basic malware analysis
Basic malware analysisBasic malware analysis
Basic malware analysissecurityxploded
 
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valeroRooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valeroRootedCON
 
Hacking Exposed LIVE: Attacking in the Shadows
Hacking Exposed LIVE: Attacking in the ShadowsHacking Exposed LIVE: Attacking in the Shadows
Hacking Exposed LIVE: Attacking in the ShadowsPriyanka Aash
 
Ransomware for fun and non-profit
Ransomware for fun and non-profitRansomware for fun and non-profit
Ransomware for fun and non-profitYouness Zougar
 
Hta w22
Hta w22Hta w22
Hta w22SelectedPresentations
 
Unix Security
Unix SecurityUnix Security
Unix Securityreplay21
 
The SElinux Notebook :the foundations - Vol 1
The SElinux Notebook :the foundations - Vol 1The SElinux Notebook :the foundations - Vol 1
The SElinux Notebook :the foundations - Vol 1Eliel Prado
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov
 
The day I ruled the world (RootedCON 2020)
The day I ruled the world (RootedCON 2020)The day I ruled the world (RootedCON 2020)
The day I ruled the world (RootedCON 2020)Javier Junquera
 
Fileless Malware Infections
Fileless Malware InfectionsFileless Malware Infections
Fileless Malware InfectionsRamon
 
Bad transfer
Bad transferBad transfer
Bad transferUltraUploader
 
Windows forensic
Windows forensicWindows forensic
Windows forensicMD SAQUIB KHAN
 
Ch0 1
Ch0 1Ch0 1
Ch0 1TylerDerdun
 
Penetrating Windows 8 with syringe utility
Penetrating Windows 8 with syringe utilityPenetrating Windows 8 with syringe utility
Penetrating Windows 8 with syringe utilityIOSR Journals
 
Advanced malware analysis training session4 anti-analysis techniques
Advanced malware analysis training session4 anti-analysis techniquesAdvanced malware analysis training session4 anti-analysis techniques
Advanced malware analysis training session4 anti-analysis techniquesCysinfo Cyber Security Community
 
presentation
presentationpresentation
presentationPeter Oswald
 
Windows Registry Tips & Tricks
Windows Registry Tips & TricksWindows Registry Tips & Tricks
Windows Registry Tips & TricksRaghav Bisht
 
Andsec Reversing on Mach-o File
Andsec Reversing on Mach-o FileAndsec Reversing on Mach-o File
Andsec Reversing on Mach-o FileRicardo L0gan
 
MacOS forensics and anti-forensics (DC Lviv 2019) presentation
MacOS forensics and anti-forensics (DC Lviv 2019) presentationMacOS forensics and anti-forensics (DC Lviv 2019) presentation
MacOS forensics and anti-forensics (DC Lviv 2019) presentationOlehLevytskyi1
 

Mais conteúdo relacionado

Mais procurados

Penetration Testing and Intrusion Detection System
Penetration Testing and Intrusion Detection SystemPenetration Testing and Intrusion Detection System
Penetration Testing and Intrusion Detection SystemBikrant Gautam
 
Oleksyk applied-anti-forensics
Oleksyk applied-anti-forensicsOleksyk applied-anti-forensics
Oleksyk applied-anti-forensicsDefconRussia
 
Finfisher- Nguyễn Chấn Việt
Finfisher- Nguyễn Chấn ViệtFinfisher- Nguyễn Chấn Việt
Finfisher- Nguyễn Chấn ViệtSecurity Bootcamp
 
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valeroRooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valeroRootedCON
 
Hacking Exposed LIVE: Attacking in the Shadows
Hacking Exposed LIVE: Attacking in the ShadowsHacking Exposed LIVE: Attacking in the Shadows
Hacking Exposed LIVE: Attacking in the ShadowsPriyanka Aash
 
Ransomware for fun and non-profit
Ransomware for fun and non-profitRansomware for fun and non-profit
Ransomware for fun and non-profitYouness Zougar
 
Unix Security
Unix SecurityUnix Security
Unix Securityreplay21
 
The SElinux Notebook :the foundations - Vol 1
The SElinux Notebook :the foundations - Vol 1The SElinux Notebook :the foundations - Vol 1
The SElinux Notebook :the foundations - Vol 1Eliel Prado
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov
 
The day I ruled the world (RootedCON 2020)
The day I ruled the world (RootedCON 2020)The day I ruled the world (RootedCON 2020)
The day I ruled the world (RootedCON 2020)Javier Junquera
 
Fileless Malware Infections
Fileless Malware InfectionsFileless Malware Infections
Fileless Malware InfectionsRamon
 
Penetrating Windows 8 with syringe utility
Penetrating Windows 8 with syringe utilityPenetrating Windows 8 with syringe utility
Penetrating Windows 8 with syringe utilityIOSR Journals
 
Advanced malware analysis training session4 anti-analysis techniques
Advanced malware analysis training session4 anti-analysis techniquesAdvanced malware analysis training session4 anti-analysis techniques
Advanced malware analysis training session4 anti-analysis techniquesCysinfo Cyber Security Community
 
Windows Registry Tips & Tricks
Windows Registry Tips & TricksWindows Registry Tips & Tricks
Windows Registry Tips & TricksRaghav Bisht
 

Mais procurados (20)

Penetration Testing and Intrusion Detection System
Penetration Testing and Intrusion Detection SystemPenetration Testing and Intrusion Detection System
Penetration Testing and Intrusion Detection System
 
Oleksyk applied-anti-forensics
Oleksyk applied-anti-forensicsOleksyk applied-anti-forensics
Oleksyk applied-anti-forensics
 
Finfisher- Nguyễn Chấn Việt
Finfisher- Nguyễn Chấn ViệtFinfisher- Nguyễn Chấn Việt
Finfisher- Nguyễn Chấn Việt
 
Basic malware analysis
Basic malware analysisBasic malware analysis
Basic malware analysis
 
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valeroRooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
 
Hacking Exposed LIVE: Attacking in the Shadows
Hacking Exposed LIVE: Attacking in the ShadowsHacking Exposed LIVE: Attacking in the Shadows
Hacking Exposed LIVE: Attacking in the Shadows
 
Ransomware for fun and non-profit
Ransomware for fun and non-profitRansomware for fun and non-profit
Ransomware for fun and non-profit
 
Hta w22
Hta w22Hta w22
Hta w22
 
Unix Security
Unix SecurityUnix Security
Unix Security
 
The SElinux Notebook :the foundations - Vol 1
The SElinux Notebook :the foundations - Vol 1The SElinux Notebook :the foundations - Vol 1
The SElinux Notebook :the foundations - Vol 1
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows Environment
 
The day I ruled the world (RootedCON 2020)
The day I ruled the world (RootedCON 2020)The day I ruled the world (RootedCON 2020)
The day I ruled the world (RootedCON 2020)
 
Fileless Malware Infections
Fileless Malware InfectionsFileless Malware Infections
Fileless Malware Infections
 
Bad transfer
Bad transferBad transfer
Bad transfer
 
Windows forensic
Windows forensicWindows forensic
Windows forensic
 
Ch0 1
Ch0 1Ch0 1
Ch0 1
 
Penetrating Windows 8 with syringe utility
Penetrating Windows 8 with syringe utilityPenetrating Windows 8 with syringe utility
Penetrating Windows 8 with syringe utility
 
Advanced malware analysis training session4 anti-analysis techniques
Advanced malware analysis training session4 anti-analysis techniquesAdvanced malware analysis training session4 anti-analysis techniques
Advanced malware analysis training session4 anti-analysis techniques
 
presentation
presentationpresentation
presentation
 
Windows Registry Tips & Tricks
Windows Registry Tips & TricksWindows Registry Tips & Tricks
Windows Registry Tips & Tricks
 

Semelhante a macOS Hacking Tricks: Explore Security Features and Demo Attacks

Andsec Reversing on Mach-o File
Andsec Reversing on Mach-o FileAndsec Reversing on Mach-o File
Andsec Reversing on Mach-o FileRicardo L0gan
 
MacOS forensics and anti-forensics (DC Lviv 2019) presentation
MacOS forensics and anti-forensics (DC Lviv 2019) presentationMacOS forensics and anti-forensics (DC Lviv 2019) presentation
MacOS forensics and anti-forensics (DC Lviv 2019) presentationOlehLevytskyi1
 
Crisis. advanced malware
Crisis. advanced malwareCrisis. advanced malware
Crisis. advanced malwareYury Chemerkin
 
Hacking Exposed: The Mac Attack
Hacking Exposed: The Mac AttackHacking Exposed: The Mac Attack
Hacking Exposed: The Mac AttackPriyanka Aash
 
Hacking Exposed: The Mac Attack
Hacking Exposed: The Mac AttackHacking Exposed: The Mac Attack
Hacking Exposed: The Mac AttackPriyanka Aash
 
CEHv10 M0 Introduction.pptx
CEHv10 M0 Introduction.pptxCEHv10 M0 Introduction.pptx
CEHv10 M0 Introduction.pptxYasserOuda2
 
Malware freak show
Malware freak showMalware freak show
Malware freak showsr1nu
 
Threats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in LinuxThreats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in LinuxAmitesh Bharti
 
Bsides Tampa Blue Team’s tool dump.
Bsides Tampa Blue Team’s tool dump.Bsides Tampa Blue Team’s tool dump.
Bsides Tampa Blue Team’s tool dump.Alexander Kot
 
A client-side vulnerability under the microscope!
A client-side vulnerability under the microscope!A client-side vulnerability under the microscope!
A client-side vulnerability under the microscope!Nelson Brito
 
Hunting Mac Malware with Memory Forensics
Hunting Mac Malware with Memory ForensicsHunting Mac Malware with Memory Forensics
Hunting Mac Malware with Memory ForensicsAndrew Case
 
Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008ClubHack
 
Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008ClubHack
 

Semelhante a macOS Hacking Tricks: Explore Security Features and Demo Attacks (20)

Andsec Reversing on Mach-o File
Andsec Reversing on Mach-o FileAndsec Reversing on Mach-o File
Andsec Reversing on Mach-o File
 
MacOS forensics and anti-forensics (DC Lviv 2019) presentation
MacOS forensics and anti-forensics (DC Lviv 2019) presentationMacOS forensics and anti-forensics (DC Lviv 2019) presentation
MacOS forensics and anti-forensics (DC Lviv 2019) presentation
 
H2HC - R3MF
H2HC - R3MFH2HC - R3MF
H2HC - R3MF
 
Stuxnet dc9723
Stuxnet dc9723Stuxnet dc9723
Stuxnet dc9723
 
Crisis. advanced malware
Crisis. advanced malwareCrisis. advanced malware
Crisis. advanced malware
 
Hacking Exposed: The Mac Attack
Hacking Exposed: The Mac AttackHacking Exposed: The Mac Attack
Hacking Exposed: The Mac Attack
 
Hacking Exposed: The Mac Attack
Hacking Exposed: The Mac AttackHacking Exposed: The Mac Attack
Hacking Exposed: The Mac Attack
 
CEHv10 M0 Introduction.pptx
CEHv10 M0 Introduction.pptxCEHv10 M0 Introduction.pptx
CEHv10 M0 Introduction.pptx
 
Malware Freak Show
Malware Freak ShowMalware Freak Show
Malware Freak Show
 
Malware freak show
Malware freak showMalware freak show
Malware freak show
 
Threats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in LinuxThreats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in Linux
 
Bsides Tampa Blue Team’s tool dump.
Bsides Tampa Blue Team’s tool dump.Bsides Tampa Blue Team’s tool dump.
Bsides Tampa Blue Team’s tool dump.
 
Understand study
Understand studyUnderstand study
Understand study
 
Ch11
Ch11Ch11
Ch11
 
Ch11 system administration
Ch11 system administration Ch11 system administration
Ch11 system administration
 
A client-side vulnerability under the microscope!
A client-side vulnerability under the microscope!A client-side vulnerability under the microscope!
A client-side vulnerability under the microscope!
 
News bytes Oct-2011
News bytes Oct-2011News bytes Oct-2011
News bytes Oct-2011
 
Hunting Mac Malware with Memory Forensics
Hunting Mac Malware with Memory ForensicsHunting Mac Malware with Memory Forensics
Hunting Mac Malware with Memory Forensics
 
Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008
 
Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008
 

Último

Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 

Último (20)

Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 

macOS Hacking Tricks: Explore Security Features and Demo Attacks

  • 2. $Whoami macOS Hacking Tricks ### Long live Open Source - Use Linux (Slackware) ### Ricardo L0gan Security Specialist with over 15 years of experience, malware research enthusiastic, pentest and reverse engineering. I’ve a solid knowledge on topics like network security, hardening and tuning across multiple platforms such as Windows, Linux, OS X and Cisco. Beginner in programming languages as Python, C and Assembly. In Brazil, I contribute with some security conferences organizations such as SlackShow Community, bSides SP and Hackers to Hackers Conference (H2HC).
  • 3. Agenda 0x00 Motivation of Research 0x01 macOS Security Characteristics 0x02 Hacking macOS target 0x03 Hacking macOS target + Demo 0x04 macOS Tools 0x05 Reference 0x06 Conclusion macOS Hacking Tricks
  • 5. macOS Hacking Tricks 0x00 Motivation of Research
  • 7. macOS Hacking Tricks  A modern Operating system (macOS fanBoy LOL) Unix based  Kernel XNU is based on micro-kernel of NeXTSTEP (Mach) and kernel of BSD (FreeBSD)  Lots of userland applications  Mac OS X has grown significantly in market share. 0x01 Security Characteristics
  • 8. macOS Hacking Tricks SIP (System Integrity Protection) FileVault Xprotect Gatekeeper 0x01 Security Characteristics Secure Boot
  • 9. macOS Hacking Tricks 0x01 Security Characteristics SIP Originally introduced with OS X El Capitan, System Integrity Protection, usually referred to as SIP, is a security feature built into the Mac operating system that's designed to protect most system locations, system processes, and Kernel extensions from being written to, modified, or replaced.
  • 10. macOS Hacking Tricks 0x01 Security Characteristics XProtect Anti-virus product is internally referred to as XProtect. Implemented within the CoreServicesUIAgent.
  • 11. macOS Hacking Tricks 0x01 Security Characteristics Filevault Apple implementation of encrypting your data on macOS and Mac hardware. It will encrypt all of your data on your startup disk (although you can also encrypt your Time Machine backups as well) and once enabled, it will encrypt your data on the fly and will work seamlessly in the background
  • 12. macOS Hacking Tricks 0x01 Security Characteristics Gatekeeper Security feature of the macOS operating system by Apple. It enforces code signing and verifies downloaded applications before allowing them to run, thereby reducing the likelihood of inadvertently executing malware. $ sudo spctl –master-disable
  • 13. macOS Hacking Tricks 0x01 Security Characteristics SecureBoot Process where the firmware validates the bootloader prior to loading. It is at the start of the chain of trust that ensures that code that gets run (drivers, kernel, applications) is known and validated
  • 14. macOS Hacking Tricks Source: https://opensource.apple.com/source/xnu/ 0x01 Security Characteristics XNU
  • 15. macOS Hacking Tricks 0x01 Security Characteristics Kext files are essentially drivers for macOS. "Kext" stands for Kernel Extension; kext files "extend" Mac OS X's kernel, the core part of the operating system, by providing additional code to be loaded when your computer boots.
  • 16. macOS Hacking Tricks 0x01 Security Characteristics
  • 17. macOS Hacking Tricks Keychain file stores secrets data like: Safari passwords, WIFI keys, Skype username/password, Google username/password (contact, Picasa), Exchange username/password 0x01 Security Characteristics
  • 18. macOS Hacking Tricks 0x01 Security Characteristics
  • 19. macOS Hacking Tricks 0x01 Security Characteristics PLIST file is a settings file, also known as a "properties file," used by macOS applications. It contains properties and configuration settings for various programs. PLIST files are formatted in XML and based on Apple's Core Foundation DTD. $ launchctl load arquivo.plist
  • 20. macOS Hacking Tricks Obtain system user access From remote access:  By common “server side” vulnerabilities like SMB, SSH, WEB, ...  By “client side” vulnerabilities of Safari, iTunes, iChat, Quicktime, Skype, .. 0x02 Hacking macOS target
  • 21. macOS Hacking Tricks Hashdump Python Script + Crack the Hash (Hashcat) 0x02 Hacking macOS target
  • 22. macOS Hacking Tricks 0x02 Hacking macOS target Exploit-db
  • 23. macOS Hacking Tricks Demos 01 Service: RAE (Remote Apple Events) Detail: AppleScript and Objects Port TCP/UDP 3031 = eppc 0x03 Hacking macOS target Demo
  • 24. macOS Hacking Tricks Demo 02 XNU: copy-on-write behavior bypass via mount of user-owned filesystem Autor: Jann Horn (Google Project Zero) https://bugs.chromium.org/p/project- zero/issues/detail?id=1726&q= CVE-2019-6208 Corrigido = macOS Mojave 10.14.3 https://support.apple.com/pt-br/HT209446  buggycow.c  mod.c  pressure.c 0x03 Hacking macOS target Demo
  • 25. macOS Hacking Tricks Demo 03 0x03 Hacking macOS target Demo Detail: OSASCRIPT (OSA Open Scripting Architecture Language Script) Reference: https://ss64.com/osx/osascript.html “local phishing” Bônus: How to Create a Fake PDF Trojan with AppleScript, Part 1 (Creating the Stager) https://null-byte.wonderhowto.com/how-to/hacking-macos-create-fake-pdf-trojan-with- applescript-part-1-creating-stager-0184692/ How to Create a Fake PDF Trojan with AppleScript, Part 2 (Disguising the Script) https://null-byte.wonderhowto.com/how-to/hacking-macos-create-fake-pdf-trojan-with- applescript-part-2-disguising-script-0184706/
  • 26. macOS Hacking Tricks Lipo -> create or operate on universal files otool -> object file displaying tool like a objdump and ldd nm -> display name list (symbol table) codesign -> create and manipulate code signatures machOView -> visual Mach-O file browser class-dump -> utility for examining the Objective-C runtime information stored in Mach-O files. dtrace -> generic front-end to the DTrace facility fs_usage -> report system calls and page faults related to filesystem activity in real-time xattr -> display and manipulate extended attributes Xcode -> xcode is an (IDE) containing a suite of software development. hopper -> tool used for disassemble, and decompile your 32/64bits mach-o file. lldb -> debugger fseventer -> disk activity tool with a good graphical representation and solid filter tool. 0x04 macOS Tools
  • 27. macOS Hacking Tricks launchctl-> Manage and Inspect daemons, agents and XPC Services (PLIST) sysctl -> get or set kernel state nettop -> Display updated information about the network lsmp -> list port used by process ndisasm -> The Netwide Disassembler, an 80x86 binary file disassembler spctl -> SecAssessment system policy security (Gatekeeper) dscl -> Directory Service command line utility csrutil -> Configure system security policies (SIP) open snoop -> snoop file opens as they occur. Uses DTrace. activity Monitor -> tool to help you keep your system in good shape. procoxp -> It's a simple tool like a top get information accessible by proc_info lsock -> based on PF_SYSTEM provider, you can get real time notifications of socket activity like TCPView from SysInternals. little Snitch -> network traffic monitoring and control. 0x04 macOS Tools
  • 28. Hacking is a way of life 0x05 Reference Reference: Kernel Architecture Overview https://developer.apple.com/library/archive/documentation/Darwin/Conceptual/KernelP rogramming/Architecture/Architecture.html#//apple_ref/doc/uid/TP30000905-CH1g- TPXREF101 Apple Developer https://developer.apple.com/ macOS Kernel Debugging https://blog.quarkslab.com/an-overview-of-macos-kernel-debugging.html Building XNU for macOS https://kernelshaman.blogspot.com/2018/01/building-xnu-for-macos-high-sierra- 1013.html macOS Hacking Tricks
  • 29. Thanks a Lot Any Questions ? 0x06 Conclusion ricardologanbr@gmail.com @l0ganbr http://www.slideshare.net/l0ganbr macOS Hacking Tricks

Notas do Editor

  1. Com todas informações disponibilizadas nos slides anteriores concluímos que o OS X realmente pode ser um plataforma muito explorada. Tanto por malwares quanto para exploração de vulnerabilidades. Mencionar Empresa Hacker Team que tinha ferramentas de interceptação que rodava ate em OSX https://github.com/RookLabs/milano OS X 10.10 DYLD_PRINT_TO_FILE Local Privilege Escalation Vulnerability https://www.sektioneins.de/en/blog/15-07-07-dyld_print_to_file_lpe.html Autor: Stefan Esser
  2. Com todas informações disponibilizadas nos slides anteriores concluímos que o OS X realmente pode ser um plataforma muito explorada. Tanto por malwares quanto para exploração de vulnerabilidades. Mencionar Empresa Hacker Team que tinha ferramentas de interceptação que rodava ate em OSX https://github.com/RookLabs/milano OS X 10.10 DYLD_PRINT_TO_FILE Local Privilege Escalation Vulnerability https://www.sektioneins.de/en/blog/15-07-07-dyld_print_to_file_lpe.html Autor: Stefan Esser
  3. Lembre-se que por default a senha do keychain e a mesma utilizada pelo usuário de sistema com isso você poderia ter acesso a todas as senhas contidas nele.
  4. Converter um arquivo plist em XML Formatado - plutil -convert xml1 Info.plist
  5. A Falha consiste em o kernel XNU usar a syscall mmap. A mmap_shared está sendo utilizada sem controle de alocação de memória poderia ser utilizada mmap_private e ou mmap_anon.