SlideShare a Scribd company logo

External to DA, the OS X Way

Download as PPTX, PDF
S
Stephan Borosh

The document provides an overview of techniques for penetrating OS X environments externally, including using the EmPyre remote access Trojan, phishing with OS X payloads, privilege escalation, persistence mechanisms like login hooks and crontab, host and network reconnaissance tools, and lateral movement options like SSH. The challenges of operating in an OS X environment and adapting typical Windows tactics are also discussed.

Internet
1 of 44
External to DA, the OS X Way Operating in an OS X-heavy environment
Contents  Introduction  Overview  Tradecraft Preparation  Challenges  The Agent  Phishing  Situational Awareness: Host Enumeration  Privilege Escalation  Persistence  Situational Awareness: Network and User Enumeration  Lateral Movement
Introductions  Alex Rymdeko-Harvey is a previous US Army Solider that recently transitioned and currently works at the Adaptive Threat Division at Veris Group as a Penetration Tester and Red Teamer. Alex has a wide range of skills and experience from offensive and defensive operations taking place in today's security surface.  Steve Borosh is a long-time security enthusiast. Prior: U.S. Army Infantry Combat Veteran and private security contractor. Currently working as a Penetration Tester, Red Teamer and Instructor with Veris Group’s Adaptive Threat Division. Steve enjoys bug hunting, building useful security tools and teaching.
Overview • Typical penetration tests cover Windows / Linux • Assessments become mundane • Client approaches with a large OS X user-base • Use common methodologies with new tools and techniques adapted for OS X • Utilize EmPyre, a Remote Access Trojan based of of the Empire framework
Adversarial Use • WireLurker (Trojanized applications, Infects connected ios devices) • XcodeGhost (Infected xcode package in China) • Hacking Team (Remote Code Systems compromise platform) • OceanLotus (Flash Dropper, Download Mach-O binary) • KeRanger (Ransomware, Infected transmission package)
The Scenario • A client requests an external penetration test against their corporate infrastructure. • Phishing with payloads may be conducted with email addresses harvested from publicly available sources. • 90% of users utilize OS X with several developers using Windows
Scenario: Goals • Phish OS X users • Elevate local privileges • Move Laterally if needed • Gain control of the Active Directory domain
Tradecraft Preparation • Planning and Preparation • Right tools for the job • Live off the land • pbpaste • screencapture • Native vs Non-Native • Methodology • Reconnaissance • Exploitation (gain access) • Sitiuational Awareness • Escalate Privileges • Establish Persistence • Lateral Movement Gain Access Situational Awareness Escalate Privileges Establish Persistence Lateral Movement
Challenges  Limited information on operating in OS X environments  No open-sourced asynchronous Remote Access Trojan (RAT)  Lateral Spread  OS X/Linux  Windows  Less phishing payloads available  No OLE  Less executable types
The Agent: EmPyre
The Agent: EmPyre  Remote Access Trojan (RAT)  Python (core developed by @harmj0y) based on the Empire project  Asynchronous / C2  Secure Diffie-Hellman exchange communications  Post-Exploitation modules  OS X/Linux  Launcher detects Little Snitch
The Agent: EmPyre  The Diffie Hellman implementation is from Mark Loiseau's project at https://github.com/lowazo/pyDHE, licensed under version 3.0 of the GNU General Public License.  The AES implementation is adapted from Richard Moore's project at https://github.com/ricmoo/pyaes, licensed under the MIT license.
Phishing  Previous Tradecraft  Browser Exploits  Java Payloads  OLE Documents  Macro Payloads
Phishing: Payload Generation  2015-7007 HTML Applescript launcher  OS X Microsoft Office Macro  Supports 2011  2016 = “Sandbox”
Payload Generation
Situational Awareness: Host  Previous Tradecraft  PowerShell  WMI  PowerUp  Cobalt Strike Beacon modules  Meterpreter modules  The core of knowing your land  How do we priv-esc?
Situational Awareness: Host  Keylog  Keychain Dump  Clipboard Monitoring  Scrape Messages  Hash Dump  Browser Dump
Situational Awareness: Keylogging  Elevated Context  Vital portion of our tradecraft  post exploitation
Situational Awareness: Clipboard Monitoring  Non-Native method  Native pbpaste may be signatured by Carbon Black  Out to file
Situational Awareness: Keychain Dump  Cleartext Keychain Dump  Versions Prior to OS X El Capitan Inspired / Adapted from Juuso: https://github.com/juuso /keychaindump
Situational Awareness: Search Messages  Scrapes Message.app DB  iMessage, Jabber, Google Talk, Yahoo, AIM  Enumerate X messages  Account  Service  Number  message
Situational Awareness: Hashdump  Local Hashes  Hashcat format ready!
Situational Awareness: Browser Dump  Dump Chrome  Dump Safari  Specify length of output
Privilege Escalation  Sudo Spawn
Persistence  Previous Tradecraft  Windows  Registry  Startup Folders  WMI  DLL Hijack  Net user /add  Linux  Crontab  adduser
Persistence  Login Hooks  Login persistence  Crontab  Hourly persistence  LaunchDaemon  Reboot persistence  DyLib Hijacking  Application start persistence
Persistence: Login Hook - User Context Persistence  Mac Login Hooks  Bash / Applescript execution  Accessible to all users  Uses “Defaults” tool  Sets com.apple.loginwindow LoginHook
Persistence: Crontab  Set persistence by time  Requires file on disk
Persistence: Launch Daemon  Requires Sudo  Spawns on reboot  Spawns on agent loss
Persistence: Dylib Hijacking  Hijack Scanner Module  Based on @patrickwardle research
Persistence: Dylib Hijacking  Hijacked Xcode
Situational Awareness: Network  Previous Tradecraft  Arp  Nmap  Net Commands  EyeWitness  PowerView
Situational Awareness: Network  Group Policy Preferences  Active Directory Queries  Port Scanning  Web Discovery
Situational Awareness: Active Directory Modules  situational_awareness/network/active_directory/get_computers  situational_awareness/network/active_directory/get_domaincontrollers  situational_awareness/network/active_directory/get_fileservers  situational_awareness/network/active_directory/get_groupmembers  situational_awareness/network/active_directory/get_groupmemberships  situational_awareness/network/active_directory/get_groups  situational_awareness/network/active_directory/get_ous  situational_awareness/network/active_directory/get_userinformation  situational_awareness/network/active_directory/get_users
Situational Awareness: GPP  Group Policy Preferences  Pulls “Encrypted” passwords from SYSVOL  MS14-025 https://raw.githubusercontent.com/leonteale/pentestpackage/master/Gpprefdecrypt.py
Situational Awareness: Finding the Domain Controller
Situational Awareness: LDAP Queries  Utilizes LDAP queries to pull objects such as computers, users, groups and more from Active Directory.
Situational Awareness: Web Services  find_fruit module  Checks for possible vulnerable web applications  Tomcat  jboss  idrac  Apache Axis2  etc..
Lateral Movement  Previous Tradecraft  Linux  SSH  Telnet  Exploitation  Windows  PSEXEC  WMI  Exploitation  RDP
Lateral Movement  Windows  Pivot to “Empire”  Exploit Web Services
Lateral Movement  Linux/OS X  SSH Commands  SSH Launcher
Honorable Mention: REST API  EmPyre implements the same RESTful API specification as Empire  https://github.com/PowerShellEmpire/Empire/wiki/RESTful-API  External users/projects can fully control an EmPyre server in a predictable way REST requests  This opens the possibility for web front ends, Android apps, multi- player CLI UIs, and more
What’s next  Socks Proxy  Community Modules  More Exploitation Modules  Merge with Empire Thanks to @harmj0y, @xorrior, @CptJesus for their contributions to this effort!

Recommended

MITRE ATT&CK Framework
MITRE ATT&CK FrameworkMITRE ATT&CK Framework
MITRE ATT&CK Frameworkn|u - The Open Security Community
 
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...MITRE - ATT&CKcon
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new blackChris Gates
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueWill Schroeder
 
I hunt sys admins 2.0
I hunt sys admins 2.0I hunt sys admins 2.0
I hunt sys admins 2.0Will Schroeder
 
Introduction to MITRE ATT&CK
Introduction to MITRE ATT&CKIntroduction to MITRE ATT&CK
Introduction to MITRE ATT&CKArpan Raval
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryWill Schroeder
 
MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0Michael Gough
 

Recommended

MITRE ATT&CK Framework
MITRE ATT&CK FrameworkMITRE ATT&CK Framework
MITRE ATT&CK Frameworkn|u - The Open Security Community
 
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...MITRE - ATT&CKcon
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new blackChris Gates
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueWill Schroeder
 
I hunt sys admins 2.0
I hunt sys admins 2.0I hunt sys admins 2.0
I hunt sys admins 2.0Will Schroeder
 
Introduction to MITRE ATT&CK
Introduction to MITRE ATT&CKIntroduction to MITRE ATT&CK
Introduction to MITRE ATT&CKArpan Raval
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryWill Schroeder
 
MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0Michael Gough
 
Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]RootedCON
 
Pwning the Enterprise With PowerShell
Pwning the Enterprise With PowerShellPwning the Enterprise With PowerShell
Pwning the Enterprise With PowerShellBeau Bullock
 
Metasploit framwork
Metasploit framworkMetasploit framwork
Metasploit framworkDeepanshu Gajbhiye
 
Abusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itAbusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itBenjamin Delpy
 
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...Jorge Orchilles
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentTeymur Kheirkhabarov
 
PurpleSharp BlackHat Arsenal Asia
PurpleSharp BlackHat Arsenal AsiaPurpleSharp BlackHat Arsenal Asia
PurpleSharp BlackHat Arsenal AsiaMauricio Velazco
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemRoss Wolf
 
So you want to be a red teamer
So you want to be a red teamerSo you want to be a red teamer
So you want to be a red teamerJorge Orchilles
 
8.8 Las Vegas - Adversary Emulation con C2 Matrix
8.8 Las Vegas - Adversary Emulation con C2 Matrix8.8 Las Vegas - Adversary Emulation con C2 Matrix
8.8 Las Vegas - Adversary Emulation con C2 MatrixJorge Orchilles
 
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation PlansEvolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation PlansChristopher Korban
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operationsSunny Neo
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov
 
PORT TARAMA ve KEŞİF ÇALIŞMALARI
PORT TARAMA ve KEŞİF ÇALIŞMALARI PORT TARAMA ve KEŞİF ÇALIŞMALARI
PORT TARAMA ve KEŞİF ÇALIŞMALARI BGA Cyber Security
 
Metasploit seminar
Metasploit seminarMetasploit seminar
Metasploit seminarhenelpj
 
Beyaz Şapkalı Hacker CEH Eğitimi - Post Exploit Aşaması
Beyaz Şapkalı Hacker CEH Eğitimi - Post Exploit AşamasıBeyaz Şapkalı Hacker CEH Eğitimi - Post Exploit Aşaması
Beyaz Şapkalı Hacker CEH Eğitimi - Post Exploit AşamasıPRISMA CSI
 
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItAMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItNikhil Mittal
 
Red Team Operasyonu ve İzlenen Bir Sisteme Sızmak
Red Team Operasyonu ve İzlenen Bir Sisteme SızmakRed Team Operasyonu ve İzlenen Bir Sisteme Sızmak
Red Team Operasyonu ve İzlenen Bir Sisteme SızmakBGA Cyber Security
 
Adversary Emulation - Red Team Village - Mayhem 2020
Adversary Emulation - Red Team Village - Mayhem 2020Adversary Emulation - Red Team Village - Mayhem 2020
Adversary Emulation - Red Team Village - Mayhem 2020Jorge Orchilles
 
PowerShell for Penetration Testers
PowerShell for Penetration TestersPowerShell for Penetration Testers
PowerShell for Penetration TestersNikhil Mittal
 
Stuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learnedStuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learnedYury Chemerkin
 
Operational Security Intelligence
Operational Security IntelligenceOperational Security Intelligence
Operational Security IntelligenceSplunk
 

More Related Content

What's hot

Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]RootedCON
 
Pwning the Enterprise With PowerShell
Pwning the Enterprise With PowerShellPwning the Enterprise With PowerShell
Pwning the Enterprise With PowerShellBeau Bullock
 
Abusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itAbusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itBenjamin Delpy
 
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...Jorge Orchilles
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentTeymur Kheirkhabarov
 
PurpleSharp BlackHat Arsenal Asia
PurpleSharp BlackHat Arsenal AsiaPurpleSharp BlackHat Arsenal Asia
PurpleSharp BlackHat Arsenal AsiaMauricio Velazco
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemRoss Wolf
 
So you want to be a red teamer
So you want to be a red teamerSo you want to be a red teamer
So you want to be a red teamerJorge Orchilles
 
8.8 Las Vegas - Adversary Emulation con C2 Matrix
8.8 Las Vegas - Adversary Emulation con C2 Matrix8.8 Las Vegas - Adversary Emulation con C2 Matrix
8.8 Las Vegas - Adversary Emulation con C2 MatrixJorge Orchilles
 
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation PlansEvolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation PlansChristopher Korban
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operationsSunny Neo
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov
 
PORT TARAMA ve KEŞİF ÇALIŞMALARI
PORT TARAMA ve KEŞİF ÇALIŞMALARI PORT TARAMA ve KEŞİF ÇALIŞMALARI
PORT TARAMA ve KEŞİF ÇALIŞMALARI BGA Cyber Security
 
Metasploit seminar
Metasploit seminarMetasploit seminar
Metasploit seminarhenelpj
 
Beyaz Şapkalı Hacker CEH Eğitimi - Post Exploit Aşaması
Beyaz Şapkalı Hacker CEH Eğitimi - Post Exploit AşamasıBeyaz Şapkalı Hacker CEH Eğitimi - Post Exploit Aşaması
Beyaz Şapkalı Hacker CEH Eğitimi - Post Exploit AşamasıPRISMA CSI
 
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItAMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItNikhil Mittal
 
Red Team Operasyonu ve İzlenen Bir Sisteme Sızmak
Red Team Operasyonu ve İzlenen Bir Sisteme SızmakRed Team Operasyonu ve İzlenen Bir Sisteme Sızmak
Red Team Operasyonu ve İzlenen Bir Sisteme SızmakBGA Cyber Security
 
Adversary Emulation - Red Team Village - Mayhem 2020
Adversary Emulation - Red Team Village - Mayhem 2020Adversary Emulation - Red Team Village - Mayhem 2020
Adversary Emulation - Red Team Village - Mayhem 2020Jorge Orchilles
 
PowerShell for Penetration Testers
PowerShell for Penetration TestersPowerShell for Penetration Testers
PowerShell for Penetration TestersNikhil Mittal
 

What's hot (20)

Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]
 
Pwning the Enterprise With PowerShell
Pwning the Enterprise With PowerShellPwning the Enterprise With PowerShell
Pwning the Enterprise With PowerShell
 
Metasploit framwork
Metasploit framworkMetasploit framwork
Metasploit framwork
 
Abusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itAbusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get it
 
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows Environment
 
PurpleSharp BlackHat Arsenal Asia
PurpleSharp BlackHat Arsenal AsiaPurpleSharp BlackHat Arsenal Asia
PurpleSharp BlackHat Arsenal Asia
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find Them
 
So you want to be a red teamer
So you want to be a red teamerSo you want to be a red teamer
So you want to be a red teamer
 
8.8 Las Vegas - Adversary Emulation con C2 Matrix
8.8 Las Vegas - Adversary Emulation con C2 Matrix8.8 Las Vegas - Adversary Emulation con C2 Matrix
8.8 Las Vegas - Adversary Emulation con C2 Matrix
 
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation PlansEvolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operations
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows Environment
 
PORT TARAMA ve KEŞİF ÇALIŞMALARI
PORT TARAMA ve KEŞİF ÇALIŞMALARI PORT TARAMA ve KEŞİF ÇALIŞMALARI
PORT TARAMA ve KEŞİF ÇALIŞMALARI
 
Metasploit seminar
Metasploit seminarMetasploit seminar
Metasploit seminar
 
Beyaz Şapkalı Hacker CEH Eğitimi - Post Exploit Aşaması
Beyaz Şapkalı Hacker CEH Eğitimi - Post Exploit AşamasıBeyaz Şapkalı Hacker CEH Eğitimi - Post Exploit Aşaması
Beyaz Şapkalı Hacker CEH Eğitimi - Post Exploit Aşaması
 
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItAMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
 
Red Team Operasyonu ve İzlenen Bir Sisteme Sızmak
Red Team Operasyonu ve İzlenen Bir Sisteme SızmakRed Team Operasyonu ve İzlenen Bir Sisteme Sızmak
Red Team Operasyonu ve İzlenen Bir Sisteme Sızmak
 
Adversary Emulation - Red Team Village - Mayhem 2020
Adversary Emulation - Red Team Village - Mayhem 2020Adversary Emulation - Red Team Village - Mayhem 2020
Adversary Emulation - Red Team Village - Mayhem 2020
 
PowerShell for Penetration Testers
PowerShell for Penetration TestersPowerShell for Penetration Testers
PowerShell for Penetration Testers
 

Similar to External to DA, the OS X Way

Stuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learnedStuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learnedYury Chemerkin
 
Operational Security Intelligence
Operational Security IntelligenceOperational Security Intelligence
Operational Security IntelligenceSplunk
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2Scott Sutherland
 
Big problems with big data – Hadoop interfaces security
Big problems with big data – Hadoop interfaces securityBig problems with big data – Hadoop interfaces security
Big problems with big data – Hadoop interfaces securitySecuRing
 
Zeronights 2015 - Big problems with big data - Hadoop interfaces security
Zeronights 2015 - Big problems with big data - Hadoop interfaces securityZeronights 2015 - Big problems with big data - Hadoop interfaces security
Zeronights 2015 - Big problems with big data - Hadoop interfaces securityJakub Kałużny
 
The How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability ManagementThe How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability ManagementTim Mackey
 
The How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability ManagementThe How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability ManagementBlack Duck by Synopsys
 
Threats, Threat Modeling and Analysis
Threats, Threat Modeling and AnalysisThreats, Threat Modeling and Analysis
Threats, Threat Modeling and AnalysisIan G
 
Detection of webshells in compromised perimeter assets using ML algorithms
Detection of webshells in compromised perimeter assets using ML algorithms Detection of webshells in compromised perimeter assets using ML algorithms
Detection of webshells in compromised perimeter assets using ML algorithms Rod Soto
 
Thick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash CourseThick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash CourseScott Sutherland
 
Keeping Up with the Adversary: Creating a Threat-Based Cyber Team
Keeping Up with the Adversary: Creating a Threat-Based Cyber TeamKeeping Up with the Adversary: Creating a Threat-Based Cyber Team
Keeping Up with the Adversary: Creating a Threat-Based Cyber TeamPriyanka Aash
 
Open Source Security Tools for Big Data
Open Source Security Tools for Big DataOpen Source Security Tools for Big Data
Open Source Security Tools for Big DataRommel Garcia
 
Open Source Security Tools for Big Data
Open Source Security Tools for Big DataOpen Source Security Tools for Big Data
Open Source Security Tools for Big DataGreat Wide Open
 
Red Team: Emulating Advanced Adversaries in Cyberspace
Red Team: Emulating Advanced Adversaries in CyberspaceRed Team: Emulating Advanced Adversaries in Cyberspace
Red Team: Emulating Advanced Adversaries in CyberspaceDon Anto
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliveryBlack Duck by Synopsys
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliveryTim Mackey
 
[CONFidence 2016] Jakub Kałużny, Mateusz Olejarka - Big problems with big dat...
[CONFidence 2016] Jakub Kałużny, Mateusz Olejarka - Big problems with big dat...[CONFidence 2016] Jakub Kałużny, Mateusz Olejarka - Big problems with big dat...
[CONFidence 2016] Jakub Kałużny, Mateusz Olejarka - Big problems with big dat...PROIDEA
 
Pro Tips for Power Users – Palo Alto Networks Live Community and Fuel User Gr...
Pro Tips for Power Users – Palo Alto Networks Live Community and Fuel User Gr...Pro Tips for Power Users – Palo Alto Networks Live Community and Fuel User Gr...
Pro Tips for Power Users – Palo Alto Networks Live Community and Fuel User Gr...PaloAltoNetworks
 
Basic Malware Analysis
Basic Malware AnalysisBasic Malware Analysis
Basic Malware AnalysisAlbert Hui
 
Android application security testing
Android application security testingAndroid application security testing
Android application security testingMykhailo Antonishyn
 

Similar to External to DA, the OS X Way (20)

Stuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learnedStuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learned
 
Operational Security Intelligence
Operational Security IntelligenceOperational Security Intelligence
Operational Security Intelligence
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2
 
Big problems with big data – Hadoop interfaces security
Big problems with big data – Hadoop interfaces securityBig problems with big data – Hadoop interfaces security
Big problems with big data – Hadoop interfaces security
 
Zeronights 2015 - Big problems with big data - Hadoop interfaces security
Zeronights 2015 - Big problems with big data - Hadoop interfaces securityZeronights 2015 - Big problems with big data - Hadoop interfaces security
Zeronights 2015 - Big problems with big data - Hadoop interfaces security
 
The How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability ManagementThe How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability Management
 
The How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability ManagementThe How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability Management
 
Threats, Threat Modeling and Analysis
Threats, Threat Modeling and AnalysisThreats, Threat Modeling and Analysis
Threats, Threat Modeling and Analysis
 
Detection of webshells in compromised perimeter assets using ML algorithms
Detection of webshells in compromised perimeter assets using ML algorithms Detection of webshells in compromised perimeter assets using ML algorithms
Detection of webshells in compromised perimeter assets using ML algorithms
 
Thick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash CourseThick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash Course
 
Keeping Up with the Adversary: Creating a Threat-Based Cyber Team
Keeping Up with the Adversary: Creating a Threat-Based Cyber TeamKeeping Up with the Adversary: Creating a Threat-Based Cyber Team
Keeping Up with the Adversary: Creating a Threat-Based Cyber Team
 
Open Source Security Tools for Big Data
Open Source Security Tools for Big DataOpen Source Security Tools for Big Data
Open Source Security Tools for Big Data
 
Open Source Security Tools for Big Data
Open Source Security Tools for Big DataOpen Source Security Tools for Big Data
Open Source Security Tools for Big Data
 
Red Team: Emulating Advanced Adversaries in Cyberspace
Red Team: Emulating Advanced Adversaries in CyberspaceRed Team: Emulating Advanced Adversaries in Cyberspace
Red Team: Emulating Advanced Adversaries in Cyberspace
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous Delivery
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous Delivery
 
[CONFidence 2016] Jakub Kałużny, Mateusz Olejarka - Big problems with big dat...
[CONFidence 2016] Jakub Kałużny, Mateusz Olejarka - Big problems with big dat...[CONFidence 2016] Jakub Kałużny, Mateusz Olejarka - Big problems with big dat...
[CONFidence 2016] Jakub Kałużny, Mateusz Olejarka - Big problems with big dat...
 
Pro Tips for Power Users – Palo Alto Networks Live Community and Fuel User Gr...
Pro Tips for Power Users – Palo Alto Networks Live Community and Fuel User Gr...Pro Tips for Power Users – Palo Alto Networks Live Community and Fuel User Gr...
Pro Tips for Power Users – Palo Alto Networks Live Community and Fuel User Gr...
 
Basic Malware Analysis
Basic Malware AnalysisBasic Malware Analysis
Basic Malware Analysis
 
Android application security testing
Android application security testingAndroid application security testing
Android application security testing
 

Recently uploaded

Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts servicesonalikaur4
 
The Intriguing World of CDR Analysis by Police: What You Need to Know.pdf
The Intriguing World of CDR Analysis by Police: What You Need to Know.pdfThe Intriguing World of CDR Analysis by Police: What You Need to Know.pdf
The Intriguing World of CDR Analysis by Police: What You Need to Know.pdfMilind Agarwal
 
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012rehmti665
 
Contact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New DelhiContact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New Delhimiss dipika
 
AlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsAlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsThierry TROUIN ☁
 
Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Paul Calvano
 
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一Fs
 
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
Complet Documnetation for Smart Assistant Application for Disabled Person
Complet Documnetation for Smart Assistant Application for Disabled PersonComplet Documnetation for Smart Assistant Application for Disabled Person
Complet Documnetation for Smart Assistant Application for Disabled Personfurqan222004
 
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作ys8omjxb
 
Magic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMagic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMartaLoveguard
 
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With RoomVIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Roomdivyansh0kumar0
 
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls KolkataLow Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja VipCall Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja VipCall Girls Lucknow
 
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Dana Luther
 
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一z xss
 
Denver Web Design brochure for public viewing
Denver Web Design brochure for public viewingDenver Web Design brochure for public viewing
Denver Web Design brochure for public viewingbigorange77
 

Recently uploaded (20)

Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
 
The Intriguing World of CDR Analysis by Police: What You Need to Know.pdf
The Intriguing World of CDR Analysis by Police: What You Need to Know.pdfThe Intriguing World of CDR Analysis by Police: What You Need to Know.pdf
The Intriguing World of CDR Analysis by Police: What You Need to Know.pdf
 
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
 
Contact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New DelhiContact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New Delhi
 
AlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsAlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with Flows
 
Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24
 
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
 
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
 
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
Complet Documnetation for Smart Assistant Application for Disabled Person
Complet Documnetation for Smart Assistant Application for Disabled PersonComplet Documnetation for Smart Assistant Application for Disabled Person
Complet Documnetation for Smart Assistant Application for Disabled Person
 
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
 
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
 
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Serviceyoung call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
 
Magic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMagic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptx
 
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With RoomVIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
 
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls KolkataLow Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja VipCall Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
 
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
 
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
 
Denver Web Design brochure for public viewing
Denver Web Design brochure for public viewingDenver Web Design brochure for public viewing
Denver Web Design brochure for public viewing
 

External to DA, the OS X Way

  • 1. External to DA, the OS X Way Operating in an OS X-heavy environment
  • 2. Contents  Introduction  Overview  Tradecraft Preparation  Challenges  The Agent  Phishing  Situational Awareness: Host Enumeration  Privilege Escalation  Persistence  Situational Awareness: Network and User Enumeration  Lateral Movement
  • 3. Introductions  Alex Rymdeko-Harvey is a previous US Army Solider that recently transitioned and currently works at the Adaptive Threat Division at Veris Group as a Penetration Tester and Red Teamer. Alex has a wide range of skills and experience from offensive and defensive operations taking place in today's security surface.  Steve Borosh is a long-time security enthusiast. Prior: U.S. Army Infantry Combat Veteran and private security contractor. Currently working as a Penetration Tester, Red Teamer and Instructor with Veris Group’s Adaptive Threat Division. Steve enjoys bug hunting, building useful security tools and teaching.
  • 4. Overview • Typical penetration tests cover Windows / Linux • Assessments become mundane • Client approaches with a large OS X user-base • Use common methodologies with new tools and techniques adapted for OS X • Utilize EmPyre, a Remote Access Trojan based of of the Empire framework
  • 5. Adversarial Use • WireLurker (Trojanized applications, Infects connected ios devices) • XcodeGhost (Infected xcode package in China) • Hacking Team (Remote Code Systems compromise platform) • OceanLotus (Flash Dropper, Download Mach-O binary) • KeRanger (Ransomware, Infected transmission package)
  • 6. The Scenario • A client requests an external penetration test against their corporate infrastructure. • Phishing with payloads may be conducted with email addresses harvested from publicly available sources. • 90% of users utilize OS X with several developers using Windows
  • 7. Scenario: Goals • Phish OS X users • Elevate local privileges • Move Laterally if needed • Gain control of the Active Directory domain
  • 8. Tradecraft Preparation • Planning and Preparation • Right tools for the job • Live off the land • pbpaste • screencapture • Native vs Non-Native • Methodology • Reconnaissance • Exploitation (gain access) • Sitiuational Awareness • Escalate Privileges • Establish Persistence • Lateral Movement Gain Access Situational Awareness Escalate Privileges Establish Persistence Lateral Movement
  • 9. Challenges  Limited information on operating in OS X environments  No open-sourced asynchronous Remote Access Trojan (RAT)  Lateral Spread  OS X/Linux  Windows  Less phishing payloads available  No OLE  Less executable types
  • 11. The Agent: EmPyre  Remote Access Trojan (RAT)  Python (core developed by @harmj0y) based on the Empire project  Asynchronous / C2  Secure Diffie-Hellman exchange communications  Post-Exploitation modules  OS X/Linux  Launcher detects Little Snitch
  • 12. The Agent: EmPyre  The Diffie Hellman implementation is from Mark Loiseau's project at https://github.com/lowazo/pyDHE, licensed under version 3.0 of the GNU General Public License.  The AES implementation is adapted from Richard Moore's project at https://github.com/ricmoo/pyaes, licensed under the MIT license.
  • 13. Phishing  Previous Tradecraft  Browser Exploits  Java Payloads  OLE Documents  Macro Payloads
  • 14. Phishing: Payload Generation  2015-7007 HTML Applescript launcher  OS X Microsoft Office Macro  Supports 2011  2016 = “Sandbox”
  • 16. Situational Awareness: Host  Previous Tradecraft  PowerShell  WMI  PowerUp  Cobalt Strike Beacon modules  Meterpreter modules  The core of knowing your land  How do we priv-esc?
  • 17. Situational Awareness: Host  Keylog  Keychain Dump  Clipboard Monitoring  Scrape Messages  Hash Dump  Browser Dump
  • 18. Situational Awareness: Keylogging  Elevated Context  Vital portion of our tradecraft  post exploitation
  • 19. Situational Awareness: Clipboard Monitoring  Non-Native method  Native pbpaste may be signatured by Carbon Black  Out to file
  • 20. Situational Awareness: Keychain Dump  Cleartext Keychain Dump  Versions Prior to OS X El Capitan Inspired / Adapted from Juuso: https://github.com/juuso /keychaindump
  • 21. Situational Awareness: Search Messages  Scrapes Message.app DB  iMessage, Jabber, Google Talk, Yahoo, AIM  Enumerate X messages  Account  Service  Number  message
  • 22. Situational Awareness: Hashdump  Local Hashes  Hashcat format ready!
  • 23. Situational Awareness: Browser Dump  Dump Chrome  Dump Safari  Specify length of output
  • 25. Persistence  Previous Tradecraft  Windows  Registry  Startup Folders  WMI  DLL Hijack  Net user /add  Linux  Crontab  adduser
  • 26. Persistence  Login Hooks  Login persistence  Crontab  Hourly persistence  LaunchDaemon  Reboot persistence  DyLib Hijacking  Application start persistence
  • 27. Persistence: Login Hook - User Context Persistence  Mac Login Hooks  Bash / Applescript execution  Accessible to all users  Uses “Defaults” tool  Sets com.apple.loginwindow LoginHook
  • 28. Persistence: Crontab  Set persistence by time  Requires file on disk
  • 29. Persistence: Launch Daemon  Requires Sudo  Spawns on reboot  Spawns on agent loss
  • 30. Persistence: Dylib Hijacking  Hijack Scanner Module  Based on @patrickwardle research
  • 32. Situational Awareness: Network  Previous Tradecraft  Arp  Nmap  Net Commands  EyeWitness  PowerView
  • 33. Situational Awareness: Network  Group Policy Preferences  Active Directory Queries  Port Scanning  Web Discovery
  • 34. Situational Awareness: Active Directory Modules  situational_awareness/network/active_directory/get_computers  situational_awareness/network/active_directory/get_domaincontrollers  situational_awareness/network/active_directory/get_fileservers  situational_awareness/network/active_directory/get_groupmembers  situational_awareness/network/active_directory/get_groupmemberships  situational_awareness/network/active_directory/get_groups  situational_awareness/network/active_directory/get_ous  situational_awareness/network/active_directory/get_userinformation  situational_awareness/network/active_directory/get_users
  • 35. Situational Awareness: GPP  Group Policy Preferences  Pulls “Encrypted” passwords from SYSVOL  MS14-025 https://raw.githubusercontent.com/leonteale/pentestpackage/master/Gpprefdecrypt.py
  • 36. Situational Awareness: Finding the Domain Controller
  • 37. Situational Awareness: LDAP Queries  Utilizes LDAP queries to pull objects such as computers, users, groups and more from Active Directory.
  • 38. Situational Awareness: Web Services  find_fruit module  Checks for possible vulnerable web applications  Tomcat  jboss  idrac  Apache Axis2  etc..
  • 39. Lateral Movement  Previous Tradecraft  Linux  SSH  Telnet  Exploitation  Windows  PSEXEC  WMI  Exploitation  RDP
  • 40. Lateral Movement  Windows  Pivot to “Empire”  Exploit Web Services
  • 41. Lateral Movement  Linux/OS X  SSH Commands  SSH Launcher
  • 42.
  • 43. Honorable Mention: REST API  EmPyre implements the same RESTful API specification as Empire  https://github.com/PowerShellEmpire/Empire/wiki/RESTful-API  External users/projects can fully control an EmPyre server in a predictable way REST requests  This opens the possibility for web front ends, Android apps, multi- player CLI UIs, and more
  • 44. What’s next  Socks Proxy  Community Modules  More Exploitation Modules  Merge with Empire Thanks to @harmj0y, @xorrior, @CptJesus for their contributions to this effort!

Editor's Notes

  1. Steve starts talking
  2. Introduce ourselves
  3. As a Penetration Tester or Red Teamer, the path to Domain Administrator in many environments may seem all too easy or “cookie cutter” these days. But what happens when you engage a high-security client with an OS X-heavy environment? Do you turn down the engagement or accept the challenge and up your game? This talk explores such a scenario and how testers can utilize various tools, techniques, and lessons-learned to successfully perform a complete assessment in an OS X domain-joined environment. We will cover a custom-built OS X/Linux agent and its associated tradecraft, from gaining initial access, to post-exploitation, lateral spread, persistence, and domain compromise.
  4. Keep in mind, methodologies stay the same for OS X, tradecraft may change. Explain such as “How do we gain access in OS X”? SSH/Phishing.
  5. Different operating systems present their own lateral spread challenges. (linux: no smb, wmi, powershell) (Windows: no ssh, OS X doesnt have net commands)
  6. Alex Start Familiar interface for Empire users.
  7. Currently ,we have two payloads for phishing.
  8. Talk about tradecraft as a whole, This is post exploitation enumeration
  9. Keychain Dump - No el Capitan YET
  10. Currently saves to target in an unencrypted format.
  11. Talk about how messages are stored unencrypted in a database
  12. Currently, only dumps history. Useful for hunting internal web services.
  13. Steve Starts
  14. Utilizes “ldapsearch” for AD enumeration
  15. In order to perform LDAP queries we’ll need to start off by finding the domain controller that we are going to bind our LDAP queries to. One quick solution is a single nslookup query.
  16. During most penetration tests, you may find yourself moving from host to host using common techniques such as PSEXEC, WMI or RDP. Operating in an OS X environment presents challenges as these methods may not be available.