Ricardo L0gan, profile picture
Uploaded byRicardo L0gan
175 views

Nullbyte 6ed. 2019

The document presents an overview of macOS security and hacking techniques, authored by Ricardo Logan, a security specialist with extensive experience. It details security features like System Integrity Protection (SIP), FileVault, and Gatekeeper, as well as common vulnerabilities and hacking methodologies targeting macOS. Additionally, it discusses various tools for exploiting and analyzing macOS systems, alongside references for further exploration in the field of macOS security research.

Embed presentation

macOS Hacking Tricks
$Whoami macOS Hacking Tricks ### Long live Open Source - Use Linux (Slackware) ### Ricardo L0gan Security Specialist with over 15 years of experience, malware research enthusiastic, pentest and reverse engineering. I’ve a solid knowledge on topics like network security, hardening and tuning across multiple platforms such as Windows, Linux, OS X and Cisco. Beginner in programming languages as Python, C and Assembly. In Brazil, I contribute with some security conferences organizations such as SlackShow Community, bSides SP and Hackers to Hackers Conference (H2HC).
Agenda 0x00 Motivation of Research 0x01 macOS Security Characteristics 0x02 Hacking macOS target 0x03 Hacking macOS target + Demo 0x04 macOS Tools 0x05 Reference 0x06 Conclusion macOS Hacking Tricks
Source: http://thehackernews.com/2015/02/vulnerable- operating-system.html macOS Hacking Tricks 0x00 Motivation of Research
macOS Hacking Tricks 0x00 Motivation of Research
macOS Hacking Tricks OSX/Cres centCore 2019 OSX/Linker 2019 LoundMiner 2019 OSX/MaMi 2018 Crossrider (OSX/Shalyer) 2018 Mshelper 2018 Mac Auto Fixer 2018 0x00 Motivation of Research
macOS Hacking Tricks  A modern Operating system (macOS fanBoy LOL) Unix based  Kernel XNU is based on micro-kernel of NeXTSTEP (Mach) and kernel of BSD (FreeBSD)  Lots of userland applications  Mac OS X has grown significantly in market share. 0x01 Security Characteristics
macOS Hacking Tricks SIP (System Integrity Protection) FileVault Xprotect Gatekeeper 0x01 Security Characteristics Secure Boot
macOS Hacking Tricks 0x01 Security Characteristics SIP Originally introduced with OS X El Capitan, System Integrity Protection, usually referred to as SIP, is a security feature built into the Mac operating system that's designed to protect most system locations, system processes, and Kernel extensions from being written to, modified, or replaced.
macOS Hacking Tricks 0x01 Security Characteristics XProtect Anti-virus product is internally referred to as XProtect. Implemented within the CoreServicesUIAgent.
macOS Hacking Tricks 0x01 Security Characteristics Filevault Apple implementation of encrypting your data on macOS and Mac hardware. It will encrypt all of your data on your startup disk (although you can also encrypt your Time Machine backups as well) and once enabled, it will encrypt your data on the fly and will work seamlessly in the background
macOS Hacking Tricks 0x01 Security Characteristics Gatekeeper Security feature of the macOS operating system by Apple. It enforces code signing and verifies downloaded applications before allowing them to run, thereby reducing the likelihood of inadvertently executing malware. $ sudo spctl –master-disable
macOS Hacking Tricks 0x01 Security Characteristics SecureBoot Process where the firmware validates the bootloader prior to loading. It is at the start of the chain of trust that ensures that code that gets run (drivers, kernel, applications) is known and validated
macOS Hacking Tricks Source: https://opensource.apple.com/source/xnu/ 0x01 Security Characteristics XNU
macOS Hacking Tricks 0x01 Security Characteristics Kext files are essentially drivers for macOS. "Kext" stands for Kernel Extension; kext files "extend" Mac OS X's kernel, the core part of the operating system, by providing additional code to be loaded when your computer boots.
macOS Hacking Tricks 0x01 Security Characteristics
macOS Hacking Tricks Keychain file stores secrets data like: Safari passwords, WIFI keys, Skype username/password, Google username/password (contact, Picasa), Exchange username/password 0x01 Security Characteristics
macOS Hacking Tricks 0x01 Security Characteristics
macOS Hacking Tricks 0x01 Security Characteristics PLIST file is a settings file, also known as a "properties file," used by macOS applications. It contains properties and configuration settings for various programs. PLIST files are formatted in XML and based on Apple's Core Foundation DTD. $ launchctl load arquivo.plist
macOS Hacking Tricks Obtain system user access From remote access:  By common “server side” vulnerabilities like SMB, SSH, WEB, ...  By “client side” vulnerabilities of Safari, iTunes, iChat, Quicktime, Skype, .. 0x02 Hacking macOS target
macOS Hacking Tricks Hashdump Python Script + Crack the Hash (Hashcat) 0x02 Hacking macOS target
macOS Hacking Tricks 0x02 Hacking macOS target Exploit-db
macOS Hacking Tricks Demos 01 Service: RAE (Remote Apple Events) Detail: AppleScript and Objects Port TCP/UDP 3031 = eppc 0x03 Hacking macOS target Demo
macOS Hacking Tricks Demo 02 XNU: copy-on-write behavior bypass via mount of user-owned filesystem Autor: Jann Horn (Google Project Zero) https://bugs.chromium.org/p/project- zero/issues/detail?id=1726&q= CVE-2019-6208 Corrigido = macOS Mojave 10.14.3 https://support.apple.com/pt-br/HT209446  buggycow.c  mod.c  pressure.c 0x03 Hacking macOS target Demo
macOS Hacking Tricks Demo 03 0x03 Hacking macOS target Demo Detail: OSASCRIPT (OSA Open Scripting Architecture Language Script) Reference: https://ss64.com/osx/osascript.html “local phishing” Bônus: How to Create a Fake PDF Trojan with AppleScript, Part 1 (Creating the Stager) https://null-byte.wonderhowto.com/how-to/hacking-macos-create-fake-pdf-trojan-with- applescript-part-1-creating-stager-0184692/ How to Create a Fake PDF Trojan with AppleScript, Part 2 (Disguising the Script) https://null-byte.wonderhowto.com/how-to/hacking-macos-create-fake-pdf-trojan-with- applescript-part-2-disguising-script-0184706/
macOS Hacking Tricks Lipo -> create or operate on universal files otool -> object file displaying tool like a objdump and ldd nm -> display name list (symbol table) codesign -> create and manipulate code signatures machOView -> visual Mach-O file browser class-dump -> utility for examining the Objective-C runtime information stored in Mach-O files. dtrace -> generic front-end to the DTrace facility fs_usage -> report system calls and page faults related to filesystem activity in real-time xattr -> display and manipulate extended attributes Xcode -> xcode is an (IDE) containing a suite of software development. hopper -> tool used for disassemble, and decompile your 32/64bits mach-o file. lldb -> debugger fseventer -> disk activity tool with a good graphical representation and solid filter tool. 0x04 macOS Tools
macOS Hacking Tricks launchctl-> Manage and Inspect daemons, agents and XPC Services (PLIST) sysctl -> get or set kernel state nettop -> Display updated information about the network lsmp -> list port used by process ndisasm -> The Netwide Disassembler, an 80x86 binary file disassembler spctl -> SecAssessment system policy security (Gatekeeper) dscl -> Directory Service command line utility csrutil -> Configure system security policies (SIP) open snoop -> snoop file opens as they occur. Uses DTrace. activity Monitor -> tool to help you keep your system in good shape. procoxp -> It's a simple tool like a top get information accessible by proc_info lsock -> based on PF_SYSTEM provider, you can get real time notifications of socket activity like TCPView from SysInternals. little Snitch -> network traffic monitoring and control. 0x04 macOS Tools
Hacking is a way of life 0x05 Reference Reference: Kernel Architecture Overview https://developer.apple.com/library/archive/documentation/Darwin/Conceptual/KernelP rogramming/Architecture/Architecture.html#//apple_ref/doc/uid/TP30000905-CH1g- TPXREF101 Apple Developer https://developer.apple.com/ macOS Kernel Debugging https://blog.quarkslab.com/an-overview-of-macos-kernel-debugging.html Building XNU for macOS https://kernelshaman.blogspot.com/2018/01/building-xnu-for-macos-high-sierra- 1013.html macOS Hacking Tricks
Thanks a Lot Any Questions ? 0x06 Conclusion ricardologanbr@gmail.com @l0ganbr http://www.slideshare.net/l0ganbr macOS Hacking Tricks

More Related Content

PDF
Strategies to design FUD malware
byPedro Tavares
 
PDF
Hunting Mac Malware with Memory Forensics
byAndrew Case
 
PPT
Linux Virus
byAkhil Kadangode
 
PDF
Fire & Ice: Making and Breaking macOS Firewalls
byPriyanka Aash
 
PPT
Optix Pro Bo2 K Trojan
byShinra
 
PDF
Presentation mac os x security
byreza jalaluddin
 
PDF
sf bay area dfir meetup (2016-04-30) - OsxCollector
byRishi Bhargava
 
PPTX
Automating malware analysis
byCysinfo Cyber Security Community
 
Strategies to design FUD malware
byPedro Tavares
 
Hunting Mac Malware with Memory Forensics
byAndrew Case
 
Linux Virus
byAkhil Kadangode
 
Fire & Ice: Making and Breaking macOS Firewalls
byPriyanka Aash
 
Optix Pro Bo2 K Trojan
byShinra
 
Presentation mac os x security
byreza jalaluddin
 
sf bay area dfir meetup (2016-04-30) - OsxCollector
byRishi Bhargava
 
Automating malware analysis
byCysinfo Cyber Security Community
 

What's hot

PPTX
Penetration Testing and Intrusion Detection System
byBikrant Gautam
 
PDF
Oleksyk applied-anti-forensics
byDefconRussia
 
PDF
Finfisher- Nguyễn Chấn Việt
bySecurity Bootcamp
 
PPTX
Basic malware analysis
bysecurityxploded
 
PPTX
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
byRootedCON
 
PDF
Hacking Exposed LIVE: Attacking in the Shadows
byPriyanka Aash
 
PDF
Ransomware for fun and non-profit
byYouness Zougar
 
PDF
Hta w22
bySelectedPresentations
 
PPT
Unix Security
byreplay21
 
PDF
The SElinux Notebook :the foundations - Vol 1
byEliel Prado
 
PDF
Hunting for Credentials Dumping in Windows Environment
byTeymur Kheirkhabarov
 
PDF
The day I ruled the world (RootedCON 2020)
byJavier Junquera
 
PDF
Fileless Malware Infections
byRamon
 
PDF
Bad transfer
byUltraUploader
 
PPTX
Windows forensic
byMD SAQUIB KHAN
 
PPTX
Ch0 1
byTylerDerdun
 
PDF
Penetrating Windows 8 with syringe utility
byIOSR Journals
 
PPTX
Advanced malware analysis training session4 anti-analysis techniques
byCysinfo Cyber Security Community
 
PPT
presentation
byPeter Oswald
 
PDF
Windows Registry Tips & Tricks
byRaghav Bisht
 
Penetration Testing and Intrusion Detection System
byBikrant Gautam
 
Oleksyk applied-anti-forensics
byDefconRussia
 
Finfisher- Nguyễn Chấn Việt
bySecurity Bootcamp
 
Basic malware analysis
bysecurityxploded
 
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
byRootedCON
 
Hacking Exposed LIVE: Attacking in the Shadows
byPriyanka Aash
 
Ransomware for fun and non-profit
byYouness Zougar
 
Hta w22
bySelectedPresentations
 
Unix Security
byreplay21
 
The SElinux Notebook :the foundations - Vol 1
byEliel Prado
 
Hunting for Credentials Dumping in Windows Environment
byTeymur Kheirkhabarov
 
The day I ruled the world (RootedCON 2020)
byJavier Junquera
 
Fileless Malware Infections
byRamon
 
Bad transfer
byUltraUploader
 
Windows forensic
byMD SAQUIB KHAN
 
Ch0 1
byTylerDerdun
 
Penetrating Windows 8 with syringe utility
byIOSR Journals
 
Advanced malware analysis training session4 anti-analysis techniques
byCysinfo Cyber Security Community
 
presentation
byPeter Oswald
 
Windows Registry Tips & Tricks
byRaghav Bisht
 

Similar to Nullbyte 6ed. 2019

PDF
MacOS forensics and anti-forensics (DC Lviv 2019) presentation
byOlehLevytskyi1
 
DOC
hier
bybutest
 
PDF
Exploiting Directory Permissions on macOS
byCsaba Fitzl
 
PDF
OWASP: iOS Spelunking
byMikhail Sosonkin
 
PDF
Virus Bulletin 2016: A Malicious OS X Cocktail Served from a Tainted Bottle
byPeter Kálnai
 
PDF
Kalnai_Jirkal-vb-2016-malicious-osx-cocktail
byMartin Jirkal
 
PDF
macOS Vulnerabilities Hiding in Plain Sight
byCsaba Fitzl
 
PDF
NYU Hacknight: iOS and OSX ABI
byMikhail Sosonkin
 
PDF
Macdoored
byShakacon
 
PDF
The Mouse is mightier than the sword
byPriyanka Aash
 
PPTX
Mac os administration
bySayed Ahmed
 
PDF
Meder Kydyraliev - Mining Mach Services within OS X Sandbox
byDefconRussia
 
PDF
DEF CON 27 - PATRICK WARDLE - harnessing weapons of Mac destruction
byFelipe Prado
 
PDF
Mitigating Exploits Using Apple's Endpoint Security
byCsaba Fitzl
 
PPTX
Mac OSX - Presentation for NEWLUG - Nov. 2010
byNEWLUG
 
PDF
Attacking the macOS Kernel Graphics Driver
byPriyanka Aash
 
PDF
Black Hat '15: Writing Bad @$$ Malware for OS X
bySynack
 
PDF
ICE Snow Leopard
byTiago Rosado
 
PDF
0-Day Up Your Sleeve - Attacking macOS Environments
bySecuRing
 
PDF
Building an EmPyre with Python
byWill Schroeder
 
MacOS forensics and anti-forensics (DC Lviv 2019) presentation
byOlehLevytskyi1
 
hier
bybutest
 
Exploiting Directory Permissions on macOS
byCsaba Fitzl
 
OWASP: iOS Spelunking
byMikhail Sosonkin
 
Virus Bulletin 2016: A Malicious OS X Cocktail Served from a Tainted Bottle
byPeter Kálnai
 
Kalnai_Jirkal-vb-2016-malicious-osx-cocktail
byMartin Jirkal
 
macOS Vulnerabilities Hiding in Plain Sight
byCsaba Fitzl
 
NYU Hacknight: iOS and OSX ABI
byMikhail Sosonkin
 
Macdoored
byShakacon
 
The Mouse is mightier than the sword
byPriyanka Aash
 
Mac os administration
bySayed Ahmed
 
Meder Kydyraliev - Mining Mach Services within OS X Sandbox
byDefconRussia
 
DEF CON 27 - PATRICK WARDLE - harnessing weapons of Mac destruction
byFelipe Prado
 
Mitigating Exploits Using Apple's Endpoint Security
byCsaba Fitzl
 
Mac OSX - Presentation for NEWLUG - Nov. 2010
byNEWLUG
 
Attacking the macOS Kernel Graphics Driver
byPriyanka Aash
 
Black Hat '15: Writing Bad @$$ Malware for OS X
bySynack
 
ICE Snow Leopard
byTiago Rosado
 
0-Day Up Your Sleeve - Attacking macOS Environments
bySecuRing
 
Building an EmPyre with Python
byWill Schroeder
 

More from Ricardo L0gan

PPTX
H2HC - R3MF
byRicardo L0gan
 
PPTX
Andsec Reversing on Mach-o File
byRicardo L0gan
 
PPTX
Roadsec 2016 Mach-o A New Threat
byRicardo L0gan
 
PPTX
Bsides SP 2015 - Mach-O - A New Threat
byRicardo L0gan
 
ODP
Latinoware 2015 Mach-O
byRicardo L0gan
 
PPTX
Bhack 2015 - mach-o Uma Nova Ameaça
byRicardo L0gan
 
PDF
Desofuscando um webshell em php h2hc Ed.9
byRicardo L0gan
 
H2HC - R3MF
byRicardo L0gan
 
Andsec Reversing on Mach-o File
byRicardo L0gan
 
Roadsec 2016 Mach-o A New Threat
byRicardo L0gan
 
Bsides SP 2015 - Mach-O - A New Threat
byRicardo L0gan
 
Latinoware 2015 Mach-O
byRicardo L0gan
 
Bhack 2015 - mach-o Uma Nova Ameaça
byRicardo L0gan
 
Desofuscando um webshell em php h2hc Ed.9
byRicardo L0gan
 

Recently uploaded

PDF
Agent to agent service discovery using HashiCorp Consul and Vault
byBram Vogelaar
 
PDF
shayk.online - Anonymous chat with Sinatra and WebSockets
byEleanor McHugh
 
PDF
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 
PDF
Odoo Implementation Checklist: A Strategic ERP Blueprint for Business-Ready D...
byBANIBRO IT SOLUTION
 
PDF
Effortless Distributed Systems with Aspire.pdf
byParticular Software
 
PDF
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 
PPTX
Microsoft Azure News - February 2026 - BAUG
byDaniel Toomey
 
PPTX
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
PDF
UiPath Automation Developer Associate Training Series 2026 - Session 3
byDianaGray10
 
PPTX
Introducing VisualSim 2610 The Next Leap in System Level Modeling
byDeepak Shankar
 
PDF
apidays New York 2025 | AI in Application Security
byapidays
 
PDF
NTG -Company Profile_Software_Vendor_Company_in_MENA
byMustafa Kuğu
 
PDF
GTM-and-Sales-Plan for a cyber security product
byAshish Jangir
 
PPTX
Tech Trends 2026: AI Agents, Quantum Computing, Robotics & Cybersecurity
byridwansassman
 
PPTX
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
 
PDF
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
 
PDF
Spec-Driven Development with Kiro: Elevating Software Quality, Traceability, ...
byHaim Michael
 
PPTX
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
PDF
GDG Cloud Southlake #49: Pradeep R Kumar: Implications of Agentic AI for Iden...
byJames Anderson
 
PPTX
CTO Strategy OS 2026: The Tech, AI & Cloud Playbook Boards Want
byridwansassman
 
Agent to agent service discovery using HashiCorp Consul and Vault
byBram Vogelaar
 
shayk.online - Anonymous chat with Sinatra and WebSockets
byEleanor McHugh
 
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 
Odoo Implementation Checklist: A Strategic ERP Blueprint for Business-Ready D...
byBANIBRO IT SOLUTION
 
Effortless Distributed Systems with Aspire.pdf
byParticular Software
 
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 
Microsoft Azure News - February 2026 - BAUG
byDaniel Toomey
 
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
UiPath Automation Developer Associate Training Series 2026 - Session 3
byDianaGray10
 
Introducing VisualSim 2610 The Next Leap in System Level Modeling
byDeepak Shankar
 
apidays New York 2025 | AI in Application Security
byapidays
 
NTG -Company Profile_Software_Vendor_Company_in_MENA
byMustafa Kuğu
 
GTM-and-Sales-Plan for a cyber security product
byAshish Jangir
 
Tech Trends 2026: AI Agents, Quantum Computing, Robotics & Cybersecurity
byridwansassman
 
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
 
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
 
Spec-Driven Development with Kiro: Elevating Software Quality, Traceability, ...
byHaim Michael
 
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
GDG Cloud Southlake #49: Pradeep R Kumar: Implications of Agentic AI for Iden...
byJames Anderson
 
CTO Strategy OS 2026: The Tech, AI & Cloud Playbook Boards Want
byridwansassman
 

Nullbyte 6ed. 2019

  • 1.
  • 2.
    $Whoami macOS Hacking Tricks ###Long live Open Source - Use Linux (Slackware) ### Ricardo L0gan Security Specialist with over 15 years of experience, malware research enthusiastic, pentest and reverse engineering. I’ve a solid knowledge on topics like network security, hardening and tuning across multiple platforms such as Windows, Linux, OS X and Cisco. Beginner in programming languages as Python, C and Assembly. In Brazil, I contribute with some security conferences organizations such as SlackShow Community, bSides SP and Hackers to Hackers Conference (H2HC).
  • 3.
    Agenda 0x00 Motivation ofResearch 0x01 macOS Security Characteristics 0x02 Hacking macOS target 0x03 Hacking macOS target + Demo 0x04 macOS Tools 0x05 Reference 0x06 Conclusion macOS Hacking Tricks
  • 4.
  • 5.
    macOS Hacking Tricks 0x00Motivation of Research
  • 6.
  • 7.
    macOS Hacking Tricks A modern Operating system (macOS fanBoy LOL) Unix based  Kernel XNU is based on micro-kernel of NeXTSTEP (Mach) and kernel of BSD (FreeBSD)  Lots of userland applications  Mac OS X has grown significantly in market share. 0x01 Security Characteristics
  • 8.
    macOS Hacking Tricks SIP(System Integrity Protection) FileVault Xprotect Gatekeeper 0x01 Security Characteristics Secure Boot
  • 9.
    macOS Hacking Tricks 0x01Security Characteristics SIP Originally introduced with OS X El Capitan, System Integrity Protection, usually referred to as SIP, is a security feature built into the Mac operating system that's designed to protect most system locations, system processes, and Kernel extensions from being written to, modified, or replaced.
  • 10.
    macOS Hacking Tricks 0x01Security Characteristics XProtect Anti-virus product is internally referred to as XProtect. Implemented within the CoreServicesUIAgent.
  • 11.
    macOS Hacking Tricks 0x01Security Characteristics Filevault Apple implementation of encrypting your data on macOS and Mac hardware. It will encrypt all of your data on your startup disk (although you can also encrypt your Time Machine backups as well) and once enabled, it will encrypt your data on the fly and will work seamlessly in the background
  • 12.
    macOS Hacking Tricks 0x01Security Characteristics Gatekeeper Security feature of the macOS operating system by Apple. It enforces code signing and verifies downloaded applications before allowing them to run, thereby reducing the likelihood of inadvertently executing malware. $ sudo spctl –master-disable
  • 13.
    macOS Hacking Tricks 0x01Security Characteristics SecureBoot Process where the firmware validates the bootloader prior to loading. It is at the start of the chain of trust that ensures that code that gets run (drivers, kernel, applications) is known and validated
  • 14.
    macOS Hacking Tricks Source:https://opensource.apple.com/source/xnu/ 0x01 Security Characteristics XNU
  • 15.
    macOS Hacking Tricks 0x01Security Characteristics Kext files are essentially drivers for macOS. "Kext" stands for Kernel Extension; kext files "extend" Mac OS X's kernel, the core part of the operating system, by providing additional code to be loaded when your computer boots.
  • 16.
    macOS Hacking Tricks 0x01Security Characteristics
  • 17.
    macOS Hacking Tricks Keychainfile stores secrets data like: Safari passwords, WIFI keys, Skype username/password, Google username/password (contact, Picasa), Exchange username/password 0x01 Security Characteristics
  • 18.
    macOS Hacking Tricks 0x01Security Characteristics
  • 19.
    macOS Hacking Tricks 0x01Security Characteristics PLIST file is a settings file, also known as a "properties file," used by macOS applications. It contains properties and configuration settings for various programs. PLIST files are formatted in XML and based on Apple's Core Foundation DTD. $ launchctl load arquivo.plist
  • 20.
    macOS Hacking Tricks Obtainsystem user access From remote access:  By common “server side” vulnerabilities like SMB, SSH, WEB, ...  By “client side” vulnerabilities of Safari, iTunes, iChat, Quicktime, Skype, .. 0x02 Hacking macOS target
  • 21.
    macOS Hacking Tricks HashdumpPython Script + Crack the Hash (Hashcat) 0x02 Hacking macOS target
  • 22.
    macOS Hacking Tricks 0x02Hacking macOS target Exploit-db
  • 23.
    macOS Hacking Tricks Demos01 Service: RAE (Remote Apple Events) Detail: AppleScript and Objects Port TCP/UDP 3031 = eppc 0x03 Hacking macOS target Demo
  • 24.
    macOS Hacking Tricks Demo02 XNU: copy-on-write behavior bypass via mount of user-owned filesystem Autor: Jann Horn (Google Project Zero) https://bugs.chromium.org/p/project- zero/issues/detail?id=1726&q= CVE-2019-6208 Corrigido = macOS Mojave 10.14.3 https://support.apple.com/pt-br/HT209446  buggycow.c  mod.c  pressure.c 0x03 Hacking macOS target Demo
  • 25.
    macOS Hacking Tricks Demo03 0x03 Hacking macOS target Demo Detail: OSASCRIPT (OSA Open Scripting Architecture Language Script) Reference: https://ss64.com/osx/osascript.html “local phishing” Bônus: How to Create a Fake PDF Trojan with AppleScript, Part 1 (Creating the Stager) https://null-byte.wonderhowto.com/how-to/hacking-macos-create-fake-pdf-trojan-with- applescript-part-1-creating-stager-0184692/ How to Create a Fake PDF Trojan with AppleScript, Part 2 (Disguising the Script) https://null-byte.wonderhowto.com/how-to/hacking-macos-create-fake-pdf-trojan-with- applescript-part-2-disguising-script-0184706/
  • 26.
    macOS Hacking Tricks Lipo-> create or operate on universal files otool -> object file displaying tool like a objdump and ldd nm -> display name list (symbol table) codesign -> create and manipulate code signatures machOView -> visual Mach-O file browser class-dump -> utility for examining the Objective-C runtime information stored in Mach-O files. dtrace -> generic front-end to the DTrace facility fs_usage -> report system calls and page faults related to filesystem activity in real-time xattr -> display and manipulate extended attributes Xcode -> xcode is an (IDE) containing a suite of software development. hopper -> tool used for disassemble, and decompile your 32/64bits mach-o file. lldb -> debugger fseventer -> disk activity tool with a good graphical representation and solid filter tool. 0x04 macOS Tools
  • 27.
    macOS Hacking Tricks launchctl->Manage and Inspect daemons, agents and XPC Services (PLIST) sysctl -> get or set kernel state nettop -> Display updated information about the network lsmp -> list port used by process ndisasm -> The Netwide Disassembler, an 80x86 binary file disassembler spctl -> SecAssessment system policy security (Gatekeeper) dscl -> Directory Service command line utility csrutil -> Configure system security policies (SIP) open snoop -> snoop file opens as they occur. Uses DTrace. activity Monitor -> tool to help you keep your system in good shape. procoxp -> It's a simple tool like a top get information accessible by proc_info lsock -> based on PF_SYSTEM provider, you can get real time notifications of socket activity like TCPView from SysInternals. little Snitch -> network traffic monitoring and control. 0x04 macOS Tools
  • 28.
    Hacking is away of life 0x05 Reference Reference: Kernel Architecture Overview https://developer.apple.com/library/archive/documentation/Darwin/Conceptual/KernelP rogramming/Architecture/Architecture.html#//apple_ref/doc/uid/TP30000905-CH1g- TPXREF101 Apple Developer https://developer.apple.com/ macOS Kernel Debugging https://blog.quarkslab.com/an-overview-of-macos-kernel-debugging.html Building XNU for macOS https://kernelshaman.blogspot.com/2018/01/building-xnu-for-macos-high-sierra- 1013.html macOS Hacking Tricks
  • 29.
    Thanks a Lot AnyQuestions ? 0x06 Conclusion ricardologanbr@gmail.com @l0ganbr http://www.slideshare.net/l0ganbr macOS Hacking Tricks

Editor's Notes

  • #5 Com todas informações disponibilizadas nos slides anteriores concluímos que o OS X realmente pode ser um plataforma muito explorada. Tanto por malwares quanto para exploração de vulnerabilidades. Mencionar Empresa Hacker Team que tinha ferramentas de interceptação que rodava ate em OSX https://github.com/RookLabs/milano OS X 10.10 DYLD_PRINT_TO_FILE Local Privilege Escalation Vulnerability https://www.sektioneins.de/en/blog/15-07-07-dyld_print_to_file_lpe.html Autor: Stefan Esser
  • #6 Com todas informações disponibilizadas nos slides anteriores concluímos que o OS X realmente pode ser um plataforma muito explorada. Tanto por malwares quanto para exploração de vulnerabilidades. Mencionar Empresa Hacker Team que tinha ferramentas de interceptação que rodava ate em OSX https://github.com/RookLabs/milano OS X 10.10 DYLD_PRINT_TO_FILE Local Privilege Escalation Vulnerability https://www.sektioneins.de/en/blog/15-07-07-dyld_print_to_file_lpe.html Autor: Stefan Esser
  • #18 Lembre-se que por default a senha do keychain e a mesma utilizada pelo usuário de sistema com isso você poderia ter acesso a todas as senhas contidas nele.
  • #20 Converter um arquivo plist em XML Formatado - plutil -convert xml1 Info.plist
  • #25 A Falha consiste em o kernel XNU usar a syscall mmap. A mmap_shared está sendo utilizada sem controle de alocação de memória poderia ser utilizada mmap_private e ou mmap_anon.