Apple's macOS operating system is as vulnerable to attacks as any Windows 10 computer or Android smartphone. Hackers can embed backdoors, avoid easy-to-use antivirus, and utilize USB memory to compromise completely with a MacBook. In this always-updated guide, we describe dozens of macOS-specific attacks that penetration testers should know about.
How do I hook up a MacBook?
When considering this issue, it's good to consider our proximity to the target Mac device. Our distance from the target unit varies and we get access to difficulties in the further distances we are. Whether we have physical access, share a Wi-Fi network with the device or have enough information to distance a social engineer that a user opens a backward program, determine how much effort an attacker needs to do to get a remote shell. [1
We start by talking about different types of attack vectors and payloads that can be created for macOS. Thereafter, physical and USB flash-driven attacks are discussed, followed by network-based attacks, and how macOS targets can be compromised from anywhere in the world. Finally, we look at exploits and major vulnerabilities that the OS has suffered in recent years to give readers and bug bounty hunters an idea of where the operating system's most alarming issues have been discovered.
Jump to section: Individual commands | Physical access | Trojanized AppleScripts | USB drops | Network Based | Remote intervention | Notifications after exploitation | Privilege Escalation | Zero-Days & Exploits | Protect yourself
Hack macOS with a single command
Before we enter the execution pay and social engineering goals, let's first look at some commands that can be used to compromise the operating system.
Like PowerShell in Windows 10, hackers abuse programming languages that come preinstalled in macOS. Many of these languages are powerful and enable complex interactions with frameworks like EvilOSX, Empire, Bella and Metasploit. In all of my tests, none of the selected macOS or antivirus programs were detected like Avast and AVG.
The use of these built-in commands has been described in the following articles.
first A Python Command to Replace Antivirus
A Python payload is hosted on a remote server and finally driven to the MacBook's goal with a USB Rubber Ducky. It will take some suaveness to get the USB Rubber Ducky to the Mac, but the rest is a cake.
2nd A Ruby Command to Replace Antivirus
For this hack, a Ruby payload is embedded in an AppleScript and designed to look like a regular PDF file. The fake PDF is then shared with the intended goal, which opens it and gives us the profit.
The lesser known, but very powerful Tcl command is used to avoid antivirus and backdoor on a MacBook with just a few characters. The great thing about this attack is that it can handle sudden backdoor shutdowns.
By default, macOS is very vulnerable to physical compromises. User Mode Attacks allow an attacker to change any file or directory – without password or goal knowledge. Although the hard drive is encrypted with FileVault, it can be circumvented using brute force attacks. These methods have been dealt with in the following articles.
4th Use Reset Mode to Extract and Break-Force Hash
Recovery Mode is used to extract a login hash and later brute-forced with Hashcat to reveal the password in plain text. The attacker could use a USB flash drive with another Mac computer to do the hard work or could simply create a temporary user on target Mac instead.
5th Use single user mode to configure a backdoor
Single-use mode is used to embed a Netcat listener in the target device and execute using cron at set intervals. This method is most effective where the target device allows incoming connections and shares a Wi-Fi network with the attacker.
Improved according to the above article, this method completely prevents the target firewall and allows the attacker to control the MacBook when it moves between different Wi-Fi networks.
Some targets may have encrypted the hard drive with FileVault. While this prevents MacBook from compromising in a few seconds, it is not completely bullet-proof. It is possible to automate a password guessing attack against FileVault using the selected software and the Bash script.
Now, let's talk about embedding one-line uploads to AppleScripts.
AppleScript, currently included in all versions of macOS, is a scripting language that allows users to directly manage MacOS applications, as well as parts of MacOS itself. Each AppleScript application has an embedded drive. This makes AppleScript applications easy to one of macOS most formidable attack vectors.
Normally, AppleScripts allows users to create harmless scripts to automate repetitive tasks, combine features from multiple legitimate applications, and create complex workflows. But they can be abused by hackers to take control of a target operating system.
An introduction that covers creating an Empire stunt designed for AppleScript trojans. The stakes are later embedded in AppleScript. After you prepare a stager (or payload), the file extension and icon are spoofed to make .app look like a real PDF.
Apple Drop is used to circumvent the limitations of Mojave's new security features by social technology aiming for a legitimate application requiring administrative privileges.
It may be It's not always possible to physically backdoor a MacBook. The second easiest way to compromise a goal is that social technology allows them to open trojan AppleScripts. This can be accomplished by performing USB drop attacks, which macOS is highly susceptible.
Experiments have taken place, which shows that almost 50% of people who find crooked USB flash drives put them in their computer. This makes USB drop attacks an effective method of getting a shell without touching the MacBook's dimensions.
Shop USB Flash Drives on Amazon | Best Buy | Walmart
The USB flash drive containing AppleScript should be strategically located somewhere. The intended goal will undoubtedly find it. This can be somewhere in their workplace, around the home or by sliding into the bag or backpack if it is possible to approach.
USB drop attacks are covered in the following articles.
10th Use a self-destructive payload to Hack Mojave
Mojave's unsafe USB file permission allows to run all types of files or applications – all around GateKeeper protection. This is utilized using an AppleScript disguised to look like a typical text file.
eleventh Spread Trojans and Pivots to Other Macs
Files found on a target's USB flash drive are changed and trojanized in an attempt to remotely transfer from one Mac to another.
While this article is not focused on macOS and focuses on capturing the target Wi-Fi password, social technology aspect can be applied to a MacBook -user. Using a greeting card to trick a goal to insert an SD card or USB memory into your computer can be used in many different scenarios with many different goals.
MacOS isn & # 39; t immune to man-in-middle (MitM) or network-based attacks. Web traffic transfers between the MacBook and the router just like any other internet connected device. This traffic is easily manipulated and can be used to inject encryption scanners into target web browsers in real time.
Man-in-middle attacks have been dealt with in the following articles.
Images in the target browser are manipulated in fun and obscene ways, using a man-in-center framework.
Packages are captured and analyzed without connecting to the Wi-Fi network. Like Windows 10 and smartphones, MacOS devices are affected and vulnerable to such attacks.
Hacking the MacBook in different parts of the world is a bit more involved than other methods mentioned in this article. GateKeeper, a security feature in macOS, is designed to keep sharp AppleScripts from running in the operating system (shown below).
To protect users from malware, a developer ID is required to sign programs and get "trust" for macOS for apps to run. Unfortunately, anyone with a credit card can acquire a development ID and even share their malicious application with Apple's App Store.
App Store compromises made the first headlines of 2015 when many apps were detected ex filtering user data to an attacker's server. And again later, apps from App Store were removed to steal user data. And these are just the program shifts that have been discovered or revealed by independent security researchers. The actual extent of this vulnerability is unknown. For all we know, Apple removes shady apps every day without informing the public.
It's really not impossible or very difficult to compromise with macOS goals in different states or countries. It's a matter of being motivated enough to join Apple's developer ID software and simply pay for a certificate. In future posts, I can cover this topic in more detail and update this section of the article.
Installations by Attacks
Commands and Attacks Executed After Remote Access has been created, classified as Mail Utility Attacks. These attacks include situational awareness, data extrusion, secret desktop flow, microphone interception, privilege escalation, and data dumping to name a few. I have covered many reuse items as described below.
A two-piece article that shows machine and software billing, ARP cache dumping, location of sensitive files, and identification of connected storage media. After establishing a remote shell, it is important for an attacker to develop an understanding of their physical and networking business.
Netcat is used to increase the functionality of the attacker's primitive backdoor to a fully-equipped framework after exploitation.
Screenshots of the target desktop are taken quite carefully to passively observe behavioral activity. Such information can be used to further compromise the target and is usually abused by blackhats for extortion that has caught embarrassing or compromising conversations and photos.
The concept of observing behavioral activity to the next level flows the entire MacBook to the attacker's computer and is viewed in real time. This allows an attacker to see the target is every mouse click and keystroke without detection.
MacBooks microphone is used to record conversations in the surrounding area and streamed to the attacker's real-time analysis system.
A two-piece article that shows how to easily and easily collect and exfilter a MacBooks unencrypted web traffic using a combination of tools like Netcat, Empire, Tcpdump, Tshark and Wireshark.
The passwords stored in Firefox are dumped using a low privileged backdoor with just a few commands. Knowing the goal's latest password, targeted glossary attacks are possible and the macOS login password can be brutally enforced.
It may be desirable to raise remote permissions to modify sensitive files and directories. Root privileges allow an attacker to execute commands with almost no security restrictions. There are several common methods for escalating to root privileges, see below.
Files owned by a root user are detected to have overridden attributes and are exploited by an attacker by embedding a back door. Alternatively, an Empire Stager is used to enable a reference dial dialog and to trick the target to reveal its login password.
Hacking macOS does not end with the simple attacks outlined in this article. There are very sophisticated macOS vulnerabilities and exploitations currently used in nature.
The term " nolldag" refers to code used by hackers to silently exploit unavoidable vulnerabilities unknown to the software developer. MacOS has had its share of zero days and created news headlines in recent years.
For example, in 2017 Patrick Wardle disclosed a vulnerability that allows unauthorized applications to dumps and exfiles a user key ring with password in plain text. In September 2018, Patrick disclosed a vulnerability that called virtual mouse clicks without user giving, allowing an attacker to bypass any MacOS security feature that involved manual interaction with a messaging dialog. Again, just one month later, Patrick revealed a vulnerability that completely exceeds Mojave's latest security features.
The three vulnerabilities discussed only revealed by just one individual. It's not unreasonable to believe that a team of dedicated hackers can find similar challenges that have not yet been published.
New days are in extremely high demand these days. Not by blackhats, but by cybersecurity companies and professionals. At the time of this writing, sites like Zerodium will pay up to $ 80,000 USD for a MacOS or Safari exploit (as shown below). Other bug bounty programs offer millions of dollars for a single anniversary.
And it does not end there. Vulnerabilities and application-specific exploits that do not create news headlines have appeared on Exploit Database at least once a month in recent years. There were nearly 40 vulnerabilities reported in 2017, including local escalation, memory information, and random execution of file execution.
How to Protect MacOS Attacks
There are certainly many ways to compromise with a macOS device. Below are some things that readers can do to identify and prevent such activity from happening to them.
- Do not use strange USB flash drives . If you have stumbled on a USB flash drive that does not belong to you, do not use it. This is perhaps the best advice we can give. A well-placed USB memory can be the result of a well thought-out social attack against you or your employer. No matter how the USB flash drive is detected or what files appear to be on it – do not insert it into your MacBook.
- Enable password protection for firmware . To prevent the attacker from starting up in a live USB device, user mode or recovery mode, set a password for firmware. Firmware software will only require additional password at startup if someone tries to boot the MacBook in single user, boot manager, target disk or recovery methods. However, a firmware password does not protect the hard drive if the disc is physically removed from the MacBook.
- Enable FileVault Encryption . FileVault can be enabled by navigating to "System Preferences" and then "Security and Privacy" and clicking "Turn on FileVault" (you may need to unlock settings first). When done, MacBook restarts and requires a password to unlock the computer every time Mac starts. No account will be allowed to log in automatically, and access to single user mode also requires a password. This is the best way to prevent attacks on the encrypted disk even if it is physically removed from your laptop. A complex passphrase of over 21 characters is recommended to protect against attacks with dedicated hard-wired hardware.
- Do not double-click on files . It is always best to explicitly choose which application to use when opening files. Right-click the desired file and manually select an application from the "Open With" menu. You will find that AppleScript applications do not have an "Open with" option in the shortcut menu. This is because they are actually directories and can not be opened with applications like TextEdit.
- View All File Name Extensions . The Unicode trick used to spy file extensions only works if "Show All File Name Extensions" is disabled, which is by default. Activate this setting by navigating to "Finder" in the menu bar, then "Settings" and check the option under the "Advanced" tab. . The file extension will be forced and can not be spoofed.
- List files on the USB flash drive . When in doubt, use Terminal to list ( ls ) files on the USB flash drive. File extensions can not under any circumstances be spoofed here. Use this command with -l to print the contents of the USB flash drive in a list format and -a to display all files on the USB flash drive, including hidden files.
ls -la / volymer / USB-NAME-HERE / drwxrwxrwx @ 1 tokyoneon staff 16384 Sep 28 11:01. drwxr-xr-x @ 4 rothjul 128 Sep 28 03:52 .. drwxrwxrwx @ 1 tokyoneon staff 16384 Sep 28 05:03 evil.txṫ.app -rwxrwxrwx 1 tokyoneon personal 3566129 sep 28 02:40 real.txt -rwxrwxrwx 1 tokyoneon personal 1938446 sep 28 02:41 .hiddenfile.txt
- Check for suspicious files . Start demons and directories used by macOS include / Library / LaunchDaemons, / Library / LaunchAgents, and / Users /
/ Library / LaunchAgents. Files in these directories can be inspected by opening Terminal, with commands cd and ls to switch to the desired directory and display the contents. The launchctl command can be used to disable any suspicious demons and remove with the rm command.
- Use Private Browser Mode . Dumpzilla can do a lot more than just extracting passwords from Firefox. It is safer to use the private browser mode 100% of the time. Although it may be inconvenient and surfing the Internet painfully, it is actually quite dangerous to transfer as much data to browsers. Browser data dumps that contain dozens of e-mail addresses and passwords are shared freely in black hack hack mice. If hackers do not sell your data, they become chaos on your accounts for fun because it has no financial value for them.
- Use a master password . If you save passwords in Firefox is a convenience you are not willing to give up, use a strong master password. This will provide a moderate barrier to hackers and can prevent them from learning all your passwords.
- Use a correct password manager . Password managers offer improved password-protected protection. Hackers can still extrile and perform violent attacks against password manager's database, but with a strong and unique password, the attacker must spend weeks (or months) trying to crack the encrypted database.
That's it for the moment. We continue to update this roundup when we detect new macOS attack vectors. And until next time follow me on Twitter @ tokyoneon_ . And make sure to leave a comment below if you have questions!
Do not Miss: Using a Mac as Your Primary Hack Computer