macOS Red Teaming
Last updated
Last updated
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
JAMF Pro: jamf checkJSSConnection
Kandji
If you manage to compromise admin credentials to access the management platform, you can potentially compromise all the computers by distributing your malware in the machines.
For red teaming in MacOS environments it's highly recommended to have some understanding of how the MDMs work:
A MDM will have permission to install, query or remove profiles, install applications, create local admin accounts, set firmware password, change the FileVault key...
In order to run your own MDM you need to your CSR signed by a vendor which you could try to get with https://mdmcert.download/. And to run your own MDM for Apple devices you could use MicroMDM.
However, to install an application in an enrolled device, you still need it to be signed by a developer account... however, upon MDM enrolment the device adds the SSL cert of the MDM as a trusted CA, so you can now sign anything.
To enrol the device in a MDM you. need to install a mobileconfig
file as root, which could be delivered via a pkg file (you could compress it in zip and when downloaded from safari it will be decompressed).
Mythic agent Orthrus uses this technique.
JAMF can run custom scripts (scripts developed by the sysadmin), native payloads (local account creation, set EFI password, file/process monitoring...) and MDM (device configurations, device certificates...).
Go to a page such as https://<company-name>.jamfcloud.com/enroll/
to see if they have self-enrolment enabled. If they have it might ask for credentials to access.
You could use the script JamfSniper.py to perform a password spraying attack.
Moreover, after finding proper credentials you could be able to brute-force other usernames with the next form:
The jamf
binary contained the secret to open the keychain which at the time of the discovery was shared among everybody and it was: jk23ucnq91jfu9aj
.
Moreover, jamf persist as a LaunchDaemon in /Library/LaunchAgents/com.jamf.management.agent.plist
The JSS (Jamf Software Server) URL that jamf
will use is located in /Library/Preferences/com.jamfsoftware.jamf.plist
.
This file basically contains the URL:
So, an attacker could drop a malicious package (pkg
) that overwrites this file when installed setting the URL to a Mythic C2 listener from a Typhon agent to now be able to abuse JAMF as C2.
In order to impersonate the communication between a device and JMF you need:
The UUID of the device: ioreg -d2 -c IOPlatformExpertDevice | awk -F" '/IOPlatformUUID/{print $(NF-1)}'
The JAMF keychain from: /Library/Application\ Support/Jamf/JAMF.keychain
which contains the device certificate
With this information, create a VM with the stolen Hardware UUID and with SIP disabled, drop the JAMF keychain, hook the Jamf agent and steal its information.
You could also monitor the location /Library/Application Support/Jamf/tmp/
for the custom scripts admins might want to execute via Jamf as they are placed here, executed and removed. These scripts might contain credentials.
However, credentials might be passed tho these scripts as parameters, so you would need to monitor ps aux | grep -i jamf
(without even being root).
The script JamfExplorer.py can listen for new files being added and new process arguments.
And also about MacOS "special" network protocols:
In some occasions you will find that the MacOS computer is connected to an AD. In this scenario you should try to enumerate the active directory as you are use to it. Find some help in the following pages:
Some local MacOS tool that may also help you is dscl
:
Also there are some tools prepared for MacOS to automatically enumerate the AD and play with kerberos:
Machound: MacHound is an extension to the Bloodhound audting tool allowing collecting and ingesting of Active Directory relationships on MacOS hosts.
Bifrost: Bifrost is an Objective-C project designed to interact with the Heimdal krb5 APIs on macOS. The goal of the project is to enable better security testing around Kerberos on macOS devices using native APIs without requiring any other framework or packages on the target.
Orchard: JavaScript for Automation (JXA) tool to do Active Directory enumeration.
The three types of MacOS users are:
Local Users — Managed by the local OpenDirectory service, they aren’t connected in any way to the Active Directory.
Network Users — Volatile Active Directory users who require a connection to the DC server to authenticate.
Mobile Users — Active Directory users with a local backup for their credentials and files.
The local information about users and groups is stored in in the folder /var/db/dslocal/nodes/Default. For example, the info about user called mark is stored in /var/db/dslocal/nodes/Default/users/mark.plist and the info about the group admin is in /var/db/dslocal/nodes/Default/groups/admin.plist.
In addition to using the HasSession and AdminTo edges, MacHound adds three new edges to the Bloodhound database:
CanSSH - entity allowed to SSH to host
CanVNC - entity allowed to VNC to host
CanAE - entity allowed to execute AppleEvent scripts on host
More info in https://its-a-feature.github.io/posts/2018/01/Active-Directory-Discovery-with-a-Mac/
Get passwords using:
It's possible to access the Computer$
password inside the System keychain.
Get a TGT for an specific user and service:
Once the TGT is gathered, it's possible to inject it in the current session with:
With obtained service tickets it's possible to try to access shares in other computers:
The Keychain highly probably contains sensitive information that if accessed without generating a prompt could help to move forward a red team exercise:
MacOS Red Teaming is different from a regular Windows Red Teaming as usually MacOS is integrated with several external platforms directly. A common configuration of MacOS is to access to the computer using OneLogin synchronised credentials, and accessing several external services (like github, aws...) via OneLogin.
When a file is downloaded in Safari, if its a "safe" file, it will be automatically opened. So for example, if you download a zip, it will be automatically decompressed:
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)