How to Perform Situational Awareness Attacks, Part 2 (Finding Files, History & USB Devices) «Null Byte :: WonderHowTo



It is important to know who you are dealing with after hacking your target's MacBook. While remote access is easy, capturing information about the user and their system can be a challenge.

With our situational awareness attacks, we continue to orient ourselves on a compromised Mac and deepen our knowledge of the target's behavior and activity. We can do this using tools built into macOS (formerly Mac OS X).

These tools allow us to loot the target's terminal history for previously executed commands, find recently modified files that may hold sensitive information, and identify hard drives and USB drives that could be used for pivoting attacks. Equipped with this information, we can build a profile of the target's activities and continue to exploit them and their network.

1. Find Interesting Files and Directories

When issuing commands from a remote backdoor, we don't have the convenience of Spotlight and Finder. But there are other ways to get the information we want.

find is an incredibly powerful tool that can be abused by hackers. It allows us to locate specific files with great ease. There are far too many arguments to demonstrate in one article, so instead I'll show a few examples that readers can build on.

The following find command recursively searches the Downloads/ directory for files (-type f) with the .pdf extension (-name "*.pdf"). The wildcard (*) tells find to match any PDF regardless of its filename. In the commands below, <username> is a placeholder for the target's account name.

  find /Users/<username>/Downloads/ -type f -name "*.pdf"

Next, a slightly more advanced find command. This time, find searches the Documents/ directory for files with either of two extensions: the name tests are grouped with escaped parentheses ( \( ... \) ) and joined with -o (or), so it matches files ending in ".sh" or ".txt", i.e. shell scripts and text files.

  find /Users/<username>/Documents/ -type f \( -name "*.sh" -o -name "*.txt" \)

It may also be useful for an attacker to know which files the target user has changed in the last X minutes. The find command below searches every file and directory in the tokyoneon/ home folder for files modified (-mmin) in the last 5 minutes.

  find /Users/tokyoneon/ -mmin -5

Many of the files found in the Application Support/ and Preferences/ directories are uninteresting, as shown in the output below. But recently changed files in Documents/ or on the Desktop/ can be useful to an attacker looking for ways to pivot or escalate privileges.

  /Users/tokyoneon//Desktop
  /Users/tokyoneon//Desktop/.DS_Store
  /Users/tokyoneon//Desktop/important_credentials_2018.rtf
  /Users/tokyoneon//Library/Application Support
  /Users/tokyoneon//Library/Application Support/com.apple.spotlight.Shortcuts
  /Users/tokyoneon//Library/Application Support/com.apple.sharedfilelist
  /Users/tokyoneon//Library/Application Support/com.apple.sharedfilelist/com.apple.LSSharedFileList.RecentDocuments.sfl2
  /Users/tokyoneon//Library/Application Support/com.apple.sharedfilelist/com.apple.LSSharedFileList.RecentApplications.sfl2
  /Users/tokyoneon//Library/Application Support/AddressBook/Metadata/.info
  /Users/tokyoneon//Library/Preferences
  /Users/tokyoneon//Library/Preferences/ByHost
  /Users/tokyoneon//Library/Preferences/ByHost/com.apple.loginwindow.75294026-DDFE-5804-9373-CA2196D2BD6E.plist
  /Users/tokyoneon//Library/Preferences/com.apple.spaces.plist
  /Users/tokyoneon//Library/Preferences/com.apple.commerce.plist
  /Users/tokyoneon//Library/Preferences/com.apple.AddressBook.plist
  /Users/tokyoneon//Library/Preferences/com.apple.textInput.keyboardServices.textReplacement.plist
  /Users/tokyoneon//Library/Preferences/com.apple.xpc.activity2.plist
  /Users/tokyoneon//Library/Preferences/com.apple.systemuiserver.plist
  /Users/tokyoneon//Library/Preferences/com.apple.Spotlight.plist
  /Users/tokyoneon//Library/Containers/com.apple.TextEdit/Data/Library/Saved Application State
  /Users/tokyoneon//Library/Containers/com.apple.TextEdit/Data/Library/Preferences
  /Users/tokyoneon//Library/Containers/com.apple.TextEdit/Data/Library/Preferences/com.apple.TextEdit.plist
  /Users/tokyoneon//Library/KeyboardServices/TextReplacements.db
  /Users/tokyoneon//Library/KeyboardServices/TextReplacements.db-wal
  /Users/tokyoneon//Library/KeyboardServices/TextReplacements.db-shm
  /Users/tokyoneon//Library/Caches/GeoServices/networkDefaults.plist

We can further refine this type of file discovery using the -mtime argument. It lets us identify files that are older than X days, but also files that are not older than Y days. The + and - signs mean older than and not older than, respectively. For example, a command that uses +1 and -60 finds files older than 1 day but not older than 60 days.

  find /etc/ -mtime +1 -mtime -60

In my example above, I'm searching the /etc/ directory. These files cannot be modified by low-privilege users without a password, but we can still read their contents, which may contain sensitive configuration information.

  /etc/auto_master
  /etc/krb5.keytab
  /etc/aliases.db
  /etc/asl
  /etc/asl/com.apple.authd
  /etc/rtadvd.conf
  /etc/auto_home
  /etc/ppp
  /etc/php-fpm.d
  /etc/localtime
  /etc/newsyslog.d
  /etc/pam.d
  /etc/pam.d/chkpasswd
  /etc/pam.d/login.term
  /etc/pam.d/screensaver
  /etc/pam.d/checkpw
  /etc/pam.d/authorization
  /etc/pam.d/login
  /etc/pam.d/passwd
  /etc/apache2
  /etc/apache2/httpd.conf
  /etc/apache2/original
  /etc/autofs.conf
  /etc/ssh
  /etc/resolv.conf
  /etc/ntp.conf

2. Examine the Target's Terminal History

Some tech-savvy macOS users find themselves in the Terminal for a variety of tasks. For example, SSH and FTP commands are often executed from the Terminal. These commands can reveal additional servers to which the target macOS user has access. Terminal commands can also help us build behavioral profiles that can be used in future social engineering attacks.

If you are a macOS user, you can open a Terminal and use the history command to display recently executed commands. The same can be viewed from a Netcat backdoor.

Below is an example of Terminal output after running history.

  history

      1  nc 192.168.1.44 55555
      2  sudo su
      3  sudo su
      4  sudo su
      5  cd Desktop/
      6  cat 3
      7  ls -la /System/Library/Start*
      8  ssh -X -p 4441 -i /Users/tokyoneon/office/ssh/main root@4.3.2.1
      9  sudo su
     10  ifconfig en0
     11  cd /tmp/unix-privesc-check-master/
     12  ./upc.sh --help
     13  ping 192.168.1.21

In line 1, we can see some Netcat activity worth investigating. More importantly, line 8 contains SSH login information. The -i argument in the SSH command indicates that a private SSH key named "main" resides in the office/ssh/ directory of the user's home folder. This could potentially be used by an attacker to compromise a remote server operated by the macOS user. In business and corporate environments, such exposures can be catastrophic.

Alternatively, if there are multiple users on the system, we can use the cat command to read a particular user's terminal history. These history files are usually located in each user's home directory under the filename ".bash_history" (<username> below is a placeholder for the account name).

  cat /Users/<username>/.bash_history

For a more comprehensive and tactical approach, we can locate every bash history file on the device and cat each one automatically.

  find / -type f -iname "*bash_history*" -exec cat {} \;

In the command above, find searches from the root directory (/) for files (-type f) with "bash_history" somewhere in the name, matched case-insensitively (-iname; the pattern is quoted so the shell does not expand it first). For each match it executes (-exec ... {} \;) cat to print the file's contents.
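
A defender's counterpart to the history harvesting above, as an added example that is not part of the original article: a POSIX sh audit that flags history lines leaking SSH key paths, inline credentials, plaintext protocols or exported secrets, and checks who can read the file. The patterns and the sample history are constructed; only the ssh line is taken from the article's own output.

```sh
#!/bin/sh
# Added defender-side example (not from the original article): scan a shell
# history file for the exposures the article shows an intruder harvesting
# (SSH key paths passed to -i, inline credentials, plaintext protocols,
# exported secrets) and check who can read the file. The patterns and the
# sample history below are constructed; extend them for your environment.

# stdout: one "<reason>: <line-no>:<history line>" per finding.
audit_history() {
    grep -nE '(ssh|scp|sftp)[^;|]* -i +[^ ]+' "$1" | sed 's/^/ssh-key-path: /'
    grep -nE '[A-Za-z0-9._-]+:[^ @/]+@'        "$1" | sed 's/^/inline-credential: /'
    grep -nE '(^|[;| ])(ftp|telnet) '          "$1" | sed 's/^/plaintext-protocol: /'
    grep -nE '(PASS(WORD)?|TOKEN|SECRET)='     "$1" | sed 's/^/exported-secret: /'
}

# The article reads other users' .bash_history with plain cat; flag a file
# whose mode lets anyone but the owner do that (GNU stat first, BSD fallback).
history_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        600|400) echo "ok: $1 mode $mode" ;;
        *)       echo "WARNING: $1 mode $mode is readable by others; chmod 600 it" ;;
    esac
}

# Constructed sample history; the ssh line is the one from the article.
HIST_SAMPLE=$(mktemp)
cat >"$HIST_SAMPLE" <<'EOF'
nc 192.168.1.44 55555
sudo su
ssh -X -p 4441 -i /Users/tokyoneon/office/ssh/main root@4.3.2.1
curl https://deploy:Hunter2@build.example.internal/job/1
ftp files.example.internal
export API_TOKEN=abc123
ls -la /System/Library/Start*
EOF
chmod 644 "$HIST_SAMPLE"

audit_history   "$HIST_SAMPLE"
history_mode_ok "$HIST_SAMPLE"
```

Findings are a cleanup list (rotate the exposed key, scrub or truncate the history, set HISTIGNORE for secret-bearing commands), not just a report.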

3. Identify External Hard Drives and USB Devices

USB flash drives connected to the macOS device are great for propagating malicious files. The concept is simple: the target inserts their own USB stick into the compromised MacBook, and the attacker swaps files on the USB device for payloads disguised as ordinary files.

If the USB stick is shared between colleagues and other computers, the attacker would effectively pivot to other devices. This attack is explained in more detail in my article "Spread Trojan and Pivot to other Mac computers".

There are several ways to list information about attached USB devices. We can quickly ls the /Volumes directory, but for a more thorough approach we will use the diskutil and system_profiler commands.

Several disks will probably be displayed by the following command.

  diskutil list

We are looking for disks labeled "external, physical" in the output below. This indicates that an external hard drive, SD card, or USB drive is connected to the macOS device. Given its size (15.5 GB), the device is most likely a 16 GB USB flash drive.

  /dev/disk3 (external, physical):
     #:                      TYPE NAME                    SIZE       IDENTIFIER
     0:     FDisk_partition_scheme                        *15.5 GB   disk3
     2:             Windows_FAT_32 KINGSTON                15.5 GB    disk3s1

We can also use the system_profiler command with the SPUSBDataType argument for a much more detailed view of connected devices.

  system_profiler SPUSBDataType

From the output below, we now know that the target uses a Kingston DataTraveler 3.0 (USB 3.0) flash drive formatted as FAT32. This means the drive is cross-platform and can be used between Windows, macOS, and Linux. More importantly, the drive is mounted writable, which means we can modify and add malicious files to the device as needed.

  USB:

      USB 3.0 Bus:

        Host Controller Driver: AppleUSBXHCIPPT
        PCI Device ID: 0x1e31
        PCI Revision ID: 0x0004
        PCI Vendor ID: 0x8086

          DataTraveler 3.0:

            Product ID: 0x1666
            Vendor ID: 0x0951  (Kingston Technology Company)
            Version: 1.00
            Serial Number: XXXXXXXXXXXXXXXXXXXXXXXXXXXX
            Speed: Up to 5 Gb/sec
            Manufacturer: Kingston
            Location ID: 0x14400000 / 4
            Current Available (mA): 900
            Current Required (mA): 504
            Extra Operating Current (mA): 0
            Media:
              DataTraveler 3.0:
                Capacity: 15.5 GB (15,502,147,584 bytes)
                Removable Media: Yes
                BSD Name: disk3
                Logical Unit: 0
                Partition Map Type: MBR (Master Boot Record)
                USB Interface: 0
                Volumes:
                  KINGSTON:
                    Capacity: 15.5 GB (15,498,018,816 bytes)
                    Free: 15.36 GB (15,359,361,024 bytes)
                    Writable: Yes
                    File System: MS-DOS FAT32
                    BSD Name: disk3s1
                    Mount Point: /Volumes/KINGSTON
                    Content: Windows_FAT_32
                    Volume UUID: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
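
An added example, not from the original article, that parses the diskutil list and mount output formats shown above to report external physical disks with volumes mounted writable, which is the condition the section describes an attacker looking for. The sample output is constructed; on a real Mac, save the output of diskutil list and mount to two files and pass them in.

```sh
#!/bin/sh
# Added defender-side example (not from the original article): parse the
# 'diskutil list' and 'mount' output formats shown above and report external
# physical disks whose volumes are mounted writable, i.e. the removable media
# an intruder could plant files on. The sample output below is constructed;
# on a Mac, save the real 'diskutil list' and 'mount' output to two files.

# stdin: diskutil list output. stdout: identifier of each external physical disk.
external_disks() {
    sed -n 's#^/dev/\(disk[0-9][0-9]*\) (external, physical):#\1#p'
}

# $1: disk identifier, stdin: mount output.
# stdout: "<device> <mount point> <fs>" for each partition not mounted read-only.
writable_volumes_on() {
    grep "^/dev/$1s[0-9][0-9]* on " | grep -v ', read-only' |
        sed 's#^\(/dev/[^ ]*\) on \(.*\) (\([^,)]*\).*#\1 \2 \3#'
}

# $1: saved diskutil list output, $2: saved mount output. Anything printed is
# a candidate for 'diskutil unmount' or a read-only remount ('diskutil mount readOnly').
report_writable_external() {
    external_disks <"$1" | while IFS= read -r d; do
        writable_volumes_on "$d" <"$2"
    done
}

DISKUTIL_SAMPLE=$(mktemp); MOUNT_SAMPLE=$(mktemp)
cat >"$DISKUTIL_SAMPLE" <<'EOF'
/dev/disk1 (internal, physical):
   #:                      TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *500.3 GB  disk1

/dev/disk3 (external, physical):
   #:                      TYPE NAME                    SIZE       IDENTIFIER
   0:     FDisk_partition_scheme                        *15.5 GB   disk3
   2:             Windows_FAT_32 KINGSTON                15.5 GB    disk3s1

/dev/disk4 (external, physical):
   #:                      TYPE NAME                    SIZE       IDENTIFIER
   1:                  Apple_HFS BACKUP                  2.0 TB     disk4s1
EOF
cat >"$MOUNT_SAMPLE" <<'EOF'
/dev/disk2s1 on / (apfs, local, journaled)
/dev/disk3s1 on /Volumes/KINGSTON (msdos, local, nodev, nosuid, noowners)
/dev/disk4s1 on /Volumes/BACKUP (hfs, local, nodev, nosuid, read-only, noowners)
EOF
report_writable_external "$DISKUTIL_SAMPLE" "$MOUNT_SAMPLE"
```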

Digging Deeper ...

macOS has a variety of built-in tools that hackers can abuse to obtain information about the target and their system. We could go on to discover additional user accounts and pivot to them, identify and bypass installed antivirus software, and fingerprint services running on the device for further evaluation. The opportunities to gather information are vast, and we have only scratched the surface.

Cover photo from Fancycrave.com/PEXELS
