Apple's macOS operating system is as vulnerable to attack as any Windows 10 computer or Android smartphone. Hackers can embed backdoors, bypass antivirus programs with simple commands, and use USB flash drives to completely compromise a MacBook. In this continually updated guide, we'll outline dozens of macOS-specific attacks that penetration testers should know about.
How can I hack a MacBook?
When thinking about this question, it helps to consider the attacker's proximity to the target Mac. The farther the attacker is from the device, the harder access becomes. Whether we have physical access, share a Wi-Fi network with the device, or have enough information to socially engineer the user into opening a backdoored application determines how much effort it takes to get a remote shell.
We will first discuss the different attack vectors and the payloads that can be built for macOS. Then we cover attacks that require physical access and USB flash drives, followed by network-based attacks and how macOS targets can be attacked from anywhere in the world. Finally, we look at the exploits and the biggest weaknesses the operating system has suffered in recent years, to give readers and bug bounty hunters an idea of where the most alarming vulnerabilities were discovered.
Skip to section: Single Commands | Physical Access | Trojanized AppleScripts | USB Drops | Network Based | Remote Attacks | Post-Exploitation Attacks | Privilege Escalation | Zero-Days & Exploits | Protect Yourself
Hack MacOS with a Single Command
Before we get into payload execution and social engineering, let's take a look at some single commands that can compromise the OS.
Much as they abuse PowerShell on Windows 10, hackers abuse the programming languages preinstalled in macOS. Many of these languages are powerful and allow complex interactions with frameworks such as EvilOSX, Empire, Bella, and Metasploit. In all my tests, none of the featured one-liners were detected by macOS or by antivirus software like Avast and AVG.
The use of these built-in commands has been covered in the following articles.
1. A Python Antivirus-Evading Command
A Python payload is hosted on a remote server and executed on the target MacBook with a USB Rubber Ducky. The Rubber Ducky has to be plugged into the target Mac, but the rest is child's play.
2. A Ruby Antivirus-Evading Command
In this hack, a Ruby payload is embedded in an AppleScript designed to look like a regular PDF file. The fake PDF is then shared with the intended target, who opens it and hands us the win.
The lesser-known but very powerful Tcl language is used to bypass antivirus software and compromise a MacBook with only a few characters. The nice thing about this attack is that it copes with abrupt backdoor interruptions.
By default, macOS is very vulnerable to physical compromise. Single-user mode attacks allow an attacker to change any file or directory as root, with no password and no prior knowledge of the target. Even if the hard drive is encrypted with FileVault, it can be bypassed by brute-force attacks. These methods were discussed in the following articles.
4. Use Recovery Mode to Extract and Brute-Force the Login Hash
Recovery mode is used to extract a login hash, which is later brute-forced with Hashcat to reveal the password in plain text. The attacker could use a USB flash drive with another Mac to do the heavy lifting, or simply create a temporary user on the target Mac.
5. Use Single-User Mode to Configure a Backdoor
Single-user mode is used to embed a Netcat listener in the target device and run it at specified intervals with cron. This method is most effective if the target device allows inbound connections and shares a Wi-Fi network with the attacker.
A follow-up to the above article completely bypasses the target's firewall and allows the attacker to control the MacBook as it moves between different wireless networks.
Some targets may have their hard drive encrypted with FileVault. Although this prevents the MacBook from being compromised in a few seconds, it is not completely bulletproof. With the software introduced in the article and a bash script, password-guessing attacks can be automated.
Now let's talk about embedding one-liner payloads in AppleScripts.
AppleScript, which is included in all current macOS versions, is a scripting language that lets users directly control macOS applications as well as parts of macOS itself. Every AppleScript application contains an embedded executable. This makes AppleScript applications easily one of the most effective attack vectors in macOS.
Typically, users write AppleScripts to automate repetitive tasks, combine features from multiple legitimate applications, and build complex workflows. However, they can be abused by hackers to take control of a target's operating system.
An introduction that covers creating an Empire stager for AppleScript Trojans. The stager is later embedded in the AppleScript. After preparing a stager (or payload), the file extension and icon are faked to make the .app file look like a real PDF.
AppleScript is used to circumvent Mojave's new security features by social-engineering the target into granting administrator privileges to what appears to be a legitimate application.
It's not always possible to physically access a MacBook. The next easiest way to compromise a target is to use social engineering to get them to open a trojanized AppleScript. This can be achieved through USB drop attacks, to which macOS is very vulnerable.
Experiments have found that nearly 50% of people plug a USB flash drive they find into their computer. USB drop attacks are therefore an effective way to get a shell without ever touching the target MacBook.
The USB flash drive containing the AppleScript should be strategically placed where the intended target will undoubtedly find it. This could be anywhere in their workplace, near their home, or slipped into their purse or backpack if possible.
USB drop attacks were discussed in the following articles.
10. Use a Self-Destructing Payload to Hack Mojave
Mojave's insecure USB file permissions allow files and applications of all kinds to be executed; GateKeeper protection is completely bypassed. This is exploited with an AppleScript that looks like a typical text file.
11. Distribute a Trojan and Pivot to Other Mac Computers
Files found on a target's USB flash drive are modified and trojanized so that remote access spreads from one Mac to another.
Although this article is not focused on macOS and concentrates on capturing the target's Wi-Fi password, its social engineering aspect applies just as well to a MacBook user. Using a greeting card to trick a target into inserting an SD card or USB flash drive into their computer works in many different scenarios with many different goals.
macOS isn't immune to man-in-the-middle (MitM) or network-based attacks. Like any other device with an Internet connection, the MacBook's web traffic passes between it and the router. This traffic is easy to manipulate and can be used to inject cryptocurrency miners into the target's web browser in real time.
Man-in-the-middle attacks were discussed in the following articles.
Images in the target's web browser are manipulated in a witty and obscene manner using a man-in-the-middle framework.
Packets are captured and analyzed without connecting to the target's Wi-Fi network. Like Windows 10 and smartphones, macOS devices are affected by and vulnerable to such attacks.
Hacking MacBooks located in other parts of the world is a bit more involved than the other methods mentioned in this article. GateKeeper, a security feature in macOS, prevents casual execution of AppleScripts in the operating system (see below).
Protecting users from malicious applications: a developer ID is required to sign applications and gain "trust" in macOS so that apps will run. For a fee, anyone with a credit card can purchase a developer ID and even distribute their malicious application on Apple's App Store.
The App Store made headlines in 2015 when many apps were discovered exfiltrating user data to an attacker's server. Recently, apps have been removed from the App Store for stealing user data. And these are just the cases discovered or published by independent security researchers. The true extent of this problem is unknown. For all we know, Apple removes dodgy apps every day without informing the public.
It is certainly not impossible, or even very difficult, to compromise macOS targets in other states or countries. It's about being motivated enough to join Apple's developer ID program and simply pay for a certificate. In future posts, I will cover this topic in more detail and update this section of the article.
Post-Exploitation Attacks
Commands and attacks run after remote access has been established are classified as post-exploitation attacks. These may include situational awareness, data exfiltration, covert desktop streaming, microphone eavesdropping, privilege escalation, and data dumping, to name a few. I have covered many post-exploitation attacks in the articles described below.
A two-part article describing hardware and software enumeration, ARP cache dumping, locating sensitive files, and identifying connected storage media. After establishing a remote shell, it is important for an attacker to understand their physical and network environment.
Netcat is used to upgrade the attacker's primitive backdoor into a fully featured post-exploitation framework.
Screenshots of the target's desktop are taken covertly to passively observe their activity. Such information can be used to further compromise the target and is commonly abused by blackmailers who have captured embarrassing or compromising conversations and photos.
Going beyond screenshots, the entire MacBook screen is streamed to the attacker's computer and displayed in real time. This allows an attacker to see every mouse click and keystroke of the target without detection.
The MacBook's microphone is used to record conversations in the vicinity, which are streamed to the attacker's system for real-time analysis.
A two-part article that shows how a MacBook's unencrypted web traffic is secretly collected and exfiltrated using a combination of tools such as Netcat, Empire, Tcpdump, Tshark, and Wireshark.
Passwords stored in Firefox are dumped with a few commands over a low-privileged backdoor. Knowing the target's previous passwords allows targeted wordlist attacks, and the macOS login password can be brute-forced.
It may be desirable to escalate the remote shell's privileges in order to modify sensitive files and directories. Root privileges allow an attacker to execute commands with almost no security restrictions. There are several common ways to get root privileges, as shown below.
Files owned by root have overly permissive attributes and are exploited by an attacker to embed a backdoor. Alternatively, an Empire stager is used to invoke a credential-phishing dialog that tricks the target into revealing their login password.
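The defensive check that matches the first escalation path above is an audit for root-owned files and directories that anyone can write to. The following Python script is an added example, not code from the original article: it walks a directory tree and reports every entry owned by a given user that carries the world-writable bit. The list of system directories to audit is my own choice, and the demo builds a constructed sample tree and treats the current user as the owner of interest so that it runs on any Unix-like system, not only on a Mac as root.

```python
import os
import stat
import tempfile

# Directories where a world-writable root-owned entry would be a red flag on macOS
# (an assumed starting list; extend it for your own environment).
SYSTEM_DIRS = ("/Library/LaunchDaemons", "/Library/LaunchAgents", "/usr/local/bin", "/Applications")


def world_writable_owned_by(root, owner_uid=0):
    """Walk `root` and return (path, mode) for entries owned by `owner_uid` that are world-writable.

    Symlinks are skipped: their mode bits are meaningless, and it is the target that matters.
    """
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; not our problem here
            if stat.S_ISLNK(st.st_mode):
                continue
            if st.st_uid == owner_uid and st.st_mode & stat.S_IWOTH:
                hits.append((path, oct(stat.S_IMODE(st.st_mode))))
    return sorted(hits)


def build_sample_tree():
    """Create a constructed sample tree: one correctly permissioned script, one loose script, one loose directory."""
    root = tempfile.mkdtemp(prefix="perm-sample-")
    safe = os.path.join(root, "safe.sh")
    loose = os.path.join(root, "loose.sh")
    loose_dir = os.path.join(root, "LaunchAgents")
    for path in (safe, loose):
        with open(path, "w") as f:
            f.write("#!/bin/sh\necho placeholder\n")
    os.mkdir(loose_dir)
    os.chmod(safe, 0o755)       # owner-writable only: fine
    os.chmod(loose, 0o777)      # anyone can replace the contents: backdoor target
    os.chmod(loose_dir, 0o777)  # anyone can drop a plist here: persistence target
    return root


def demo():
    """Audit the constructed tree, using the current user in place of root so it works off-Mac."""
    root = build_sample_tree()
    hits = world_writable_owned_by(root, owner_uid=os.getuid())
    return [os.path.relpath(path, root) for path, _ in hits]


if __name__ == "__main__":
    print("sample tree findings:", demo())
    # On a real Mac, audit the system directories for root-owned loose entries:
    for directory in SYSTEM_DIRS:
        if os.path.isdir(directory):
            for path, mode in world_writable_owned_by(directory, owner_uid=0):
                print(mode, path)
```

Anything the script prints for the system directories deserves a `chmod o-w` and a look at who or what loosened it; legitimate installers very rarely need world-writable root-owned files.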
macOS hacking does not stop with the simple attacks in this post. macOS vulnerabilities and exploits are currently being used in the wild.
The term "zero-day" refers to code used by hackers to silently exploit unpatched vulnerabilities that are unknown to the software developer. macOS has had its share of zero-day headlines in recent years.
For example, Patrick Wardle disclosed a vulnerability that allowed unsigned applications to dump a user's keychain and exfiltrate clear-text passwords. In September 2018, Patrick uncovered a vulnerability that triggered synthetic mouse clicks without the user's consent. This allowed an attacker to bypass every macOS security feature that relies on a user manually interacting with a notification dialog. Just one month later, Patrick revealed a flaw that completely bypasses Mojave's latest security features.
The three vulnerabilities just mentioned were discovered by a single person. It is not unreasonable to believe that a team of dedicated hackers could find similar exploits that have not yet been disclosed.
Zero-days are extremely sought after today, not only by black hats but by cybersecurity companies and professionals. At the time of writing, sites like Zerodium pay up to $80,000 for a macOS or Safari exploit (as shown below). Other bug bounty programs offer millions of dollars for a single zero-day.
And it does not end there. Vulnerabilities and application-specific exploits that do not make headlines have surfaced in the Exploit Database at least once a month in recent years. In 2017 alone, there were nearly 40 reported vulnerabilities, including local privilege escalation, memory corruption, and arbitrary file access.
Protection against macOS attacks
As shown, there are many ways to compromise a macOS device. Here are some ways readers can detect and prevent such activity.
- Do not use foreign USB flash drives. If you come across a USB flash drive you do not own, do not use it. This is possibly the best advice we can give. A well-placed USB key can be the result of a thoughtful social engineering attack against you or your employer. Regardless of how the flash drive is labeled or what files are on it, do not plug it into your MacBook.
- Enable a firmware password. Set a firmware password to prevent attackers from booting into live USB mode, single-user mode, or recovery mode. The firmware only prompts for the additional password at startup when someone attempts to start the MacBook in single-user, startup manager, target disk, or recovery mode. However, a firmware password does not protect the hard drive if the disk is physically removed from the MacBook.
- Enable FileVault encryption. FileVault can be enabled by navigating to System Preferences, then Security & Privacy, and clicking Enable FileVault (you may need to unlock the settings first). After completing this process, the MacBook will restart and require a password each time the Mac starts up. No account will be allowed to log in automatically. A password is also required to access single-user mode. This is the best way to prevent attacks on the encrypted disk, even if it is physically removed from the laptop. To protect against attackers with dedicated brute-force hardware, a complex passphrase of more than 21 characters is recommended.
- Don't double-click files. It is always best to explicitly choose which program opens a file. Right-click the file and manually select an application from the "Open With" menu. You'll find that AppleScript applications do not have an Open With option in the context menu. This is because they are actually directories and can not be opened with applications like TextEdit.
- Show all filename extensions. The Unicode trick that fakes file extensions works only if "Show all filename extensions" is disabled, which is the default. Enable this setting by navigating to "Finder" in the menu bar, then "Settings", and enabling the option on the "Advanced" tab. The .app file extension is then always displayed and can not be spoofed.
- List the files on the USB flash drive. If in doubt, use the Terminal to list the files (ls) on the USB flash drive. File extensions can not be faked in the terminal under any circumstances. Use this command with -l to print the contents of the flash drive in list format, and -a to display all files, including hidden ones.
ls -la /Volumes/USB-NAME-HERE/

drwxrwxrwx@  1 tokyoneon  staff    16384 Sep 28 11:01 .
drwxr-xr-x@  4 root       wheel      128 Sep 28 03:52 ..
drwxrwxrwx@  1 tokyoneon  staff    16384 Sep 28 05:03 evil.txṫ.app
-rwxrwxrwx   1 tokyoneon  staff  3566129 Sep 28 02:40 real.txt
-rwxrwxrwx   1 tokyoneon  staff  1938446 Sep 28 02:41 .hiddenfile.txt
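The listing makes the disguise visible: `evil.txṫ.app` is a directory whose name ends in a look-alike `.txt` (the `ṫ` is U+1E6B, not an ASCII `t`), and `.hiddenfile.txt` only shows up because of `-a`. The following Python script is an added example, not code from the original article; it automates that inspection for any mounted volume, naming every non-ASCII code point in a filename, flagging `.app` bundles whose folded name looks like a document, and listing hidden entries. It builds a constructed sample directory that mirrors the listing above, so it runs offline; on a real Mac you would point `scan_volume` at a path under `/Volumes`.

```python
import os
import tempfile
import unicodedata

# Extensions a "document" name is expected to carry; an .app bundle hiding one of
# these in its name is disguising itself as a document.
DOCUMENT_EXTS = {".txt", ".pdf", ".doc", ".docx", ".rtf", ".jpg", ".png", ".zip"}


def ascii_fold(text):
    """Strip diacritics so a look-alike extension compares equal to the real one.

    'evil.tx\u1e6b' (t with dot above) folds to 'evil.txt'.
    """
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def describe_non_ascii(name):
    """Name every non-ASCII code point in a filename, e.g. 'ṫ (U+1E6B LATIN SMALL LETTER T WITH DOT ABOVE)'."""
    return [f"{ch} (U+{ord(ch):04X} {unicodedata.name(ch, 'UNNAMED')})"
            for ch in name if ord(ch) > 127]


def scan_volume(path):
    """Return {entry_name: [reasons]} for each entry in `path` that deserves a second look."""
    findings = {}
    with os.scandir(path) as it:
        entries = sorted(it, key=lambda e: e.name)
    for entry in entries:
        name = entry.name
        reasons = []
        odd = describe_non_ascii(name)
        if odd:
            reasons.append("non-ASCII characters in name: " + ", ".join(odd))
        # An application bundle is a directory whose name ends in .app; Finder hides
        # that suffix when "Show all filename extensions" is off.
        if entry.is_dir(follow_symlinks=False) and name.lower().endswith(".app"):
            inner_ext = os.path.splitext(ascii_fold(name[:-4]))[1].lower()
            if inner_ext in DOCUMENT_EXTS:
                reasons.append(f"application bundle disguised as a {inner_ext} document")
            else:
                reasons.append("application bundle (a directory, not a document)")
        if name.startswith("."):
            reasons.append("hidden entry (not shown by Finder or plain ls)")
        if reasons:
            findings[name] = reasons
    return findings


def build_sample_volume():
    """Create a throwaway directory that mirrors the listing above (constructed sample data)."""
    root = tempfile.mkdtemp(prefix="usb-sample-")
    with open(os.path.join(root, "real.txt"), "w") as f:
        f.write("harmless notes\n")
    with open(os.path.join(root, ".hiddenfile.txt"), "w") as f:
        f.write("hidden\n")
    bundle = os.path.join(root, "evil.tx\u1e6b.app")  # 'ṫ' is U+1E6B, not ASCII 't'
    os.makedirs(os.path.join(bundle, "Contents", "MacOS"))
    with open(os.path.join(bundle, "Contents", "MacOS", "applet"), "w") as f:
        f.write("#!/bin/sh\necho placeholder\n")
    return root


if __name__ == "__main__":
    volume = build_sample_volume()  # on a real Mac: "/Volumes/USB-NAME-HERE"
    for name, reasons in scan_volume(volume).items():
        print(name)
        for reason in reasons:
            print("   -", reason)
```

The fold-then-compare step is what catches the trick the article describes: the name is judged by what it resolves to after diacritics are stripped, not by what it looks like in Finder.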
- Look for suspicious files. Startup daemon and agent directories used by macOS include /Library/LaunchDaemons, /Library/LaunchAgents, and /Users/<username>/Library/LaunchAgents. Files in these directories can be inspected by opening Terminal and using cd and ls to change to the directory and list its contents. The launchctl command can unload suspicious daemons, and the rm command can remove them.
- Use private browsing mode. Dumpzilla can do a lot more than just extract passwords from Firefox. It is safer to use private browsing mode 100% of the time. Although it can be inconvenient and makes surfing the Internet painful, it is genuinely dangerous to entrust so much data to web browsers. Browser data dumps with dozens of email addresses and passwords are freely shared in black hat hacking communities. If hackers can't sell your data, they wreak havoc on your accounts instead, because the data has no financial value to them.
- Use a master password. If storing passwords in Firefox is a convenience you do not want to give up, use a strong master password. This is a moderate hurdle for hackers and can prevent them from learning all of your passwords.
- Use a proper password manager. Password managers provide better protection for stored passwords. Hackers can still exfiltrate the password manager's database and brute-force it. However, with a strong, unique password, the attacker has to spend weeks (or months) cracking the encrypted database.
That's it for now. We will continue to update this summary as we discover new macOS attack vectors. Until next time, follow me on Twitter @tokyoneon_, and be sure to leave a comment if you have any questions.