mardi 3 septembre 2013

Pac4Mac - Forensics Framework for Mac OS X and more ...

Update :

Pac4Mac (Plug And Check for Mac OS X) is a portable Forensics framework (to launch from USB storage) allowing extraction and analysis session informations in highlighting the real risks in term of information leak (history, passwords, technical secrets, business secrets, ...). Pac4Mac can be used to check security of your Mac OS X system or to help you during forensics investigation.

Main interface

Pac4Mac is based on the information leaks that I detailed in the section mac-security-tips and also on my works detailed in my paper and presentation.

Pac4Mac features:

 Developed in Python 2.x (natively supported)
 Framework usage
 Support of OS X 10.6, 10.7, 10.8 and 10.9(not tested)

 Data extraction through:
  • User or Root access
  • Single Mode access
  • Target Mode access (Storage media by Firewire or Thunderbolt)

3 dumping modes : Quick, Forensics, Advanced (sample here):
  • Dumping Users / User Admin

  • Dumping Mac's Identity (os version, owner)

  • Dumping Miscellaneous files (Address book, Trash, Bash history, stickies, LSQuarantine, AddressBook, Safari Webpage Preview, Office Auto Recovery, WiFI access history, …)
  • Dumping content of current Keychain (security cmd + securityd process)
  • Dumping Users Keychains

  • Dumping System Keychains

  • Dumping password Hashes

  • Live Cracking hashes password
  • Dumping Browser Cookies (Safari, Chrome, Firefox, Opera)

  • Dumping Browser Places (Safari, Chrome, Firefox, Opera)

  • Dumping Browser Downloads history (Safari, Chrome, Firefox, Opera)

  • Dumping printed files

  • Dumping iOS files backups

  • Dumping Calendar and Reminders / Displaying secrets
  • Dumping Skype messages / Displaying secrets on demand
  • Dumping iChat, Messages(.app), Adium messages
  • Dumping Emails content (only text)

  • Dumping Emails content of all or special Mail Boxes
  • Adding root user
  • Dumping RAM
  • Cloning local Disk
  • Dumping system logs, install, audit, firewall
>Please to see mindmap to know differences between Quick mode, Forensics mode, Advanced mode. The last is my favourite.

DMA access features (exploitation of Firewire and Thunderbolt interfaces)
  • Unlock or bypass in writring into RAM
  • Dumping RAM content
  • Exploit extracted data (see Analysis module)

Analysis module in order to easily exploit extracted data by one of dumping modes-
  • Exploit Browser History
 x 4 (Displaying recordings, Local copy for usurpation)
  • Exploit Browser Cookies
 x 4 (Displaying recordings, Local copy for usurpation)
  • Display Browser Downloads
 x 4 (Displaying recordings)
  • Exploit Skype Messages
 (Displaying/Recording all recorded messages, with secret information or containing a special keyword)
  • Exploit iChat, Messages(.app), Adium messages (in the next version)
  • Exploit Calendar Cache
 (Display/Recording all recorded entries, with secret information or containing a special keyword)
  • Exploit Email Messages (Displaying/Recording all recorded messages, with secret information or containing a special keyword / )
  • Exploit RAM memory Dump
 (Searching Apple system/applications/Web Passwords)
  • Exploit Keychains
 (Display content Keychain
, Crack Keychain files)
  • Crack Hashes passwords

  • Exploit iOS files
 (Accessing to iPhone without passcode, reading secrets through iTunes backups)
  • Display Stickies Widgets

  • Display Printed Documents
  • Display prospective passwords 
(displaying all found passwords during dump and analysis phases)

Integration of post-intrusion features
  • Hard Disk/RAM image
  • System dump to help to analyse compromission
    • Logs system, syslog, install, firewall, audit

    • System usernames

    • Names and creation dates of launched agents, daemons, applications

    • Scheduled tasks

    • Plist of Mac OS X known malwares

    • Loaded drivers

    • Network connections

    • Active Processes

    • Used ressources (files, libraries, …)

    • Strange files (SUID, important size, …)

    • Last dates of WiFI connections
  • Integration of CheckOut4Mac in order to quickly detect recent malicious activities or if someone attempted or succeeded to get an access to your Mac let in your hotel room during your dinner or party (based on USB connections, adding users, attempt to unlock session, access to emails, modification of files, etc.). 
    • Source :
    • Startup activities (Startup dates, Stopping dates, Hibernation dates, Out of hibernation dates)
    • Session activities (Locked session dates, Attempt to unlock session without success, Unlocked session with success)
    • Physical activities (USB connections, USB plugged devices, File system events, Firewire connections with another machine or storage media, Firewire connections with another machine or storage media, Firewire connections to dump RAM)
    • Privileges escalation activities (Opened/Closed TTY terminals, ROOT commands executed with success, Attempt to execute commands with SUDO without success, User, password modification and creation
    • Applications activities (Opened applications)
    • File activities (Modified files like autorun App, LaunchAgents or LaunchDaemons, Added files like trojan or malware App, Accessed files like your secret files, Accessed Mails last access dates)
    • Network activities (Ethernet/WiFI connections, WiFI access points (last connection dates))

 Each launched action is logged and can be easily reviewed
 Easy to add new target (file, directory user, command, …) to extract (with db files and fonctions)
 All passwords found during dump or analysis are displayed
 All passwords found during dump or analysis are stored in common database(human readable format) and used for the next steps
 Multi-users extraction (from root session, single mode and Target Mode)
 Support of 4 browsers (Safari, Chrome, Firefox, Opera)
 Multi-profiles extraction (eg: Firefox, Skype)

Pac4Mac screenshots (and here):
Dumping Modes

Analysis Module

Exploit Keychain

Scenario Example (Keychain)

More screenshots here

mardi 9 juillet 2013

CheckOut4Mac - v0.1

How to quickly detect recent activities on your Mac OS X system? How to detect if someone attempted or succeeded to get an access to your Mac let in your hotel room during your dinner or party?

Just by analysing the system logs and files access dates with bash commands 
(like grep, find, ls, stat, awk, etc.)

For example, to identify opened emails on July 8 from 8 am to 8:59 am:
grep /Users/sudoman/Library/Mail/V2/IMAP-yyyy\ -type f -name *.emlx -exec stat -f '%Sa %N' '{}' + |grep -i 'Jul  8 08:'|grep 2013

Or to identify attempts to unlock session without success on July 8:
grep -i -B 9 'The authtok is incorrect.' /var/log/system.log|grep-i 'Jul  8'|grep 'Got user'|awk '{print$1,$2,$3,$9,$10}'

You can find a lot of others fun tricks commands here:

Proof of Concept in Python, CheckOut4Mac [], uses these commands and has been developed in order to automate the search and identify malicious activities from 3 questions:
[1] When did you leave your hotel room? eg: 22/6
[2] At what time did you leave your hotel room? eg: 22
[3] How long did you leave your hotel room? eg: 2

You can download readme here : README

CheckOut4Mac checks the following events for a specific date and/or specific hour:

  [a]Startup dates
  [b]Stopping dates
  [c]Hibernation dates
  [d]Out of hibernation dates

  [a]Locked session dates
  [b]Attempt to unlock session without success
  [c]Unlocked session with success

  [a]USB connections
  [b]USB plugged devices
  [c]File system events
  [d]Firewire connections with another machine or storage media
  [e]Firewire connections with another machine or storage media
  [f]Firewire connections to dump RAM (just a  supposition)

  [a]Opened/Closed TTY terminals
  [b]ROOT commands executed with success
  [c]Attempt to execute commands with SUDO without success
  [d]User, password modification and creation

  [a]Opened applications => not always with success (I search another solution)

  [a]Modified files (like autorun App, LaunchAgents or LaunchDaemons)
  [b]Added files (like trojan or malware App)
  [c]Accessed files (like your secret files)
  [d]Accessed Mails (last access dates)

  [a] Ethernet/WiFI connections (activation of 'enX' interface)
  [b] WiFI access points (last connection dates)

mardi 22 janvier 2013

American series are usefull in pentester's life !

3 days ago, I watched an american series (Shase) in which an actor said, during a crime  investigation : "I'm going to search into the victim's computer to know what is the last printed document ?

Hum, I said me : "Is it possible or not ?" ... yes, it's possible :)
All is into "/var/spool/cups", with root privileges :

If printers use "Generic PostScript" driver, you can find your printed document in PDF format :) Funny, no ?

To copy these files into your home directory :
bash-3.2# find /var/spool/cups -exec file {} \; | grep -i pdf | cut -d : -f 1 > /tmp/file_pdf.txt
bash-3.2# while read line; do cp "$line" ~/; done < /tmp/file_pdf.txt

So, it's an other information leak for Mac OS X ... :) and I added this exploitation to my "private" forensic framework, Pac4Mac.

mardi 15 janvier 2013

Net2SharePwn : Update 1.1b

First update of Net2SharePwn after 2 years...

- Support of special characters (space, accent, ...) in the path of files to download or in the name of Network Share
- Colors are changed
- Support Mountain Lion (but very long to mount/unmount Network Share). I advise to use Net2SharePwn on Backtrack (just arp-scan to install)

You can, if you want to, modify this program to adapt it for your personal usage.
Download : Readme (very important !)
Download : Readme_menu (to understand quickly)
Download : Net2SharePwn-1.1b

Net2SharePwn is an utility to check and exploit automatically the NetBIOS Network Shares available from network access points.

Question: How do you identify THE FILE containing a password to elevate your network or system privileges, when too much domains or IP addresses are present? The time is an important factor in this situation … and during penetration testing, it’s common to identify a VBS script embedding a domain administrator account password.
AnswerNet2SharePwn has been built to allow that.

Net2SharePwn is built in Python (tested on Python2.7) and can be launched only on Linux (tested on Backtrack) and Mac OS x platforms.

I apologize for Python coding, it doesn’t respect the best practices but I didn’t predict to publish Net2SharePwn …
Net2SharePwn is perhaps developed “with my feet” but it is functional.

Net2SharePwn works like that :