
Thread: Beginner mac pentesting query...

  1. #1
    squishyalt (Member; joined Feb 2010; 172 posts)

    Beginner mac pentesting query...

    I have just begun to pentest networks where macs (the apple variety) are in use. Are there specific backtrack tools that should be used or vulnerabilities that should be looked for when pentesting a mac-infested network?

    A search here didn't pull up anything relevant.

  2. #2
    Gitsnik (Very good friend of the forum; joined Jan 2010; location: The Crystal Wind; 851 posts)

    Re: Beginner mac pentesting query...

    Quote Originally Posted by squishyalt:
        I have just begun to pentest networks where macs (the apple variety) are in use. Are there specific backtrack tools that should be used or vulnerabilities that should be looked for when pentesting a mac-infested network?

        A search here didn't pull up anything relevant.

    I don't know about specifics, but working primarily with them has lent me a little amount of experience.

    Probably the best thing you want to try and do is MiTM interception. Bonjour, email protocols, SET (with something other than meterpreter) and any browser vulnerabilities are your best bet. It is also fairly common that your average mac user has a blank password, or something in the top 10 list - so if they've turned on remote access (ssh) you can brute force against that - though it can be difficult to get a username, as "root" is generally not enabled and they don't tend to go with easy ones. A good tip is to look in Wireshark (or tcpdump etc.) - have a look at what the bonjour protocol is putting out.

    "Gitsnik's iMac" is a bit of a giveaway that the user account is probably "gitsnik" one should think.

    Bonjour is the killer app for gaining information on a Mac network (non-nefariously or otherwise). The whole zero configuration thing lends itself to an overabundance of information about who is around or otherwise. The main problem is that your average mac user is secure by default (in the same way ubuntu is secure by default) by not having anything turned on.

    Unless there is a Mac admin on the network with ARD, then you have VNC and SSH (usually) turned on by default on an image, and the standard brute force applies.

    If you are going after a server then the standard kit applies. Remember every machine has "sudo" enabled, and if you have an administrator account you can use it. If you don't, "su - administrator" works pretty well and you can sudo -s from there.

    Annnd I think that's about all I can impart without actually sitting down with you on the subject. There are the odd exploits around but most systems stay very up to date on their own and it is moderately rare to find a corporation that doesn't have them all at 10.4.11, 10.5.8v1, or 10.6.2.

    There is the whole iTunes attack vector which is becoming common, but I don't find that many shared iTunes libraries.
    Still not underestimating the power...

    There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.
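Gitsnik's point about Bonjour is that a Mac answers mDNS browse queries with service instance names ("Gitsnik's iMac"), SRV records (which port the service lives on and which host runs it) and A records, all without anyone logging in. The following decoder is an added example for this thread, not code from the forum or from any Apple tool: it parses an mDNS response (DNS wire format with name compression, RFC 1035), then builds a per-host inventory of advertised services, addresses, and any account name the instance name gives away, which is exactly the audit a network owner would run to see what their fleet is announcing. The packet is constructed inline (hostnames, the documentation address 192.0.2.10, and the service set are made up); the builder functions exist only to produce that sample and are not needed to parse a real capture.

```python
import socket
import struct

TYPE_A, TYPE_PTR, TYPE_SRV = 1, 12, 33


def encode_name(name, offsets, pos):
    """Write a DNS name with suffix compression (RFC 1035 s4.1.4); offsets maps
    suffixes already in the packet to their offset, pos is where this name goes."""
    labels, out = name.split("."), b""
    for i, label in enumerate(labels):
        suffix = ".".join(labels[i:])
        if suffix in offsets:  # reuse the earlier copy via a 2-byte pointer
            return out + struct.pack("!H", 0xC000 | offsets[suffix])
        offsets[suffix] = pos + len(out)
        raw = label.encode("utf-8")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_response(answers):
    """Build an mDNS response from (name, type, rdata) triples; rdata is bytes
    or a callable(offsets, pos) for record types whose rdata embeds a name."""
    offsets, pkt = {}, struct.pack("!HHHHHH", 0, 0x8400, 0, len(answers), 0, 0)
    for name, rtype, rdata in answers:
        pkt += encode_name(name, offsets, len(pkt))
        pkt += struct.pack("!HHI", rtype, 0x8001, 120)  # class IN + cache-flush, TTL 120s
        data = rdata(offsets, len(pkt) + 2) if callable(rdata) else rdata
        pkt += struct.pack("!H", len(data)) + data
    return pkt


def ptr(target):
    return lambda offsets, pos: encode_name(target, offsets, pos)


def srv(port, target):  # priority 0, weight 0, then port and target host
    return lambda offsets, pos: struct.pack("!HHH", 0, 0, port) + encode_name(target, offsets, pos + 6)


def read_name(pkt, pos, max_hops=16):
    """Return (labels, next_pos); a hop limit stops a crafted pointer loop."""
    labels, end, hops = [], None, 0
    while True:
        length = pkt[pos]
        if length & 0xC0 == 0xC0:
            hops += 1
            if hops > max_hops:
                raise ValueError("compression pointer loop")
            end = pos + 2 if end is None else end  # the name ends after its first pointer
            pos = struct.unpack("!H", pkt[pos:pos + 2])[0] & 0x3FFF
            continue
        pos += 1
        if length == 0:
            break
        labels.append(pkt[pos:pos + length].decode("utf-8", "replace"))
        pos += length
    return labels, (pos if end is None else end)


def parse_response(pkt):
    """Decode every resource record into (labels, type, value)."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    pos, records = 12, []
    for _ in range(qd):  # skip the question section: name + type + class
        pos = read_name(pkt, pos)[1] + 4
    for _ in range(an + ns + ar):
        labels, pos = read_name(pkt, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[pos:pos + 10])
        pos += 10
        if rtype == TYPE_PTR:
            value = ".".join(read_name(pkt, pos)[0])
        elif rtype == TYPE_SRV:  # rdata: priority, weight, port, target name
            port = struct.unpack("!H", pkt[pos + 4:pos + 6])[0]
            value = (port, ".".join(read_name(pkt, pos + 6)[0]))
        elif rtype == TYPE_A:
            value = socket.inet_ntoa(pkt[pos:pos + 4])
        else:
            value = pkt[pos:pos + rdlen]
        records.append((labels, rtype, value))
        pos += rdlen
    return records


def inventory(records):
    """Per host: (service, port) pairs, addresses, and the account-name hint in
    a "<Name>'s iMac" style instance name (straight or curly apostrophe)."""
    hosts = {}
    entry = lambda key: hosts.setdefault(key, {"services": [], "addresses": [], "hints": set()})
    for labels, rtype, value in records:
        if rtype == TYPE_SRV:
            port, target = value
            entry(target)["services"].append((labels[1], port))
            owner = labels[0].replace("\u2019", "'").split("'s ")[0]
            if owner != labels[0]:
                entry(target)["hints"].add(owner.lower())
        elif rtype == TYPE_A:
            entry(".".join(labels))["addresses"].append(value)
    return hosts


# Constructed sample (not a capture): what an iMac with Remote Login on might
# answer to a browse for _ssh._tcp.local.
SAMPLE = build_response([
    ("_ssh._tcp.local", TYPE_PTR, ptr("Gitsnik's iMac._ssh._tcp.local")),
    ("Gitsnik's iMac._ssh._tcp.local", TYPE_SRV, srv(22, "Gitsniks-iMac.local")),
    ("Gitsniks-iMac.local", TYPE_A, socket.inet_aton("192.0.2.10")),
])
```

Running `inventory(parse_response(SAMPLE))` yields one host, Gitsniks-iMac.local, with `_ssh` on port 22, address 192.0.2.10 and the hint "gitsnik", which is the inference the post makes by eye. The same decoder applies unchanged to the `_daap._tcp` records an iTunes shared library announces, so a periodic sweep of the mDNS multicast group (224.0.0.251, UDP 5353) gives an administrator a list of every host advertising SSH, VNC or media sharing, and of every machine whose name discloses its owner.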

  3. #3

    Re: Beginner mac pentesting query...

    hi,

    a good start for any serious Mac OS X pentest, read C. Miller's book ;-)....the only book you will find
    going into that much detail about Mac related attack vectors -
    "The Mac Hacker's Handbook", ISBN 9780470395363
    ..some good hints for further xploit research as well (quicktime, mDNSResponder, Safari)!

    Also check out Collin's 26c3 talk: Fuzzing the Phone in your Phone
    Conference Recordings - 26C3 Public Wiki
    MUlliNER.ORG : SMS Security Research

    BTW: looking for iPhones in the network is always some fun, especially jailbroken ones ;-)
    (look for iPhone MACs + ssh + default pwd: alpine)


    /brtw2003
    Last edited by brtw2003; 02-06-2010 at 05:11 PM.

  4. #4
    Junior Member (joined Jan 2010; 46 posts)

    Re: Beginner mac pentesting query...

    I don't know about current versions because I haven't paid much attention to my MacBook Pro in a while now, Gitsnik, but I think I remember shared libraries being enabled by default in the past. I went to an audio engineering college where everybody had a Mac of some sort and I used to be able to pull up the libraries of two or three different people in my apartment complex. Imagine my surprise when I started up iTunes in my apartment one afternoon and found myself looking at a library overflowing with Destiny's Child or some other such garbage.
