Overview
Explore advanced Mac post-exploitation techniques in this NolaCon 2018 conference talk. Delve into topics such as malware quality, persistence methods, and system event manipulation. Learn about LaunchD, Keep Alive, Watch Path, and Socket Listener functionalities. Discover how to access and exploit the Keychain, including stealing applications, saving passwords, and copying Keychain values. Examine file system exploration, SSH bypass techniques, and general approaches to post-exploitation on Mac systems. Gain insights into elevated privileges, fuzzy operations, and nonce-based attacks for a comprehensive understanding of Mac security vulnerabilities and exploitation strategies.
Syllabus
Intro
Disclaimer
Agenda
How did I get here
Post exploitation 101
Malware quality
Persistence
LaunchD
Keep Alive
Watch Path
SocketListener
Root
System Events
System Escape Button
Icon File
File Vault iCloud
Popup Dialog
Fake Background
Keychain Access
Keychain Watch
Password Manager
Keychain
Whats Inside
Stealing Applications
Saving Passwords
Users Keychain
Copy Keychain Values
Instruments
Files
Time
General Approach
Steps
SSH Bypass
Conclusion