Building an EmPyre with Python
@harmj0y
× Researcher/red teamer for the Adaptive Threat Division
× Co-founder/active developer of the Veil-Framework | PowerView | PowerUp | Empire
× Microsoft CDM/PowerShell MVP and active PowerSploit developer
@424f424f
× U.S. Army Infantry combat veteran
× Red teamer/Penetration Tester for the Adaptive Threat Division
× Instructor for ATD’s “Adaptive Penetration Testing” course
@killswitch_gui
× Previous US Army Soldier
× Red teamer/Penetration Tester for the Adaptive Threat Division
× Developed SimplyEmail / SimplyTemplate
tl;dr
× Overview / “Why Build This” / RATs 101
× EmPyre
× Stagers
× Host/network triage
× Lateral movement
× Persistence
× The Future
× Demos throughout!
Why Build This?
Motivations
× A high-security client wanted a penetration test against their corporate infrastructure
  × which was 80% OS X …
× We did our research and found very few options for ‘complete’ OS X agents
  × though small post-exploitation pieces did exist
Adversarial OS X
× WireLurker (Trojanized applications, infects connected iOS devices)
× XcodeGhost (infected Xcode package in China)
× Hacking Team (Remote Control System compromise platform)
× OceanLotus (Flash dropper, downloads a Mach-O binary)
× KeRanger (ransomware, infected Transmission package)
OS X Challenges
× Not nearly as many public OS X attack toolsets out there as there are for Windows
× Access vectors are significantly more limited than Windows as well
× Lateral spread is complicated a bit (no pth!)
RATs 101
× We have a number of broad design goals for our solution:
  × Staging flexibility
  × Modularity
  × (Reasonably) strong crypto
× The “Staging problem”
  × Your malicious code has to SOMEHOW get to the target
EmPyre background
× Python agent and controller
  × heavily based on the PowerShell Empire project
× OS X/Linux, Python 2.7 and 2.6 compatible / “living off the land”
× Asynchronous communications (HTTP[S])
× Diffie-Hellman based Encrypted Key Exchange
× Variety of post-exploitation modules
Module development
× Like Empire, development is quick due to the modular structure and use of a scripting language
× Modules == metadata containers for an embedded Python script
  × Things like option sets, needs admin, opsec safe, save file output, etc.
Stagers
OS X Macros
× Works on Office 2011 and below, otherwise, we’re stuck in the...
Mach-O binaries
× Mach object file format for executables, object code, shared libraries, dynamically-loaded code and core dumps
× We hot-patch a binary with the EmPyre stager code
× Binary contains the Python interpreter
Dylib Hijacking
× Ported from @patrickwardle research
  × https://www.virusbulletin.com/uploads/pdf/magazine/2015/vb201503-dylib-hijacking.pdf
× Abuses search-order loading
× Also a method of persistence in EmPyre
Hijack Scanner
Dylib Hijacker
Demo: Phishing with EmPyre
Host triage
Privilege escalation
× Users often run as admin
× Two prompt modules for credential collection:
  × Mac app prompting - osascript
  × Screensaver alleyoop - osascript / security
× Elevate using sudo_spawn to spawn a new EmPyre agent
Privilege escalation
Chainbreaker
× Keychaindump (juuso)
  × Keychain exploitable prior to OS X Yosemite to recover the master key from memory
  × Decrypts the keychain store using a master key candidate
× Keychaindump_chainbreaker (n0fate)
  × Allows master key and password input for decryption of the entire keychain
  × Fully ported to allow on-target dumps rather than offline
Hashdumping
× Built-in hashdump module:
  × Sudo required, of course
  × Output is hashcat ready
× Hash format is unique to different OS X series
  × 10.8+ uses Salted-SHA512-PBKDF2
  × Password -> iterations -> salt -> PBKDF2 hash
  × Ultimately a very slow hash to crack (H/s)
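An added Python example (not EmPyre code) showing how the Salted-SHA512-PBKDF2 construction on the slide fits together, and why the guess rate is low: every candidate check is a full PBKDF2 run. The salt length, output length and iteration count are constructed example parameters, and the `$ml$` layout is the one hashcat's macOS v10.8+ mode reads.

```python
import hashlib
import hmac
import os
import time

# Constructed example parameters, not values taken from a real dump.
ITERATIONS = 35000   # each record carries its own count; tens of thousands is typical
SALT_LEN = 32
ENTROPY_LEN = 128


def salted_sha512_pbkdf2(password, salt, iterations, dklen=ENTROPY_LEN):
    """Password -> iterations -> salt -> PBKDF2-HMAC-SHA512, as on the slide."""
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations, dklen)


def make_record(password, iterations=ITERATIONS):
    """Build a record shaped like a shadow-hash entry from a fresh random salt."""
    salt = os.urandom(SALT_LEN)
    return {"iterations": iterations, "salt": salt,
            "entropy": salted_sha512_pbkdf2(password, salt, iterations)}


def verify(password, record):
    """Recompute the derived key for a candidate and compare in constant time."""
    candidate = salted_sha512_pbkdf2(password, record["salt"], record["iterations"],
                                     len(record["entropy"]))
    return hmac.compare_digest(candidate, record["entropy"])


def hashcat_line(record):
    """$ml$<iterations>$<salt hex>$<entropy hex>, the layout hashcat's macOS v10.8+ mode reads."""
    return "$ml$%d$%s$%s" % (record["iterations"], record["salt"].hex(), record["entropy"].hex())


def guesses_per_second(record, n=5):
    """Time n wrong candidates on one core; the iteration count is what keeps this number low."""
    start = time.perf_counter()
    for i in range(n):
        verify("wrong-guess-%d" % i, record)
    return n / (time.perf_counter() - start)
```

Raising the iteration count in `make_record` and re-running `guesses_per_second` shows the cost scaling linearly, which is the property that makes the H/s figure on the slide so low.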
Hashdumping
Keylogging
× Uses Ruby code adapted from MSF:
  × Captures and logs keystrokes to a file currently
  × Runs as a separate Ruby process
Screenshots
× Currently supports two separate methods:
  × Native - screencapture built-in tool
  × Python - using Quartz API calls
× Environment can dictate the use of native tools
  × CGImageDestinationCreateWithURL() and screencapture only allow an output path for the image
Clipboard theft
× Great way to target and collect credentials
× Output to file or pipeline:
  × Timed collection allows continuous monitoring using background jobs
× Uses a non-native method via the AppKit API:
  × Native pbpaste may be signatured by Carbon Black
Demo: Host Triage with EmPyre
Network situational awareness
OS X is on the Domain Too!
× Admins want/need to:
  × Enforce corporate policy via Group Policy
  × Manage resources
  × Manage users
  × Advertise resources such as printers
  × Benefit from single sign-on access to Active Directory resources through Kerberos
OS X and LDAP
× ldapsearch tool
  × opens a connection to an LDAP server, binds, and performs a search using specified parameters
× dig -t SRV _ldap._tcp.example.com
PowerView, OS X Style
× Wanted to mimic the features of PowerSploit’s PowerView to enumerate Active Directory
× Using ldapsearch, we can mimic “most” features
× Unfortunately, creates a log entry for every connection
Situational Awareness, AD Enumeration
× get_computers
× get_domaincontrollers
× get_fileservers
× get_groupmembers
× get_groupmemberships
× get_groups
× get_ous
× get_userinformation
× get_users
PowerView, OS X Style
Overpass-the-Hash
× Original research by @gentilkiwi and @obscuresec and OS X research by @passingthehash
× Upgrading an NT hash into a full Kerberos ticket!
× Utilities
  × kinit - acquire initial Kerberos credentials
  × klist - list Kerberos credentials
  × kdestroy - remove Kerberos credentials
Demo: Domain Enumeration with EmPyre
Lateral Movement
OS X vs Windows
× Common Windows lateral movement methods:
  × WMI, PSEXEC, WinRM, Remote Desktop
× OS X disappoints a bit on this front...
  × SSH is available but disabled by default
  × WinEXE installed through Homebrew is possible
× EmPyre modules:
  × ssh_command / ssh_launcher
Web Service Exploitation
× JBoss exploit
× Pass exploit to Empire server
Persistence
OS X vs Windows
× Common Windows persistence methods:
  × Registry keys
  × Startup folders
  × WMI
  × DLL hijacks
  × Backdoor accounts
× OS X is also quite fruitful:
  × Crontabs
  × Login hooks
  × Daemons
  × Dylib Hijacking
Crontabs, Daemons, and Login Hooks
× Login Hook - User Context
  × Bash / AppleScript / binary execution
  × User or any user logon executes payload
  × Sets com.apple.loginwindow
× Crontabs - User Context
  × Requires Bash / AppleScript / binary
  × Timed execution of payload
  × Great for continued access
× Launch Daemons - Root Context
  × Requires sudo
  × Spawns determined by XML manifest (reboot)
  × Daemons (services) once started will restart upon agent loss
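An added Python example (not EmPyre code) from the reviewer's side of the two mechanisms above: it reads a launchd XML manifest and a com.apple.loginwindow preferences file and reports the traits that matter for persistence review, i.e. whether the job starts at boot (RunAtLoad), whether launchd relaunches it when the process dies (KeepAlive, the "restart upon agent loss" behaviour), and whether it is an interpreter running a script rather than a signed binary. Both plists, their label and their paths are constructed for the example.

```python
import plistlib

SCRIPT_HOSTS = ("python", "bash", "sh", "osascript", "ruby")

# Constructed LaunchDaemon manifest for the example (not a real EmPyre artifact).
SAMPLE_DAEMON = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/usr/bin/python</string><string>/Users/Shared/.update.py</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

# Constructed com.apple.loginwindow preferences with a LoginHook set.
SAMPLE_LOGINWINDOW = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>LoginHook</key><string>/Users/Shared/.hook.sh</string>
</dict></plist>"""


def audit_launchd_manifest(data):
    """Summarise the traits of one launchd plist that matter for persistence review."""
    p = plistlib.loads(data)
    args = p.get("ProgramArguments") or ([p["Program"]] if "Program" in p else [])
    host = args[0].rsplit("/", 1)[-1] if args else ""
    return {
        "label": p.get("Label"),
        "command": " ".join(args),
        "runs_at_boot": bool(p.get("RunAtLoad", False)),      # launched at (re)boot
        "restarts_on_exit": bool(p.get("KeepAlive", False)),  # True or a non-empty dict: relaunched on exit
        "scripted": host in SCRIPT_HOSTS,                     # interpreter + script, not a signed binary
    }


def login_hook(data):
    """Return the LoginHook path from a com.apple.loginwindow plist, or None if unset."""
    return plistlib.loads(data).get("LoginHook")


def suspicious(report):
    """Flag a manifest that auto-starts, self-restarts and runs an interpreted script."""
    return report["runs_at_boot"] and report["restarts_on_exit"] and report["scripted"]
```

On a live system the same functions apply to the bytes of each file under /Library/LaunchDaemons and /Library/LaunchAgents and to the root user's com.apple.loginwindow.plist; crontab entries are plain text and can be reviewed with `crontab -l` per user.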
Persistence with Dylib Hijacking
× EmPyre implements @patrickwardle research to scan for hijackable Dylibs!
  × rpath search, weak library import search
× CreateHijacker module
  × allows for quick exploitation
  × ease of generating payload
  × patching in the path to the legitimate Dylib for proper execution
Questions?
@harmj0y / will [at] harmj0y.net
@424f424f / steveborosh [at] gmail.com
@killswitch_gui / a.rymdekoharvey [at] gmail.com