Hardening Your Macintosh
os x security, auditing, hardening, pen-testing, privacy & more...
updated 12.23.04


a little root-fu only makes you stronger


- penetration testing - exploits - rootkits - MAC spoofing - packet generation & injection - ppc shellcode - key logging - mac hacking sites -


pen-testing:

dsniff by Dug Song - dsniff is a collection of tools for network auditing and penetration testing. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data (passwords, e-mail, files, etc.). arpspoof, dnsspoof, and macof facilitate the interception of network traffic normally unavailable to an attacker (e.g., due to layer-2 switching).
monkey.org/~dugsong/dsniff - compiling and installing libpcap, libnet, libnids, dsniff, and snort on Mac OS X - osx dsniff installer package - local mirror

ettercap - Ettercap is a suite for man-in-the-middle attacks on a LAN. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many protocols (even ciphered ones) and includes many features for network and host analysis.
ettercap.sourceforge.net - ettercap forum. The new Ettercap NG 0.7.x is pretty darn cool, especially with the GTK interface. Install from source or via fink or darwinports.

Also check out the recently released script archive Enhancing Ettercap for Mac OS X (SSL!).

webstretch - a tool that enables a user to view and alter all aspects of communications with a web site via a proxy. Primarily used for security based penetration testing of web sites.
sourceforge.net/projects/webstretch/

Machilles by Braden - a proxy that allows editing of outgoing HTTP headers, for use in testing web applications. It also allows you to edit data sent in POST requests. Inspired by the Windows programs Achilles (and PenProxy).
machilles.dmg

Metasploit Framework - The Metasploit Framework is an advanced open-source platform for developing, testing, and using exploit code.
www.metasploit.com/projects/Framework/

Security Focus - Pen Testing section articles
www.securityfocus.com/pen-test/

Breaking In to Mac OS X -
http://cerebus.sandiego.edu/~jerry/blog/article.php?story=20040608094728877


exploits:

Mac OS X / Adobe Version Cue local root exploit POC by Jonathan Bringhurst - local

AppleFileServer Exploit by Priv8security.com - Remote root exploit for Mac OS X versions 10.3.3, 10.3.2, and 10.2.8 that makes use of the stack buffer overflow in the Apple Filing Protocol (AFP).
priv8afp.pl

AppleFileServer LoginExt PathName Buffer Overflow - Vulnerability Advisory - Exploit payload for the Metasploit Framework - Works on unpatched 10.3.3 systems; unknown on 10.3.1 & 10.3.2. Does not work on unpatched 10.2.8 systems.
afp_loginext

Remote Vulnerability in 4D WebSTAR Server Suite by B-r00t -
4DWS_ftp.c

Priv8 Directory Service local root exploit
priv8osx.sh

OS X 10.2.4 DirectoryService local root PATH exploit
osxds.c

Apple QuickTimePlayer 5.02/5.01 Exploit
applequicktimeexploit.c

Apple QuickTime 4.1.2 plug-in exploit
QT.4.1.2J-x.cpp

CGI-McPanic: script to crash MacOS X with concurrent calls to a CGI-Script
CGI-McPanic.sh

Shutdown Cups - This code produces a denial of service (DoS) because of a negative length in memcpy() calls.
shutdown_Cups.c

Insecure.org's Mac Exploit Section - pre '98 os 9.x exploits
www.insecure.org/sploits_mac.html


root kits:

nemo has released WeaponX, an OS X kernel extension rootkit that is roughly based on adore. It hides itself from kextstat, netstat, utmp and wtmp.
wX.tar.gz packetstorm mirror

Doss has released Togroot a beta kernel extension rootkit.

The first ever OS X Root Kit is released by gapple - Has a lot of standard tools included, adds a TCP backdoor via inetd, does data recon, and more. Also includes an older version of Opener
osxrk-0.2.1.tbz - local mirror

Opener (Renepo) "a startup script to turn on services and gather user info & hashes for Mac OS X". The so-called "Virus", "Trojan", "Malware" what bullshit! - Opener version 2.3.8
Threads at MU Forums: dev discuss


MAC spoofing:

Paul Day has a great writeup: Compiling a Mach/xnu kernel for MacOSX

JohnnyCache's kernel spoofing extension not working for wireless connections - kismac mailing list thread.

Johny Cache test 10.3.5 mac_kernel

Johny Cache has released a beta MAC spoofing kernel patch for the OSX/Darwin xnu kernel. It accomplishes this by rewriting MAC addresses on the fly in and out of the wire. It also forges pertinent ARP payloads and includes a patched ISC dhcp client that is aware of the shadowmac interface.
- packet storm mirror - freshmeat project home

MAC Spoofing on the Mac by Peter Bartoli - info on compiling a custom kernel with MAC spoofing capabilities
slagheap.net/etherspoof

MacOS X/Darwin ETHERSPOOF patches by Jeff Nathan - For building your own kernel with spoofing capabilities, the only way to MAC spoof under 10.3.x
cerberus.sourcefire.com/~jeff/security.html

MAC spoofing for Orinoco and other Prism 2 chipset wireless cards is available with newer versions of KisMac wireless packet sniffer only under Mac OS X 10.2.x. You must first install the Wireless Drivers from SourceForge and then install KisMac which will also install a small utility called WirelessMAC as part of the package. This utility will allow you to change the MAC address of your Orinoco card. For a little more information.

Mac OS X Kernel Compile Guide by BrutalInq - post at ettercap.org forums
compile guide

10.3.3 precompiled kernel by BrutalInq - "...here is my working Mac OS X 10.3.3 precompiled patched kernel as of April 10, 2004 3:59 PM. USE AT YOUR OWN RISK AND BACK UP YOUR WORKING KERNEL."
mach_kernel.brutalinq

kswap.sh by Jean-Pierre Mouilleseaux - Script to easily and safely swap kernel builds.
kswap.sh


packet generation & injection:

packit - Packit (Packet toolkit) is a network auditing tool. Its value is derived from its ability to customize, inject, monitor, and manipulate IP traffic. By allowing you to define (spoof) nearly all TCP, UDP, ICMP, IP, ARP, RARP, and Ethernet header options, Packit can be useful in testing firewalls, intrusion detection/prevention systems, port scanning, simulating network traffic, and general TCP/IP auditing. Packit is also an excellent tool for learning TCP/IP.
packit.sourceforge.net

nemesis by Jeff Nathan - Nemesis is a command-line network packet crafting and injection utility
nemesis.sourceforge.net

pdump - is a highly configurable packet sniffer and injector/creator written in Perl, that dumps, greps, monitors, creates, and modifies traffic on a network.
pdump.lucidx.com

gspoof - A GTK+ program written in C which makes it easier and more accurate to build and send TCP packets with or without a data payload. It's possible to modify TCP/IP fields and also the Ethernet header, working at the link level. You can send one or more packets together.
gspoof.sourceforge.net


ppc shellcode:

PowerPC / OS X (Darwin) Shellcode Assembly paper by B-r00t
packetstormsecurity.org/shellcode/PPC_OSX_Shellcode_Assembly.pdf

PPC Shellcode by Palante - This paper describes the process palante went through to write PPC shellcode for both LinuxPPC and BSD (darwin?). The only difference with the BSD version is that it uses system call 59 instead of 11 as execve().
ppc.shellcode.txt

PowerPC Stack Attacks - by Christopher Shepherd
Part 1 - Part 2 - Part 3

as2hex - A Simple tool to extract the hex shellcode from an ASM program that has been assembled but not linked.
as2hex.tgz

execve() of /bin/sh by palante
execve_binsh.c

execve /bin/sh by ghandi
Assembly execve_binsh.s, C Header execve_binsh.h

shellcode by B-r00t:

Add user r00t
osx-ppc-add_user.c

execve /bin/sh
osx-ppc-execve.c

add inetd backdoor
osx-ppc-inetd_backdoor.c

reboot
osx-ppc-reboot.c

setuid(0) + execve /bin/sh
osx-ppc-setuid_execve.c

create /tmp/suid
osx-ppc-tmpsh.c

simple write()
osx-ppc-write.c

execve /usr/X11R6/bin/xterm
osx-ppc-xterm.c


key logging:

FSB Software has released logKext v 1.2 a kernel extension keylogger. Version 1.1 contains a command-line client that allows communication with the daemon, as well as strong logfile encryption. source


proof of concept:

nvram decode - Decodes Open Firmware Passwords - why oh why is the OPFW password not hashed with better crypto?
nvram.cpp

Macfspwd by Nate Pierce - A utility to decrypt Apple OS 9.x filesharing passwords.
macfspwd2.c


mac hacking sites:

Freaks Macintosh Archive
freaky.staticusers.net

UndergroundMac
undergroundmac.com

Hacking the Mac
www.hackingthemac.com

UndergroundMac Forum
freaky.staticusers.net/ugboard/

The Shared Forums
undergroundmac.com/forums/

Nexus 9 - Programming group
nexus9.org

Digital Calamity - Programming group
http://www.digitalcalamity.com

Team Blank - Programming group
www.theblankpages.com

Team Handicap - Programming group
www.teamhandicap.com