Once upon a time we could hide a process from users:

lsappinfo setinfo -app BackgroundRootkitOfDoom ApplicationType=UIElement 1

I’m not sure when that got removed but it’s probably for the best. There were ways to hide everything, like users and groups (UID below 500 or insert an _ in front of the username), objects on the file system, etc. Then people abused what admins used for various workflows and much of that has since been removed. The lsappinfo binary is still pretty useful, though. The simplest incantation would be to just list what’s running:

lsappinfo list

The output has the bundleID and the bundle, the executable, pid and some other metadata.…
-
Disable Disk Image Verification On Mac
Sometimes you have to mount a whole lot of disk images (like a script that fires up 9,999 and proceeds to sing the bottles of beer on the wall song but instead transposes those lyrics with “disk images to verify”, and we can all understand how excruciating it would be to get down to 0) and just don’t want the Mac to verify each one. To disable that, send a skip-verify key with a value of true (so a Boolean) into com.apple.frameworks.diskimages as follows:

defaults write com.apple.frameworks.diskimages skip-verify -bool true

Of course, interacting with corrupt objects is bad if any corruption occurs, so run it again with a false to disable that…
-
Secure Keyboard Entry on macOS
The Secure Keyboard Entry option has been in Terminal going back almost a decade. Secure Keyboard Entry was added as EnableSecureEventInput way back in Mac OS X 10.3 and was developed to protect the more sensitive inputs people provided, so it was also made into a public API. It was meant to protect the more sensitive types of data, so if we had a login screen with a password field or something else, we’d protect those with it. The purpose was to lock down which other processes could use the GetKeys function (once used to write keystroke loggers), tap the IOHIDDeviceInterface and IOHIDOptionsTypeSeizeDevice processes, or tap any events that involved any HID system…
-
Disable Safari Extension Updates During Development
I’ve been experimenting with Safari Extensions for a while ( https://github.com/krypted/Word-Replacer-Safari-Extension ) and once we publish them we might need to continue to use an old version for testing. Extension updates can then be disabled by writing a boolean InstallExtensionUpdatesAutomatically key into the com.apple.Safari defaults domain and setting the option to false:

defaults write com.apple.Safari InstallExtensionUpdatesAutomatically -bool false

To remove the key and simply return to the default state:

defaults delete com.apple.Safari InstallExtensionUpdatesAutomatically
-
Export Objects from Keychain
Once upon a time, we could run a command like the following to dump all our keychain data:

security dump-keychain -d ~/Library/login.keychain > ~/Desktop/dump.txt

I go into more detail on those techniques in an article I did back in 2009, here: Now there are more keychains and the entitlements for the security binary to access this kind of information have changed. We can make some changes to the authorizationdb (as explored in https://krypted.com/utilities/authorizationdb-defaults-macos-10-14/) but I’ve yet to find a magic combination that allows me to script interactions with the keychain without a GUI pop-up (and one that blocks synthetic interaction). The data for each keychain is stored in an encrypted…
-
Reviewing TCC dialog prompts using logs on a Mac
I wrote this a while back on using the logging facilities in macOS to review and parse logs. The log command provides a number of options to see various events on a Mac. I was recently working on an app that was automatically denying a prompt to generate entitlements and thought I’d post how to find the logs for that. First, let’s find all prompts. We’ll do that using the com.apple.TCC subsystem as a predicate. In the below command we simply pipe the output to grep for Prompting:

/usr/bin/log show -style syslog --predicate 'subsystem == "com.apple.TCC"' --info --last 12h | grep Prompting

I’d much rather use “&& contains” in syslog because…
-
Macsysadmin 2020 Keynote Deck
I’ve decided that it would be awesome if anyone took any of my works and built on top of them. So I’m including the raw keynote deck and the pdf of the deck for my Macsysadmin talk this year. Please feel free to use the raw deck without attribution. No copyright or copyleft or any of that involved. <3
-
Disable Automatic Software Update Downloads
I was on the phone with someone yesterday who has a number of distributed Macs in offices with low bandwidth. So they need to control when updates are downloaded and installed, because they can fail or cause issues with other systems when they download automatically. This option is great for home use but can be challenging in larger environments. So it can be disabled with the following command, which creates an AutomaticDownload key in the com.apple.SoftwareUpdate defaults domain and sets it to FALSE:

sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticDownload -boolean FALSE

Once machines return to areas with better bandwidth or this isn’t a need it can then be re-enabled by using…
-
Tor and Scripting on macOS
Tor, short for The Onion Router, is a tool to anonymize your web traffic. Tor is simple to use and yet incredibly complicated under the hood. You install software, available at www.torproject.org, or a browser extension. Tor routes your data through a bunch of nodes. Each of those computers or routers is only aware of the node in front of or behind it in the communication route and encrypts what it sends on to the next node. Since each step is encrypted, these layers of encryption can be considered like a network with layers like an onion. So if each step is partially encrypted, a compromise of any device in the route will still…
-
My Metasploit Cheat Sheet
I’ve been using metasploit for a long time, but it’s not something I use daily. So I started a notes doc on it a long time ago. Here’s that doc. <3

The setup (dependencies install mostly via homebrew for Mac, or use whatever other dependency/package manager for others). Install homebrew if needed:

ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"

Then install the dependencies (brew install takes space-separated package names) and clone the framework:

brew install libxml2 nmap ruby21
brew install postgresql --without-ossp-uuid
git clone https://github.com/rapid7/metasploit-framework.git /usr/local/share/metasploit-framework

To launch the Metasploit console:

./msfconsole

To update:

msfupdate

From within the console, use the show verb to see a list of all Encoders, NOP Generators, Exploits, and Payloads:

show

To just show payloads:

show payloads

Set your exploit (from the list…