
July 27th, 2016 by Oleg Afonin
Category: «Cryptography», «Elcomsoft News», «General», «Security»

In the world of Windows dominance, Apple’s Mac OS X enjoys a healthy market share of 9.5% among desktop operating systems. The adoption of Apple’s desktop OS (macOS seems to be the new name) is steadily growing. This is why we are targeting Mac OS with our tools.

This time, let’s talk about Mac OS X user account passwords. Not only does a user password grant access to the Mac, it also decrypts FileVault 2 volumes that are otherwise securely encrypted with virtually unbreakable XTS-AES.

Attacking FileVault 2

FileVault 2 is Apple’s take on whole-disk encryption. Protecting the entire startup partition, FileVault 2 volumes can be unlocked with either of the following:

  • 256-bit XTS-AES key
  • Recovery Key
  • User password from any account with “unlock” privileges

There is also an additional unlock method available called Institutional Recovery Key. These recovery keys are created when system administrators enable FileVault 2 encryption with FileVaultMaster.keychain. This method requires additional steps to activate, and is typically used in organizations with centralized keychain management.

256-bit XTS-AES Key

Location: RAM (only while the encrypted volume is mounted)

The 256-bit XTS-AES key is the actual encryption key that is used by the system to encrypt and decrypt data. This is a binary key. Once the FileVault 2 volume is unlocked, the XTS-AES key is stored in the computer’s RAM.

In order to recover these keys, one would need to dump the content of the computer’s RAM into a file. Note that it is no longer possible to run a FireWire attack on locked or sleeping Macs due to Mac OS X security restrictions, so the RAM capturing tool must be executed on a running computer with the FileVault 2 container unlocked and a user logged in.

Recovery Key

Location: printed notes, Apple cloud

Extraction: search, cloud acquisition (coming to Elcomsoft Phone Breaker 6.0), request from Apple

Similar to BitLocker, FileVault 2 employs Recovery Keys to enable users to unlock their encrypted volumes if the disk is moved to a different device or if no user account with ‘unlock’ privileges is present in the system. Once FileVault 2 is enabled, the system creates and displays a recovery key. According to http://eprint.iacr.org/2012/374.pdf, the recovery key contains 120 bits (we didn’t check) that are encoded with letters and the digits 1 through 9, and formatted to look like this:

XDFG-EE8G-KF89-S0FS-9F7Y-XFH8

The user has an option to store the key with Apple. If the user agrees, the recovery key gets stored in the iCloud account associated with the user’s Apple ID (which is required to use the service).

While brute-forcing a 120-bit key seems easier than attempting to brute-force a 256-bit key, the security of a 120-bit key is still enough to make the attack unfeasible. This key is only useful if you can obtain it by searching the premises, downloading from the user’s iCloud account or requesting from Apple (if you have a warrant).

Extracting FileVault 2 Keys from iCloud

It is possible to extract a backup FileVault 2 key from the user’s iCloud account. The backup key can be extracted, processed and converted into a binary 256-bit XTS-AES key that can be used to decrypt the volume.

We are currently finalizing development of a tool for extracting and using FileVault 2 recovery keys to mount FileVault 2 volumes. In order to extract the key, you’ll be able to use Elcomsoft Phone Breaker 6.0 (scheduled for release next month). Once the tool is released, you’ll need to perform the following steps:

  1. Launch Elcomsoft Phone Breaker and choose iCloud. Select “Decrypt FileVault image”.
  2. Specify path to the forensic image of the encrypted volume. Elcomsoft Phone Breaker accepts raw disk images (.dd), EnCase image files (.e01), and Apple Disk Images (.dmg).
  3. If the image contains several encrypted partitions, choose the one you would like to mount (you may see more than one FileVault 2 volume if several OS X installations are present).
  4. Elcomsoft Phone Breaker displays Apple ID that has the Recovery Key stored in its iCloud account.
  5. Provide authentication credentials (Apple ID password or authentication token extracted from the user’s computer).
  6. Elcomsoft Phone Breaker obtains the recovery key and decrypts the encrypted partition.

As a result, you will get an image of the decrypted partition in a raw (.dd) format.

Then you can use the “hdiutil” tool (OS X) or FTK Imager (Windows) to mount the partition and explore the data.

FileVault 2 Passwords

Location: hashed, /var/db/shadow/hash/<GUID>

Extraction (hash): cat /var/db/shadow/hash/<GUID> | cut -c169-216

Recovery (original password): Elcomsoft Distributed Password Recovery

When setting up a FileVault 2 volume, you may be prompted to enable other user accounts to unlock the encrypted volume.

If this is the case, each user must type their password before they will be able to unlock the disk. In order for other users to be able to unlock FileVault 2, one has to click Enable User and enter the user’s password while setting up encryption (or any time after). If new user accounts are added after FileVault 2 encryption is turned on, they are automatically assigned the correct access rights.

Understanding this scheme is very important from the forensic perspective. If there is more than one user on the computer, you’ll have a much greater chance of recovering at least one of these passwords. This is especially true if the computer was used in a household with kids who tend to use much simpler passwords.

In order to unlock an encrypted volume, you will need to use the original plain-text password. Passwords cannot be extracted from a Mac OS X computer; you can only extract password hashes. In order to recover the original plain-text password, you will have to run an attack using a specialized tool such as Elcomsoft Distributed Password Recovery.
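The following is an added example, not code from the original post or from Elcomsoft, that shows what the “cut -c169-216” command above actually isolates and why an extracted hash can then be tested against candidate passwords. It assumes the legacy Mac OS X shadow-hash layout, in which characters 169 through 216 of the record hold a 48-hex-character salted SHA-1 field (8 hex characters of salt followed by SHA-1 of salt || password); the record, the salt, the password and the wordlist are all constructed here for illustration, and the record length is arbitrary rather than the real file size.

```python
import hashlib

# Everything below is a constructed illustration of the hash slice that the
# `cut -c169-216` command extracts. Assumption: the record follows the legacy
# Mac OS X shadow-hash layout, where characters 169-216 (1-indexed) hold a
# 48-hex-character salted SHA-1 field: 8 hex chars of salt followed by
# 40 hex chars of SHA-1(salt || password). All other positions are zero-filled.

RECORD_LENGTH = 1024                # arbitrary constructed length, not the real file size
FIELD_START, FIELD_END = 169, 216   # 1-indexed, inclusive, as in `cut -c169-216`


def salted_sha1_field(password: str, salt: bytes) -> str:
    """Build the 48-hex-character field for a password and a 4-byte salt."""
    if len(salt) != 4:
        raise ValueError("salt must be exactly 4 bytes")
    digest = hashlib.sha1(salt + password.encode("utf-8")).hexdigest()
    return (salt.hex() + digest).upper()


def build_sample_record(password: str, salt: bytes) -> str:
    """Constructed shadow-hash record: zero padding, the salted SHA-1 field, zero padding."""
    field = salted_sha1_field(password, salt)
    head = "0" * (FIELD_START - 1)
    tail = "0" * (RECORD_LENGTH - FIELD_END)
    return head + field + tail


def extract_salted_sha1(record: str) -> str:
    """Python equivalent of `cut -c169-216` (1-indexed, inclusive range)."""
    return record[FIELD_START - 1:FIELD_END]


def split_field(field: str):
    """Split the 48-hex-char field into its 4-byte salt and 20-byte SHA-1 digest."""
    if len(field) != 48:
        raise ValueError("expected 48 hex characters, got %d" % len(field))
    return bytes.fromhex(field[:8]), bytes.fromhex(field[8:])


def audit_against_wordlist(field: str, wordlist):
    """Return the first candidate whose salted SHA-1 matches the field, else None.

    This is the check a password-strength audit performs: the salt is public
    (it sits inside the hash field itself), so the cost per candidate is a
    single SHA-1, which is why fast, unstretched hashes are cheap to test."""
    salt, digest = split_field(field)
    for candidate in wordlist:
        if hashlib.sha1(salt + candidate.encode("utf-8")).digest() == digest:
            return candidate
    return None


if __name__ == "__main__":
    # Constructed sample: account password "letmein", salt 01 02 03 04.
    record = build_sample_record("letmein", b"\x01\x02\x03\x04")
    field = extract_salted_sha1(record)
    print("extracted field:", field)
    print("weak-list hit:", audit_against_wordlist(field, ["password", "letmein", "qwerty"]))
```

The audit function is the defender’s view of the same operation the post describes: if an account’s hash matches anything in a short list of common passwords, that account is the weak link for the whole encrypted volume, which is exactly why the multi-user unlock scheme above matters.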

With a recent update, Elcomsoft Distributed Password Recovery gained the ability to attack passwords protecting disk volumes encrypted with FileVault 2 (in addition to user account passwords).

Elcomsoft Distributed Password Recovery uses GPU acceleration techniques, making the recovery 20 to 50 times faster compared to a CPU alone. You can choose between dictionary attacks with various mutations and GPU-accelerated brute force. Since attacking a password can be a lengthy business, Elcomsoft Distributed Password Recovery can utilize multiple computers to attack passwords simultaneously.

Elcomsoft Distributed Password Recovery can recover passwords for popular disk encryption containers. In order to attack a FileVault 2 password with Elcomsoft Distributed Password Recovery, perform the following steps.

Preparing the Attack

  1. Make an image of the hard drive (physical device) or an image of the encrypted partition and save it into a file. The following formats can be used: Raw disk image (.dd), EnCase image file (.e01), Apple Disk Image (.dmg).
  2. Run EDPR Disk Encryption Info (EDEI) utility located in Start Menu -> Elcomsoft Password Recovery -> Tools.
  3. Specify the path to the disk image you created in Step 1.
  4. If more than one encrypted partition is available, specify the volume to attack.
  5. EDEI will extract the necessary information about the encrypted volume.
  6. Save the .esprf file created by EDEI.

Running the Attack

  1. Launch Elcomsoft Distributed Password Recovery.
  2. Open the .esprf file that was saved by EDEI.
  3. If several Mac OS accounts appear, choose the account to attack.
  4. Configure the attack (dictionary, mutations, brute force).
  5. Run the attack.
  6. Once the password is discovered, you can use it to unlock the Mac that contains the encrypted volume.

Mounting the Volume

After recovering the password to any user account with “Unlock” privileges, you can do the following to mount the encrypted container.

Option 1: [OS X ] In Mac OS X, use Disk Utility to mount the disk volume (Applications -> Disk Utility -> File -> Open Disk Image -> select the image and click Open). Enter the recovered password when prompted.

Option 2: [OS X ] You can also use Terminal to mount the encrypted image. Launch Terminal and use the following command line to mount the disk image:

hdiutil mount <image>.dd

You can also mount a .dmg image with the following command line:

hdiutil mount /<image>.dmg

More information on FileVault 2: https://support.apple.com/en-us/HT204837


Tuesday, May 3, 2016 by Jennifer Duits

There has been a long-standing rumor that Macs are immune to viruses, and now someone has proven that Macs can be infected. The word is out in CNET’s article: “Apple users beware: First live ransomware targeting Macs found ‘in the wild’”. What does this mean for Apple users? Has something changed within Mac OS X, and do they need to do anything differently?

Rumors

To answer these questions, let’s start by exploring the rumor that Macs are immune. This rumor has been around for a long time. I believe it was five years ago when my father told me that a sales person at a big box retailer told him this “fact.” At that time I knew it wasn’t exactly true and I did a little digging into why, and now I am re-exploring the same issue. Five years ago, How-To Geek published an article: Online Safety: Who Says Macs Don’t Get Viruses? In this article they cite three possible reasons why Mac OS X is less prone to viruses:

  1. Market share – In 2011, Windows users greatly outnumbered Mac users as illustrated in this very interesting chart from How-to Geek www.howtogeek.com/76628/online-safety-who-says-macs-dont-get-viruses/
  2. Time and effort – Since there were more PCs on the market in 2011, more was known about them and an attacker needed less research. “Security by minority,” according to How-To Geek.
  3. Short list of viruses – In this article, they state that in 2008 there were fewer than 200 pieces of malware targeting Apple. I will note that their source for this information is no longer available, so take this number with a grain of salt.

Ransomware Attack

As we have seen from recent news, number three above may not hold true for much longer. The list of viruses targeting Macs is starting to grow. One such virus is a type called ransomware. If you are unfamiliar with what ransomware does: it infects your computer and locks all of your files, then sends you to a screen stating that if you want to access your computer again you will need to pay a certain amount of money. The attackers also typically set a short deadline (before they erase your files) to increase the pressure to pay. The payment is hard to trace, as they use currencies like Bitcoin to collect the ransom. If you are infected, there is not much you can do. There are now sites combating ransomware that publish lists of codes which have been released to unlock files held hostage. If one of the published codes works, you are in luck; if not, you may have to pay or forgo your files.

Why Mac OS X and Why Now?

It was always a question of “when” and not “if” when it came to Macs becoming a target of viruses. Tech professionals have been saying for years that they knew it was possible, but it was a matter of when someone of a questionable nature was going to invest the time and resources to execute it. Basically, someone took on the challenge of creating ransomware that works on Mac OS X and succeeded. Nothing has changed within the OS, and it is nothing that Apple did. So what does this mean going forward?

Safety tips

If you own a Mac and are concerned, there are some tips (adapted from Dan Kusnetzky at Virtualization Review) to help keep your data safe.

Awareness

Understand that you are vulnerable. You are already part of the way to making your Mac safe by reading this article. You have now read that there is a possibility that your Mac could become infected with a virus and you need to act upon this awareness.

Anti-virus software

Own it and keep it updated. It’s not 100% protection, but it will keep a lot of the pesky viruses at bay.

Proceed with caution

Watch the sites you visit and the files you open. Sites that offer freeware or free games may have something nasty hanging onto that program. Only visit sites you know to be safe and do not download anything that you don’t know is 100% safe. I know this is sometimes difficult when you are surfing to gain knowledge on something and are following a never-ending list of links, or when you are on social media and something piques your interest. Social media is kind of nice because you can check the comments to make sure others have accessed the site without issue. As for files emailed to you, make sure they are legitimate. If the file name has an unexpected extension or strange characters, do not open it.

Is Apple any less safe than before? Not really. Macs have always been at risk; it’s just that someone has recently targeted them. The number of viruses written for Mac OS X is still low. The big issue is that if you think you are invincible, someone will challenge you on it.
