domingo, 28 de junio de 2015

Pac4Mac (Plug And Check para Mac OS X)

Esta entrada no es mas que un aporte que hicie en le foro de Undercode y me gustaría compartir contigo ya que he hablado muchas veces de como hacer Forenses en Linux y en Windows pero nunca he tocado Mac OS X. 

Pac4Mac es una herramienta para extraer y analizar información de un MAC OS X (vamos para hacerle un forense en condiciones) Ademas, esta bajo una Apache License 2.0.




Os dejo con las features de Pac4Mac :

• Developed in Python 2.x (natively supported) 
• Framework usage
• Support of OS X 10.6, 10.7, 10.8 and 10.9 (not tested)

Data extraction through:

• User or Root access
• Single Mode access
• Target Mode access (Storage media by Firewire or Thunderbolt)

It use 3 dumping modes : Quick, Forensics, Advanced: 

• Dumping Users / User Admin

• Dumping Mac's Identity (os version, owner)

• Dumping Miscellaneous files (Address book, Trash, Bash history, stickies, LSQuarantine, AddressBook, Safari Webpage Preview, Office Auto Recovery, WiFI access history, …)
• Dumping content of current Keychain (security cmd + securityd process)
• Dumping Users Keychains

• Dumping System Keychains

• Dumping password Hashes

• Live Cracking hashes password
s
• Dumping Browser Cookies (Safari, Chrome, Firefox, Opera)

• Dumping Browser Places (Safari, Chrome, Firefox, Opera)

• Dumping Browser Downloads history (Safari, Chrome, Firefox, Opera)

• Dumping printed files

• Dumping iOS files backups

• Dumping Calendar and Reminders / Displaying secrets
• Dumping Skype messages / Displaying secrets on demand
• Dumping iChat, Messages(.app), Adium messages
• Dumping Emails content (only text)

• Dumping Emails content of all or special Mail Boxes
• Adding root user
• Dumping RAM
• Cloning local Disk
• Dumping system logs, install, audit, firewall

DMA access features (exploitation of Firewire and Thunderbolt interfaces)

• Unlock or bypass in writring into RAM
• Dumping RAM content
• Exploit extracted data (see Analysis module)

Analysis module in order to easily exploit extracted data by one of dumping modes

• Exploit Browser History
 x 4 (Displaying recordings, Local copy for usurpation)
• Exploit Browser Cookies
 x 4 (Displaying recordings, Local copy for usurpation)
• Display Browser Downloads
 x 4 (Displaying recordings)
• Exploit Skype Messages
 (Displaying/Recording all recorded messages, with secret information or containing a special keyword)
• Exploit iChat, Messages(.app), Adium messages (in the next version)
• Exploit Calendar Cache
 (Display/Recording all recorded entries, with secret information or containing a special keyword)
• Exploit Email Messages (Displaying/Recording all recorded messages, with secret information or containing a special keyword / )
• Exploit RAM memory Dump
 (Searching Apple system/applications/Web Passwords)
• Exploit Keychains
 (Display content Keychain
, Crack Keychain files)
• Crack Hashes passwords

• Exploit iOS files
 (Accessing to iPhone without passcode, reading secrets through iTunes backups)
• Display Stickies Widgets

• Display Printed Documents
• Display prospective passwords 
(displaying all found passwords during dump and analysis phases)

Etc. 

Más Información: 




Código fuente: 




Y un pequeño regalo para los que hayáis llegado a leer todo el post, aqui teneis todos los TIPS que se han utilizado para extraer y analizar la información para esta herramienta: 


No hay comentarios:

Publicar un comentario