# MacOS

## Intro/links/basics

* [A basic intro](http://www.macforbeginners.com/osx-guide/mac-os-x-introduction/)
* [Security & Privacy Guide](https://github.com/drduh/macOS-Security-and-Privacy-Guide)
* [Awesome commands](https://github.com/herrbischoff/awesome-osx-command-line), e.g. defaulting TextEdit to plain text
* [launchd.info](http://www.launchd.info/) “A launchd Tutorial”

## Apple Documentation

* [Security updates list](https://support.apple.com/en-gb/HT201222)
* [WWDC Privacy and Security sessions](https://developer.apple.com/videos/frameworks/privacy-and-security) (Videos)

## General

### iCloud

* Adding `.nosync` to the end of a folder in iCloud Drive stops it being synced (via [@jimconacher](https://twitter.com/jimconacher)).

### .zshprofile

macOS Catalina and later ship with `zsh` as [the default shell](https://support.apple.com/en-us/HT208050).

* [Moving to Zsh](https://scriptingosx.com/2019/06/moving-to-zsh/) - [Armin Briegel](https://twitter.com/titanonearth)

### .hushlogin

Add a `.hushlogin` file to the directory your terminal starts in (normally your home directory) to suppress the `Last login:` message at the top of your terminal.

```
touch .hushlogin
```

### Lock Screen

#### Change Key Combo

Go to `System Preferences` > `Keyboard` > `Shortcuts` > `App Shortcuts`

Click `+` to add a new one called `Lock Screen` and set the key combo (e.g. `⌥⌘+L`)

#### Stop Wifi Dropping on Screen Lock

```
cd /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/
sudo ./airport en0 prefs DisconnectOnLogout=NO
```

### Disk Images

* [Understanding DMG Files](https://www.blackbagtech.com/blog/2011/04/15/understanding-dmg-files-part-1-of-3/)
* [Sparse Bundles Defined](http://www.thexlab.com/faqs/sparsebundledefined.html)

### Random

* [How to Fix Slow SMB File Transfers on OS X](https://dpron.com/os-x-10-11-5-slow-smb/) - [Dan Roncadin](https://twitter.com/dpron)

## Homebrew

[Homebrew](https://brew.sh/) (`brew`) is a package manager for macOS akin to the [Advanced Package Tool](https://wiki.debian.org/Apt) (`apt`) on Debian and Ubuntu.

### Taps

[Taps](https://docs.brew.sh/Taps) are third party repositories for homebrew.

* [sidaf/homebrew-pentest](https://github.com/sidaf/homebrew-pentest) “penetration testing related tools”

#### Example

If you run `brew tap sidaf/homebrew-pentest` you'll be able to install any formulas from the `sidaf/homebrew-pentest` repository via `brew install`. `brew install panoptic` will search the default Homebrew repository then any tapped repositories for a formula with the name `panoptic`.

### Python

As of Homebrew [1.5.0](https://brew.sh/2018/01/19/homebrew-1.5.0/) `brew install python` installs `python3.x` **not** `python2.7.x`. This was not [PEP 394](https://www.python.org/dev/peps/pep-0394/) compliant as running `python` would execute the `python3.x` binary which violates “all distributions should ensure that `python` refers to the same target as `python2`”.

This was fixed in [1.6.0](https://brew.sh/2018/04/09/homebrew-1.6.0/). `brew install python` still installs `python3.x` but will not symlink `python` to the `python3.x` binary. Running `python` will execute the system `python2.7.x` binary and running `python3` will execute the brew `python3.x` binary.

See [Homebrew and Python](https://docs.brew.sh/Homebrew-and-Python) for more info.

### Upgrading Packages

By default Homebrew **does not** automatically update itself or installed packages. To manually update Homebrew and upgrade all installed packages run:

1. `brew update` (Update the formulae and Homebrew itself)
2. `brew upgrade` (Upgrade all packages installed by Homebrew)

By default, Homebrew **does not** uninstall old versions of formulae. From time to time you'll want to run `brew cleanup` to remove old versions of formulae.
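The three-step routine above (update the index, upgrade, clean up) as one maintenance function, added here as an example and not taken from the wiki or the Homebrew project. It assumes `brew` is on `PATH`; on a machine without Homebrew it returns 127 rather than silently doing nothing, and it only runs `brew upgrade` when `brew outdated` actually lists something.

```shell
#!/bin/sh
# Added example: Homebrew maintenance routine (not from the wiki page).
# Assumes `brew` is installed and on PATH.

brew_maintain() {
    if ! command -v brew >/dev/null 2>&1; then
        echo "brew_maintain: brew not found on PATH" >&2
        return 127
    fi

    echo "==> Updating Homebrew itself and the formulae index"
    brew update || return $?

    echo "==> Checking for outdated packages"
    outdated=$(brew outdated)
    if [ -z "$outdated" ]; then
        echo "(nothing to upgrade)"
    else
        printf '%s\n' "$outdated"
        echo "==> Upgrading all outdated packages"
        brew upgrade || return $?
    fi

    echo "==> Removing old versions and stale downloads"
    brew cleanup || return $?
}

# Usage: sh brew-maintain.sh run
# The explicit argument keeps the function from running when this file is
# sourced or concatenated with a test harness.
if [ "${1:-}" = "run" ]; then
    brew_maintain
fi
```

Run it as `sh brew-maintain.sh run` whenever you want to bring Homebrew and its packages up to date; every `brew` failure propagates as the function's return code so you can chain it in other scripts.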

See [FAQ](https://docs.brew.sh/FAQ) for more info.

## Virtualisation

### VMWare Fusion

We get [VMWare Fusion](https://www.vmware.com/products/fusion.html) free from [VMWare DreamSpark](https://vmapss.onthehub.com/WebStore/Welcome.aspx). Used by most mac wankers on the course. Would recommend over all other virtualisation programs for Mac.

Currently [does not work with M1 Macs](https://blogs.vmware.com/teamfusion/2021/04/fusion-on-apple-silicon-progress-update.html).

### Parallels

[Parallels](https://www.parallels.com/uk/products/desktop/)

## Apps

### General

* [Amphetamine](https://github.com/x74353/Amphetamine) ([App Store](https://itunes.apple.com/gb/app/amphetamine/id937984704)) - This app keeps your Mac awake for a set period of time, whilst an app is running, and much more.
* [The Unarchiver](https://theunarchiver.com/) ([App Store](https://itunes.apple.com/us/app/the-unarchiver/id425424353?mt=12)) Open any archive in seconds
* [Rocket](https://matthewpalmer.net/rocket/) Slack-style emoji picker for your Mac
* [Texpad](https://www.texpad.com/osx) Native Mac OS app with efficient LaTeX environment
* [DiskMaker X](http://diskmakerx.com/) Build an OS X boot disk
* [BitBar](https://getbitbar.com/) Put anything in your menu bar
* [DiscreteScroll](https://github.com/emreyolcu/discrete-scroll/releases) Stop the annoying mouse acceleration when scrolling in macOS

### Programming

For general information see [Programming](https://wiki.hacksoc.co.uk/help-guides/programming-scripting/tools). This section lists macOS specific tools.

* [Xcode](https://developer.apple.com/xcode/) ([App Store](https://itunes.apple.com/us/app/xcode/id497799835)) Apple's own IDE. Best for [C](https://wiki.hacksoc.co.uk/help-guides/programming-scripting/c-coding), C++ and Objective-C.
* [Quiver](http://happenapps.com/#quiver) ([App Store](https://itunes.apple.com/app/quiver-programmers-notebook/id866773894)) notebook built for programmers
* [Dash](https://kapeli.com/dash) offline access to 200+ API documentation sets

### Security/ Privacy

* [1Password](https://1password.com/) ([App Store](https://itunes.apple.com/us/app/1password/id443987910)) Apple device focused password manager
* [Little Snitch](https://www.obdev.at/products/littlesnitch/index.html) Application firewall
* [GPGTools/ GPG Suite](https://gpgtools.org/) “Use GPG Suite to encrypt, decrypt, sign and verify files or messages”
* [Privileges.app](https://github.com/SAP/macOS-enterprise-privileges) “providing a quick and easy way to get administrator rights when needed”

#### Objective-See

[Objective-See](https://objective-see.com/index.html) was created by [Patrick Wardle](https://twitter.com/patrickwardle) to provide simple, effective and free macOS security tools. Some of his most useful tools are listed below.

* [BlockBlock](https://objective-see.com/products/blockblock.html) (*Beta*) Alerts when something is persistently installed
* [OverSight](https://objective-see.com/products/oversight.html) Monitors and alerts on mic and webcam access
* [LuLu](https://objective-see.com/products/lulu.html) Open-source application firewall
* [What's Your Sign?](https://objective-see.com/products/whatsyoursign.html) Adds a menu item to Finder.app to view the cryptographic signature of files

### Touch Bar

* [HapticKey](https://github.com/niw/HapticKey) “trigger haptic feedback when tapping Touch Bar”

## Research

* [Papers, Slides and Thesis Archive](https://papers.put.as/macosx/macosx/) - [osxreverser](https://twitter.com/osxreverser)
* [osx-security-awesome](https://github.com/kai5263499/osx-security-awesome) “collection of OSX and iOS security resources”
* [mac-white-papers](https://github.com/0xmachos/mac-white-papers) "Every OS X/ macOS white paper"

### Blogs

* [The Eclectic Light Company](https://eclecticlight.co/category/macs/) - [Howard Oakley](https://twitter.com/howardnoakley) (Security, General)
* [mac4n6](https://www.mac4n6.com/) - [Sarah Edwards](https://twitter.com/iamevltwin) (Forensics)
* [Objective-See](https://objective-see.com/blog.html) - [Patrick Wardle](https://twitter.com/patrickwardle) (Security)
* [derflounder](https://derflounder.wordpress.com/) - [Rich Trouton](https://twitter.com/rtrouton) (General, Security)
* [theevilbit](https://theevilbit.github.io/posts/) - [Csaba Fitzl](https://twitter.com/theevilbit) (Security)

### Talks

#### Older

* [Thunderstrike: EFI bootkits for Apple MacBooks](https://media.ccc.de/v/31c3_-_6128_-_en_-_saal_1_-_201412291830_-_thunderstrike_efi_bootkits_for_apple_macbooks_-_trammell_hudson) - [Trammell Hudson](https://twitter.com/qrs) [Annotated Slides](https://trmm.net/Thunderstrike_31c3) (31c3)
* [De Mysteriis Dom Jobsivs: Mac EFI Rootkits](https://www.youtube.com/watch?v=W21ZIaKf5HA) - [snare](https://twitter.com/snare) [Slides](https://media.blackhat.com/bh-us-12/Briefings/Loukas_K/BH_US_12_LoukasK_De_Mysteriis_Dom_Jobsivs_Slides.pdf) (Black Hat 2012)

#### 2015

* [Stick That In Your (root)Pipe & Smoke It](https://vimeo.com/147887652) - [Patrick Wardle](https://twitter.com/patrickwardle) (Ekoparty 2015)
* [ThunderStrike 2: Sith Strike](https://www.youtube.com/watch?v=xxl5xOQxXOk) - [Xeno Kovah](https://twitter.com/XenoKovah) [Slides](http://www.legbacore.com/Research_files/TS2-HITB_GSEC.pdf) (HITBGSEC 2015)
* [ThunderStrike 2: Sith Strike](https://www.youtube.com/watch?v=CtEdfMP6rJo) - [Trammell Hudson](https://twitter.com/qrs), [Xeno Kovah](https://twitter.com/XenoKovah) & [Corey Kallenberg](https://twitter.com/coreykal) [Annotated Slides](https://trmm.net/Thunderstrike2_details) (Black Hat 2015)
* [DLL Hijacking on OS X](https://www.youtube.com/watch?v=PGVNja2MNws) - [Patrick Wardle](https://twitter.com/patrickwardle) [Slides](https://s3.amazonaws.com/s3.synack.com/canSecW.pdf) (DEFCON 23)

#### 2016

* [The Apple Sandbox: Deeper Into The Quagmire](https://www.youtube.com/watch?v=mG715HcDgO8) - [Jonathan Levin](https://twitter.com/Morpheus______) [Slides](http://newosxbook.com/files/HITSB.pdf) (HITBGSEC 2016)
* [I've got 99 Problems, but LittleSnitch ain't one](https://www.youtube.com/watch?v=sRcHt-sxcPI) - [Patrick Wardle](https://twitter.com/patrickwardle) [Slides](https://speakerd.s3.amazonaws.com/presentations/881b7cc511b34f73a6009d4c4e3ac2ad/DefCon_2016.pdf) (DEFCON 24)
* [Thunderstrike 2](https://www.youtube.com/watch?v=B3vQCaak1EI) - [Trammell Hudson](https://twitter.com/qrs) (CITP Princeton)

#### 2017

* [The Apple of your EFI](https://www.youtube.com/watch?v=VT7WwAyOCXI) - [Rich Smith](http://twitter.com/iodboi) and [Pepijn Bruienne](https://twitter.com/bruienne) (Ekoparty 2017)
* [Oversight: Exposing Spies On MacOS](https://www.youtube.com/watch?v=xsDGozG5t9A) - [Patrick Wardle](https://twitter.com/patrickwardle) (HITBAMS 2017)

#### 2018

* [A Deep Dive into macOS MDM](https://www.youtube.com/watch?v=ku8jZe-MHUU) - [Jesse Endahl](https://twitter.com/jesseendahl) & [Max Bélanger](https://twitter.com/maxbelanger) [Slides](https://www.dropbox.com/s/8gcuckiwfcmjsr5/us-18-Endahl-A-Deep-Dive-Into-macOS-MDM-And-How-It-Can-Be-Compromised.pdf) (Black Hat 2018)
* [Fire & Ice: Making and Breaking macOS Firewalls](https://www.youtube.com/watch?v=UANF2FQctDg) - [Patrick Wardle](https://twitter.com/patrickwardle) [Slides](https://speakerdeck.com/patrickwardle/fire-and-ice-making-and-breaking-macos-firewalls) (Black Hat 2018)
* [The Mouse is Mightier than the Sword](https://www.youtube.com/watch?v=gLrB7enpbiw) - [Patrick Wardle](https://twitter.com/patrickwardle) [Slides](https://media.defcon.org/DEF%20CON%2026/DEF%20CON%2026%20presentations/Patrick%20Wardle/DEFCON-26-Patrick-Wardle-The-Mouse-Is-Mightier-Synthetic0Reality.pdf) (DEFCON 26)

### Slides

* [The Apple Sandbox](https://media.blackhat.com/bh-dc-11/Blazakis/BlackHat_DC_2011_Blazakis_Apple%20Sandbox-Slides.pdf) - Dionysus Blazakis (No video)
* [OS X El Capitan sinking the S\H/IP](https://papers.put.as/papers/macosx/2016/syscan360stefanesserosxelcapitansinkingtheship.pdf) - [Stefan Esser](https://twitter.com/i0n1c) (No video)
* [Code Signing – Hashed Out](http://www.newosxbook.com/articles/CodeSigning.pdf) - [Jonathan Levin](https://twitter.com/Morpheus______) (No video)

### Articles

* [The Evolution of Mac OS X Security and Privacy Features](https://www.intego.com/mac-security-blog/mac-os-x-security-features-timeline/) - Joshua Long (Intego Mac Security Blog)
* [Booting Secure](https://michaellynn.github.io/2018/07/27/booting-secure/) - [Michael Lynn](https://twitter.com/mikeymikey) On Mac Secure Boot
* [Apple iMac Pro and Secure Storage](https://duo.com/blog/apple-imac-pro-and-secure-storage) - Pepijn Bruienne (Duo Blog)
* [Bypass macOS rootless by sandboxing](https://medium.com/0xcc/bypass-macos-rootless-by-sandboxing-5e24cca744be) - [CodeColorist](https://twitter.com/CodeColorist)
* [Creating signed and customized backdoored macOS applications](https://medium.com/@adam.toscher/creating-signed-and-customized-backdoored-macos-applications-by-abusing-apple-developer-tools-b4cbf1a98187) - [Adam Toscher](https://twitter.com/W00Tock)
* [Leveraging Emond on macOS For Persistence](https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124) - [Christopher Ross](https://twitter.com/xorrior) (SpecterOps)
* [macOS 10.13.1 insecure cron system](https://m4.rkw.io/blog/macos-high-sierra-10131-insecure-cron-system.html) - Mark Wadham
* [Load & Execute Bundles with migrationTool](https://posts.specterops.io/load-execute-bundles-with-migrationtool-f952e276e1a6?gi=8d4811ed1eb0) - [Christopher Ross](https://twitter.com/xorrior) (SpecterOps)
* [MacOS monitoring the open source way](https://blogs.dropbox.com/tech/2018/04/4696/) - Michael George (Dropbox Blog)
* [Little Snitch Detection in Malware](https://bitrot.sh/post/24-12-2017-little-snitch/) - [bitsrot](https://twitter.com/bitsrot)
* [A useless analysis of macOS (OS X) release dates](https://robservatory.com/a-useless-analysis-of-os-x-release-dates/) - [Rob Griffiths](https://twitter.com/rgriff)
* [Encrypting for Apple's Secure Enclave](https://darthnull.org/security/2018/05/31/secure-enclave-ecies/) - [David Schuetz](https://twitter.com/darthnull)
* [The Empire Strikes Back Apple](https://reverse.put.as/2015/05/29/the-empire-strikes-back-apple-how-your-mac-firmware-security-is-completely-broken/) - [osxreverser](https://twitter.com/osxreverser)
* [macOS FileVault2 Password Retrieval](http://blog.frizk.net/2016/12/filevault-password-retrieval.html) - [Ulf Frisk](https://twitter.com/UlfFrisk)
* [Escaping the Sandbox – MS Office on MacOS](https://www.mdsec.co.uk/2018/08/escaping-the-sandbox-microsoft-office-on-macos/) - MDSec
* [task\_t considered harmful](https://googleprojectzero.blogspot.com/2016/10/taskt-considered-harmful.html) - [Ian Beer](https://twitter.com/i41nbeer) (Project Zero Blog)
* [Reverse Engineering macOS High Sierra Supplemental Update](https://cocoaengineering.com/2017/10/08/reverse-engineering-macos-high-sierra-supplemental-update/) - [Daniel Martín](https://twitter.com/dmartincy/)
* [Password Cracking AES-256 DMGs and Epic Self-Pwnage](https://www.whitehatsec.com/blog/cracking-aes-256-dmgs-and-epic-self-pwnage/) - [Jeremiah Grossman](https://twitter.com/jeremiahg)
* [The Apple of Your EFI: Mac Firmware Security Research](https://duo.com/blog/the-apple-of-your-efi-mac-firmware-security-research) - [Rich Smith](http://twitter.com/iodboi) and [Pepijn Bruienne](https://twitter.com/bruienne) (Duo Blog)

### Papers

* [The Apple Sandbox](https://dl.packetstormsecurity.net/papers/general/apple-sandbox.pdf) - Dionysus Blazakis (2011)
* [De Mysteriis Dom Jobsivs: Mac EFI Rootkits](http://ho.ax/De_Mysteriis_Dom_Jobsivs_Black_Hat_Paper.pdf) - [snare](https://twitter.com/snare) (2012)
* [Dylib hijacking on OS X](https://www.virusbulletin.com/uploads/pdf/magazine/2015/vb201503-dylib-hijacking.pdf) - [Patrick Wardle](https://twitter.com/patrickwardle) (2015)
* [A Deep Dive into macOS MDM](https://www.dropbox.com/s/d5ikab99q7h3aga/us-18-Endahl-A-Deep-Dive-Into-macOS-MDM-And-How-It-Can-Be-Compromised-wp.pdf) - [Jesse Endahl](https://twitter.com/jesseendahl) & [Max Bélanger](https://twitter.com/maxbelanger) (2018)

### Forensics

* [Detection of Backdating the System Clock in macOS](http://cyberforensicator.com/2018/01/21/detection-of-backdating-the-system-clock-in-macos/) - [Igor Mikhaylov](https://twitter.com/Weare4n6)
* [How to mount Mac APFS images in Windows](https://az4n6.blogspot.com/2018/01/how-to-mount-mac-apfs-images-in-windows.html) - [Mari Degrazia](https://twitter.com/maridegrazia)
* [Mounting an APFS image in Linux](https://az4n6.blogspot.com/2018/01/mounting-apfs-image-in-linux.html) - [Mari Degrazia](https://twitter.com/maridegrazia)
* [I Know What You Did Last Month: A New Artifact of Execution on macOS 10.13](https://www.crowdstrike.com/blog/i-know-what-you-did-last-month-a-new-artifact-of-execution-on-macos-10-13/) - Kshitij Kumar and Jai Musunuri (CrowdStrike Blog)
* [Introducing Unified Logging](https://www.mac4n6.com/blog/2016/11/13/new-macos-sierra-1012-forensic-artifacts-introducing-unified-logging) - [Sarah Edwards](https://twitter.com/iamevltwin)

### Exploits

* [DYLD\_ROOT\_PATH vulnerability](https://github.com/luismiras/muymacho) (10.10.5)
* [task\_t considered harmful](https://bugs.chromium.org/p/project-zero/issues/attachmentText?aid=256266) - [Ian Beer](https://twitter.com/i41nbeer) (10.11.5) (10.12)

## Books

* [Mac OS X Internals: A Systems Approach](http://osxbook.com/) - Amit Singh (2006)
* [The Mac Hacker's Handbook](https://www.wiley.com/en-us/The+Mac+Hacker's+Handbook-p-9780470395363) - [Charlie Miller](https://twitter.com/0xcharlie) and [Dino Dai Zovi](https://twitter.com/dinodaizovi) ([Amazon](https://www.amazon.co.uk/Mac-Hackers-Handbook-Charlie-Miller/dp/0470395362)) (2009)
* [Mac OS X and iOS Internals](http://www.wrox.com/WileyCDA/WroxTitle/Mac-OS-X-and-iOS-Internals-To-the-Apple-s-Core.productCd-1118057651.html) - [Jonathan Levin](https://twitter.com/Morpheus______) ([Amazon](https://www.amazon.co.uk/Mac-OS-IOS-Internals-Programmer/dp/1118057651)) ([Legit PDF](http://newosxbook.com/MOXiI.pdf)) (2012)

### MacOS and iOS Internals (Levin)

* [MacOS and iOS Internals, Volume I - User Mode](http://newosxbook.com/index.php) - [Jonathan Levin](https://twitter.com/Morpheus______) ([Amazon](https://www.amazon.com/MacOS-iOS-Internals-User-Mode/dp/099105556X)) (2017)
* [MacOS and iOS Internals, Volume III: Security & Insecurity](http://newosxbook.com/index.php) - [Jonathan Levin](https://twitter.com/Morpheus______) ([Amazon](https://www.amazon.com/MacOS-iOS-Internals-III-Insecurity/dp/0991055535)) (2016)


