MacOS

Intro/links/basics

• A basic intro

• Security & Privacy Guide

• Awesome commands like default TextEdit to plain text

• launchd.info “A launchd Tutorial”

Apple Documentation

• Security updates list

• WWDC Privacy and Security sessions (Videos)

General

iCloud

• Adding .nosync to the end of a folder in iCloud Drive stops it being synced (via @jimconacher).

.zshprofile

macOS Catalina and later ship with zsh as the default shell.

• Moving to Zsh - Armin Briegel

.hushlogin

Add a .hushlogin file to the directory you terminal starts in to suppress the Last login: message at the top of your terminal.

touch .hushlogin

Lock Screen

Change Key Combo

Go to System Preferences > Keyboard > Shortcuts > App Shortcuts

Click + to add a new one called Lock Screen and set the key combo (eg. ⌥⌘+L)

Stop Wifi Dropping on Screen Lock

cd /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/
sudo ./airport en0 prefs DisconnectOnLogout=NO

Disk Images

• Understanding DMG Files

• Sparse Bundles Defined

Random

• How to Fix Slow SMB File Transfers on OS X - Dan Roncadin

Homebrew

Homebrew (brew) is a package manager for macOS akin to the Advanced Package Tool (apt) on Debian and Ubuntu.

Taps

Taps are third party repositories for homebrew.

• sidaf/homebrew-pentest “penetration testing related tools”

Example

If you run brew tap sidaf/homebrew-pentest you'll be able to install any formulas from the sidaf/homebrew-pentest repository via brew install. brew install panoptic will search the default Homebrew repository then any tapped repositories for a formula with the name panoptic.

Python

As of Homebrew 1.5.0 brew install python installs python3.x not python2.7.x. This was not PEP 394 compliant as running python would execute the python3.x binary which violates “all distributions should ensure that python refers to the same target as python2”.

This was fixed in 1.6.0. brew install python still installs python3.x but will not symlink python to the python3.x binary. Running python will execute the system python2.7.x binary and running python3 will execute the brew python3.x binary.

See Homebrew and Python for more info.

Upgrading Packages

By default Homebrew does not automatically update itself or installed packages. To manually update Homebrew and upgrade all installed packages run:

1. brew update (Update the formulae and Homebrew itself)

2. brew upgrade (Upgrade all packages installed by Homebrew)

By default, Homebrew does not uninstall old versions of formula. From time to time you'll want to run brew cleanup to remove old version of formula.

See FAQ for more info.

Virtualisation

VMWare Fusion

We get VMWare Fusion free from VMWare DreamSpark. Used by most mac wankers on the course. Would recommend over all other virtualisation programs for Mac.

Currently does not work with M1 Macs.

Parallels

Parallels

Apps

General

• Amphetamine (App Store) - This app keeps your Mac awake for a set period of time, whilst an app is running, and much more.

• The Unarchiver (App Store) Open any archive in seconds

• Rocket Slack-style emoji picker for your Mac

• Texpad Native Mac OS app with efficient LaTeX environment

• DiskMaker X Build an OS X boot disk

• BitBar Put anything in your menu bar

• DiscreteScroll Stop the annoying mouse acceleration when scrolling in macOS

Programming

For general information see Programmming. This section list macOS specific tools.

• Xcode (App Store) Apple's own IDE. Best for C, C++ and Objective-C.

• Quiver (App Store) notebook built for programmers

• Dash offline access to 200+ API documentation sets

Security/ Privacy

• 1Password (App Store) Apple device focused password manager

• Little Snitch Application firewall

• GPGTools/ GPG Suite “Use GPG Suite to encrypt, decrypt, sign and verify files or messages”

• Privileges.app “providing a quick and easy way to get administrator rights when needed”

Objective-See

Objective-See was created by Patrick Wardle to provide simple, effective and free macOS security tools. Some of his most useful tools are listed below.

• BlockBlock (Beta) Alerts when something is persistently installed

• OverSight Monitors and alerts on mic and webcam access

• LuLu Open-source application firewall

• What's Your Sign? Adds a menu item to Finder.app to view the cryptographic signature of files

Touch Bar

• HapticKey “trigger haptic feedback when tapping Touch Bar”

Research

• Papers, Slides and Thesis Archive - osxreverser

• osx-security-awesome “collection of OSX and iOS security resources”

• mac-white-papers "Every OS X/ macOS white paper"

Blogs

• The Eclectic Light Company - Howard Oakley (Security, General)

• mac4n6 - Sarah Edwards (Forensics)

• Objective-See - Patrick Wardle (Security)

• derflounder - Rich Trouton (General, Security)

• theevilbit - Csaba Fitzl(Security)

Talks

Older

• Thunderstrike: EFI bootkits for Apple MacBooks - Trammell Hudson Annotated Slides (31c3)

• De Mysteriis Dom Jobsivs: Mac EFI Rootkits - snare Slides (Black Hat 2012)

2015

• Stick That In Your (root)Pipe & Smoke It - Patrick Wardle (Ekoparty 2015)

• ThunderStrike 2: Sith Strike - Xeno Kovah Slides (HITBGSEC 2015)

• ThunderStrike 2: Sith Strike - Trammell Hudson, Xeno Kovah & Corey Kallenberg Annotated Slides (Black Hat 2015)

• DLL Hijacking on OS X - Patrick Wardle Slides (DEFCON 23)

2016

• The Apple Sandbox: Deeper Into The Quagmire - Jonathan Levin Slides (HITBGSEC 2016)

• I've got 99 Problems, but LittleSnitch ain't one - Patrick Wardle Slides (DEFCON 24)

• Thunderstrike 2 - Trammell Hudson (CITP Princeton)

2017

• The Apple of your EFI - Rich Smith and Pepijn Bruienne (Ekoparty 2017)

• Oversight: Exposing Spies On MacOS - Patrick Wardle (HITBAMS 2017)

2018

• A Deep Dive into macOS MDM - Jesse Endahl & Max Bélanger Slides (Black Hat 2018)

• Fire & Ice: Making and Breaking macOS Firewalls - Patrick Wardle Slides (Black Hat 2018)

• The Mouse is Mightier than the Sword - Patrick Wardle Slides (DEFCON 26)

Slides

• The Apple Sandbox - Dionysus Blazakis (No video)

• OS X El Capitan sinking the S\H/IP - Stefan Esser (No video)

• Code Signing – Hashed Out - Jonathan Levin (No video)

Articles

• The Evolution of Mac OS X Security and Privacy Features - Joshua Long (Intego Mac Security Blog)

• Booting Secure - Michael Lynn On Mac Secure Boot

• Apple iMac Pro and Secure Storage - Pepijn Bruienne (Duo Blog)

• Bypass macOS rootless by sandboxing - CodeColorist

• Creating signed and customized backdoored macOS applications - Adam Toscher

• Leveraging Emond on macOS For Persistence - Christopher Ross (SpecterOps)

• macOS 10.13.1 insecure cron system - Mark Wadham

• Load & Execute Bundles with migrationTool - Christopher Ross (SpecterOps)

• MacOS monitoring the open source way - Michael George (Dropbox Blog)

• Little Snitch Detection in Malware - bitsrot

• A useless analysis of macOS (OS X) release dates - Rob Griffiths

• Encrypting for Apple's Secure Enclave - David Schuetz

• The Empire Strikes Back Apple - osxreverser

• macOS FileVault2 Password Retrieval - Ulf Frisk

• Escaping the Sandbox – MS Office on MacOS - MDSec

• task_t considered harmful - Ian Beer (Project Zero Blog)

• Reverse Engineering macOS High Sierra Supplemental Update - Daniel Martín

• Password Cracking AES-256 DMGs and Epic Self-Pwnage - Jeremiah Grossman

• The Apple of Your EFI: Mac Firmware Security Research - Rich Smith and Pepijn Bruienne (Duo Blog)

Papers

• The Apple Sandbox - Dionysus Blazakis (2011)

• De Mysteriis Dom Jobsivs: Mac EFI Rootkits - snare (2012)

• Dylib hijacking on OS X - Patrick Wardle (2015)

• A Deep Dive into macOS MDM - Jesse Endahl & Max Bélanger (2018)

Forensics

• Detection of Backdating the System Clock in macOS - Igor Mikhaylov

• How to mount Mac APFS images in Windows - Mari Degrazia

• Mounting an APFS image in Linux - Mari Degrazia

• I Know What You Did Last Month: A New Artifact of Execution on macOS 10.13 - Kshitij Kumar and Jai Musunuri (CrowdStrike Blog)

• Introducing Unified Logging - Sarah Edwards

Exploits

• DYLD_ROOT_PATH vulnerability (10.10.5)

• task_t considered harmful - Ian Beer (10.11.5) (10.12)

Books

• Mac OS X Internals: A Systems Approach - Amit Singh (2006)

• [The Mac Hacker's Handbook](https://www.wiley.com/en-us/The+Mac+Hacker's+Handbook-p-9780470395363) - Charlie Miller and Dino Dai Zovi (Amazon) (2009)

• Mac OS X and iOS Internals - Jonathan Levin (Amazon) (Legit PDF) (2012)

MacOS and iOS Internals (Levin)

• MacOS and iOS Internals, Volume I - User Mode - Jonathan Levin (Amazon) (2017)

• MacOS and iOS Internals, Volume III: Security & Insecurity - Jonathan Levin (Amazon) (2016)