Part II: System Hacking

CHAPTER LIST

I HAVE A MACI MUST BE SECURE!

If we had a nickel for every time we heard this statement, we wouldn't be writing this book. Well, we are gluttons for punishment , so we still would probably be writing this book. We are also huge Macintosh fans, since the Mac is now one of the most popular versions of UNIX!

That's right, if you have been under a rock for several years , you might not realize that with the introduction of OS X, the Mac is UNIX down to the core . Apple's underlying operating system is based on the MACH kernel (derived from Apple's acquisition of NeXT) and the venerable and ever popular FreeBSD. Why is this important? Well, security for Macintosh users has never been much of an issue. Old Mac diehards revel in the days of never worrying about a vulnerability, worm, or virus since versions prior to OS X were very difficult to compromise. Why, you ask? Well, there just wasn't that much functionality built into the underlying operating system; hence, part of the reason Apple spent so much time trying to figure out what its new OS platform would be. After many stops and starts, UNIX was chosen for a myriad of reasons, including functionality.

Like all good things in life, there are tradeoffs. All the new power, speed, elegance , and functionality of OS X are derived from its UNIX heritage. Yet with this newfound functionality comes the potential for additional exposure. Now, the creative artists and Photoshop aficionados who didn't have a care in the world about security must be cognizant of the fact that they are no longer impenetrable. Let's take a look at what network services are running on one of our Macs.

A quick nmap scan of a Mac indicates the following open ports:

 localhost:<126> gk$  sudo nmap 192.168.1.101  Starting nmap 3.48 (http:// www.insecure.org/nmap/) at 2004-12-08 08:51 PST Interesting ports on 192.168.1.101: (The 1648 ports scanned but not shown below are in state: closed) PORT     STATE SERVICE 21/tcp   open  ftp 22/tcp   open  ssh 80/tcp   open  http 139/tcp  open  netbios-ssn 427/tcp  open  svrloc 515/tcp  open  printer 548/tcp  open  afpovertcp 631/tcp  open  ipp 6000/tcp open  X11 Nmap run completed -- 1 IP address (1 host up) scanned in 12.287 seconds 

As you can see on this particular installation, a multitude of services have been enabled and are accessible via the network. If we connect to a few services, we can see the following:

 localhost:<126> gk$  nc 192.168.1.101 80  HEAD / HTTP/1.0 HTTP/1.1 200 OK Date: Wed, 08 Dec 2004 18:36:23 GMT Server: Apache/1.3.29 (Darwin) Content-Location: index.html.en Vary: negotiate,accept-language,accept-charset TCN: choice Last-Modified: Wed, 18 Jul 2001 23:44:21 GMT ETag: "64e3-5b0-3b561f55;406512c4" Accept-Ranges: bytes Content-Length: 1456 Connection: close Content-Type: text/html Content-Language: en Expires: Wed, 08 Dec 2004 18:36:23 GMT 

Ah ha the Mac now runs Apache. In this particular case, it is a relatively current version; however, Apache has had its fair share of vulnerabilities in the past, so we will need to keep an eye on this service.

Next, we will take a look at port 22, which is ssh:

 localhost:<126> gk$  ssh -vv 192.168.1.101  OpenSSH_3.6.1p1+CAN-2004-0175, SSH protocols 1.5/2.0, OpenSSL 0x0090702f debug1: Reading configuration data /etc/ssh_config debug1: Rhosts Authentication disabled, originating port will not be trusted. debug2: ssh_connect: needpriv 0 debug1: Connecting to 192.168.1.101 [192.168.1.101] port 22. 

Well, what do you know? The Mac is running OpenSSH. Hmm haven't we seen a few vulnerabilities related to SSH security recently? Of course. I guess we will have to keep our guard up on that service, as well.

We also notice from the nmap output that NetBIOS file sharing is enabled, which would allow connections from a Windows system to the Mac. This could be used legitimately to transfer files between systems or by attackers as a convenient way to gain access to all your sensitive files. Even scarier is the fact that many times when this service is enabled, people configure it without passwords or with very weak passwordsmaking it an excellent entry point into the system.

The Good and The Bad

While we won't go through all of the various open ports (and there are other juicy ones above), it is important to realize that "this ain't your grandma's Mac anymore." Mac users have to be keenly more aware about configuring their systems in a networked environment as well as keeping their software up to date. The good news for Mac users is that Apple has done a commendable job of shipping their systems with a "secure by default" configurationincluding a built-in, industrial-strength firewall (BSD's IPFW). The bad news for the security administrators is that many powerful services can be turned on by users, and oftentimes those users have no idea that they are even using a UNIX-based system. So, pay special attention to Chapter 5, "Hacking UNIX," because we are sure the bad guys are licking their chops, just itching to have some fun with your new, shiny, cool-looking Mac!