KEXT not loadable even though System Integrity Protection is disabled in 10.11 - macos

Currently I'm developing a small KEXT that can block access to USB storage. However, I can't load my KEXT using kextutil:
Code Signing Failure: not code signed
I did turn off the SIP in 10.11
System Integrity Protection status: disabled.
Please help. I don't know what to do!
Thanks.

It was long research I did for these simple steps and documentation, and I am listing it here for someone like me.
Before following the procedure, please disable SIP:
Start your Mac in recovery mode by shutting it down and starting it while holding Command+R until the Apple logo comes up.
Open the Terminal application and enter the command below:
csrutil disable
reboot
These are the important commands for copying the kext to the location using root access, changing its ownership to wheel, checking its OSBundleLibraries dependencies, and checking whether the kext is loadable or not.
sudo cp -R
sudo chown -R root:wheel
sudo kextlibs -xml    # checks that the OSBundleLibraries entries are present in the Info.plist
sudo kextutil -n -t   # dry run (-n) with all validation tests (-t); logs whether the kext is loadable
sudo kextutil -n      # dry run without loading; logs whether the kext is loadable
sudo kextutil         # checks and loads the kext, logging diagnostics
sudo kextload         # loads your kext if the kernel doesn't panic
sudo kextunload       # unloads your kext
Important URLs
https://people.sissa.it/~inno/pubs/skb-reduced.pdf
https://github.com/objective-see/LuLu
https://objective-see.com/blog/blog_0x0B.html
https://developer.apple.com/library/archive/documentation/Darwin/Conceptual/KEXTConcept/KEXTConceptIntro/introduction.html#//apple_ref/doc/uid/10000191-SW1
https://developer.apple.com/library/archive/documentation/Darwin/Conceptual/KernelProgramming/boundaries/boundaries.html
https://developer.apple.com/library/archive/documentation/Darwin/Conceptual/NKEConceptual/intro/intro.html#//apple_ref/doc/uid/TP40001858-CH225-SW1
https://developer.apple.com/library/archive/documentation/DeviceDrivers/Conceptual/IOKitFundamentals/Features/Features.html#//apple_ref/doc/uid/TP0000012-TPXREF101
https://developer.apple.com/library/archive/documentation/DeviceDrivers/Conceptual/AccessingHardware/AH_Intro/AH_Intro.html#//apple_ref/doc/uid/TP30000376
https://developer.apple.com/library/archive/documentation/Networking/Conceptual/CFNetwork/Introduction/Introduction.html#//apple_ref/doc/uid/TP30001132
https://developer.apple.com/library/archive/documentation/DeviceDrivers/Conceptual/WritingDeviceDriver/Introduction/Intro.html#//apple_ref/doc/uid/TP30000694
https://developer.apple.com/library/archive/navigation/index.html#section=Technologies&topic=Kernel
https://developer.apple.com/library/archive/documentation/DeviceDrivers/Conceptual/NetworkDriver/2_IONetworkingFamily/IONetworkingFamily.html
http://dbmanagement.info/Books/MIX/OS_X_and_iOS_Kernel_Programming.pdf
https://www.fortinet.com/blog/threat-research/monitoring-macos--part-iii--monitoring-network-activities-using-.html
https://fortiguard.com/events/2270/learn-how-to-build-your-own-utility-to-monitor-malicious-behaviors-of-malware-on-macOS
https://github.com/slavaim/MacOSX-Network-Sockets-Filter
http://mirror.informatimago.com/next/developer.apple.com/documentation/Darwin/Conceptual/howto/kext_tutorials/hello_kext/hello_kext.html
https://www.blackhat.com/us-18/presenters/Yu-Wang.html
Kernel control/event API usage
https://www.synack.com/2015/12/13/monitoring-process-creation-via-the-kernel-part-iii/
Best working model
https://github.com/LawlietRyuzakiCode/NKETest
http://hitcon.org/2013/download/[B1]%20Pedro_HiTCON%202013%20Presentation_v2.pdf
https://github.com/changpingc/kernet
IMP Packet Creation Source
enderunix Packet Creation Source
https://github.com/robbiehanson/CocoaAsyncSocket/tree/master/Examples/GCD
https://tools.ietf.org/html/rfc7230
https://developer.apple.com/documentation/security/certificate_key_and_trust_services?language=objc
http://openssl.cs.utah.edu/docs/apps/x509v3_config.html
https://docs.mitmproxy.org/stable/concepts-howmitmproxyworks/
http://technologeeks.com/course.jl?course=OSXRE
https://www.fastcompany.com/3042030/the-huge-web-security-loophole-that-most-people-dont-know-about-and-how-its-be
https://stackoverflow.com/questions/589622/how-does-a-root-ca-verify-a-signature
https://deliciousbrains.com/https-locally-without-browser-privacy-errors/
https://rednaga.io/2017/04/09/remote_kext_debugging/
http://www.robertopasini.com/index.php/2-uncategorised/628-osx-packaging-a-kernel-extension-for-distribution-and-installation
http://ddeville.me/2015/08/using-the-vmware-fusion-gdb-stub-for-kernel-debugging-with-lldb
https://objective-see.com/blog.html
https://developer.apple.com/library/archive/documentation/Darwin/Conceptual/KEXTConcept/KEXTConceptDebugger/debug_tutorial.html
https://forums.macrumors.com/threads/turn-off-verbose-bootup.1247361/
https://adimitrov.net/main/code/code/raw_packet.c
http://www.enderunix.org/docs/en/rawipspoof/
https://www.eit.lth.se/ppplab/IPHeader.htm#TOS,%20Type%20of%20Service
https://www.tenouk.com/download/pdf/Module39.pdf
https://developer.apple.com/library/archive/documentation/DeviceDrivers/Conceptual/IOKitFundamentals/HandlingEvents/HandlingEvents.html#//apple_ref/doc/uid/TP0000018-BAJFFJAD
https://www.blackhat.com/us-18/arsenal.html#learn-how-to-build-your-own-utility-to-monitor-malicious-behaviors-of-malware-on-macos
https://developer.apple.com/documentation/networkextension?language=objc
https://github.com/TrustRouter/TrustRouter/blob/master/client/kernelmode/MacOS/trustrouter/trustrouter.c
https://github.com/LawlietRyuzakiCode/NKETest/blob/master/TestFilter/TestFilter/TestFilter.c
http://www.ragingmenace.com/software/menumeters/
http://haifux.org/lectures/122/FreeBSD_kernel_networking.pdf
http://www.zytrax.com/books/dns/ch15/
Alternate packet forwarding and checks
sudo lsof -iTCP -sTCP:LISTEN -n -P
netstat -a -n
sudo pfctl -s nat
sudo pfctl -F all -f /etc/pf.conf
echo "
rdr pass inet proto tcp from any to any port 80 -> 127.0.0.1 port 8080
rdr pass inet proto tcp from any to any port 443 -> 127.0.0.1 port 8443
" | sudo pfctl -ef -
nettop
sudo tcpdump -i en0 -p -vv -A ip and host 192.168.1.92
sudo tcpdump -i en0 -p -vv -A ip
sudo tcpdump -i en0 -p -vv -A ip and net 192.0.2.0/24
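As an added example (not code from the original answer), a small POSIX shell pre-flight script that applies the ownership, permission, SIP, kextlibs and kextutil checks from the steps above before you kextload anything; it assumes the kext bundle path is passed as the first argument and that csrutil, kextlibs and kextutil are on PATH on the macOS host, while the two count_* helpers only need POSIX find.

```shell
#!/bin/sh
# Pre-flight checks before loading an unsigned kext on 10.11 with SIP disabled.
# Added example, not code from the original answer. Assumes the kext bundle path
# is $1 and that csrutil/kextlibs/kextutil are on PATH on the macOS host; the two
# count_* helpers only need POSIX find, so they run anywhere.

# Number of entries writable by group or other (mode bits 020 or 002). The kernel
# refuses a kext whose files are writable by anyone other than the owner.
count_group_other_writable() {
    find "$1" \( -perm -020 -o -perm -002 \) -print | wc -l | tr -d ' '
}

# Number of entries not owned by uid 0 / gid 0 (root:wheel on macOS).
count_not_root_wheel() {
    find "$1" \( ! -uid 0 -o ! -gid 0 \) -print | wc -l | tr -d ' '
}

# Apply the checks from the answer in order; returns non-zero on the first
# failure and prints the command that fixes it.
check_kext() {
    kext="$1"
    [ -f "$kext/Contents/Info.plist" ] || { echo "not a kext bundle: $kext"; return 1; }
    if [ "$(count_not_root_wheel "$kext")" != 0 ]; then
        echo "fix ownership:   sudo chown -R root:wheel \"$kext\""; return 1
    fi
    if [ "$(count_group_other_writable "$kext")" != 0 ]; then
        echo "fix permissions: sudo chmod -R go-w \"$kext\""; return 1
    fi
    # SIP must report "disabled." or the unsigned kext will be rejected
    csrutil status | grep -q 'disabled' || { echo "SIP is still enabled"; return 1; }
    # kextlibs lists the OSBundleLibraries that Info.plist must declare
    sudo kextlibs -xml "$kext" || return 1
    # -n: do not load, -t: run every validation test and print diagnostics
    sudo kextutil -n -t "$kext"
}
```

Source the script and run `check_kext /path/to/Your.kext && sudo kextload /path/to/Your.kext`; the first failing check prints the chown or chmod command to run.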

Related

SSH tunnelling in Catalina to use Screen Sharing (VNC)

I am using the following to try and ssh tunnel to a remote machine via a master one:
ssh -J username1@1.2.3.4 username2@5.6.7.8 -L 5900:localhost:5900
Password:
Password:
bind [::1]:5900: Address already in use
channel_setup_fwd_listener_tcpip: cannot listen to port: 5900
Could not request local forwarding.
This works perfectly on Mojave (executing vnc://localhost afterwards in a new Terminal window). But in Catalina, no. I get: You cannot control your own screen.
About port 5900 already in use, I ran sudo lsof -i tcp:5900 and I can't see any process using that port.
I finally made tunnelling work in Catalina:
First ssh -J username1@1.2.3.4 username2@5.6.7.8 -L 5901:localhost:5900.
Then open 'vnc://localhost:5901' in a new Terminal window.

SNMPd opens "random" UDP port besides 161 and 162 to the outside

I would like to use snmp to monitor my localhost and have installed the corresponding package on Ubuntu 18.03 with apt install snmp. Without having changed the default configuration, I have launched the daemon with systemctl start snmpd. After launching the daemon the output of lsof -i -n | grep snmpd is as follows:
snmpd 14668 Debian-snmp 12u IPv4 13252990 0t0 UDP 127.0.0.1:snmp
snmpd 14668 Debian-snmp 13u IPv4 13252988 0t0 UDP *:41898
I am wondering about the second line of the output, as the port has been opened to the outside. Restarting the daemon changes the open port to another (randomized?) high port number. I have been looking up this behaviour for a couple of hours and wasn't able to find any explanation.
Can anybody explain to me what's going on here or how to disable/remove the open port?
Configuration
AgentAddress is configured as follows:
# /etc/snmp/snmpd.conf
# Listen for connections from the local system only
agentAddress udp:127.0.0.1:161
The daemon has been launched with following options:
# /etc/default/snmp
# snmpd options (use syslog, close stdin/out/err).
SNMPDOPTS='-Lsd -Lf /dev/null -u Debian-snmp -g Debian-snmp -I -smux,mteTrigger,mteTriggerConf -p /run/snmpd.pid'
Output of ps aux | grep snmpd
/usr/sbin/snmpd -Lsd -Lf /dev/null -u Debian-snmp -g Debian-snmp -I -smux mteTrigger mteTriggerConf -f
So, if anybody comes across the same question: the UDP port has been opened by SNMP traps. In order to avoid this behavior, I had to comment out the following line in snmpd.conf:
/etc/snmp/snmpd.conf
# ACTIVE MONITORING
# send SNMPv1 traps
# !comment this line out!
# trapsink localhost public
Read this link for further information: https://sourceforge.net/p/net-snmp/mailman/message/29219475/

Docker Desktop Windows and VPN - no network connection inside container

I'm trying to use Docker on Windows while being connected to VPN.
When VPN is not connected, everything works OK.
But when I connect to our corporate VPN using Cisco AnyConnect client, network inside docker container is not working anymore:
docker run alpine ping www.google.com
ping: bad address 'www.google.com'
docker run alpine ping -c 5 216.58.204.36
PING 216.58.204.36 (216.58.204.36): 56 data bytes
--- 216.58.204.36 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
How to fix this issue and make it work?
My setup is:
Windows 10 Version 1809 (OS Build 17763.1098)
Docker Desktop Community 2.2.0.4 (43472): Engine 19.03.8, Compose 1.25.4, Kubernetes 1.15.5, Notary 0.6.1, Credential Helper 0.6.3
Docker is in Windows containers mode with experimental features enabled (needed to run windows and linux images at the same time)
While my VPN (AnyConnect) was running, I had to run the following from PowerShell (admin mode):
Get-NetAdapter | Where-Object {$_.InterfaceDescription -Match "Cisco AnyConnect"} | Set-NetIPInterface -InterfaceMetric 6000
Actually I did it using Docker Desktop and Hyper-V virtual machines, using OpenConnect, but I think it can be done for most VPN clients with minor adaptations.
The fully explained instructions are here: Docker Desktop, Hyper-V and VPN, with the settings for Docker containers, Windows VMs and Linux VMs.
I created a new internal Virtual Switch (let's call it "Internal") and assigned to it a static IP address (let's say 192.168.4.2)
I created a new VM with Ubuntu server and OpenConnect, connected to both the default Virtual Switch and the "Internal"
On the OpenConnect VM
Assigned a fixed IP (192.168.4.3) to "Internal"
Added a new tun interface "persistent" telling openconnect to use that tun (adding the "-i tun0" parameter as openconnect start parameter)
sudo ip tuntap add name tun0 mode tun
Installed the persist-iptables
Forced the ip forwarding
echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf && sudo sysctl -p   # the redirect must run as root too, so use tee
Setup the routing
sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
sudo iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT
sudo iptables -A FORWARD -o tun0 -j ACCEPT
sudo iptables -A FORWARD -i tun0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A INPUT -i tun0 -j ACCEPT
After connecting the VPN I permanently added the DNS servers to resolv.conf
And retrieved the VPN's address range (like 10.*.*.*)
On the Docker containers
Added the basic route in the Dockerfile
RUN route add -net 10.0.0.0 netmask 255.0.0.0 gw 192.168.4.3
Then, when running the container, I added the DNS servers, giving it NET_ADMIN and SYS_MODULE permissions:
--dns 8.8.8.8 --dns 10.1.77.21 --dns 10.4.52.21 --dns-search test.dns.it
--cap-add=NET_ADMIN --cap-add=SYS_MODULE

Netcat command: Unknown IP address

I have two laptops, each connected to the Internet by landline (two different lines/modems). One is a Mac and the other is Windows. I want to send a message from Windows to the Mac.
I installed NetCat on Mac using, brew install netcat, based on this page.
I installed NetCat on Windows based on this page.
I ran the following command in the Mac terminal in order to see what my IP address is: $ ipconfig getifaddr en0. It printed: 169.254.136.39
In the Mac terminal: $ nc -u -l -p 4444. It seems to be ready for incoming messages.
In the Windows terminal: $ nc -u 169.254.136.39 4444. I get a new line and I assume the connection has been established. However, when I enter a message and hit Enter, nothing happens :(
When I replace the above command with nc -u -v -n 169.254.136.39 4444 in Windows and nc -u -l -n -p 4444 on the Mac, then I get: (UNKNOWN) [169.254.136.39] 4444 (?) open
I have no idea what is wrong. I confirm the firewall is off on my Mac.

How to map ip:port to a new ip or a domain in mac

I am using macOS 10.12 and I want to do ip:port mapping,
e.g. 127.0.0.1:32769 to 10.0.0.1,
so that I can then add "10.0.0.1 somedomain.com" to my /etc/hosts.
I did some searching and found solutions to this question in this post:
https://serverfault.com/questions/102416/iptables-equivalent-for-mac-os-x/673551#673551
but the command in this post works only for the newest one.
Every time I use this command the system replies:
$ sudo ifconfig lo0 10.0.0.2 alias
$ echo "rdr pass on lo0 inet proto tcp from any to 10.0.0.2 port 80 -> 127.0.0.1 port 32771" | sudo pfctl -ef -
pfctl: Use of -f option, could result in flushing of rules
present in the main ruleset added by the system at startup.
See /etc/pf.conf for further details.
No ALTQ support in kernel
ALTQ related functions disabled
pfctl: pf already enabled
How can I prevent flushing the rules?
Or is there an easier way to get this working?
Thanks a lot
