osx-security-awesome [![Awesome](https://cdn.rawgit.com/sindresorhus/awesome/d7305f38d29fed78fa85652e3a63e154dd8e8829/media/badge.svg)](https://github.com/sindresorhus/awesome)[![Travis](https://api.travis-ci.org/kai5263499/osx-security-awesome.svg?branch=master)](https://travis-ci.org/kai5263499/osx-security-awesome) ------------------------------------------------------------------------------------------ A collection of OSX/iOS security related resources * [**News**](#news) * [**Hardening**](#hardening) * [**Malware sample sources**](#malware-sample-sources) * [**DFIR**](#digital-forensics--incident-response-dfir) * [**Reverse engineering**](#reverse-engineering) * [**Presentations and Papers**](#presentations-and-papers) * [**Virus and exploit writeups**](#virus-and-exploit-writeups) * [**Useful tools and guides**](#useful-tools-and-guides) * [**Remote Access Toolkits**](#remote-access-toolkits) * [**Worth following on Twitter**](#worth-following-on-twitter) ------------------------------------------------------------------------------------------ ## News --------------------------------------------------------------------- ### [Linking a microphone](https://ubrigens.com/posts/linking_a_microphone.html) * The Story of CVE-2018-4184 or how a vulnearbility in OSX's Speech system allowed apps with access to the microphone to escape sandbox restrictions ### [iOS vulnerability write-up](https://github.com/writeups/iOS) * A repository of iOS vulnerability write-ups as they are released * Also includes conference papers ### [iOS display bugs](https://docs.google.com/document/d/1TDCVavaqDJCFjcQxZsL6InzHxPEYWwMMMh9QtfRGjbY/edit) * Regularly updated list of iOS display bugs ### [Mac Virus](https://macviruscom.wordpress.com) * Frequently updated blog that provides a good summary of the latest unique mac malware. ### [Intego Mac Security Blog](https://www.intego.com/mac-security-blog/) * Intego's corporate Mac security blog often contains recent and in-depth analysis of mac malware and other security issues ### [Objective-See](https://objective-see.com/blog.html) * Objective-See's blog often contains in-depth breakdowns of malware they've reverse engineered and vulnarabilities they've discovered. ### [The Safe Mac](https://www.thesafemac.com/) * Resource to help educate Mac users about security issues. Contains historical as well as timely security updates. ### [Mac Security](https://macsecurity.net/news) * Another Mac security blog. This often includes more in-depth analysis of specific threats. ### [OSX Daily](https://osxdaily.com/) * Not strictly security-specific but it contains jailbreaking information which has security implications ## Hardening ### [macops](https://github.com/google/macops) * Utilities, tools, and scripts for managing and tracking a fleet of Macintoshes in a corporate environment collected by Google ### [SUpraudit](http://newosxbook.com/tools/supraudit.html) * System monitoring tool ### [EFIgy](https://github.com/duo-labs/EFIgy) * A RESTful API and client that helps Apple Mac users determine if they are running the expected EFI firmware version given their Mac hardware and OS build version ### [Launchd](https://www.launchd.info/) * Everything you need to know about the launchd service ### [OSX startup sequence](http://osxbook.com/book/bonus/ancient/whatismacosx/arch_startup.html) * Step-by-step guide to the startup process ### [Google OSX hardening](https://www.usenix.org/conference/lisa13/os-x-hardening-securing-large-global-mac-fleet) * Google's system hardening guide ### [Run any command in a sandbox](https://www.davd.io/os-x-run-any-command-in-a-sandbox/) * How to for using OSX's sandbox system ### [Sandblaster](https://github.com/malus-security/sandblaster) * Reversing the Apple sandbox * [Paper](https://arxiv.org/pdf/1608.04303.pdf) ### [OSX El Capitan Hardening Guide](https://github.com/ernw/hardening/blob/master/operating_system/osx/10.11/ERNW_Hardening_OS_X_EL_Captain.md) * Hardening guide for El Capitan ### [Hardening hardware and choosing a good BIOS](https://media.ccc.de/v/30C3_-_5529_-_en_-_saal_2_-_201312271830_-_hardening_hardware_and_choosing_a_goodbios_-_peter_stuge) * Protecting your hardware from "evil maid" attacks ## Malware sample sources ### [Objective-See](https://objective-see.com/malware.html) * Curated list of malware samples. Use this list if you're looking for interesting samples to reverse engineer ### [Alien Vault](https://www.alienvault.com/blogs/labs-research/os-x-malware-samples-analyzed) ### [Contagio malware dump](http://contagiodump.blogspot.com/2013/11/osx-malware-and-exploit-collection-100.html) ## Digital Forensics / Incident Response (DFIR) ### APOLLO tool * Python tool for advanced forensics analysis * [Presentation slides](https://github.com/mac4n6/Presentations/blob/master/LaunchingAPOLLO/LaunchingAPOLLO.pdf) * [Source code](https://github.com/mac4n6/APOLLO) ### [venator](https://posts.specterops.io/introducing-venator-a-macos-tool-for-proactive-detection-34055a017e56) * Python tool for proactive detection tool for malware and trojans * [Source](https://github.com/richiercyrus/Venator) ### [lynis](https://github.com/CISOfy/lynis/) * Security auditing tool for UNIX-based systems, including macOS ### [AutoMacTC](https://github.com/CrowdStrike/automactc) * [Modular forensic triage collection framework](https://www.crowdstrike.com/blog/automating-mac-forensic-triage/) from CrowdStrike ### [Legacy Exec History](https://github.com/knightsc/system_policy) * OSQuery module to give you a report of 32bit processes running on a 10.14 machine ### [Using the macOS/iOS knowledgeC.db Database to Determine Precise User and Application Usage](https://www.mac4n6.com/blog/2018/8/5/knowledge-is-power-using-the-knowledgecdb-database-on-macos-and-ios-to-determine-precise-user-and-application-usage) ### [Artefacts for Mac OSX](http://sud0man.blogspot.com/2015/05/artefacts-for-mac-os-x.html?m=1) * Locations of sensitive files ### [Pac4Mac](https://github.com/sud0man/pac4mac) * Forensics framework ### [Inception](https://github.com/carmaa/inception) * Physical memory manipulation ### [Volafox](https://github.com/n0fate/volafox) * Memory analysis toolkit ### [Mac4n6](https://github.com/pstirparo/mac4n6) * Collection of OSX and iOS artifacts ### [Keychain analysis with Mac OSX Forensics](https://repo.zenk-security.com/Forensic/Keychain%20Analysis%20with%20Mac%20OS%20X%20Memory%20Forensics.pdf) ### [OSX Collector](https://github.com/Yelp/osxcollector) * Forensics utility developed by Yelp ### [OSX incident response](https://www.youtube.com/watch?v=gNJ10Kt4I9E) * OSX incident response at GitHub [Slides](https://speakerdeck.com/sroberts/hipster-dfir-on-osx-bsidescincy) ### [iOS Instrumentation without jailbreaking](https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2016/october/ios-instrumentation-without-jailbreak/) * How to debug an iOS application that you didn't create ### [Certo](https://www.certosoftware.com/) * Paid service for analyzing the iTunes backup of your iOS device ### [Blackbag Tech free tools](https://www.blackbagtech.com/resources/free-tools/) ### [OSX (Mac) Memory Acquisition and Analysis Using OSXpmem and Volatility](https://ponderthebits.com/2017/02/osx-mac-memory-acquisition-and-analysis-using-osxpmem-and-volatility/) ### [mac-apt](https://github.com/ydkhatri/mac_apt) * Mac Artifact Parsing Tool for processing full disk images and extracting useful information * The author also has a collection of [DFIR scripts](https://github.com/ydkhatri/MacForensics) ## Reverse engineering ### [New OS X Book](http://www.newosxbook.com/) * Frequently updated book on OSX internals ### [Collection of OSX reverse engineering resources](https://github.com/michalmalik/osx-re-101) * Another Awesome-style list dedicated to OSX reverse engineering resources ### [The iPhone Wiki](https://www.theiphonewiki.com/wiki/Main_Page) ### [Reverse engineering OSX](https://reverse.put.as/) ### [OSX crackmes](https://reverse.put.as/crackmes/) * A collection of puzzles to test your reverse engineering skills ### [Introduction to Reverse Engineering Cocoa Applications](https://www.fireeye.com/blog/threat-research/2017/03/introduction_to_reve.html) * Walkthrough for Coca applications ### [iOS Kernel source](https://github.com/apple/darwin-xnu) * Source code for iOS kernel ### [Reverse Engineering Challenges](https://challenges.re/) * Very good list of various crackme challenges that is categorized by level and OS ### [Awesome Reversing](https://github.com/tylerha97/awesome-reversing) * Awesome list dedicated to reversing ## Presentations and Papers ### [Area41 2018: Daniel Roethlisberger: Monitoring MacOS For Malware And Intrusions](https://www.youtube.com/watch?v=OSSkBgn_xJs&feature=youtu.be) ### [Windshift APT](https://www.youtube.com/watch?v=Mza6qv4mY9I&feature=youtu.be&t=6h12m24s) * [Deep-dive write-up by Objective See](https://objective-see.com/blog/blog_0x38.html) ### [Automated Binary Analysis on iOS – A Case Study on Cryptographic Misuse in iOS Applications](https://pure.tugraz.at/ws/portalfiles/portal/17749575) * Examining iOS applications for poorly guarded secrets ### [Writing Bad @$$ Malware for OSX](https://www.youtube.com/watch?v=fv4l9yAL2sU) * [Slides](https://www.slideshare.net/Synack/writing-bad-malware-for-os-x) and [another related video](https://www.youtube.com/watch?v=oT8BKt_0cJw). ### [Methods of Malware Persistence on OSX](https://www.youtube.com/watch?v=rhhvZnA4VNY) ### [Advanced Mac OSX Rootkits](https://www.blackhat.com/presentations/bh-usa-09/DAIZOVI/BHUSA09-Daizovi-AdvOSXRootkits-SLIDES.pdf) ### [The Python Bytes Your Apple](https://speakerdeck.com/flankerhqd/the-python-bites-your-apple-fuzzing-and-exploiting-osx-kernel-bugs) * Fuzzing and exploiting OSX kernel bugs ### [Breaking iOS Code Signing](https://papers.put.as/papers/ios/2011/syscan11_breaking_ios_code_signing.pdf) ### [The Apple Sandbox - 5 years later](http://newosxbook.com/files/HITSB.pdf) ### [Practical iOS App Hacking](https://papers.put.as/papers/ios/2012/Mathieu-RENARD-GreHACK-Practical-iOS-App-Hacking.pdf) ### [Behavioral Detection and Prevention of Malware on OS X](https://www.virusbulletin.com/blog/2016/september/paper-behavioural-detection-and-prevention-malware-os-x/) ### [Security on OSX and iOS](https://www.youtube.com/watch?v=fdxxPRbXPsI) * [Slides](https://www.slideshare.net/nosillacast/security-on-the-mac) ### [Thunderstrike](https://trmm.net/Thunderstrike_31c3) * [Video](https://www.youtube.com/watch?v=5BrdX7VdOr0), hacking Mac's extensible firmware interface (EFI) ### [Direct Memory Attack the Kernel](https://github.com/ufrisk/presentations/blob/master/DEFCON-24-Ulf-Frisk-Direct-Memory-Attack-the-Kernel-Final.pdf) ### [Don't trust your eye, Apple graphics is compromised](https://speakerdeck.com/marcograss/dont-trust-your-eye-apple-graphics-is-compromised) * security flaws in IOKit's graphics acceleration that lead to exploitation from the browser ### [Fuzzing and Exploiting OSX Vulnerabilities for Fun and Profit Complementary Active & Passive Fuzzing](https://www.slideshare.net/PacSecJP/moony-li-pacsec18?qid=15552f01-6655-4555-9894-597d62fd803c) ### [Strolling into Ring-0 via I/O Kit Drivers](https://speakerdeck.com/patrickwardle/o-kit-drivers) ### [Juice Jacking](https://www.youtube.com/watch?v=TKAgemHyq8w) ### [Attacking OSX for fun and profit tool set limiations frustration and table flipping Dan Tentler](https://www.youtube.com/watch?v=9T_2KYox9Us) * [Follow-up from target](https://www.youtube.com/watch?v=bjYhmX_OUQQ) ### [Building an EmPyre with Python](https://www.youtube.com/watch?v=79qzgVTP3Yc) ### [PoisonTap](https://www.youtube.com/watch?v=Aatp5gCskvk) ### [Storing our Digital Lives - Mac Filesystems from MFS to APFS](https://www.youtube.com/watch?v=uMfmgcnrn24) * [slides](http://macadmins.psu.edu/files/2017/07/psumac2017-174-Storing-our-digital-lives-Mac-filesystems-from-MFS-to-APFS.key-254bf2y.pdf) ### [Collection of mac4en6 papers/presentations](https://drive.google.com/drive/folders/0B37-sa0Wh9_TdjVSbzRvMEVGQ2c) ### [The Underground Economy of Apple ID](https://www.youtube.com/watch?v=4acVKs9WPts) ### [iOS of Sauron: How iOS Tracks Everything You Do](https://www.youtube.com/watch?v=D6cSiHpvboI) ### [macOS/iOS Kernel Debugging and Heap Feng Shui](https://github.com/zhengmin1989/MyArticles/blob/master/PPT/DEFCON-25-Min-Spark-Zheng-macOS-iOS-Kernel-Debugging.pdf) ### [Billy Ellis iOS/OSX hacking YouTube channel](https://www.youtube.com/channel/UCk2sx_3FUkKvDGlIhdUQa8A) ### [A Technical Autopsy of the Apple - FBI Debate using iPhone forensics | SANS DFIR Webcast](https://www.youtube.com/watch?v=_q_2mN8U91o) ### [Jailbreaking Apple Watch at DEFCON-25](https://www.youtube.com/watch?v=eJpbi-Qz6Jc) ### [SandScout: Automatic Detection of Flaws in iOS Sandbox Profiles](http://www.icri-sc.org/fileadmin/user_upload/Group_TRUST/PubsPDF/sandscout-final-ccs-2016.pdf) * An exploration of the sandbox protections policies * [Presentation](https://www.youtube.com/watch?v=TnwXEDCIowQ) ## Virus and exploit writeups ### [Detailed Analysis of macOS/iOS Vulnerability CVE-2019-6231](https://www.fortinet.com/blog/threat-research/detailed-analysis-of-macos-ios-vulnerability-cve-2019-6231.html) * Exploration of QuartzCore/CoreAnimation flaw leading to a malicious application being able to read restricted memory. ### [kernelcache laundering](https://github.com/Synacktiv-contrib/kernelcache-laundering) * Load iOS12 kernelcaches and PAC code in IDA ### [blanket](https://github.com/bazad/blanket) * Proof of concept for CVE-2018-4280: Mach port replacement vulnerability in launchd on iOS 11.2.6 ### [Proof of Concept for Remote Code Execution in WebContent](https://github.com/externalist/exploit_playground/blob/master/CVE-2018-4233/pwn_i8.js) * [MachO tricks](https://iokit.racing/machotricks.pdf) - Appears to be slides from a presentation that ends with the CVE listed above ### [There's Life in the Old Dog Yet: Tearing New Holes into Intel/iPhone Cellular Modems](https://comsecuris.com/blog/posts/theres_life_in_the_old_dog_yet_tearing_new_holes_into_inteliphone_cellular_modems/) * How the public warning system can be used as an attack vector ### [I can be Apple, and so can you](https://www.okta.com/security-blog/2018/06/issues-around-third-party-apple-code-signing-checks/) * An exploration of a code signing vulnerability in macOS that has persisted for 11 years * [Creating signed and customized backdoored macos apps](https://medium.com/@adam.toscher/creating-signed-and-customized-backdoored-macos-applications-by-abusing-apple-developer-tools-b4cbf1a98187) ### [Leveraging emond on macOS for persistence](https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124) ### [APFS credential leak vulnerability](https://www.mac4n6.com/blog/2018/3/21/uh-oh-unified-logs-in-high-sierra-1013-show-plaintext-password-for-apfs-encrypted-external-volumes-via-disk-utilityapp) * A flaw in Unified Logs leaks the password for encrypted APFS volumes ### [A fun XNU infoleak](https://bazad.github.io/2018/03/a-fun-xnu-infoleak/) ### Meltdown * CPU flaw allowing kernel memory to be accessed by hijacking speculative execution * [Proof of concept](https://github.com/gkaindl/meltdown-poc) * [Apple's statement](https://support.apple.com/en-us/HT208394) * [Measuring OSX meltdown patches performance](https://reverse.put.as/2018/01/07/measuring-osx-meltdown-patches-performance/) * [iPhone performance after Spectre patch](https://www.gsmarena.com/spectre_and_meltdown_testing_performance_impact_on_iphone_8_plus-news-29132.php) ### [Flashback](https://www.cnet.com/news/more-than-600000-macs-infected-with-flashback-botnet/) * [Detailed analysis](https://www.intego.com/mac-security-blog/more-about-the-flashback-trojan-horse/) ### [Flashback pt 2](https://www.intego.com/mac-security-blog/flashback-botnet-is-adrift/) ### [iWorm](https://www.thesafemac.com/iworm-method-of-infection-found/) * [Detailed analysis](https://www.intego.com/mac-security-blog/iworm-botnet-uses-reddit-as-command-and-control-center/) ### [Thunderbolt](https://www.theregister.co.uk/2015/01/08/thunderstrike_shocks_os_x_with_first_firmware_bootkit/) * Firmware bootkit ### [Malware in firmware: how to exploit a false sense of security](https://www.welivesecurity.com/2017/10/19/malware-firmware-exploit-sense-security/) * A post on the resurgence of bootkits and how to defend against them ### [Proton RAT](https://www.cybereason.com/blog/labs-proton-b-what-this-mac-malware-actually-does) * Exploration of a Remote Access Toolkit ### [Mokes](https://thehackernews.com/2016/09/cross-platform-malware.html) ### [MacKeeper](https://www.cultofmac.com/170522/is-mackeeper-really-a-scam/) ### [OpinionSpy](https://www.thesafemac.com/opinionspy-is-back/) ### [Elanor](https://blog.malwarebytes.com/cybercrime/2016/07/new-mac-backdoor-malware-eleanor/) ### [Mac Defender](https://macsecurity.net/view/79-remove-mac-defender-virus-from-mac-os-x) ### [Wire Lurker](https://www.paloaltonetworks.com/resources/research/unit42-wirelurker-a-new-era-in-ios-and-os-x-malware.html) ### [KeRanger](https://techcrunch.com/2016/03/07/apple-has-shut-down-the-first-fully-functional-mac-os-x-ransomware/) * First OSX ransomware ### [Proof-of-concept USB attack](https://www.ehackingnews.com/2016/09/a-usb-device-can-steal-credentials-from.html) ### [Dark Jedi](https://reverse.put.as/2015/05/29/the-empire-strikes-back-apple-how-your-mac-firmware-security-is-completely-broken/) ### EFI attack that exploits a vulnerability in suspend-resume cycle [Sentinel One write-up](https://www.sentinelone.com/blog/reverse-engineering-mac-os-x/) ### [XAgent Mac Malware Used In APT-28](https://labs.bitdefender.com/2017/02/new-xagent-mac-malware-linked-with-the-apt28/) * [Samples](http://contagiodump.blogspot.com/2017/02/russian-apt-apt28-collection-of-samples.html) ### [Juice Jacking](https://www.howtogeek.com/166497/htg-explains-what-is-juice-jacking-and-how-worried-should-you-be/) ### [Local Privilege Escalation for macOS 10.12.2 and XNU port Feng Shui](https://github.com/zhengmin1989/macOS-10.12.2-Exp-via-mach_voucher) ### [Ian Beer, Google Project Zero: "A deep-dive into the many flavors of IPC available on OS X."](https://www.youtube.com/watch?v=D1jNCy7-g9k) * Deep dive into the interprocess communication and its design flaws ### [PEGASUS iOS Kernel Vulnerability Explained](https://sektioneins.de/en/blog/16-09-02-pegasus-ios-kernel-vulnerability-explained.html) ### [Analysis of iOS.GuiInject Adware Library](https://www.sentinelone.com/blog/analysis-ios-guiinject-adware-library/) ### [Broadpwn](https://blog.exodusintel.com/2017/07/26/broadpwn/) * Gaining access through the wireless subsystem ### [Reverse Engineering and Abusing Apple Call Relay Protocol](https://www.martinvigo.com/diy-spy-program-abusing-apple-call-relay-protocol/) * Details the discovery of a vulnerability in Apple's Call handoff between mobile and desktop through analyzing network traffic. ### Exploiting the Wifi Stack on Apple Devices Google's Project Zero series of articles that detail vulnerabilities in the wireless stack used by Apple Devices * [Over The Air: Exploiting Broadcom’s Wi-Fi Stack (Part 1)](https://googleprojectzero.blogspot.com/2017/04/over-air-exploiting-broadcoms-wi-fi_4.html) * [Over The Air: Exploiting Broadcom’s Wi-Fi Stack (Part 2)](https://googleprojectzero.blogspot.com/2017/04/over-air-exploiting-broadcoms-wi-fi_11.html) * [Over The Air - Vol. 2, Pt. 1: Exploiting The Wi-Fi Stack on Apple Devices](https://googleprojectzero.blogspot.com/2017/09/over-air-vol-2-pt-1-exploiting-wi-fi.html) * [Over The Air - Vol. 2, Pt. 2: Exploiting The Wi-Fi Stack on Apple Devices](https://googleprojectzero.blogspot.com/2017/10/over-air-vol-2-pt-2-exploiting-wi-fi.html) * [Over The Air - Vol. 2, Pt. 3: Exploiting The Wi-Fi Stack on Apple Devices](https://googleprojectzero.blogspot.com/2017/10/over-air-vol-2-pt-3-exploiting-wi-fi.html) ### [ChaiOS bug](https://www.grahamcluley.com/chaios-bug-crash-ios-macos-messages/) * A message that crashes iMessage * Looks similar to [previous](https://arstechnica.com/gadgets/2013/08/rendering-bug-crashes-os-x-and-ios-apps-with-string-of-arabic-characters/) [bugs](https://www.intego.com/mac-security-blog/crash-text-message-iphone/) rendering Arabic characters ## Useful tools and guides ### [Mac@IBM](https://github.com/IBM/mac-ibm-enrollment-app) * Mac enrollment helper provided by IBM ### [mOSL](https://github.com/0xmachos/mOSL) * Audit and fix macOS High Sierra (10.13.x) security settings ### [Darling](https://github.com/darlinghq/darling) * Darwin/macOS emulation layer for Linux ### [Kemon](https://github.com/didi/kemon) * Open source kernel monitoring ### [jelbrektime](https://github.com/kai5263499/jelbrekTime) * Developer jailbreak for Apple Watch ### [Booting Secure](http://michaellynn.github.io/2018/07/27/booting-secure/) * Deep dive into Secure Boot on 2018 MacBook Pro ### [Tutorial - emulate an iOS kernel in QEMU up to launchd and userspace](https://worthdoingbadly.com/xnuqemu2/) * Tutorial on getting an iOS kernel to run in QEMU ### [xnumon](https://www.roe.ch/xnumon) * Monitor macOS for malicious activity * [source](https://github.com/droe/xnumon) ### [DetectX](https://sqwarq.com/detectx/) * Audits system artifacts to help you identify unknown and novel threats ### [Are you really signed?](https://github.com/Sentinel-One/macos-are-you-really-signed) * Utility to test for code-sign bypass vulnerability ### [osx security growler](https://github.com/pirate/security-growler) * Mac menubar item that lets you know about security events on your system ### [mac-a-mal](https://github.com/phdphuc/mac-a-mal) * Automated malware analysis on macOS ### [jrswizzle](https://github.com/rentzsch/jrswizzle) * method interface exchange ### [MacDBG](https://github.com/blankwall/MacDBG) * C and Python debugging framework for OSX ### [bitcode_retriever](https://github.com/AlexDenisov/bitcode_retriever) * store and retrieve bitcode from Mach-O binary ### [machotools](https://github.com/enthought/machotools) * retrieve and change information about mach-o files ### [onyx-the-black-cat](https://github.com/acidanthera/onyx-the-black-cat) ([outdated original](https://github.com/gdbinit/onyx-the-black-cat)) * kernel module for OSX to defeat anti-debugging protection ### [create-dmg](https://github.com/andreyvit/create-dmg) * CLI utility for creating and modifying DMG files ### [dmg2iso](https://sourceforge.net/projects/dmg2iso/?source=typ_redirect) * convert dmg to iso ### [Infosec Homebrew](https://github.com/kai5263499/homebrew-infosec) * Homebrew tap for security-related utilities ### [Awesome OSX Command Line](https://github.com/herrbischoff/awesome-macos-command-line) * Collection of really useful shell commands ### [Keychain dump](https://github.com/juuso/keychaindump) * Dump keychain credentials ### [KnockKnock](https://objective-see.com/products/knockknock.html) * Listing startup items. Also includes VirusTotal information ### [Lingon-X](https://www.peterborgapps.com/lingon/) * GUI for launchd ### [Hopper](https://www.hopperapp.com/) * Excellent OSX debugger (requires license) ### [Symhash](https://github.com/threatstream/symhash) * Python utility for generating imphash fingerprints for OSX binaries ### [KisMac2](https://github.com/IGRSoft/KisMac2) * Wireless scanning and packet capturing ### [Passive fuzz framework](https://github.com/SilverMoonSecurity/PassiveFuzzFrameworkOSX) * Framework is for fuzzing OSX kernel vulnerability based on passive inline hook mechanism in kernel mode ### [Platypus](https://sveinbjorn.org/platypus) * GUI for generating .app bundles ### [createOSXinstallPkg](https://github.com/munki/createOSXinstallPkg) * CLI for generating .pkg installers ### [PoisonTap](https://github.com/samyk/poisontap) ### [Chipsec](https://github.com/chipsec/chipsec) * System firmware checker by Intel ### [Revisiting Mac OS X Kernel Rootkits by Phrack Magazine](http://phrack.org/issues/69/7.html) * A collection of OSX rootkit ideas ### [iPhone Data Protection in Depth](http://conference.hackinthebox.org/hitbsecconf2011ams/materials/D2T2%20-%20Jean-Baptiste%20Be%CC%81drune%20&%20Jean%20Sigwald%20-%20iPhone%20Data%20Protection%20in%20Depth.pdf) ### [Cycript](http://www.cycript.org/) * Remote control library for fuzz testing iOS apps ### [ChaoticMarch](https://github.com/synack/chaoticmarch) * Blackbox fuzz testing for iOS apps (requires jailbreak) ### [iOS backup decrypt script](https://stackoverflow.com/questions/1498342/how-to-decrypt-an-encrypted-apple-itunes-iphone-backup) * Contains a script for decrypting an encrypted iOS backup archive ### [Remote Packet Capture for iOS Devices](https://useyourloaf.com/blog/remote-packet-capture-for-ios-devices/) * Use a remote virtual interface to capture packets from a tethered iOS device * [Python utility](https://thrysoee.dk/iospcap/) * [Another python utility](https://github.com/gh2o/rvi_capture) ### [Pareto Security](https://paretosecurity.app/) * A MenuBar app to automatically audit your Mac for basic security hygiene. ### [Mana Security](https://manasecurity.com/) * Vulnerability Management app for individuals. It helps to keep macOS and installed applications updated. ### [cnspec](https://cnspec.io/) * Open source vulnerability and misconfiguration scanning for macOS hosts + much more. ### [Intro To IOS Malware Detection](https://8ksec.io/mobile-malware-analysis-part-4-intro-to-ios-malware-detection/) * iOS malware, its types, methods of gathering forensics information ### [Ipsw Walkthrough](https://8ksec.io/ipsw-walkthrough-part-1-the-swiss-army-knife-for-ios-macos-security-research/) * Part one that covers basic uses ## Remote Access Toolkits ### [Empyre](https://github.com/EmpireProject/EmPyre) ### [Bella](https://github.com/kai5263499/Bella) ### [Stitch](https://nathanlopez.github.io/Stitch/) ### [Pupy](https://github.com/n1nj4sec/pupy) ### [EggShell surveillance tool](https://github.com/neoneggplant/EggShell) - Works on OSX and jailbroken iOS ### [EvilOSX](https://github.com/Marten4n6/EvilOSX) - Pure python post-exploitation toolkit ## Worth following on Twitter * [@patrickwardle](https://twitter.com/patrickwardle) * [@objective_see](https://twitter.com/objective_see) * [@0xAmit](https://twitter.com/0xAmit) * [@osxreverser](https://twitter.com/osxreverser) * [@liucoj](https://twitter.com/liucoj) * [@osxdaily](https://twitter.com/osxdaily) * [@iamevltwin](https://twitter.com/iamevltwin) * [@claud_xiao](https://twitter.com/claud_xiao) * [@JPoForenso](https://twitter.com/JPoForenso) * [@patrickolsen](https://twitter.com/patrickolsen) ## Other OSX Awesome lists * [ashishb/osx-and-ios-security-awesome](https://github.com/ashishb/osx-and-ios-security-awesome) [osxsecurity.md Github](https://github.com/kai5263499/osx-security-awesome )