Dominic White singe

macOS Seatbelt/Sandbox Trace Script

macOS sandbox profiles used to be able to include a trace command that would write all the denied operations to a sandbox profile, allowing a profile to be iterativley built up. Apple removed that functionality for reasons explained below.

trace.sh examines the kernel log for the denied operations and creates the relevant allow rules in a sandbox profile, just like the sandbox profile trace command used to.

shrink.sh tries to reduce a sandbox profile to the minimum lines necessary.

It's very rough and ready at the moment (check the sed regex'es in the script to see what I mean) and needs more testing with a wider set of use cases.

Using OSC7 to trigger a canary token in text files

macOS' Terminal.app supports the OSC7 escape code for notifying the terminal of the current working directory. It also supports the file:// URL scheme. This means you can embed a hostname in the instruction, and the host will perform a DNS lookup against it. It also won't visibly render in the terminal.

You can create the escape code like this: printf '\033]7;file://<hostname>\033\\'

I tested Terminal.app, Microsoft command shell, Windows Terminal and Alacritty and it only worked on Terminal.app. OSC7 support is contentious across other terminals according to various pull request discussions.

This was discussed in @stokfredrik's BlackHat/Defcon 2023 talk https://i.blackhat.com/BH-US-23/Presentations/US-23-stok-weponizing-plain-text-ansi-escape-sequences-as-a-forensic-nightmare-appendix.pdf

	services:
	socat:
	image: alpine/socat
	# Connects to a service running on port 1337 on the host machine and creates a unix socket listener
	command: UNIX-LISTEN:/sockets/shared.sock,unlink-early,unlink-close,fork TCP-CONNECT:host.docker.internal:1337,reuseaddr
	# unlink-* deletes the socket file before start up and when the connection is closed
	restart: unless-stopped
	volumes:
	- sockets:/sockets
	# It needs access to the host, hence the default network

	# By Dominic White ( @[email protected] / @[email protected] )
	#
	# I've been rolling this font for nearly two decades. I can't remember who wrote
	# it originally, but I stole enough of it to not take any credit. I've just
	# updated it here and there. The latest for Oh-My-Zsh

	prompt_setup_singe() {
	colour1="%{$fg[blue]%}" #line
	colour2="%{$fg[green]%}" #directory
	colour3="%{$fg[magenta]%}" #time, user, host

	#!/bin/sh

	# A quick 'n dirty website mirror script
	# by @singe
	# Ideally, wget -r should mirror a site, but modern websites are complex, this
	# tries to fix the gaps of what is typically mixed.
	# It's been tested on 3 or 4 sites, and likely needs more tricks added.

	sourcedomain="$1"
	depth="$2"

	import datetime
	import ui

	v = ui.load_view()
	width, height = ui.get_screen_size()
	v.frame = (0, 0, width, height)
	v.present('sheet')

	first = datetime.datetime(2023, 1, 1, 0, 0, 0, 0)

	#!/bin/bash

	# hashcat mask generator
	# by @singe

	infile="$1"
	outfile="$1.freq.masks"
	outfile2="$1.length.masks"
	tmp=$(mktemp)

	#!/bin/sh
	file="$1"
	tmp=$(mktemp)

	# change specials & digits to hashcat format
	sed -e "s/[[:punct:]]/?s/g" \
	-e "s/[[:digit:]]/?d/g" \
	$file \
	> $tmp \
	&& \

	#!/bin/bash
	# Convert hashcat.pot to john.pot and merge them
	# Usage: hc-to-john.sh <hashcat pot> <john pot>
	# NB: Make sure the hashcat pot only contains 16
	# and 32 character hashes that are LM and NT hashes

	tmp1=$(mktemp -t pot-port)
	tmp2=$(mktemp -t pot-port)
	hashpot=$1
	LC_ALL=UTF-8 sed 's/^\([a-f0-9]\{32\}:[^:]*\)$/$NT$\1/' $hashpot \| grep '^\$NT\$' > $tmp1