Matthew Warren haircut

## defang.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              5 stars
            
          
                macshome
                / defang.md
            
            
              Last active
              February 1, 2023 02:23
            
              
                How to defang system protections on macOS
              
          
      View defang.md
  
      
    How to Defang macOS System Protections
If you want to change things on the root drive of a Mac you will need to take some steps to disable the built in security of the system. Most of these steps are the same regardless if you are on Intel or Apple Silicon. If there is a difference it is noted.
Note that all of these things put a Mac into an unsupported and less secure state.
Make sure you either perform these steps in a VM or that you reset the protections after you are done poking around
Protections and Terms
(This list is not exahustive on the details of each. Check the links at the end for more info.)

  
## Speed Dating for Mac Admins.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              9 stars
            
          
                talkingmoose
                / Speed Dating for Mac Admins.md
            
            
              Last active
              July 13, 2022 20:00
            
              
                Resources for my Penn State 2022 MacAdmins Campfire presentation on June 2
              
          
      View Speed Dating for Mac Admins.md
  
      
    Speed Dating for Mac Admins
Terminal Login Banner
Last login: Wed Jun  1 23:03:39 on ttys000


                        'c.            Logged in as: bill.smith
                     ,xNMM.            ---------------------------------


## log4j_rce_check.py
#! /usr/bin/env python3

'''
    Needs Requests (pip3 install requests)

    Author: Marcello Salvati, Twitter: @byt3bl33d3r
    License: DWTFUWANTWTL (Do What Ever the Fuck You Want With This License)


    This should allow you to detect if something is potentially exploitable to the log4j 0day dropped on December 9th 2021.

## get-focus-mode.js
const app = Application.currentApplication()
app.includeStandardAdditions = true

function getJSON(path) {
	const fullPath = path.replace(/^~/, app.pathTo('home folder'))
	const contents = app.read(fullPath)
	return JSON.parse(contents)
}

function run() {

## ikbc-td108-manual.txt
# ⌨️ TD 108 Functions Description

***Light Mode:***

PRESS FN + F4
+ Light up
+ Wave
+ Rain drop
+ Aurora
+ Breathing

## kextidentifiers.py
#!/usr/bin/python

# For mojave only
# In order for this to work, you will need to go to System Preferences in Mojave -> Security & Privacy -> Privacy -> Full Disk Access and grant Terminal.app permissions

import sqlite3
conn = sqlite3.connect('/var/db/SystemPolicyConfiguration/KextPolicy')
c = conn.cursor()
query = 'SELECT * FROM kext_policy'
c.execute(query)

## forcefully_remove_mdm_1015.sh
#!/bin/bash
# Seriously there still apparently aren't enough warning labels
# If you don't understand the consequences don't do it

REMOVE_PATHS=( # "/var/db/ConfigurationProfiles/.passcodePolicesAreInstalled"
               # "/var/db/ConfigurationProfiles/.cloudConfigHasActivationRecord"
               # "/var/db/ConfigurationProfiles/.cloudConfigNoActivationRecord"
               # "/var/db/ConfigurationProfiles/.cloudConfigProfileObtained"
               # "/var/db/ConfigurationProfiles/.cloudConfigRecordFound"
               # "/var/db/ConfigurationProfiles/.profilesAreInstalled"

## fancy_defaults_read.py
#!/usr/bin/python

import os
import sys

from CoreFoundation import (CFPreferencesAppValueIsForced,
                            CFPreferencesCopyAppValue,
                            CFPreferencesCopyValue,
                            kCFPreferencesAnyUser,
                            kCFPreferencesAnyHost,

## MSOL-BulkRemoveDirectAssignedLicense.ps1
<#
  Modified version of the script from Microsoft Documentation.
  Removed the part that checks if the users is assigned more products than the group assigned license.
  Added connection part and help to find Sku and Group Object ID.
  This script requires Azure AD (aks MSOL) PowerShell v1. It doesn't seem possible to do so with v2.
  Ref: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-licensing-ps-examples
#>

Import-Module MSOnline
$UserCredential = Get-Credential

## bash array parser
parse_array() {
  FS=':'
  key=(); val=()
  for (( i=0 ; i < $(eval echo \${#$1[@]}) ; i++ )); do
  key+=( "$(eval echo \${$1[$i]} | awk -F${FS} '{print $1}')" )
  val+=( "$(eval echo \${$1[$i]} | awk -F${FS} '{print $2}')" )
  done
}
# Assuming script contains myarray=( "key1:value1" "key2:value2" )
parse_array myarray
	#! /usr/bin/env python3

	'''
	Needs Requests (pip3 install requests)

	Author: Marcello Salvati, Twitter: @byt3bl33d3r
	License: DWTFUWANTWTL (Do What Ever the Fuck You Want With This License)


	This should allow you to detect if something is potentially exploitable to the log4j 0day dropped on December 9th 2021.
	const app = Application.currentApplication()
	app.includeStandardAdditions = true

	function getJSON(path) {
	const fullPath = path.replace(/^~/, app.pathTo('home folder'))
	const contents = app.read(fullPath)
	return JSON.parse(contents)
	}

	function run() {
	# ⌨️ TD 108 Functions Description

	*Light Mode:*

	PRESS FN + F4
	+ Light up
	+ Wave
	+ Rain drop
	+ Aurora
	+ Breathing
	#!/usr/bin/python

	# For mojave only
	# In order for this to work, you will need to go to System Preferences in Mojave -> Security & Privacy -> Privacy -> Full Disk Access and grant Terminal.app permissions

	import sqlite3
	conn = sqlite3.connect('/var/db/SystemPolicyConfiguration/KextPolicy')
	c = conn.cursor()
	query = 'SELECT * FROM kext_policy'
	c.execute(query)
	#!/bin/bash
	# Seriously there still apparently aren't enough warning labels
	# If you don't understand the consequences don't do it

	REMOVE_PATHS=( # "/var/db/ConfigurationProfiles/.passcodePolicesAreInstalled"
	# "/var/db/ConfigurationProfiles/.cloudConfigHasActivationRecord"
	# "/var/db/ConfigurationProfiles/.cloudConfigNoActivationRecord"
	# "/var/db/ConfigurationProfiles/.cloudConfigProfileObtained"
	# "/var/db/ConfigurationProfiles/.cloudConfigRecordFound"
	# "/var/db/ConfigurationProfiles/.profilesAreInstalled"
	#!/usr/bin/python

	import os
	import sys

	from CoreFoundation import (CFPreferencesAppValueIsForced,
	CFPreferencesCopyAppValue,
	CFPreferencesCopyValue,
	kCFPreferencesAnyUser,
	kCFPreferencesAnyHost,
	<#
	Modified version of the script from Microsoft Documentation.
	Removed the part that checks if the users is assigned more products than the group assigned license.
	Added connection part and help to find Sku and Group Object ID.
	This script requires Azure AD (aks MSOL) PowerShell v1. It doesn't seem possible to do so with v2.
	Ref: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-licensing-ps-examples
	#>

	Import-Module MSOnline
	$UserCredential = Get-Credential
	parse_array() {
	FS=':'
	key=(); val=()
	for (( i=0 ; i < $(eval echo \${#$1[@]}) ; i++ )); do
	key+=( "$(eval echo \${$1[$i]} \| awk -F${FS} '{print $1}')" )
	val+=( "$(eval echo \${$1[$i]} \| awk -F${FS} '{print $2}')" )
	done
	}
	# Assuming script contains myarray=( "key1:value1" "key2:value2" )
	parse_array myarray