6 replies to this topic

[flarn2006]

I recently took my MacBook Pro to the Apple store for repair, but I had a script running in the background that took screenshots to monitor what they were doing. This screenshot was among them, and it shows System Preferences open with a list of netboot volumes. I'm interested in obtaining the Apple Service Toolkit. I know it is tightly controlled by Apple, and I would like advice with how exactly to go about downloading all the related files (TFTP files, boot image, etc.) to be able to leak this. I know for a fact this server is accessible on their unsecured "Apple Demo" wireless network, as another screenshot shows my laptop connected to it, so this means I will be able to connect without necessarily even entering the Apple store (where employees can see what I'm doing), let alone SE-ing an employee to plug the Ethernet cable into my computer. But when I'm connected, I'm unsure exactly how to actually download the files used by this. I assume it involves using TFTP to connect to 10.26.32.7, but since TFTP doesn't support directory listings, I don't know the names of the files I would need to download. Can anyone please help me out? If I get it, I'll post it here.

[tekio]

Clever.....

[serrath]

Let me know if you manage to get your hands on it, it'd be cool to have people fuzz this and develop some exploits. Chances are Apple's hoping for security-by-obscurity here, they're not exactly notorious for making their stuff bulletproof.

[flarn2006]

Let me know if you manage to get your hands on it, it'd be cool to have people fuzz this and develop some exploits. Chances are Apple's hoping for security-by-obscurity here, they're not exactly notorious for making their stuff bulletproof.

It is always possible that they had it connected to Ethernet but still had the Wi-Fi connected, and the netboot server isn't accessible over Wi-Fi. This is unlikely however, as why would they connect it to their Wi-Fi if it was already connected to Ethernet? Also, I know it wasn't already set up to connect to their Wi-Fi from another time I had my laptop there, as it's at the end of the list of known networks.

In case it'll be helpful, you can find all of the screenshots at http://imgur.com/a/o2AuZ.

In case you're concerned about it, this "apple" user who's logged in is just a temporary account I had set up for them, not some kind of backdoor they have. The reason they went into the Users & Groups preference pane was to remove my script from the login items, but they hadn't actually terminated the process. They hadn't booted it again either, as /var/log/secure.log says that user only logged in three times, two of which had actually been me logging in.

Also, I'm just curious: how would someone develop exploits from this?

Edited by flarn2006, 12 October 2011 - 10:20 PM.

[serrath]

Not that I'd do anything illegal as far as hacking or social engineering goes, but please remind me about this via PM around Thanksgiving if you haven't acquired this by then.

[Afterm4th]

While I am not an apple certified repair tech I do have repair access to their GSX website.


In order to run the toolkit you need to have an apple server. Once you have the server set up you can install their tool kit. The way it works is you have the server running, then you plug the problem computer into your ethernet port which is plugged into a router where the apple server is connected.

You can then reboot the mac and have it boot over the network and it will boot into a diag screen where you can run all sorts of tests.


Ill post more info later when im not at work...

[Afterm4th]

I dont know if the op is still interested, but You can find copies of the toolkit on the internet...

The other way to diagnose mac computers is to download their asd tools. With the older macs you can burn a disk and all the diags are done from booting to the asd disk.

Most of the newer macs require a USB flash drive to be partitioned and the images of the asd tools loaded onto the flash drive.

Heres a bunch of older ASD tools: http://isohunt.com/t...asd?tab=summary