The first few minutes after accessing a MacBook are critical – but where do we start? With tools built into macOS, we can develop a deep understanding of running background processes, detect antivirus software, pinpoint sensitive files, and scan other devices on the network. All this is possible without installing additional software or modifying files.
What is situational awareness?
For most red team engagements, after compromising a target the tester has to learn as much about the device and its network environment as possible. This is commonly referred to as "situational awareness": gathering hardware, software and network information about the target. That information can then be used to go after the user's online accounts and the other devices and services on the network.
Our goal as a penetration tester is to learn as much as we can about the newly compromised macOS device without alerting its user to our presence. In general, using tools built into the operating system to gather information helps us avoid detection. macOS ships with many tools that let us survey the device, the local network and the Wi-Fi networks it connects to. The first (and possibly most important) tool we will talk about is system_profiler.
Step 1: Detecting Hardware and Software Details
The system_profiler tool was designed to print system hardware and software configurations. It provides the ability to export information in XML format and supports multiple levels of verbosity output.
In most cases, system_profiler creates more than 55,000 rows of data about the macOS target device. This data includes very specific hardware data, firewall settings, wireless adapter details, boot objects, and detailed application information, just to name a few.
system_profiler can be used without root privileges, which makes it an ideal tool for an attacker to quickly enumerate hardware and software specifications.
The following system_profiler commands can be executed from a terminal or from a Netcat backdoor. Use the --help argument to display the available options.
system_profiler --help
Usage: system_profiler [-listDataTypes]
       system_profiler [-xml] [-timeout n] [-detailLevel n]
       system_profiler [-xml] [-timeout n] [dataType1 ... dataTypeN]

  -detailLevel n    specifies the level of detail for the report
                      mini = short report (contains no identifying or personal information)
                      basic = basic hardware and network information
                      full = all available information

  -listDataTypes    lists all available data types

  -xml              generates XML output instead of plain text
                    when redirected to a file with the extension ".spx"
                    the file can be opened in System Profiler.app

  -timeout          specifies the maximum time to wait in seconds for gathering
                    information. The default value is 180 seconds, 0 means no timeout

  Redirect stderr to /dev/null to suppress progress and error messages.
The system_profiler "data types" represent the various components of the macOS system. For example, passing the SPFirewallDataType argument prints the device's firewall configuration.
system_profiler SPFirewallDataType
Firewall:

    Firewall Settings:

      Mode: Block all incoming connections
      Firewall Logging: Yes
      Stealth Mode: No
We have now learned that the device has the firewall enabled and blocks all incoming connections. This small piece of information is critical to an attacker planning their next move and trying to establish persistence.
There is a -listDataTypes argument that can be used to display all available data types.
system_profiler -listDataTypes
Available Datatypes:
SPParallelATADataType
SPUniversalAccessDataType
SPApplicationsDataType
SPAudioDataType
SPBluetoothDataType
SPCameraDataType
SPCardReaderDataType
SPComponentDataType
SPiBridgeDataType
SPDeveloperToolsDataType
SPDiagnosticsDataType
SPDisabledSoftwareDataType
SPDiscBurningDataType
SPEthernetDataType
SPExtensionsDataType
SPFibreChannelDataType
SPFireWireDataType
SPFirewallDataType
SPFontsDataType
SPFrameworksDataType
SPDisplaysDataType
SPHardwareDataType
SPHardwareRAIDDataType
SPInstallHistoryDataType
SPNetworkLocationDataType
SPLogsDataType
SPManagedClientDataType
SPMemoryDataType
SPNVMeDataType
SPNetworkDataType
SPPCIDataType
SPParallelSCSIDataType
SPPowerDataType
SPPrefPaneDataType
SPPrintersSoftwareDataType
SPPrintersDataType
SPConfigurationProfileDataType
SPRawCameraDataType
SPSASDataType
SPSerialATADataType
SPSPIDataType
SPSmartCardsDataType
SPSoftwareDataType
SPStartupItemDataType
SPStorageDataType
SPSyncServicesDataType
SPThunderboltDataType
SPUSBDataType
SPNetworkVolumeDataType
SPWWANDataType
SPAirPortDataType
Multiple data types can be used simultaneously. Below I print the operating system version and network information of the MacBook.
system_profiler SPSoftwareDataType SPNetworkDataType
Software:

    System Software Overview:

      System Version: macOS 10.13.6 (17G65)
      Kernel Version: Darwin 17.7.0
      Boot Volume: macOS
      Boot Mode: Normal
      Computer Name: tokyoneons MacBook Air
      User Name: tokyoneon (tokyoneon)
      Secure Virtual Memory: Enabled
      System Integrity Protection: Enabled
      Time since boot: 1:27

Network:

    Wi-Fi:

      Type: AirPort
      Hardware: AirPort
      BSD Device Name: en0
      IPv4 Addresses: 192.168.1.98
      IPv4:
          Additional Routes:
              Destination Address: 192.168.1.98
              Subnet Mask: 255.255.255.255
              Destination Address: 169.254.0.0
              Subnet Mask: 255.255.0.0
          Addresses: 192.168.1.98
          ARP Resolved Hardware Address: xx:xx:xx:xx:xx:xx
          ARP Resolved IP Address: 192.168.1.1
          Configuration Method: DHCP
          Confirmed Interface Name: en0
          Interface Name: en0
          Network Signature: IPv4.Router=192.168.1.1;IPv4.RouterHardwareAddress=xx:xx:xx:xx:xx:xx
          Router: 192.168.1.1
          Subnet Masks: 255.255.255.0
      IPv6:
          Configuration Method: Automatic
      DNS:
          Server Addresses: 192.168.1.1
      DHCP Server Responses:
          Domain Name Servers: 192.168.1.1
          Lease Duration (seconds): 0
          DHCP Message Type: 0x05
          Router: 192.168.1.1
          Server Identifier: 192.168.1.1
          Subnet Mask: 255.255.255.0
      Ethernet:
          MAC Address: xx:xx:xx:xx:xx:xx
          Media Options:
          Media Subtype: Auto Select
      Proxies:
          Exceptions List: *.local, 169.254/16
          FTP Passive Mode: Yes
      Service Order: 0

    Bluetooth PAN:

      Type: Ethernet
      Hardware: Ethernet
      BSD Device Name: en2
      IPv4:
          Configuration Method: DHCP
      IPv6:
          Configuration Method: Automatic
      Proxies:
          Exceptions List: *.local, 169.254/16
          FTP Passive Mode: Yes
      Service Order: 1

    Thunderbolt Bridge:

      Type: Ethernet
      Hardware: Ethernet
      BSD Device Name: bridge0
      IPv4:
          Configuration Method: DHCP
      IPv6:
          Configuration Method: Automatic
      Proxies:
          Exceptions List: *.local, 169.254/16
          FTP Passive Mode: Yes
      Service Order: 2
If system_profiler is run without arguments, it queries all available data types. This produces a huge amount of output and can take several minutes.
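The same indented "Key: Value" text that system_profiler prints is just as useful to a defender auditing a fleet as it is to an attacker. The parser below is an added example (not code from the original article): it turns the plain-text output into nested dicts and then reads the firewall posture and the Wi-Fi facts shown above. The sample inputs are constructed from the output on this page, and the function names are my own.

```python
# Constructed samples, abbreviated from the system_profiler output shown above.
SAMPLE_FIREWALL = """\
Firewall:

    Firewall Settings:

      Mode: Block all incoming connections
      Firewall Logging: Yes
      Stealth Mode: No
"""

SAMPLE_NETWORK = """\
Network:

    Wi-Fi:

      Type: AirPort
      BSD Device Name: en0
      IPv4 Addresses: 192.168.1.98
      IPv4:
          Router: 192.168.1.1
          Subnet Masks: 255.255.255.0
      DNS:
          Server Addresses: 192.168.1.1
      Ethernet:
          MAC Address: xx:xx:xx:xx:xx:xx
"""


def parse_system_profiler(text):
    """Turn system_profiler's indented 'Key: Value' text into nested dicts.
    A line that ends in ':' opens a section; deeper indentation nests under it."""
    root = {}
    stack = [(-1, root)]                      # (indent width, container dict)
    for raw in text.splitlines():
        if not raw.strip():
            continue                          # system_profiler pads sections with blank lines
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")   # split on the first colon only
        while indent <= stack[-1][0]:         # close sections at this depth or deeper
            stack.pop()
        parent = stack[-1][1]
        if value.strip():
            parent[key] = value.strip()
        else:
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root


def firewall_posture(tree):
    """Read SPFirewallDataType the way a defender checks a host: three booleans."""
    fw = tree["Firewall"]["Firewall Settings"]
    return {
        "blocks_all_incoming": fw.get("Mode") == "Block all incoming connections",
        "logging": fw.get("Firewall Logging") == "Yes",
        "stealth": fw.get("Stealth Mode") == "Yes",
    }


def wifi_summary(tree):
    """Pull the fields an analyst wants first from SPNetworkDataType's Wi-Fi entry."""
    wifi = tree["Network"]["Wi-Fi"]
    return {
        "interface": wifi["BSD Device Name"],
        "ipv4": wifi["IPv4 Addresses"],
        "router": wifi["IPv4"]["Router"],
        "dns": wifi["DNS"]["Server Addresses"],
    }
```

Feed it real output with `system_profiler SPFirewallDataType SPNetworkDataType 2>/dev/null`; the parser works for any data type because it only follows indentation.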
Step 2: Identifying Devices on the Network
The Address Resolution Protocol, commonly known as ARP, maps between IP addresses and physical (MAC) addresses. Computers cache this information in "ARP tables" that help routers and devices on a network find each other quickly.
The arp command can be used to print the macOS device's ARP table and discover neighbouring devices without performing a single Nmap scan.
arp -i en0 -l -a
Neighbor                Linklayer Address Expire(O) Expire(I)    Netif Refs Prbs
192.168.1.1             xx:xx:xx:xx:xx:xx 1m36s     1m36s         en0    1
192.168.1.79            xx:xx:xx:xx:xx:xx expired   1m18s         en0    1
192.168.1.102           xx:xx:xx:xx:xx:xx expired   1m20s         en0    1
The -i argument specifies the Wi-Fi interface, while -l prints the output in a more readable format. The -a argument prints all ARP table entries.
We found several devices on the network. The MAC addresses have been redacted here, but this information can be used to identify operating systems and hardware details.
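Whether you are building an asset inventory or reviewing a host after an incident, the `arp -l -a` table is easier to reason about once it is structured. The script below is an added example (not from the original article): it parses the table format shown above, separates entries whose outbound timer is still running from stale ones, and groups IPs by MAC address so that a single hardware address answering for several IPs stands out. The ARP table is constructed sample data with made-up MAC addresses, and the function names are my own.

```python
from collections import defaultdict

# Constructed sample in the `arp -i en0 -l -a` layout shown above (MACs are made up).
SAMPLE_ARP = """\
Neighbor                Linklayer Address Expire(O) Expire(I)    Netif Refs Prbs
192.168.1.1             00:11:22:33:44:01 1m36s     1m36s         en0    1
192.168.1.79            00:11:22:33:44:02 expired   1m18s         en0    1
192.168.1.102           00:11:22:33:44:03 expired   1m20s         en0    1
192.168.1.250           00:11:22:33:44:01 55s       55s           en0    1
192.168.1.200           (incomplete)      expired   expired       en0    1
"""


def parse_arp_table(text):
    """Parse `arp -l -a` output into dicts; the header and unresolved rows are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] == "Neighbor":
            continue
        if fields[1] == "(incomplete)":
            continue                          # no hardware address was ever learned
        entries.append({
            "ip": fields[0],
            "mac": fields[1].lower(),
            "expire_out": fields[2],          # Expire(O): outbound reachability timer
            "expire_in": fields[3],           # Expire(I): inbound reachability timer
            "netif": fields[4],
            "stale": fields[2] == "expired",  # cached, but not confirmed recently
        })
    return entries


def recently_seen(entries):
    """IPs whose outbound timer has not expired: hosts the Mac talked to recently."""
    return [e["ip"] for e in entries if not e["stale"]]


def shared_macs(entries):
    """Group IPs by MAC. One MAC for several IPs can be a VM host or a gateway,
    but it is the first thing to check when you suspect ARP tampering."""
    by_mac = defaultdict(list)
    for e in entries:
        by_mac[e["mac"]].append(e["ip"])
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}
```

On a real host, pipe `arp -i en0 -l -a` into `parse_arp_table` and diff the result against an earlier snapshot to see which neighbours are new.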
Stay tuned, read more …
So much more can be done to build awareness of the compromised device and the other devices on its network. Stay tuned to learn how to extract sensitive information from a target's terminal history, find interesting and recently edited documents on the device, list external hard drives and USB drives, and more.