
How to Perform Situational Awareness Attacks, Part 1 (with System_Profiler & ARP) «Null Byte :: WonderHowTo



The first few minutes after accessing a MacBook are critical – but where do we start? With tools built into macOS, we can develop a deep understanding of running background processes, detect antivirus software, pinpoint sensitive files, and scan other devices on the network. All this is possible without installing additional software or modifying files.

What is situational awareness?

On most red team engagements, after compromising a target, the tester has to learn as much as possible about the device and its network environment. This is commonly referred to as "situational awareness": gathering hardware, software and network information about the target. That information can then be used to further manipulate the target's online accounts and the other devices and services on the network.

Our goal as a penetration tester is to learn as much as we can about the newly compromised macOS device without alerting anyone to our presence. In general, using tools built into the operating system to gather information helps us avoid detection. macOS includes many tools that let us enumerate the device, the network it is on, and the Wi-Fi networks it has connected to. The first (and possibly most important) tool we will talk about is system_profiler.

1. Detecting Hardware and Software Details

The system_profiler tool is designed to report the system's hardware and software configuration. It can export the information as XML and supports several levels of output detail.

In most cases, system_profiler produces more than 55,000 lines of data about the target macOS device. This includes very specific hardware data, firewall settings, wireless adapter details, boot items and detailed application information, to name just a few.

system_profiler can be used without root privileges, which makes it an excellent tool for an attacker who wants to quickly identify hardware and software specifications.

The following system_profiler commands can be executed from a terminal or from a Netcat backdoor. Use the --help argument to display the available options.

  system_profiler --help

Usage: system_profiler [-listDataTypes]
       system_profiler [-xml] [-timeout n] [-detailLevel n]
       system_profiler [-xml] [-timeout n] [dataType1 ... dataTypeN]

  -detailLevel n  specifies the level of detail for the report
                    mini = short report (contains no identifying or personal information)
                    basic = basic hardware and network information
                    full = all available information

  -listDataTypes  lists all available data types

  -xml            generates XML output instead of plain text
                  when redirected to a file with the extension ".spx"
                  the file can be opened in System Profiler.app

  -timeout        specifies the maximum time for gathering information
                  the default value is 180 seconds, 0 means no timeout

Redirect stderr to /dev/null to suppress progress and error messages.

system_profiler "data types" represent the various components of a macOS system. For example, passing the argument SPFirewallDataType prints the device's firewall configuration.

  system_profiler SPFirewallDataType

Firewall:

    Firewall Settings:

      Mode: Block all incoming connections
      Firewall Logging: Yes
      Stealth Mode: No

We have now learned that the device has its firewall enabled and is blocking all incoming connections. This small piece of information is critical to an attacker planning the next move and trying to establish persistence.
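The same firewall information is available in machine-readable form via the -xml option. As an added example (not code from the original article), the Python below reads that plist with the standard plistlib module and audits the settings from the defender's side; the sample plist is constructed in the shape of `system_profiler SPFirewallDataType -xml` output, and the spfirewall_* key names are assumed from macOS 10.13 rather than taken from the page.

```python
import plistlib

# Constructed sample shaped like `system_profiler SPFirewallDataType -xml`: a plist
# array of data-type dicts, each carrying an `_items` array. The spfirewall_* key
# names are assumed from macOS 10.13 output; verify them against your own machine.
SAMPLE_SPX = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><array><dict>
  <key>_dataType</key><string>SPFirewallDataType</string>
  <key>_items</key><array><dict>
    <key>spfirewall_globalstate</key><string>spfirewall_globalstate_block_all</string>
    <key>spfirewall_loggingenabled</key><string>spfirewall_enabled</string>
    <key>spfirewall_stealthenabled</key><string>spfirewall_disabled</string>
  </dict></array>
</dict></array></plist>
"""
# Labels matching the "Mode:" line of the plain-text report.
MODES = {
    "spfirewall_globalstate_allow_all": "Allow all incoming connections",
    "spfirewall_globalstate_limit_connections": "Limit incoming connections",
    "spfirewall_globalstate_block_all": "Block all incoming connections",
}

def items_for(plist_bytes, data_type):
    """Return the `_items` list of one data type, or [] if it is absent."""
    for entry in plistlib.loads(plist_bytes):
        if entry.get("_dataType") == data_type:
            return entry.get("_items", [])
    return []

def firewall_summary(plist_bytes):
    """Mode, logging and stealth as a dict; None if the data type is missing."""
    items = items_for(plist_bytes, "SPFirewallDataType")
    if not items:
        return None
    fw = items[0]
    def flag(key):  # tri-state: True/False, or None when the key is absent
        return None if key not in fw else fw[key] == "spfirewall_enabled"
    raw = fw.get("spfirewall_globalstate")
    return {"mode": MODES.get(raw, raw),
            "logging": flag("spfirewall_loggingenabled"),
            "stealth": flag("spfirewall_stealthenabled")}

def findings(summary):
    """Audit checks: anything weaker than block-all with stealth and logging on."""
    if summary is None:
        return ["no firewall data"]
    checks = [(summary["mode"] != "Block all incoming connections", "not in block-all mode"),
              (summary["stealth"] is not True, "stealth mode off"),
              (summary["logging"] is not True, "firewall logging off")]
    return [msg for bad, msg in checks if bad]
```

On a real machine, feed the bytes of `system_profiler SPFirewallDataType -xml 2>/dev/null` to firewall_summary instead of SAMPLE_SPX.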

There is a -listDataTypes argument that can be used to display all available data types.

  system_profiler -listDataTypes

Available Datatypes:
SPParallelATADataType
SPUniversalAccessDataType
SPApplicationsDataType
SPAudioDataType
SPBluetoothDataType
SPCameraDataType
SPCardReaderDataType
SPComponentDataType
SPiBridgeDataType
SPDeveloperToolsDataType
SPDiagnosticsDataType
SPDisabledSoftwareDataType
SPDiscBurningDataType
SPEthernetDataType
SPExtensionsDataType
SPFibreChannelDataType
SPFireWireDataType
SPFirewallDataType
SPFontsDataType
SPFrameworksDataType
SPDisplaysDataType
SPHardwareDataType
SPHardwareRAIDDataType
SPInstallHistoryDataType
SPNetworkLocationDataType
SPLogsDataType
SPManagedClientDataType
SPMemoryDataType
SPNVMeDataType
SPNetworkDataType
SPPCIDataType
SPParallelSCSIDataType
SPPowerDataType
SPPrefPaneDataType
SPPrintersSoftwareDataType
SPPrintersDataType
SPConfigurationProfileDataType
SPRawCameraDataType
SPSASDataType
SPSerialATADataType
SPSPIDataType
SPSmartCardsDataType
SPSoftwareDataType
SPStartupItemDataType
SPStorageDataType
SPSyncServicesDataType
SPThunderboltDataType
SPUSBDataType
SPNetworkVolumeDataType
SPWWANDataType
SPAirPortDataType

Multiple data types can be specified at once. Below, I print the operating system version and the network information of the MacBook.

  system_profiler SPSoftwareDataType SPNetworkDataType

Software:

    System Software Overview:

      System Version: macOS 10.13.6 (17G65)
      Kernel Version: Darwin 17.7.0
      Boot Volume: macOS
      Boot Mode: Normal
      Computer Name: tokyoneons MacBook Air
      User Name: tokyoneon (tokyoneon)
      Secure Virtual Memory: Enabled
      System Integrity Protection: Enabled
      Time since boot: 1:27

Network:

    Wi-Fi:

      Type: AirPort
      Hardware: AirPort
      BSD Device Name: en0
      IPv4 Addresses: 192.168.1.98
      IPv4:
          Additional Routes:
              Destination Address: 192.168.1.98
              Subnet Mask: 255.255.255.255
              Destination Address: 169.254.0.0
              Subnet Mask: 255.255.0.0
          Addresses: 192.168.1.98
          ARP Resolved Hardware Address: xx:xx:xx:xx:xx:xx
          ARP Resolved IP Address: 192.168.1.1
          Configuration Method: DHCP
          Confirmed Interface Name: en0
          Interface Name: en0
          Network Signature: IPv4.Router=192.168.1.1;IPv4.RouterHardwareAddress=xx:xx:xx:xx:xx:xx
          Router: 192.168.1.1
          Subnet Masks: 255.255.255.0
      IPv6:
          Configuration Method: Automatic
      DNS:
          Server Addresses: 192.168.1.1
      DHCP Server Responses:
          Domain Name Servers: 192.168.1.1
          Lease Duration (seconds): 0
          DHCP Message Type: 0x05
          Router: 192.168.1.1
          Server Identifier: 192.168.1.1
          Subnet Mask: 255.255.255.0
      Ethernet:
          MAC Address: xx:xx:xx:xx:xx:xx
          Media Options:
          Media Subtype: Auto Select
      Proxies:
          Exceptions List: *.local, 169.254/16
          FTP Passive Mode: Yes
      Service Order: 0

    Bluetooth PAN:

      Type: Ethernet
      Hardware: Ethernet
      BSD Device Name: en2
      IPv4:
          Configuration Method: DHCP
      IPv6:
          Configuration Method: Automatic
      Proxies:
          Exceptions List: *.local, 169.254/16
          FTP Passive Mode: Yes
      Service Order: 1

    Thunderbolt Bridge:

      Type: Ethernet
      Hardware: Ethernet
      BSD Device Name: bridge0
      IPv4:
          Configuration Method: DHCP
      IPv6:
          Configuration Method: Automatic
      Proxies:
          Exceptions List: *.local, 169.254/16
          FTP Passive Mode: Yes
      Service Order: 2

If system_profiler is run without arguments, it reports every available data type. This produces a huge amount of data and can take several minutes.

2. Identifying Devices on the Network

The Address Resolution Protocol, commonly known as ARP, maps IP addresses to physical (MAC) addresses. Computers cache this information in "ARP tables," which let routers and devices on the same network find each other quickly.

The arp command prints the macOS device's ARP table and reveals other devices on the network without performing a single Nmap scan.

  arp -i en0 -l -a

Neighbor                Linklayer Address  Expire(O) Expire(I)    Netif Refs Prbs
192.168.1.1             xx:xx:xx:xx:xx:xx      1m36s     1m36s      en0    1
192.168.1.79            xx:xx:xx:xx:xx:xx    expired     1m18s      en0    1
192.168.1.102           xx:xx:xx:xx:xx:xx    expired     1m20s      en0    1

The -i argument specifies the Wi-Fi interface, while -l prints the table in a more readable format. The -a argument prints all ARP table entries.

We found several devices on the network. The MAC addresses have been redacted here, but this information can be used to identify operating systems and hardware details.
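As an added example that is not part of the original article, here is a small Python parser for the `arp -i en0 -l -a` listing above, used from the defender's side to flag neighbours whose hardware address is not in a known-device inventory and to separate live entries from expired ones; the sample output and its MAC addresses are constructed, since the page's own are redacted.

```python
import re

# Constructed sample in the shape of `arp -i en0 -l -a` output on macOS 10.13.
# The MAC addresses are made up; the article's own listing has them redacted.
SAMPLE_ARP = """Neighbor                Linklayer Address Expire(O) Expire(I)    Netif Refs Prbs
192.168.1.1             00:11:22:33:44:55     1m36s     1m36s      en0    1
192.168.1.79            aa:bb:cc:dd:ee:01   expired     1m18s      en0    1
192.168.1.102           aa:bb:cc:dd:ee:02   expired     1m20s      en0    1
"""

# One table row: IPv4 neighbour, link-layer address (macOS may print octets
# without leading zeros, e.g. 0:1e:...), the two expiry columns and the interface.
LINE_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>(?:[0-9a-f]{1,2}:){5}[0-9a-f]{1,2}|\(incomplete\))\s+"
    r"(?P<exp_o>\S+)\s+(?P<exp_i>\S+)\s+(?P<netif>\S+)", re.I)

def parse_arp(text):
    """Parse `arp -l -a` output into dicts; the header and odd lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["mac"] = d["mac"].lower()
        if d["mac"] == "(incomplete)":        # unresolved neighbour: no hardware address
            d["oui"] = None
        else:                                  # normalise to two-digit octets, keep the OUI
            d["mac"] = ":".join(o.zfill(2) for o in d["mac"].split(":"))
            d["oui"] = d["mac"][:8]            # first three octets identify the vendor
        d["stale"] = d["exp_o"] == "expired"   # entry no longer confirmed by traffic
        entries.append(d)
    return entries

def unknown_hosts(entries, known_macs):
    """Defender check: neighbours whose MAC is not in the site's device inventory."""
    known = {m.lower() for m in known_macs}
    return [e["ip"] for e in entries if e["oui"] and e["mac"] not in known]
```

The OUI (first three octets) can be looked up in the IEEE registry to attribute a neighbour to a vendor, which is what the hardware identification mentioned above relies on.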

Stay tuned for more …

There is still much more to do to build situational awareness on the compromised device and the other devices on the network. Stay tuned to learn how to extract sensitive information from a target's terminal history, find interesting and recently edited documents on the device, list external hard drives and USB drives, and more.

Cover Picture by Oluwaseun Duncan / PEXELS
