HackTricks
Search…
Pentesting
Powered By GitBook
MacOS Red Teaming

Common management methods

    JAMF Pro: jamf checkJSSConnection
    Kandji
If you manage to compromise admin credentials to access the management platform, you can potentially compromise all the computers by distributing your malware in the machines.
For red teaming in MacOS environments it's highly recommended to have some understanding of how the MDMs work:
And also about MacOS "special" network protocols:

Active Directory

In some occasions you will find that the MacOS computer is connected to an AD. In this scenario you should try to enumerate the active directory as you are use to it. Find some help in the following pages:
Some local MacOS tool that may also help you is dscl:
1
dscl "/Active Directory/[Domain]/All Domains" ls /
Copied!
Also there are some tools prepared for MacOS to automatically enumerate the AD and play with kerberos:
    Machound: MacHound is an extension to the Bloodhound audting tool allowing collecting and ingesting of Active Directory relationships on MacOS hosts.
    Bifrost: Bifrost is an Objective-C project designed to interact with the Heimdal krb5 APIs on macOS. The goal of the project is to enable better security testing around Kerberos on macOS devices using native APIs without requiring any other framework or packages on the target.
    Orchard: JavaScript for Automation (JXA) tool to do Active Directory enumeration.

Domain Information

1
echo show com.apple.opendirectoryd.ActiveDirectory | scutil
Copied!

Users

The three types of MacOS users are:
    Local Users — Managed by the local OpenDirectory service, they aren’t connected in any way to the Active Directory.
    Network Users — Volatile Active Directory users who require a connection to the DC server to authenticate.
    Mobile Users — Active Directory users with a local backup for their credentials and files.
The local information about users and groups is stored in in the folder /var/db/dslocal/nodes/Default. For example, the info about user called mark is stored in /var/db/dslocal/nodes/Default/users/mark.plist and the info about the group admin is in /var/db/dslocal/nodes/Default/groups/admin.plist.
In addition to using the HasSession and AdminTo edges, MacHound adds three new edges to the Bloodhound database:
    CanSSH - entity allowed to SSH to host
    CanVNC - entity allowed to VNC to host
    CanAE - entity allowed to execute AppleEvent scripts on host
1
#User enumeration
2
dscl . ls /Users
3
dscl . read /Users/[username]
4
dscl "/Active Directory/TEST/All Domains" ls /Users
5
dscl "/Active Directory/TEST/All Domains" read /Users/[username]
6
dscacheutil -q user
7
8
#Computer enumeration
9
dscl "/Active Directory/TEST/All Domains" ls /Computers
10
dscl "/Active Directory/TEST/All Domains" read "/Computers/[compname]quot;
11
12
#Group enumeration
13
dscl . ls /Groups
14
dscl . read "/Groups/[groupname]"
15
dscl "/Active Directory/TEST/All Domains" ls /Groups
16
dscl "/Active Directory/TEST/All Domains" read "/Groups/[groupname]"
17
18
#Domain Information
19
dsconfigad -show
Copied!

External Services

MacOS Red Teaming is different from a regular Windows Red Teaming as usually MacOS is integrated with several external platforms directly. A common configuration of MacOS is to access to the computer using OneLogin synchronised credentials, and accessing several external services (like github, aws...) via OneLogin:

References

Last modified 2mo ago