Hacking macOS: How to Perform Situational Awareness Attacks, Part 1 (Using System Profiler & ARP)

The first few minutes after gaining access to a MacBook are critical — but where do we begin? Using tools built into macOS, we can develop an in-depth understanding of running background processes, detect antivirus software, locate sensitive files, and fingerprint other devices on the network. All of this can be done without installing additional software or modifying any files.

What Is Situational Awareness?

During most red team engagements, after compromising a target, pentester's will often find they need to learn as much about the device and its network surroundings as possible. This is commonly referred to as "situational awareness." This is the act of gathering hardware, software, and network information about the target. This information can be used to further compromise the target, their online accounts, and pivot to other devices and services within the network.

Our goal as penetration testers is to learn as much about our newly compromised macOS device as possible without alerting the target to our presence. Generally, using tools built into the operating system to perform information gathering will help us evade detection. There are many tools in macOS that we can use to fingerprint the device, the network, and Wi-Fi networks it's connected to. The first (and possibly the most important) tool we'll be talking about is system_profiler.

• Don't Miss: How to Configure a Backdoor on Anyone's MacBook

1. Discover Hardware & Software Details

The system_profiler tool was designed to print system hardware and software configurations from Apple's built-in System Information app, previously called System Profiler on Mac OS X. System_profiler features the ability to export information in XML format and supports several degrees of output verbosity.

In most cases, system_profiler will produce over 55,000 lines of data pertaining to the target macOS device. This data includes very specific hardware details, firewall settings, Wi-Fi adapter details, startup items, and detailed application info, to name just a few.

System_profiler can be used without root privileges and is, therefore, an attacker's greatest tool for quickly discovering hardware and software specifications.

The following system_profiler commands can be executed using a Terminal or from a Netcat backdoor. Use the --help argument to view the available options.

~$ system_profiler --help

Usage: system_profiler [-listDataTypes]
       system_profiler [-xml] [-timeout n] [-detailLevel n]
       system_profiler [-xml] [-timeout n] [dataType1 ... dataTypeN]

  -detailLevel n    specifies the level of detail for the report
                      mini = short report (contains no identifying or personal information)
                      basic = basic hardware and network information
                      full = all available information

  -listDataTypes    lists all the available datatypes

  -xml              generates xml output instead of plain text
                    if redirected to a file with the extension ".spx"
                    the file can be opened in System Profiler.app

  -timeout          specifies the maximum time to spend gathering information
                    the default is 180 seconds, 0 means no timeout

  Redirect stderr to /dev/null to suppress progress and error messages.

The system_profiler "Datatypes" represent different components of the macOS system. For example, using the SPFirewallDataType argument will print the device's firewall configuration.

~$ system_profiler SPFirewallDataType

Firewall:

    Firewall Settings:

      Mode: Block all incoming connections
      Firewall Logging: Yes
      Stealth Mode: No

We've now learned the device has the firewall enabled and is blocking all incoming connections. This small bit of information is critical to an attacker planning their next move and trying to establish persistence.

There's a -listDataTypes argument that can be used to view all of the available Datatypes.

~$ system_profiler -listDataTypes

Available Datatypes:
SPParallelATADataType
SPUniversalAccessDataType
SPApplicationsDataType
SPAudioDataType
SPBluetoothDataType
SPCameraDataType
SPCardReaderDataType
SPComponentDataType
SPiBridgeDataType
SPDeveloperToolsDataType
SPDiagnosticsDataType
SPDisabledSoftwareDataType
SPDiscBurningDataType
SPEthernetDataType
SPExtensionsDataType
SPFibreChannelDataType
SPFireWireDataType
SPFirewallDataType
SPFontsDataType
SPFrameworksDataType
SPDisplaysDataType
SPHardwareDataType
SPHardwareRAIDDataType
SPInstallHistoryDataType
SPNetworkLocationDataType
SPLogsDataType
SPManagedClientDataType
SPMemoryDataType
SPNVMeDataType
SPNetworkDataType
SPPCIDataType
SPParallelSCSIDataType
SPPowerDataType
SPPrefPaneDataType
SPPrintersSoftwareDataType
SPPrintersDataType
SPConfigurationProfileDataType
SPRawCameraDataType
SPSASDataType
SPSerialATADataType
SPSPIDataType
SPSmartCardsDataType
SPSoftwareDataType
SPStartupItemDataType
SPStorageDataType
SPSyncServicesDataType
SPThunderboltDataType
SPUSBDataType
SPNetworkVolumeDataType
SPWWANDataType
SPAirPortDataType

Multiple Datatypes can be used simultaneously. Below, I'm printing the MacBook's OS version and network info.

~$ system_profiler SPSoftwareDataType SPNetworkDataType

Software:

    System Software Overview:

      System Version: macOS 10.13.6 (17G65)
      Kernel Version: Darwin 17.7.0
      Boot Volume: macOS
      Boot Mode: Normal
      Computer Name: tokyoneon’s MacBook Air
      User Name: tokyoneon (tokyoneon)
      Secure Virtual Memory: Enabled
      System Integrity Protection: Enabled
      Time since boot: 1:27

Network:

    Wi-Fi:

      Type: AirPort
      Hardware: AirPort
      BSD Device Name: en0
      IPv4 Addresses: 192.168.1.98
      IPv4:
          AdditionalRoutes:
              DestinationAddress: 192.168.1.98
              SubnetMask: 255.255.255.255
              DestinationAddress: 169.254.0.0
              SubnetMask: 255.255.0.0
          Addresses: 192.168.1.98
          ARPResolvedHardwareAddress: xx:xx:xx:xx:xx:xx
          ARPResolvedIPAddress: 192.168.1.1
          Configuration Method: DHCP
          ConfirmedInterfaceName: en0
          Interface Name: en0
          Network Signature: IPv4.Router=192.168.1.1;IPv4.RouterHardwareAddress=xx:xx:xx:xx:xx:xx
          Router: 192.168.1.1
          Subnet Masks: 255.255.255.0
      IPv6:
          Configuration Method: Automatic
      DNS:
          Server Addresses: 192.168.1.1
      DHCP Server Responses:
          Domain Name Servers: 192.168.1.1
          Lease Duration (seconds): 0
          DHCP Message Type: 0x05
          Routers: 192.168.1.1
          Server Identifier: 192.168.1.1
          Subnet Mask: 255.255.255.0
      Ethernet:
          MAC Address: xx:xx:xx:xx:xx:xx
          Media Options:
          Media Subtype: Auto Select
      Proxies:
          Exceptions List: *.local, 169.254/16
          FTP Passive Mode: Yes
      Service Order: 0

    Bluetooth PAN:

      Type: Ethernet
      Hardware: Ethernet
      BSD Device Name: en2
      IPv4:
          Configuration Method: DHCP
      IPv6:
          Configuration Method: Automatic
      Proxies:
          Exceptions List: *.local, 169.254/16
          FTP Passive Mode: Yes
      Service Order: 1

    Thunderbolt Bridge:

      Type: Ethernet
      Hardware: Ethernet
      BSD Device Name: bridge0
      IPv4:
          Configuration Method: DHCP
      IPv6:
          Configuration Method: Automatic
      Proxies:
          Exceptions List: *.local, 169.254/16
          FTP Passive Mode: Yes
      Service Order: 2

When using the system_profiler without any arguments, it will use all of the available Datatypes. This will produce an enormous amount of data and can take several minutes to complete.

2. Identify Devices on the Network

The Address Resolution Protocol, known commonly as ARP, translates physical (MAC) addresses into IP addresses. Computers cache ARP information in "ARP tables," which aid routers and devices on the network in quickly locating each other.

The arp command can be used to print the macOS device's ARP table and discover devices on the network without performing a single Nmap scan.

~$ arp -i en0 -l -a

Neighbor                  Linklayer Address  Expire(O) Expire(I)      Netif  Refs Prbs
192.168.1.1               xx:xx:xx:xx:xx:xx  1m36s     1m36s          en0    1
192.168.1.79              xx:xx:xx:xx:xx:xx  expired   1m18s          en0    1
192.168.1.102             xx:xx:xx:xx:xx:xx  expired   1m20s          en0    1

The -i argument is used to specifies the Wi-Fi interface while -l prints the output data in a more human-readable format. To print all of the ARP table entries, use the -a argument.

We've discovered several devices on the network. The MAC addresses have been redacted but this information can be used to identify operating systems and hardware details.

Stay Tuned, More to Come ...

There's still so much that can be done to gain awareness of the compromised device and other devices on the network. Stay tuned for more on extracting sensitive information from a target's Terminal history, locating interesting and recently edited documents on the device, enumerating external hard drives and USB-connected drives, and much more.

• Follow Null Byte on Twitter, Flipboard, and YouTube
• Sign up for Null Byte's weekly newsletter
• Follow WonderHowTo on Facebook, Twitter, Pinterest, and Flipboard