Oct 8, 2018

How to Perform Situational Awareness Attacks, Part 1 (Using System_Profiler & ARP) – Special Method By Lovepreet Singh

The first few minutes after gaining access to a MacBook are critical — but where do we begin? Using tools built into macOS, we can develop an in-depth understanding of running background processes, detect antivirus software, locate sensitive files, and fingerprint other devices on the network. All of this can be done without installing additional software or modifying any files.

What Is Situational Awareness?

During most red team engagements, after compromising a target, pentesters will often find they need to learn as much about the device and its network surroundings as possible. This is commonly referred to as “situational awareness”: the act of gathering hardware, software, and network information about the target. This information can be used to further compromise the target and their online accounts, and to pivot to other devices and services within the network.

Our goal as penetration testers is to learn as much about our newly compromised macOS device as possible without alerting the target to our presence. Generally, using tools built into the operating system to perform information gathering will help us evade detection. There are many tools in macOS that we can use to fingerprint the device, the network, and Wi-Fi networks it’s connected to. The first (and possibly the most important) tool we’ll be talking about is system_profiler.

Discover Hardware & Software Details

The system_profiler tool was designed to print system hardware and software configurations. It features the ability to export information in XML format and supports several degrees of output verbosity.

In most cases, system_profiler will produce over 55,000 lines of data pertaining to the target macOS device. This data includes very specific hardware details, firewall settings, Wi-Fi adapter details, startup items, and detailed application info, to name just a few.


System_profiler can be used without root privileges and is, therefore, an attacker’s greatest tool for quickly discovering hardware and software specifications.

The following system_profiler commands can be executed using a Terminal or from a Netcat backdoor. Use the --help argument to view the available options.

system_profiler --help

Usage: system_profiler [-listDataTypes]
       system_profiler [-xml] [-timeout n] [-detailLevel n]
       system_profiler [-xml] [-timeout n] [dataType1 ... dataTypeN]

  -detailLevel n    specifies the level of detail for the report
                      mini = short report (contains no identifying or personal information)
                      basic = basic hardware and network information
                      full = all available information

  -listDataTypes    lists all the available datatypes

  -xml              generates xml output instead of plain text
                    if redirected to a file with the extension ".spx"
                    the file can be opened in System Profiler.app

  -timeout          specifies the maximum time to spend gathering information
                    the default is 180 seconds, 0 means no timeout

  Redirect stderr to /dev/null to suppress progress and error messages.

 

The system_profiler “Datatypes” represent different components of the macOS system. For example, using the SPFirewallDataType argument will print the device’s firewall configuration.

system_profiler SPFirewallDataType

Firewall:

    Firewall Settings:

      Mode: Block all incoming connections
      Firewall Logging: Yes
      Stealth Mode: No/Yes (As Per Need)

We’ve now learned the device has the firewall enabled and is blocking all incoming connections. This small bit of information is critical to an attacker planning their next move and trying to establish persistence.

There’s a -listDataTypes argument that can be used to view all of the available Datatypes.

system_profiler -listDataTypes

Available Datatypes:
SPParallelATADataType
SPUniversalAccessDataType
SPApplicationsDataType
SPAudioDataType
SPBluetoothDataType
SPCameraDataType
SPCardReaderDataType
SPComponentDataType
SPiBridgeDataType
SPDeveloperToolsDataType
SPDiagnosticsDataType
SPDisabledSoftwareDataType
SPDiscBurningDataType
SPEthernetDataType
SPExtensionsDataType
SPFibreChannelDataType
SPFireWireDataType
SPFirewallDataType
SPFontsDataType
SPFrameworksDataType
SPDisplaysDataType
SPHardwareDataType
SPHardwareRAIDDataType
SPInstallHistoryDataType
SPNetworkLocationDataType
SPLogsDataType
SPManagedClientDataType
SPMemoryDataType
SPNVMeDataType
SPNetworkDataType
SPPCIDataType
SPParallelSCSIDataType
SPPowerDataType
SPPrefPaneDataType
SPPrintersSoftwareDataType
SPPrintersDataType
SPConfigurationProfileDataType
SPRawCameraDataType
SPSASDataType
SPSerialATADataType
SPSPIDataType
SPSmartCardsDataType
SPSoftwareDataType
SPStartupItemDataType
SPStorageDataType
SPSyncServicesDataType
SPThunderboltDataType
SPUSBDataType
SPNetworkVolumeDataType
SPWWANDataType
SPAirPortDataType

Multiple Datatypes can be used simultaneously. Below, I’m printing the MacBook’s OS version and network info.

system_profiler SPSoftwareDataType SPNetworkDataType

Software:

    System Software Overview:

      System Version: macOS 10.13.6 (17G65)
      Kernel Version: Darwin 17.7.0
      Boot Volume: macOS
      Boot Mode: Normal
      Computer Name: tokyoneon’s MacBook Air
      User Name: tokyoneon (tokyoneon)
      Secure Virtual Memory: Enabled
      System Integrity Protection: Enabled
      Time since boot: 1:27

Network:

    Wi-Fi:

      Type: AirPort
      Hardware: AirPort
      BSD Device Name: en0
      IPv4 Addresses: 192.168.1.98
      IPv4:
          AdditionalRoutes:
              DestinationAddress: 192.168.1.98
              SubnetMask: 255.255.255.255
              DestinationAddress: 169.254.0.0
              SubnetMask: 255.255.0.0
          Addresses: 192.168.1.98
          ARPResolvedHardwareAddress: xx:xx:xx:xx:xx:xx
          ARPResolvedIPAddress: 192.168.1.1
          Configuration Method: DHCP
          ConfirmedInterfaceName: en0
          Interface Name: en0
          Network Signature: IPv4.Router=192.168.1.1;IPv4.RouterHardwareAddress=xx:xx:xx:xx:xx:xx
          Router: 192.168.1.1
          Subnet Masks: 255.255.255.0
      IPv6:
          Configuration Method: Automatic
      DNS:
          Server Addresses: 192.168.1.1
      DHCP Server Responses:
          Domain Name Servers: 192.168.1.1
          Lease Duration (seconds): 0
          DHCP Message Type: 0x05
          Routers: 192.168.1.1
          Server Identifier: 192.168.1.1
          Subnet Mask: 255.255.255.0
      Ethernet:
          MAC Address: xx:xx:xx:xx:xx:xx
          Media Options:
          Media Subtype: Auto Select
      Proxies:
          Exceptions List: *.local, 169.254/16
          FTP Passive Mode: Yes
      Service Order: 0

    Bluetooth PAN:

      Type: Ethernet
      Hardware: Ethernet
      BSD Device Name: en2
      IPv4:
          Configuration Method: DHCP
      IPv6:
          Configuration Method: Automatic
      Proxies:
          Exceptions List: *.local, 169.254/16
          FTP Passive Mode: Yes
      Service Order: 1

    Thunderbolt Bridge:

      Type: Ethernet
      Hardware: Ethernet
      BSD Device Name: bridge0
      IPv4:
          Configuration Method: DHCP
      IPv6:
          Configuration Method: Automatic
      Proxies:
          Exceptions List: *.local, 169.254/16
          FTP Passive Mode: Yes
      Service Order: 2

When system_profiler is run without any arguments, it uses all of the available Datatypes. This produces an enormous amount of data and can take several minutes to complete.
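The same plain-text report lets a defender check a host against a hardening baseline. The following is an added example, not code from the original article: it parses the indented "Key: Value" output shown above and lists settings that differ from an assumed baseline. The sample report is constructed from the output in this article, and the baseline values are illustrative policy choices.

```python
# Constructed sample, modeled on the SPFirewallDataType and
# SPSoftwareDataType output shown in this article.
REPORT = """\
Firewall:

    Firewall Settings:

      Mode: Block all incoming connections
      Firewall Logging: Yes
      Stealth Mode: No

Software:

    System Software Overview:

      System Version: macOS 10.13.6 (17G65)
      System Integrity Protection: Enabled
"""

# Assumed baseline (illustrative policy, not an Apple recommendation).
BASELINE = {
    ("Firewall", "Firewall Settings", "Firewall Logging"): "Yes",
    ("Firewall", "Firewall Settings", "Stealth Mode"): "Yes",
    ("Software", "System Software Overview",
     "System Integrity Protection"): "Enabled",
}


def parse_profiler(text):
    """Return [(path, value)] for every 'Key: Value' leaf in the report.

    Nesting is recovered from indentation: a line ending in ':' opens a
    section, and deeper lines belong to it until the indent drops back.
    """
    stack, leaves = [], []          # stack holds (indent, section name)
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, sep, value = raw.strip().partition(":")
        if not sep:
            continue                # not a key/value or section line
        while stack and stack[-1][0] >= indent:
            stack.pop()             # leave sections we have dedented out of
        value = value.strip()
        if value:
            leaves.append((tuple(n for _, n in stack) + (key,), value))
        else:
            stack.append((indent, key))
    return leaves


def audit(text, baseline=BASELINE):
    """Return [(setting, found, wanted)] for each baseline mismatch."""
    found = dict(parse_profiler(text))   # repeated keys: last value wins
    return [(" > ".join(path), found.get(path, "<missing>"), want)
            for path, want in baseline.items() if found.get(path) != want]


if __name__ == "__main__":
    for setting, got, want in audit(REPORT):
        print(f"{setting}: found {got!r}, baseline {want!r}")
```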


Identify Devices on the Network

The Address Resolution Protocol, known commonly as ARP, translates physical (MAC) addresses into IP addresses. Computers cache ARP information in “ARP tables,” which aid routers and devices on the network in quickly locating each other.

The arp command can be used to print the macOS device’s ARP table and discover devices on the network without performing a single Nmap scan.

arp -i en0 -l -a

Neighbor                  Linklayer Address  Expire(O) Expire(I)      Netif  Refs Prbs
192.168.1.1               xx:xx:xx:xx:xx:xx  1m36s     1m36s          en0    1
192.168.1.79              xx:xx:xx:xx:xx:xx  expired   1m18s          en0    1
192.168.1.102             xx:xx:xx:xx:xx:xx  expired   1m20s          en0    1

The -i argument specifies the Wi-Fi interface, while -l prints the output data in a more human-readable format. To print all of the ARP table entries, use the -a argument.

We’ve discovered several devices on the network. The MAC addresses have been redacted, but this information can be used to identify operating systems and hardware details.
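The same table is a quick integrity check for a defender. The following is an added example, not code from the original article: it parses the arp -l -a layout shown above and flags a MAC address answering for more than one IP, or a gateway whose MAC differs from a known-good value. The table and MAC addresses are constructed (documentation range), and the pinned gateway MAC is an assumption.

```python
import re
from collections import defaultdict

# Constructed table in the 'arp -i en0 -l -a' layout shown above.
# macOS prints octets without leading zeros, hence the normalization.
ARP_SAMPLE = """\
Neighbor                  Linklayer Address  Expire(O) Expire(I)      Netif  Refs Prbs
192.168.1.1               0:0:5e:0:53:aa     1m36s     1m36s          en0    1
192.168.1.79              00:00:5e:00:53:aa  expired   1m18s          en0    1
192.168.1.102             0:0:5e:0:53:c      expired   1m20s          en0    1
192.168.1.150             (incomplete)       (none)    (none)         en0
"""

MAC_RE = re.compile(r"^[0-9a-f]{1,2}(:[0-9a-f]{1,2}){5}$", re.I)


def norm_mac(mac):
    """Zero-pad and lowercase each octet so MACs compare reliably."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))


def parse_arp(text):
    """Return {ip: mac} for resolved entries; header and unresolved rows are skipped."""
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or not MAC_RE.match(fields[1]):
            continue
        entries[fields[0]] = norm_mac(fields[1])
    return entries


def findings(entries, gateway_ip, gateway_mac):
    """Flag shared MACs and a gateway MAC that differs from the pinned one."""
    out = []
    by_mac = defaultdict(list)
    for ip, mac in entries.items():
        by_mac[mac].append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:            # one MAC answering for several IPs
            out.append(("shared-mac", mac, sorted(ips)))
    seen = entries.get(gateway_ip)
    if seen and seen != norm_mac(gateway_mac):
        out.append(("gateway-mac-changed", seen, [gateway_ip]))
    return out


if __name__ == "__main__":
    table = parse_arp(ARP_SAMPLE)
    # Pinned gateway MAC is a constructed, assumed known-good value.
    for finding in findings(table, "192.168.1.1", "00:00:5E:00:53:01"):
        print(finding)
```

A shared MAC is not always hostile (proxy ARP and some routers produce it), so treat a finding as a prompt to investigate rather than a verdict.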

Stay Tuned, More to Come …

There’s still so much that can be done to gain awareness of the compromised device and other devices on the network. Stay tuned for more on extracting sensitive information from a target’s Terminal history, locating interesting and recently edited documents on the device, enumerating external hard drives and USB-connected drives, and much more.
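Running built-in tools modifies no files, but each command still creates a process that endpoint telemetry can record. The following is an added example, not code from the original article: it walks process ancestry in a constructed event list and flags system_profiler or arp when a network utility appears among the ancestors, or when both tools run from the same parent within a short window. The event format, watchlist and window are assumptions.

```python
import os

DISCOVERY = {"system_profiler", "arp"}     # tools covered in this article
NET_ANCESTORS = {"nc", "ncat", "socat"}    # assumed watchlist of parents
WINDOW = 60                                # seconds, assumed threshold

# Constructed events: epoch pid ppid executable [args...]
# (hypothetical format, not the output of any real tool).
EVENTS = """\
1538985600 410 1 /Applications/Utilities/Terminal.app/Contents/MacOS/Terminal
1538985601 411 410 /bin/bash
1538985610 420 411 /usr/sbin/system_profiler SPHardwareDataType
1538989000 700 1 /usr/bin/nc
1538989001 701 700 /bin/bash
1538989005 710 701 /usr/sbin/system_profiler SPSoftwareDataType SPNetworkDataType
1538989009 711 701 /usr/sbin/arp -i en0 -l -a
"""


def parse_events(text):
    events = []
    for line in text.strip().splitlines():
        ts, pid, ppid, exe, *args = line.split()
        events.append({"ts": int(ts), "pid": int(pid), "ppid": int(ppid),
                       "name": os.path.basename(exe), "args": args})
    return events


def ancestors(pid, procs):
    """Names of the parent, grandparent, ... as far as they were recorded."""
    names, seen = [], set()
    while pid in procs and pid not in seen:    # 'seen' guards against loops
        seen.add(pid)
        pid = procs[pid]["ppid"]
        if pid in procs:
            names.append(procs[pid]["name"])
    return names


def detect(events):
    """Return [(pid, tool, reason)]; PID reuse is ignored for brevity."""
    procs = {e["pid"]: e for e in events}
    alerts, recent = [], {}                    # recent: ppid -> [(ts, tool)]
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["name"] not in DISCOVERY:
            continue
        bad = NET_ANCESTORS.intersection(ancestors(e["pid"], procs))
        if bad:
            alerts.append((e["pid"], e["name"], "ancestor:" + sorted(bad)[0]))
        hist = [(t, n) for t, n in recent.get(e["ppid"], [])
                if e["ts"] - t <= WINDOW]
        hist.append((e["ts"], e["name"]))
        recent[e["ppid"]] = hist
        if len({n for _, n in hist}) >= 2:     # both tools, same parent
            alerts.append((e["pid"], e["name"], "burst"))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(EVENTS)):
        print(alert)
```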
