
How to Perform Situational Awareness Attacks, Part 1 (Using System_Profiler & ARP) – Special Method By Lovepreet Singh

The first few minutes after gaining access to a MacBook are critical — but where do we begin? Using tools built into macOS, we can develop an in-depth understanding of running background processes, detect antivirus software, locate sensitive files, and fingerprint other devices on the network. All of this can be done without installing additional software or modifying any files.

What Is Situational Awareness?

During most red team engagements, after compromising a target, pentesters will often find they need to learn as much about the device and its network surroundings as possible. This is commonly referred to as “situational awareness”: the act of gathering hardware, software, and network information about the target. This information can be used to further compromise the target and their online accounts, and to pivot to other devices and services within the network.

Our goal as penetration testers is to learn as much about our newly compromised macOS device as possible without alerting the target to our presence. Generally, using tools built into the operating system to perform information gathering will help us evade detection. There are many tools in macOS that we can use to fingerprint the device, the network, and Wi-Fi networks it’s connected to. The first (and possibly the most important) tool we’ll be talking about is system_profiler.

Discover Hardware & Software Details

The system_profiler tool was designed to print system hardware and software configurations. It features the ability to export information in XML format and supports several degrees of output verbosity.

In most cases, system_profiler will produce over 55,000 lines of data pertaining to the target macOS device. This data includes very specific hardware details, firewall settings, Wi-Fi adapter details, startup items, and detailed application info, to name just a few.

system_profiler does not require root privileges, which makes it an attacker’s greatest tool for quickly discovering hardware and software specifications.

The following system_profiler commands can be executed from a Terminal or from a Netcat backdoor. Use the --help argument to view the available options.

system_profiler --help

Usage: system_profiler [-listDataTypes]
       system_profiler [-xml] [-timeout n] [-detailLevel n]
       system_profiler [-xml] [-timeout n] [dataType1 ... dataTypeN]

  -detailLevel n    specifies the level of detail for the report
                      mini = short report (contains no identifying or personal information)
                      basic = basic hardware and network information
                      full = all available information

  -listDataTypes    lists all the available datatypes

  -xml              generates xml output instead of plain text
                    if redirected to a file with the extension ".spx"
                    the file can be opened in System Profiler.app

  -timeout          specifies the maximum time to spend gathering information
                    the default is 180 seconds, 0 means no timeout

  Redirect stderr to /dev/null to suppress progress and error messages.


The system_profiler “Datatypes” represent different components of the macOS system. For example, using the SPFirewallDataType argument will print the device’s firewall configuration.

system_profiler SPFirewallDataType

Firewall:

    Firewall Settings:

      Mode: Block all incoming connections
      Firewall Logging: Yes
      Stealth Mode: No/Yes (As Per Need)

We’ve now learned the device has the firewall enabled and is blocking all incoming connections. This small bit of information is critical to an attacker planning their next move and trying to establish persistence.
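As an added example (not code from the original post), a small shell audit over the SPFirewallDataType text above, written from the defender’s side: it reads the report on stdin and flags the same three settings an intruder would look at first. The sample reports inside are constructed, and the "Limit" mode prefix is an assumption about system_profiler’s wording.

```shell
#!/bin/sh
# Added example (not part of the original post): audit the fields that
# `system_profiler SPFirewallDataType` prints, from the defender's side.
# Both sample reports are constructed for this example, not captured output.

sample_weak_report() {
cat <<'EOF'
Firewall:

    Firewall Settings:

      Mode: Allow all incoming connections
      Firewall Logging: No
      Stealth Mode: No
EOF
}

sample_hardened_report() {
cat <<'EOF'
Firewall:

    Firewall Settings:

      Mode: Block all incoming connections
      Firewall Logging: Yes
      Stealth Mode: Yes
EOF
}

# sp_field KEY: print the value of the first "KEY: value" line read on stdin.
# The key is anchored at both ends so "Mode" does not also match "Stealth Mode".
sp_field() {
  awk -v key="$1" -F': ' '$1 ~ ("^[ \t]*" key "$") { print $2; exit }'
}

# firewall_audit: read one report on stdin, print a WEAK line for each setting
# a defender would want changed, and return 1 if any setting is weak.
firewall_audit() {
  report=$(cat)
  mode=$(printf '%s\n' "$report" | sp_field "Mode")
  logging=$(printf '%s\n' "$report" | sp_field "Firewall Logging")
  stealth=$(printf '%s\n' "$report" | sp_field "Stealth Mode")
  weak=0
  case "$mode" in
    "Block all incoming connections") ;;   # wording taken from the post's output
    Limit*) ;;                             # per-app mode; prefix assumed, not verified
    *) echo "WEAK: Mode is '$mode'"; weak=1 ;;
  esac
  [ "$logging" = "Yes" ] || { echo "WEAK: Firewall Logging is '$logging'"; weak=1; }
  [ "$stealth" = "Yes" ] || { echo "WEAK: Stealth Mode is '$stealth'"; weak=1; }
  [ "$weak" -eq 0 ] && echo "OK: firewall hardened"
  return "$weak"
}

# On a live Mac:  system_profiler SPFirewallDataType 2>/dev/null | firewall_audit
```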

There’s a -listDataTypes argument that can be used to view all of the available Datatypes.

system_profiler -listDataTypes

Available Datatypes:
SPParallelATADataType
SPUniversalAccessDataType
SPApplicationsDataType
SPAudioDataType
SPBluetoothDataType
SPCameraDataType
SPCardReaderDataType
SPComponentDataType
SPiBridgeDataType
SPDeveloperToolsDataType
SPDiagnosticsDataType
SPDisabledSoftwareDataType
SPDiscBurningDataType
SPEthernetDataType
SPExtensionsDataType
SPFibreChannelDataType
SPFireWireDataType
SPFirewallDataType
SPFontsDataType
SPFrameworksDataType
SPDisplaysDataType
SPHardwareDataType
SPHardwareRAIDDataType
SPInstallHistoryDataType
SPNetworkLocationDataType
SPLogsDataType
SPManagedClientDataType
SPMemoryDataType
SPNVMeDataType
SPNetworkDataType
SPPCIDataType
SPParallelSCSIDataType
SPPowerDataType
SPPrefPaneDataType
SPPrintersSoftwareDataType
SPPrintersDataType
SPConfigurationProfileDataType
SPRawCameraDataType
SPSASDataType
SPSerialATADataType
SPSPIDataType
SPSmartCardsDataType
SPSoftwareDataType
SPStartupItemDataType
SPStorageDataType
SPSyncServicesDataType
SPThunderboltDataType
SPUSBDataType
SPNetworkVolumeDataType
SPWWANDataType
SPAirPortDataType

Multiple Datatypes can be used simultaneously. Below, I’m printing the MacBook’s OS version and network info.

system_profiler SPSoftwareDataType SPNetworkDataType

Software:

    System Software Overview:

      System Version: macOS 10.13.6 (17G65)
      Kernel Version: Darwin 17.7.0
      Boot Volume: macOS
      Boot Mode: Normal
      Computer Name: tokyoneon’s MacBook Air
      User Name: tokyoneon (tokyoneon)
      Secure Virtual Memory: Enabled
      System Integrity Protection: Enabled
      Time since boot: 1:27

Network:

    Wi-Fi:

      Type: AirPort
      Hardware: AirPort
      BSD Device Name: en0
      IPv4 Addresses: 192.168.1.98
      IPv4:
          AdditionalRoutes:
              DestinationAddress: 192.168.1.98
              SubnetMask: 255.255.255.255
              DestinationAddress: 169.254.0.0
              SubnetMask: 255.255.0.0
          Addresses: 192.168.1.98
          ARPResolvedHardwareAddress: xx:xx:xx:xx:xx:xx
          ARPResolvedIPAddress: 192.168.1.1
          Configuration Method: DHCP
          ConfirmedInterfaceName: en0
          Interface Name: en0
          Network Signature: IPv4.Router=192.168.1.1;IPv4.RouterHardwareAddress=xx:xx:xx:xx:xx:xx
          Router: 192.168.1.1
          Subnet Masks: 255.255.255.0
      IPv6:
          Configuration Method: Automatic
      DNS:
          Server Addresses: 192.168.1.1
      DHCP Server Responses:
          Domain Name Servers: 192.168.1.1
          Lease Duration (seconds): 0
          DHCP Message Type: 0x05
          Routers: 192.168.1.1
          Server Identifier: 192.168.1.1
          Subnet Mask: 255.255.255.0
      Ethernet:
          MAC Address: xx:xx:xx:xx:xx:xx
          Media Options:
          Media Subtype: Auto Select
      Proxies:
          Exceptions List: *.local, 169.254/16
          FTP Passive Mode: Yes
      Service Order: 0

    Bluetooth PAN:

      Type: Ethernet
      Hardware: Ethernet
      BSD Device Name: en2
      IPv4:
          Configuration Method: DHCP
      IPv6:
          Configuration Method: Automatic
      Proxies:
          Exceptions List: *.local, 169.254/16
          FTP Passive Mode: Yes
      Service Order: 1

    Thunderbolt Bridge:

      Type: Ethernet
      Hardware: Ethernet
      BSD Device Name: bridge0
      IPv4:
          Configuration Method: DHCP
      IPv6:
          Configuration Method: Automatic
      Proxies:
          Exceptions List: *.local, 169.254/16
          FTP Passive Mode: Yes
      Service Order: 2

When system_profiler is run without any arguments, it uses all of the available Datatypes. This produces an enormous amount of data and can take several minutes to complete.

Identify Devices on the Network

The Address Resolution Protocol, known commonly as ARP, maps IP addresses to physical (MAC) addresses on the local network. Computers cache these mappings in “ARP tables,” which let routers and devices on the network locate each other quickly.

The arp command can be used to print the macOS device’s ARP table and discover devices on the network without performing a single Nmap scan.

arp -i en0 -l -a

Neighbor                  Linklayer Address  Expire(O) Expire(I)      Netif  Refs Prbs
192.168.1.1               xx:xx:xx:xx:xx:xx  1m36s     1m36s          en0    1
192.168.1.79              xx:xx:xx:xx:xx:xx  expired   1m18s          en0    1
192.168.1.102             xx:xx:xx:xx:xx:xx  expired   1m20s          en0    1

The -i argument specifies the interface (en0, the Wi-Fi adapter here), -l prints the output in a more human-readable format, and -a prints all of the ARP table entries.

We’ve discovered several devices on the network. The MAC addresses have been redacted, but this information can be used to identify operating systems and hardware details, since the first three octets of a MAC address identify the manufacturer.
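An added example (not part of the original post) that turns the arp -l -a table into detection logic: it extracts the resolved neighbours and reports any hardware address that answers for more than one IP, a lead worth checking because that is what ARP spoofing of the gateway looks like, although a multi-homed host or a router alias can produce it legitimately. The table it parses is constructed, with made-up MACs.

```shell
#!/bin/sh
# Added example (not part of the original post): parse the table that
# `arp -i en0 -l -a` prints and flag one hardware address answering for
# several IPs, the classic sign of ARP spoofing on the segment.
# The table below is constructed for this example; the MACs are made up.

sample_arp_table() {
cat <<'EOF'
Neighbor                  Linklayer Address  Expire(O) Expire(I)      Netif  Refs Prbs
192.168.1.1               aa:bb:cc:00:00:01  1m36s     1m36s          en0    1
192.168.1.79              aa:bb:cc:00:00:79  expired   1m18s          en0    1
192.168.1.102             aa:bb:cc:00:00:01  expired   1m20s          en0    1
192.168.1.200             (incomplete)       expired   expired        en0    1
EOF
}

# arp_neighbors: print "IP MAC" for every resolved entry on stdin.
# The header row and "(incomplete)" entries (no reply yet) are dropped.
arp_neighbors() {
  awk 'NR > 1 && $2 ~ /^[0-9a-fA-F:]+$/ { print $1, $2 }'
}

# arp_shared_macs: print each MAC claimed by more than one IP, followed by
# those IPs in table order. Empty output means no duplicate was seen.
arp_shared_macs() {
  arp_neighbors | awk '
    { ips[$2] = ips[$2] " " $1; n[$2]++ }
    END { for (m in n) if (n[m] > 1) print m ips[m] }' | sort
}

# arp_gateway_spoofed GATEWAY_IP: return 0 if the gateway's MAC is also
# claimed by another IP, which is what a rogue "gateway" looks like.
arp_gateway_spoofed() {
  gw="$1"
  arp_neighbors | awk -v gw="$gw" '
    $1 == gw { gwmac = $2 }
    { mac[$1] = $2 }
    END { hit = 0
          for (ip in mac) if (ip != gw && mac[ip] == gwmac) hit = 1
          exit hit ? 0 : 1 }'
}

# On a live Mac:  arp -i en0 -l -a | arp_shared_macs
```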

Stay Tuned, More to Come …

There’s still so much that can be done to gain awareness of the compromised device and other devices on the network. Stay tuned for more on extracting sensitive information from a target’s Terminal history, locating interesting and recently edited documents on the device, enumerating external hard drives and USB-connected drives, and much more.

Lovepreet Singh
