External Network Services
Some of the common TCP ports that may be open on a macOS system from the Sharing section in System Preferences:
TCP Port | Description |
---|---|
22 | OpenSSH Server (Remote Login option) |
445 | Samba (SMB shares) |
631 | Printer Sharing |
5900 | VNC Server (Screen Sharing option) |
7000 | File Server (File Sharing option) |
Network Scans
Basic TCP port discovery with versions and OS detection (adjust to fit your needs):
```
% sudo nmap -sS -sV -Pn -O <ip-address>
Starting Nmap 7.95 ( https://nmap.org ) at 2024-12-31 14:40 EST
Nmap scan report for <ip-address>
Host is up (0.013s latency).
Not shown: 994 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.8 (protocol 2.0)
88/tcp open kerberos-sec Heimdal Kerberos
5000/tcp open rtsp
5900/tcp open vnc Apple remote desktop vnc
7000/tcp open rtsp
49152/tcp open unknown
MAC Address: 9A:XX:FA:XX:A7:0E (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 181.93 seconds
```
SSH Discovery
```
% sudo nmap -sS --script=ssh-auth-methods,ssh-hostkey,ssh-publickey-acceptance -p22 <ip-address>
Starting Nmap 7.95 ( https://nmap.org ) at 2024-12-31 14:57 EST
Nmap scan report for <ip-address>
Host is up (0.12s latency).
PORT STATE SERVICE
22/tcp open ssh
| ssh-publickey-acceptance:
|_ Accepted Public Keys: No public keys accepted
| ssh-auth-methods:
| Supported authentication methods:
| publickey
| password
|_ keyboard-interactive
| ssh-hostkey:
| 256 10:df:4f:5f:3e:8d:cb:33:14:79:ff:51:0f:24:b8:46 (ECDSA)
|_ 256 c8:f8:6c:3c:0b:8f:ae:20:b0:ce:47:f7:02:55:32:28 (ED25519)
MAC Address: 9A:XX:FA:XX:A7:0E (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 1.31 seconds
```
VNC Discovery
```
% sudo nmap -sS --script=vnc-info,vnc-title -p5900 <ip-address>
Starting Nmap 7.95 ( https://nmap.org ) at 2024-12-31 14:58 EST
Nmap scan report for <ip-address>
Host is up (0.046s latency).
PORT STATE SERVICE
5900/tcp open vnc
| vnc-info:
| Protocol version: 3.889
| Security types:
| Apple Remote Desktop (30)
| Unknown security type (33)
| Unknown security type (36)
|_ Mac OS X security type (35)
MAC Address: 9A:XX:FA:XX:A7:0E (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 1.73 seconds
```
Apple File Server:
```
% sudo nmap -sS -p7000 <ip-address>
Starting Nmap 7.95 ( https://nmap.org ) at 2024-12-31 15:01 EST
Nmap scan report for <ip-address>
Host is up (0.023s latency).
PORT STATE SERVICE
7000/tcp open afs3-fileserver
MAC Address: 9A:XX:FA:XX:A7:0E (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds
```
Things to Note
- If SSH is available:
  - Attempt to connect to the host from another computer. Use the presumed standard user account for the device. Try this when connected to the VPN and again with the system not connected to the VPN.
  - See if you can connect from the host to other computers on the network for data exfiltration purposes.
  - SSH can be restricted to certain users, such as the administrator. Review the `com.apple.access_ssh` group to determine whether a user has access to SSH: `dscl . -read /Groups/com.apple.access_ssh GroupMembership`. If there is no GroupMembership data, then all users have access. If there is GroupMembership data, then only the users listed can use (inbound) SSH.
  - Outbound SSH is not affected by GroupMembership.
- If VNC is available:
  - Attempt to connect to the host from another computer. Use the presumed standard user account for the device. Try this when connected to the VPN or corporate network, and again when not connected to it.
  - This has similar restrictions to SSH. Check the GroupMembership of `com.apple.access_screensharing`.
- If File Sharing is available:
  - You will need a computer capable of connecting to AFS, such as another macOS system.
  - Attempt connection to the host while both connected and not connected to the corporate network.
  - Additionally, attempt to connect from the host to another computer to see if exfiltration is possible.
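
The GroupMembership check described for `com.apple.access_ssh` and `com.apple.access_screensharing` can be scripted when auditing a host. This is an added example, not part of the original page: the function names are hypothetical, and it applies only the GroupMembership rule as stated above, reading `dscl` output on stdin.

```shell
#!/bin/sh
# Added example, not from the original page. Applies the page's rule: no
# GroupMembership data means all users; otherwise only the listed users.

# classify_membership: reads the output of
#   dscl . -read /Groups/<group> GroupMembership
# on stdin; prints "all-users" or "restricted: <space-separated names>".
classify_membership() {
    members=$(awk '
        function collect(   i) {
            for (i = 1; i <= NF; i++) out = (out == "" ? "" : out " ") $i
        }
        /^GroupMembership:/ { sub(/^GroupMembership:/, ""); on = 1; collect(); next }
        on && /^[ \t]/      { collect(); next }   # indented continuation lines
                            { on = 0 }            # any other text is ignored
        END                 { print out }
    ')
    if [ -z "$members" ]; then
        echo "all-users"
    else
        echo "restricted: $members"
    fi
}

# user_allowed USER: same input on stdin; exit 0 if USER may connect inbound.
user_allowed() {
    verdict=$(classify_membership)
    [ "$verdict" = "all-users" ] && return 0
    case " ${verdict#restricted: } " in
        *" $1 "*) return 0 ;;
    esac
    return 1
}

# audit_group GROUP: query the local directory node (macOS only).
audit_group() {
    dscl . -read "/Groups/$1" GroupMembership 2>/dev/null | classify_membership
}

# On macOS, report the two access groups named on this page.
if command -v dscl >/dev/null 2>&1; then
    for g in com.apple.access_ssh com.apple.access_screensharing; do
        printf '%s: %s\n' "$g" "$(audit_group "$g")"
    done
fi
```

To check a single account, pipe the `dscl` command from the list above into `user_allowed <username>` and read the exit status.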