On-Device Discovery

System Information

Obtain basic system information from the device under test:

# Hardware information
/usr/sbin/system_profiler SPHardwareDataType

# Software information
/usr/sbin/system_profiler SPSoftwareDataType

Software Discovery

/usr/sbin/system_profiler SPApplicationsDataType

Additionally, gather a list of the security-related software installed on the host, since it may interfere with later activities.

  • CrowdStrike
  • McAfee Anti-Virus & DLP
  • GlobalProtect or other VPN providers
  • Endpoint Detection & Response (EDR)
  • others
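As an added example (not part of the original checklist), a small POSIX shell function that filters the text output of system_profiler SPApplicationsDataType for the product names listed above. The pattern list and the sample output are assumptions constructed for the example; on a real host the profiler output is piped in instead.

```shell
#!/bin/sh
# Added example: pick security-related applications out of the output of
#   /usr/sbin/system_profiler SPApplicationsDataType
# The vendor/product patterns are an assumed starting list; extend it for
# the environment under test. Matching is case-insensitive.
SECURITY_PATTERNS='crowdstrike|falcon|mcafee|globalprotect|sentinel|carbon black|defender'

# system_profiler prints every application as a block whose first line is
# the app name at four spaces of indent, ending in ":" (attributes such as
# "Version:" sit at six spaces). Keep only those name lines, strip the
# indent and colon, then keep the names that match the pattern list.
find_security_apps() {
  grep -E '^    [^ ].*:$' \
    | sed -e 's/^ *//' -e 's/:$//' \
    | grep -iE "$SECURITY_PATTERNS" \
    | sort -u
}

# Constructed sample output in the layout system_profiler uses; it was not
# captured from a real machine.
SAMPLE_OUTPUT='Applications:

    Falcon:

      Version: 6.45
      Obtained from: Identified Developer
      Location: /Applications/Falcon.app

    GlobalProtect:

      Version: 5.2
      Location: /Applications/GlobalProtect.app

    Safari:

      Version: 16.0
      Location: /Applications/Safari.app
'

# Stand-alone run against the constructed sample; on a real host use
#   /usr/sbin/system_profiler SPApplicationsDataType | find_security_apps
printf '%s\n' "$SAMPLE_OUTPUT" | find_security_apps
```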

Processes

ps aux
ps -ef

Network Discovery

Network Interface Configuration

ifconfig
netstat -iv | sort --version-sort

Bonjour-advertised services

dns-sd -B _services._dns-sd._udp

Network Shares

SMB Shares:

List SMB shares that are available on the local machine:

smbutil statshares -a

Check if SMB is advertising shares on the network:

dns-sd -B _smb._tcp

Enumerate SMB shares from the local machine:

smbutil view //username@<remote-ip>

Use nmap scripts to gather some information:

nmap -p 445 --script smb-enum-shares,smb-enum-users <remote-ip>

Interact with SMB shares manually:

smbclient -L //<remote-ip> -U <username>

Query SMB shares, users, and other resources:

rpcclient -U <username> <remote-ip>

Use Metasploit to enumerate SMB shares (if Metasploit is installed):

use auxiliary/scanner/smb/smb_enumshares
set RHOSTS <target-ip>
run

AFP (Apple Filing Protocol)

Check if AFP service is enabled on the system:

sudo launchctl list | grep AppleFileServer

List shares that are available on the local machine:

sharing -l

Mount an AFP share from a remote host and list its contents (the mount point directory must exist first):

mkdir -p /Volumes/<mount-point>
mount_afp afp://username@<remote-ip>/<share-name> /Volumes/<mount-point>
ls /Volumes/<mount-point>

Network Monitoring

System Services

netstat -an | grep -w LISTEN | sort --version-sort
lsof -i -P | grep LISTEN

DNS Information

scutil --dns

Wireshark / tcpdump

sudo tcpdump -i en0 -w capture.pcap

Firewall Configuration

Check the application firewall's status and configuration:

sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate

sudo /usr/libexec/ApplicationFirewall/socketfilterfw --listapps

/usr/sbin/system_profiler SPFirewallDataType