User & Group Enumeration

TLDR: Get your user in the admin group (GID 20) if possible. If not possible, attempt to gain sudo access.

Enumerating Users

  • List all users on the system:

    dscl . list /Users
  • Display detailed information for a specific user:

    dscl . read /Users/<username>
  • Check currently logged-in users:

    who
  • Identify the primary user (console session):

    whoami
  • List all logged-in sessions:

    w
  • Check for Special Users

    Identify if a user belongs to the admin group:

    dscl . read /Groups/admin GroupMembership

    Check if a user is part of the wheel group:

    dscl . read /Groups/wheel GroupMembership

Local Group Enumeration

  • List All Groups

    dscl . list /Groups
  • Display details of a specific group:

    dscl . read /Groups/<groupname>
  • Identify Special Groups

    admin: Users with administrative privileges.

    dscl . read /Groups/admin

    wheel: Typically used for superuser (root) access.

    dscl . read /Groups/wheel

    Enumerate all groups and their members:

    for group in $(dscl . list /Groups); do
        echo "Group: $group"
        dscl . read "/Groups/$group" GroupMembership
    done
    • NOTE: some interesting groups to check out:

      com.apple.access_disabled
      com.apple.access_ftp
      com.apple.access_remote_ae
      com.apple.access_screensharing
      com.apple.access_sessionkey
      com.apple.access_ssh
      com.apple.sharepoint.group.1
  • Enumerating Domain (Active Directory) Users and Groups

    Check if the system is bound to an Active Directory domain:

    dsconfigad -show

    Display all directory configurations:

    dscl . -readall /Config
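For defenders, the same dscl output can be checked against an approved membership list so that unexpected members of admin, wheel or com.apple.access_ssh stand out. The script below is an added example, not part of the original page; the function names, the allowlists and the sample account names (itadmin, jdoe) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag group members that are not on an approved list.
# Group names come from the page; allowlists and sample users are hypothetical.

# Extract member names from `dscl . read /Groups/<g> GroupMembership` output.
# Lines such as "No such key: GroupMembership" (empty group) yield nothing.
parse_members() {
    awk '/^GroupMembership:/ { for (i = 2; i <= NF; i++) print $i }'
}

# unexpected_members "<allowed users>"   (dscl output on stdin)
# Prints each member that is not in the space-separated allowlist.
unexpected_members() {
    allowed=" $1 "
    parse_members | while read -r member; do
        case "$allowed" in
            *" $member "*) ;;                 # approved, stay quiet
            *) printf '%s\n' "$member" ;;     # not approved, report
        esac
    done
}

# audit_group <group> "<allowed users>": live check, needs dscl (macOS).
audit_group() {
    dscl . read "/Groups/$1" GroupMembership 2>/dev/null |
        unexpected_members "$2" | sed "s|^|UNEXPECTED $1 member: |"
}

# Constructed sample outputs in the format dscl prints.
SAMPLE_ADMIN='GroupMembership: root itadmin jdoe'
SAMPLE_EMPTY='No such key: GroupMembership'

# Offline demonstration on the constructed sample; prints "jdoe".
demo() {
    printf '%s\n' "$SAMPLE_ADMIN" | unexpected_members "root itadmin"
}

# On a Mac, audit the groups named above against hypothetical allowlists.
if command -v dscl >/dev/null 2>&1; then
    audit_group admin "root itadmin"
    audit_group wheel "root"
    audit_group com.apple.access_ssh ""   # any member is reported
fi
```

Run it from a scheduled job and alert on any UNEXPECTED line; replace the allowlists with the accounts your organisation actually approves.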

Verify sudo privileges for a user:

Check for users that have access to sudo:

sudo -l -U <username>

Find processes owned by a specific user:

ps -u <username>

Keychain and Passwords

  • List keychains and SSH keys that are accessible to the user.

    /usr/bin/security list-keychains | awk -F\" '{ print $2 }'

    find / -name "*.keychain" 2>/dev/null
  • Search for .ssh keys and configuration information:

    # SSH keys
    find /Users -name "id_*"

    # user config file (if present)
    [[ -f "${HOME}/.ssh/config" ]] && cat "${HOME}/.ssh/config"

    # authorized users keys (if present)
    [[ -f "${HOME}/.ssh/authorized_keys" ]] && cat "${HOME}/.ssh/authorized_keys"