Table Of Contents
- MacOS Details
- MacOS Versions
- File System Structure
- MacOS System Enumeration
- Mac OS Situational Awareness
- User Plist File Enumeration
- User enumeration & Modification
- Create User & Make Administrator
- Create A Group
- Group enumeration & Modification
Mac OS Details
- Note: This section details Mac OS version information and general file system layout. There are many similarities between Mac OS and Linux, but there are also many key differences listed below.
Mac OS Versions
ID | VERSION | DATE RELEASED |
---|---|---|
10.0.4 | Mac OS X Cheetah | 2001-03-24 |
10.1.5 | Mac OS X Puma | 2001-09-25 |
10.2.8 | Mac OS X Jaguar | 2002-08-23 |
10.3.9 | Mac OS X Panther | 2003-10-24 |
10.4.11 | Mac OS X Tiger | 2005-04-29 |
10.5.8 | Mac OS X Leopard | 2007-10-26 |
10.6.8 | Mac OS X Snow Leopard | 2009-08-28 |
10.7.5 | OS X Lion | 2011-07-20 |
10.8.5 | OS X Mountain Lion | 2012-07-25 |
10.9.5 | OS X Mavericks | 2013-10-22 |
10.10.5 | OS X Yosemite | 2014-10-16 |
10.11.6 | OS X El Capitan | 2015-09-30 |
10.12.6 | macOS Sierra | 2016-09-20 |
10.13.6 | macOS High Sierra | 2017-09-25 |
10.14.6 | macOS Mojave | 2018-09-24 |
10.15.7 | macOS Catalina | 2019-10-07 |
11.6.7 | macOS Big Sur | 2020-11-12 |
12.4 | macOS Monterey | 2021-10-25 |
FILE SYSTEM STRUCTURE
PATH | DESCRIPTION |
---|---|
/Applications | Contains applications such as Mail, Calendar, Safari, and many others |
/bin | User binaries |
/dev | Interface for system devices |
/cores | Hidden binary files which contain pieces of computer memory. Used for debugging purposes |
/etc | System configuration files |
/Users | Base directory for user files |
/Library | Critical software libraries |
/home | Not used for anything |
/private | Stores essential system files and caches |
/opt | Third party software |
/sbin | System administrator binaries |
/System | Contains operating system files |
/tmp | Temporary files |
/usr | Less critical files |
/Volumes | Shows mounted volumes |
/var | Variable system files |
MAC OS SYSTEM ENUMERATION
- Note: This section details system enumeration and user/group manipulation commands. It is worth noting user management and authentication in Mac OS is accomplished much differently than Linux. Shadow/Passwd files are not used and user information is stored in “.plist” files.
Display apps
ls /Applications
Display computer name
hostname
Current username
id
List logged on users
w
List previous user log in sessions
last
Disk usage
df -h
Kernel version & CPU information
uname -a
List mounted drives
mount
Display OS version information
sw_vers
Display shell type
echo $0
Enumerate user home directories
ls /Users
Network and IP information
ifconfig -a
Process enumeration
ps -ef
Kill process PID
kill -9 <PID>
Find specific process
ps -ef | grep -ia <STRING_TO_SEARCH>
Check for active TCP network connections
netstat -p tcp -van
Add another directory to the PATH
sudo nano /etc/paths
USER PLIST FILE ENUMERATION
- Note: As mentioned above, Mac OS stores user information (including user password hashes) in files called property lists (.plist). With administrative credentials, these can be directly enumerated, and user hashes can be collected.
Enumerate user plist information
sudo plutil -p /var/db/dslocal/nodes/Default/users/<USERNAME>.plist
Enumerate user password hash
sudo dscl . read Users/<USERNAME> ShadowHashData
USER ENUMERATION & MODIFICATION
Display all user and daemon accounts
dscl . list /Users
Display actual user accounts (No daemon accounts)
dscl . list /Users | grep -v '^_'
Display verbose user information (shell type, gid, uid, full name, description, etc.)
dscacheutil -q user
Display very verbose user information (user hash included)
dscl . -read /Users/<USERNAME>
Enumerate a specific group and its members
dscacheutil -q group -a name <GROUP_NAME>
Delete user
dscl . -delete /Users/<USERNAME>
CREATE USER & MAKE ADMINISTRATOR
Create User
dscl . -create /Users/<USERNAME>
Set shell preferences for user
dscl . -create /Users/<USERNAME> UserShell /bin/bash
Set user full name
dscl . -create /Users/<USERNAME> RealName "<USER_FULL_NAME>"
List out IDs and select an unused ID
dscl . list /Users UniqueID
Set unique ID for user
dscl . -create /Users/<USERNAME> UniqueID "<NEWLY_SELECTED_ID>"
Set the user's primary group ID (20 is the staff group)
dscl . -create /Users/<USERNAME> PrimaryGroupID 20
Make home directory
dscl . -create /Users/<USERNAME> NFSHomeDirectory /Users/<USERNAME>
mkdir /Users/<USERNAME>
Set user password
dscl . -passwd /Users/<USERNAME> <NEW_PASSWORD>
Add user to admin group
dscl . -append /Groups/admin GroupMembership <USERNAME>
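A review of the accounts that the steps above leave behind, as an added example that is not part of the original cheat sheet: it parses the output of `dscl . list /Users UniqueID` and `dscl . -read /Groups/admin GroupMembership` and reports extra UID 0 accounts, duplicate IDs and admin group members. The function names, account names and sample output are constructed for illustration.

```shell
#!/bin/bash
# Added example: review local accounts from the output of the dscl queries above.
# Each function reads command output on stdin, so it also runs off a Mac.

# Constructed sample of `dscl . list /Users UniqueID` output.
SAMPLE_USERS='_www                    70
daemon                  1
nobody                  -2
root                    0
alice                   501
bob                     502
svc_backup              0
helpdesk                503'

# Constructed sample of `dscl . -read /Groups/admin GroupMembership` output.
SAMPLE_ADMIN='GroupMembership: root alice helpdesk'

# Non-daemon accounts: drop only names with a leading underscore, so a name
# that merely contains "_" (svc_backup) is still listed.
login_accounts() {
  awk '$1 !~ /^_/ && $1 != "daemon" && $1 != "nobody" { print $1 }' |
    sort | paste -sd' ' -
}

# Accounts other than root that carry UID 0.
uid0_accounts() {
  awk '$2 == 0 && $1 != "root" { print $1 }' | sort | paste -sd' ' -
}

# UniqueID values assigned to more than one account.
duplicate_uids() {
  awk '{ n[$2]++ } END { for (u in n) if (n[u] > 1) print u }' |
    sort -n | paste -sd' ' -
}

# Members of the admin group other than root.
admin_members() {
  awk '$1 == "GroupMembership:" { for (i = 2; i <= NF; i++) if ($i != "root") print $i }' |
    sort | paste -sd' ' -
}

# Report on the samples; on a Mac, pipe the live dscl output in instead.
printf 'login accounts : %s\n' "$(printf '%s\n' "$SAMPLE_USERS" | login_accounts)"
printf 'extra UID 0    : %s\n' "$(printf '%s\n' "$SAMPLE_USERS" | uid0_accounts)"
printf 'duplicate UIDs : %s\n' "$(printf '%s\n' "$SAMPLE_USERS" | duplicate_uids)"
printf 'admin members  : %s\n' "$(printf '%s\n' "$SAMPLE_ADMIN" | admin_members)"
```

Comparing the admin member list and the UID listing against a known-good baseline shows accounts added since the baseline was taken.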
CREATE A GROUP
Create group
sudo dscl . -create /Groups/<GROUPNAME>
Add longform name
sudo dscl . -create /Groups/<GROUPNAME> RealName "Service and Support"
Initialize group password
sudo dscl . -create /Groups/<GROUPNAME> passwd "*"
Find unused group ID
dscl . list /Groups PrimaryGroupID | tr -s ' ' | sort -n -t ' ' -k2,2
Assign group ID
sudo dscl . -create /Groups/<GROUPNAME> gid <NEWLY_SELECTED_ID>
Assign only ONE user to group (will overwrite with this ONE user)
sudo dscl . -create /Groups/<GROUPNAME> GroupMembership <USERNAME>
GROUP ENUMERATION & MODIFICATION
Enumerate all groups and their members
dscacheutil -q group
Append user to group
sudo dscl . -append /Groups/<GROUPNAME> GroupMembership <USERNAME>
Remove user from group
sudo dscl . -delete /Groups/<GROUPNAME> GroupMembership <USERNAME>
Delete group
dscl . -delete /Groups/<GROUPNAME>