Menu
admin
add-account
add-group
set-filevault
sudo fdesetup enable
set-syslogd
#
# 01 ### server-side # ensure the syslog daemon is running with networking enabled.
sudo /usr/sbin/syslogd -s # ‘-s’ enables network socket
#
# 02 ### client-side # edit /etc/syslog.conf
echo "*.* @loghost.example.com" | sudo tee -a /etc/syslog.conf # Replace 'loghost.example.com' with your remote log host
#
# 03 ### server-side # restart syslogd
sudo launchctl unload /System/Library/LaunchDaemons/com.apple.syslogd.plist
#
# 04 ### server-side # validate the log collection
tail -f /var/log/syslog # Run this on the remote log host
#
set-krb
# list the DC
dig -type=srv _gc_.tcp.$zdom_fqdn
# fill /etc/hosts
sudo vi /etc/hosts
# install the krb5-user service
sudo port install krb5-user
# edit /etc/krb5.conf
sudo vi /etc/krb5.conf
# reconfigure krb5-user service
sudo dpkg-reconfigure krb5-config
# tshoot /etc/krb5.conf
kinit
net ads info
realm list
klist -k /etc/kr5.keytab
set-netconf
sudo vim /etc/netplan/01-netcfg.yaml
# set the DHCP option from true to false
sudo netplan apply
sudo systemctl restart networking
# change the MAC address
cat /usr/share/wireshark/manuf | grep -i Dell
sudo ifconfig eth0 down
sudo ifconfig eth0 hw ether E4:B9:7A:98:A1:12
sudo ifconfig eth0 up
set-sudoers
opsec: hackingarticles - sudo LPE
set-vpn
cd /etc/openvpn
# run the vpn
sudo openvpn --config xxx.opvn
# check the public ip while using the vpn
watch curl https://api.myip.com
set-rdp
unset-fw
clean-history
echo "" > ~/.zsh_history
echo "" > ~/.bash_history
enum
get-os
get-kb
# To list available updates
sudo softwareupdate --list
# To install all available updates
sudo softwareupdate --install --all
get-netconf
# network card
ip link
# arp table
arp -a
# listening socket
netstat -nap
lsof -nP -iTCP | grep LISTEN
# network connections
netstat -ntaupe
netstat -ant
watch ss -tt
# check if remote control is disabled
sudo systemsetup -getdisableremotecontrol
# dns
cat /etc/hosts
cat /etc/resolv.conf
get-shares
get-users
cat /etc/passwd
cat /etc/group
cat /etc/shadow
# dfir
grep :0: /etc/passwd
get-processes
ps –aux
lsof -p [pid]
ps -eo pid,tt,user,fname,rsz
get-scheduled-tasks
crontab -u root -l
cat /etc/crontab
ls –la /etc/cron.*
get-services
# List all services and their current states.
chkconfig --list
# Show status of all services.
service --status-all
# List running services (systemd)
systemctl list-units --type=service
get-periodic-scripts
# get periodic scripts
find /etc/periodic -type f -exec ls -l {} \;
# get periodic executions
grep "periodic" /var/log/system.log
# set back to default permissions
sudo chmod -R 755 /etc/periodic
sudo chown -R root:wheel /etc/periodic
# disable script
sudo chmod -x /etc/periodic/daily/500.daily
get-sessions
w
last-sessions
last | grep -v 00:
enum-sec
get-login-hook
# Login and Logout hooks are defined in the com.apple.loginwindow.plist file located in the ~/Library/Preferences/
# Ensure that only authorized users have write access to the com.apple.loginwindow.plist file.
sudo chmod 644 ~/Library/Preferences/com.apple.loginwindow.plist
sudo chown root:wheel ~/Library/Preferences/com.apple.loginwindow.plist
get-app-integrity
spctl -a -vvv -t install /Volumes/Install/Installer.app
codesign --verify --verbose /path/to/library.dylib
get-startup-items
ls /Library/StartupItems/
get-port-history
get-krb-config
- display the keytab file:
cat /etc/krb5.keytab echo $KRB5_KTNAME - display the service configuration file:
cat /etc/krb5.conf echo $KRB5_CLIENT_KTNAME - list valid tickets in memory:
klist -k -Ke
get-status-fw
iptables --list-rules
get-status-proxy
# https://www.shellhacks.com/linux-proxy-server-settings-set-proxy-command-line/
echo $HTTPS_PROXY
echo $HTTP_PROXY
echo $FTP_PROXY
get-sshd-logs
harden
get-security-logs
grep “SecurityAlert” /var/log/syslog
disable-llmnr
Configuring Audit Control:
Edit the /etc/security/audit_control file to specify the auditing policies.
sudo nano /etc/security/audit_control
Modify the file to include the desired flags and event classes.
Starting the Audit Daemon:
sudo audit -s
Verifying Audit Configuration:
sudo audit -l