Cheat sheet for Mac OS.
For pentesting Mac OS applications, see Desktop Applications / Thick Clients.
Basic commands
Calculate the MD5 checksum of a file
md5 <file_name>
Calculate the SHA-256 checksum of a file
shasum -a 256 <file_name>
List listening TCP sockets (services waiting for connections)
netstat -an | grep LISTEN
Gatekeeper
MacOS offers the Gatekeeper technology and runtime protection to help ensure that only trusted software runs on a user’s Mac. When a user downloads and opens an app, a plug-in, or an installer package from outside the App Store, Gatekeeper verifies that the software is from an identified developer, is notarized by Apple to be free of known malicious content, and hasn’t been altered. Gatekeeper also requests user approval before opening downloaded software for the first time to make sure the user hasn’t been tricked into running executable code they believed to simply be a data file.
By default, Gatekeeper helps ensure that all downloaded software has been signed by the App Store or signed by a registered developer and notarized by Apple. Both the App Store review process and the notarization pipeline are designed to ensure that apps contain no known malware. Therefore, by default all software in macOS is checked for known malicious content the first time it’s opened, regardless of how it arrived on the Mac.
.DS_Store Files
Read file content
Manually
Strip the null bytes so the UTF-16 filenames collapse to plain ASCII, then pull out the printable strings (the final sed removes the ptbL/ptbN/ustr record labels that sit next to each name; the character class is case-insensitive because xxd -p emits lowercase hex):
xxd -p .DS_Store | sed 's/00//g' | tr -d '\n' | sed 's/\([0-9a-fA-F]\{2\}\)/0x\1 /g' | xxd -r -p | strings | sed 's/ptb[LN]ustr//g'
Raw hex dump of the file:
hexdump -C .DS_Store
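Added example, not part of the original cheat sheet: a small Python parser for the record layout that the null-stripping one-liner above only approximates. It walks a flat stream of .DS_Store records (name length, UTF-16BE name, 4-byte structure id, 4-byte type, payload); the record stream is constructed sample data, and the real file wraps such records in a B-tree of blocks that this example does not traverse.

```python
import struct

# Payload width of the fixed-size .DS_Store record types; "blob" and "ustr"
# carry their own 4-byte length prefix instead.
FIXED_SIZES = {b"long": 4, b"shor": 4, b"bool": 1, b"type": 4, b"comp": 8, b"dutc": 8}


def parse_records(buf: bytes):
    """Walk consecutive .DS_Store records in buf.

    Record layout: uint32 name length (UTF-16 code units), the filename in
    UTF-16BE, a 4-byte structure id (e.g. Iloc), a 4-byte structure type and a
    type-dependent payload. Returns a list of (filename, struct_id, payload).
    """
    pos, records = 0, []
    while pos < len(buf):
        (nlen,) = struct.unpack_from(">I", buf, pos)
        pos += 4
        name = buf[pos:pos + 2 * nlen].decode("utf-16-be")
        pos += 2 * nlen
        sid, stype = buf[pos:pos + 4], buf[pos + 4:pos + 8]
        pos += 8
        if stype in FIXED_SIZES:
            payload = buf[pos:pos + FIXED_SIZES[stype]]
            pos += FIXED_SIZES[stype]
        elif stype in (b"blob", b"ustr"):
            (plen,) = struct.unpack_from(">I", buf, pos)
            nbytes = plen if stype == b"blob" else 2 * plen  # ustr length is in code units
            payload = buf[pos + 4:pos + 4 + nbytes]
            if stype == b"ustr":
                payload = payload.decode("utf-16-be")
            pos += 4 + nbytes
        else:
            raise ValueError(f"unknown structure type {stype!r} at offset {pos - 4}")
        records.append((name, sid.decode("ascii"), payload))
    return records


def record(name: str, sid: bytes, stype: bytes, payload: bytes) -> bytes:
    """Encode one record; used only to build the constructed sample below."""
    n = name.encode("utf-16-be")
    return struct.pack(">I", len(n) // 2) + n + sid + stype + payload


# Constructed sample record stream (not a real .DS_Store dump).
SAMPLE = (
    record("config.php", b"Iloc", b"blob", struct.pack(">I", 16) + b"\x00" * 16)
    + record("backup", b"ptbN", b"ustr", struct.pack(">I", 2) + "hi".encode("utf-16-be"))
    + record(".env", b"dscl", b"bool", b"\x01")
)

if __name__ == "__main__":
    for name, sid, payload in parse_records(SAMPLE):
        print(f"{name:12} {sid} {payload!r}")
```

A truncated stream raises struct.error from unpack_from, which is the usual symptom of a damaged or partially downloaded .DS_Store.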