macOS

Cheat sheet for macOS.

For pentesting macOS applications, see Desktop Applications / Thick Clients.

Basic commands

Calculate the MD5 checksum of a file (useful for spotting corruption, not for verifying integrity against an attacker, since MD5 collisions are practical)

md5 <file_name>

Calculate the SHA-256 checksum of a file

shasum -a 256 <file_name>

List listening sockets (netstat on macOS does not show the owning process; lsof does)

netstat -an | grep LISTEN

Gatekeeper

macOS offers the Gatekeeper technology and runtime protection to help ensure that only trusted software runs on a user’s Mac. When a user downloads and opens an app, a plug-in, or an installer package from outside the App Store, Gatekeeper verifies that the software is from an identified developer, is notarized by Apple to be free of known malicious content, and hasn’t been altered. Gatekeeper also requests user approval before opening downloaded software for the first time to make sure the user hasn’t been tricked into running executable code they believed to simply be a data file.

By default, Gatekeeper helps ensure that all downloaded software has been signed by the App Store or signed by a registered developer and notarized by Apple. Both the App Store review process and the notarization pipeline are designed to ensure that apps contain no known malware. Therefore, by default all software in macOS is checked for known malicious content the first time it’s opened, regardless of how it arrived on the Mac.
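The first-launch check described above is triggered by the com.apple.quarantine extended attribute that the downloading application (browser, mail client, AirDrop) sets on the file. The helper below is an added example, not code from this page or from Apple: it decodes that attribute, assuming the commonly described four-field layout flags;hex-unix-time;agent;event-UUID, where the UUID keys the download record in the user's QuarantineEvents database. The sample value is constructed.

```python
# Added example, not code from the original page: decode the com.apple.quarantine
# extended attribute that makes Gatekeeper assess a download on first launch.
# Assumed layout (widely described, not Apple-documented):
#   "flags;hex_unix_time;agent;event_uuid"
import subprocess
from datetime import datetime, timezone


def decode_quarantine(value):
    """Split a quarantine string into its fields; flags and time are hex."""
    parts = (value.strip().split(";") + ["", ""])[:4]  # some values omit the UUID
    flags, hex_time, agent, event = parts
    if not flags or not hex_time:
        raise ValueError("malformed quarantine attribute: %r" % value)
    return {
        "flags": int(flags, 16),
        "downloaded_at": datetime.fromtimestamp(int(hex_time, 16), tz=timezone.utc),
        "agent": agent,
        "event_id": event or None,
    }


def read_quarantine(path):
    """Read the attribute from a file with xattr(1) on macOS; None if it is not set."""
    proc = subprocess.run(["xattr", "-p", "com.apple.quarantine", path],
                          capture_output=True, text=True)
    return decode_quarantine(proc.stdout) if proc.returncode == 0 else None


# Constructed sample of the shape a browser download carries (UUID made up).
SAMPLE = "0083;5f3e2a1b;Safari;7B5C0D3E-1A2B-4C5D-8E9F-0A1B2C3D4E5F"

if __name__ == "__main__":
    print(decode_quarantine(SAMPLE))
```

read_quarantine wraps the same `xattr -p com.apple.quarantine <file>` you would type by hand. Files fetched with curl, scp or git carry no attribute at all, so the signature and notarization check and the approval prompt are skipped for them; only the known-malware scan mentioned above still applies on first open. That is why tooling dropped over SSH runs without any prompt, and why "it was downloaded, so Gatekeeper checked it" is not a safe assumption during an investigation.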

.DS_Store Files

Finder writes a .DS_Store into every folder it browses, recording the names of the folder's entries along with view settings. One left in a web root is a directory listing, including files that are not linked from anywhere.

Read file content

Manually (names are stored as UTF-16BE, so strip the null bytes before running strings; each name is printed together with the 8-byte tag of its record, e.g. Ilocblob or ptbLustr)

tr -d '\000' < .DS_Store | strings | sed 's/ptb[LN]ustr//g'
hexdump -C .DS_Store
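The manual pipeline above is a heuristic; it loses names that are not plain ASCII and glues record tags onto them. The parser below is an added example, not code from this cheat sheet: it walks the file according to the publicly described .DS_Store layout (the Bud1 header, the buddy-allocator block table in the root block, the DSDB entry in its table of contents, and the B-tree of filename records) and returns every record. build_sample_ds_store constructs a minimal one-node file in memory so the example runs without a real .DS_Store; the file names in it are made up. The tree walk also handles the multi-node trees larger folders produce, although the sample has a single leaf.

```python
# Added example, not code from the original cheat sheet: parse a .DS_Store file
# and recover the file names it records (Bud1 header, buddy-allocator block
# table, DSDB table-of-contents entry, B-tree of filename records).
import struct

_FIXED = {b"bool": 1, b"long": 4, b"shor": 4, b"type": 4, b"comp": 8, b"dutc": 8}


def _u32(buf, pos):
    return struct.unpack_from(">I", buf, pos)[0]


def _read_record(buf, pos):
    """Decode one record at buf[pos:]; returns ((name, id, type, value), next_pos)."""
    nlen = _u32(buf, pos)                      # name length in UTF-16 code units
    name = buf[pos + 4:pos + 4 + 2 * nlen].decode("utf-16be")
    pos += 4 + 2 * nlen
    sid, typ = buf[pos:pos + 4], buf[pos + 4:pos + 8]   # structure id, value type
    pos += 8
    if typ in (b"blob", b"ustr"):              # length-prefixed; ustr length is in code units
        vlen = _u32(buf, pos) * (2 if typ == b"ustr" else 1)
        pos += 4
        value = buf[pos:pos + vlen]
        if typ == b"ustr":
            value = value.decode("utf-16be")
    elif typ in _FIXED:
        vlen = _FIXED[typ]
        value = int.from_bytes(buf[pos:pos + vlen], "big")
    else:
        raise ValueError("unknown record type %r" % typ)
    return (name, sid.decode("ascii"), typ.decode("ascii"), value), pos + vlen


def parse_ds_store(data):
    """Return every record in the file as (filename, structure_id, type, value)."""
    magic, tag, root_addr, root_size, root_addr2 = struct.unpack_from(">I4sIII", data, 0)
    if magic != 1 or tag != b"Bud1" or root_addr != root_addr2:
        raise ValueError("not a .DS_Store file")

    def blk(addr, size):                       # block addresses skip the 4-byte file prefix
        return data[addr + 4:addr + 4 + size]

    root = blk(root_addr, root_size)
    nblocks = _u32(root, 0)
    offsets = struct.unpack_from(">%dI" % nblocks, root, 8)
    pos = 8 + 4 * ((nblocks + 255) & ~255)     # offset table is padded to 256 entries
    toc, ntoc, pos = {}, _u32(root, pos), pos + 4
    for _ in range(ntoc):                      # 1-byte name length, name, block number
        n = root[pos]
        toc[root[pos + 1:pos + 1 + n]] = _u32(root, pos + 1 + n)
        pos += 5 + n

    def block(num):                            # low 5 bits = log2(size), rest = address
        enc = offsets[num]
        return blk(enc & ~0x1F, 1 << (enc & 0x1F))

    records = []

    def walk(num):
        node = block(num)
        rightmost, count = struct.unpack_from(">II", node, 0)  # rightmost child, 0 on a leaf
        p = 8
        for _ in range(count):
            if rightmost:                      # internal node: a child pointer precedes each record
                walk(_u32(node, p))
                p += 4
            rec, p = _read_record(node, p)
            records.append(rec)
        if rightmost:
            walk(rightmost)

    walk(_u32(block(toc[b"DSDB"]), 0))         # DSDB block starts with the root node number
    return records


def leaked_names(data):
    """Sorted directory listing recovered from the file ('.' is the folder itself)."""
    return sorted({r[0] for r in parse_ds_store(data)} - {"."})


def build_sample_ds_store(entries):
    """Build a minimal single-node .DS_Store in memory (constructed sample, not a real file)."""
    def rec(name, sid, typ, value):
        n = name.encode("utf-16be")
        if typ == b"ustr":
            value = struct.pack(">I", len(value)) + value.encode("utf-16be")
        elif typ == b"blob":
            value = struct.pack(">I", len(value)) + value
        return struct.pack(">I", len(n) // 2) + n + sid + typ + value
    node = struct.pack(">II", 0, len(entries)) + b"".join(rec(*e) for e in entries)
    offsets = [2048 | 11, 64 | 5, 4096 | 12]   # block 0: this table, 1: DSDB, 2: leaf node
    root = struct.pack(">II", len(offsets), 0)
    root += struct.pack(">256I", *(offsets + [0] * (256 - len(offsets))))
    root += struct.pack(">IB4sI", 1, 4, b"DSDB", 1) + b"\0" * (4 * 32)  # TOC + 32 empty free lists
    buf = bytearray(8196)
    buf[0:36] = struct.pack(">I4sIII16s", 1, b"Bud1", 2048, 2048, 2048, b"\0" * 16)
    buf[68:88] = struct.pack(">IIIII", 2, 1, len(entries), 1, 4096)   # DSDB: root node 2, 1 level
    buf[2052:2052 + len(root)] = root
    buf[4100:4100 + len(node)] = node
    return bytes(buf)


ICON = b"\xff" * 8                             # constructed Iloc padding
SAMPLE = build_sample_ds_store([               # constructed listing of an exposed web root
    (".", b"vSrn", b"long", struct.pack(">I", 1)),
    ("admin-notes.txt", b"Iloc", b"blob", struct.pack(">II", 64, 64) + ICON),
    ("backup.zip", b"Iloc", b"blob", struct.pack(">II", 192, 64) + ICON),
    ("src", b"Iloc", b"blob", struct.pack(">II", 320, 64) + ICON),
    ("todo.md", b"cmmt", b"ustr", "move to private repo"),
])
```

On a downloaded file, call leaked_names(open(path, "rb").read()) for the listing, or parse_ds_store for the full records; the cmmt (Spotlight comment) ustr records and the Iloc icon positions are worth reading too, since comments occasionally carry notes the author never meant to publish. Sub-folder names returned here are candidates for fetching their own .DS_Store.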

Online