Sometimes you need to detect Mac OS X hosts on a LAN, or on any other network: during post exploitation once you have gained access to a network, during a plain network or internet-wide scan, or simply to inventory the operating systems running in a subnet. Today I am going to show a couple of methods using nmap that identify Mac OS X specifically on a network.
1. AFP Server info
One of the surest methods to detect an Apple computer in your network is to look for the AFP service.
Command -
sudo nmap -p 548 -Pn -v --script "afp-serverinfo" <target(s)>
Output -
Starting Nmap 7.50 ( https://nmap.org ) at 2017-07-23 20:25 IST
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 20:25
Completed NSE at 20:25, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 20:25
Completed Parallel DNS resolution of 1 host. at 20:25, 0.01s elapsed
Initiating SYN Stealth Scan at 20:25
Scanning 192.168.0.100 [1 port]
Discovered open port 548/tcp on 192.168.0.100
Completed SYN Stealth Scan at 20:25, 0.01s elapsed (1 total ports)
NSE: Script scanning 192.168.0.100.
Initiating NSE at 20:25
Completed NSE at 20:25, 0.00s elapsed
Nmap scan report for 192.168.0.100
Host is up (0.00015s latency).
PORT STATE SERVICE
548/tcp open afp
| afp-serverinfo:
| Server Flags:
| Flags hex: 0x9ff3
| Super Client: true
| UUIDs: true
| UTF8 Server Name: true
| Open Directory: true
| Reconnect: true
| Server Notifications: true
| TCP/IP: true
| Server Signature: true
| Server Messages: false
| Password Saving Prohibited: false
| Password Changing: true
| Copy File: true
| Server Name: <redacted>-MacBook-Pro
| Machine Type: MacBookPro11,3
| AFP Versions: AFP3.4, AFP3.3, AFP3.2, AFP3.1, AFPX03
| UAMs: DHCAST128, DHX2, Recon1, Client Krb v2, GSS
| Server Signature: 39681c34a1005065b2759856ddffbcc7
| Directory Names:
| afpserver/<redacted>-macbook-pro.local@LOCAL
|_ UTF8 Server Name: <redacted>s-MacBook-Pro
NSE: Script Post-scanning.
Initiating NSE at 20:25
Completed NSE at 20:25, 0.00s elapsed
Read data files from: /usr/local/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.23 seconds
Raw packets sent: 1 (44B) | Rcvd: 2 (88B)
You can also use a little grep and awk magic to extract just the "Server Name" from the output. The actual server names have been <redacted> for no reason at all ;)
2. Apple Remote Desktop Service (vnc)
This method is a little less informative, but will serve the purpose of identifying an Apple computer. Unlike the AFP service, the vnc service does not provide the machine name or the OS version. It just identifies the Apple Mac OS.
Command -
sudo nmap -p 5900 -sV -Pn -v <target(s)>
Output -
Starting Nmap 7.50 ( https://nmap.org ) at 2017-07-23 20:37 IST
NSE: Loaded 41 scripts for scanning.
Initiating Parallel DNS resolution of 1 host. at 20:37
Completed Parallel DNS resolution of 1 host. at 20:37, 0.04s elapsed
Initiating SYN Stealth Scan at 20:37
Scanning 192.168.0.100 [1 port]
Discovered open port 5900/tcp on 192.168.0.100
Completed SYN Stealth Scan at 20:37, 0.01s elapsed (1 total ports)
Initiating Service scan at 20:37
Scanning 1 service on 192.168.0.100
Completed Service scan at 20:37, 0.07s elapsed (1 service on 1 host)
NSE: Script scanning 192.168.0.100.
Initiating NSE at 20:37
Completed NSE at 20:37, 0.00s elapsed
Initiating NSE at 20:37
Completed NSE at 20:37, 0.00s elapsed
Nmap scan report for 192.168.0.100
Host is up (0.00015s latency).
PORT STATE SERVICE VERSION
5900/tcp open vnc Apple remote desktop vnc
Service Info: OS: Mac OS X; CPE: cpe:/o:apple:mac_os_x
Read data files from: /usr/local/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.53 seconds
Raw packets sent: 1 (44B) | Rcvd: 2 (88B)
As you can see, it will only identify "Apple remote desktop vnc" and the OS as Mac OS X, with no version info. But it serves the purpose of identifying an Apple computer on the network. I don't know why this is useful, but I just put it out there...
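The "grep and awk magic" from the AFP section and the VNC fingerprint from this section, combined into one inventory filter. This is an added example, not part of the original post: it reads nmap's normal output for a combined 548/5900 scan and prints one line per host that looks like a Mac. The host names, IPs and the three-host scan output are constructed samples that mimic the shape of the runs shown above.

```shell
# Constructed sample in the shape of a combined "nmap -p 548,5900 -sV --script afp-serverinfo"
# run over three hosts: a MacBook (AFP + ARD vnc), an iMac with AFP off (vnc only),
# and a non-Apple host running a generic VNC server.
SAMPLE_NMAP_OUTPUT='Nmap scan report for 192.168.0.100
PORT     STATE  SERVICE VERSION
548/tcp  open   afp
| afp-serverinfo:
|   Server Name: alices-MacBook-Pro
|   Machine Type: MacBookPro11,3
|_  UTF8 Server Name: alices-MacBook-Pro
5900/tcp open   vnc     Apple remote desktop vnc
Service Info: OS: Mac OS X; CPE: cpe:/o:apple:mac_os_x

Nmap scan report for imac.local (192.168.0.102)
PORT     STATE  SERVICE VERSION
548/tcp  closed afp
5900/tcp open   vnc     Apple remote desktop vnc
Service Info: OS: Mac OS X; CPE: cpe:/o:apple:mac_os_x

Nmap scan report for 192.168.0.101
PORT     STATE  SERVICE VERSION
548/tcp  closed afp
5900/tcp open   vnc     VNC (protocol 3.8)
Nmap done: 3 IP addresses (3 hosts up) scanned in 1.10 seconds'

# Reads nmap normal output on stdin and prints one tab-separated line per host that
# looks like a Mac: ip, AFP server name, AFP machine type, and whether the 5900/tcp
# fingerprint was Apple Remote Desktop ("-" where a field is not available).
# Usage: sudo nmap -p 548,5900 -sV -Pn --script afp-serverinfo 192.168.0.0/24 | mac_hosts
mac_hosts() {
    awk '
        function emit() {
            if (name != "" || vnc_mac)
                printf "%s\t%s\t%s\t%s\n", ip, (name == "" ? "-" : name),
                       (model == "" ? "-" : model), (vnc_mac ? "ARD-vnc" : "-")
            name = ""; model = ""; vnc_mac = 0
        }
        # new host block: flush the previous host; the IP is the last word,
        # wrapped in parentheses when nmap resolved a hostname
        /^Nmap scan report for / { emit(); ip = $NF; gsub(/[()]/, "", ip) }
        /^\|[ _]*Server Name: /  { name = $0;  sub(/^\|[ _]*Server Name: /, "", name) }
        /^\|[ _]*Machine Type: / { model = $0; sub(/^\|[ _]*Machine Type: /, "", model) }
        /^5900\/tcp +open +vnc +Apple remote desktop/ { vnc_mac = 1 }
        /^Service Info: .*OS: Mac OS X/               { vnc_mac = 1 }
        END { emit() }
    '
}

printf '%s\n' "$SAMPLE_NMAP_OUTPUT" | mac_hosts
```

Both scans only see Macs on which File Sharing or Screen Sharing has been switched on (both are off by default), so the result is an inventory of hosts exposing those services, not a complete count of Macs on the subnet.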