Lateral movement on macOS can look very different than on Windows. There may not be a LAN you can pivot in. There is no concept of “pass-the-hash”, although you may be able to find Kerberos tickets, depending on the configuration. There are a few areas we can look for lateral movement opportunities.

macOS Devices

If there is a VPN or the device is connected to a company LAN, you may be able to pivot to other macOS systems. There are primarily three services that could allow remote control:

  • SSH - TCP/22. Often granted “Full Disk Access” in TCC.
  • VNC - TCP/5900. Will warn the user (Your screen is being observed).
  • AppleEvent - TCP/3031. Less common. Example usage in ahhh/AppleScripts. You can also try MacHound to automate the discovery process, but I haven’t used it myself.

Another area of interest is Jamf remote management. If the environment uses Jamf, there is a management UI that allows administrators to install packages and change settings. All the Jamf management commands run as root and the management panel is usually public. You may be able to reuse credentials or password spray this endpoint. See macOS Credential Access for more details.

Active Directory Resources

If the environment uses Active Directory, we may be able to pivot to Windows resources and follow steps from our traditional assumed compromise methodology. For more details, see the “Kerberos Authentication” section of macOS Credential Access.

Cloud Resources

If the provided user account has cloud accounts, perform a quick triage for exposed credentials that you can try elsewhere. I’ve had good luck with the following in AWS:

EC2 User Data

# Get a list of EC2 instances and their IDs
aws ec2 describe-instances

# Replace <INSTANCE ID> with each returned value
# The user data is returned base64-encoded, so decode it to read it
aws ec2 describe-instance-attribute --instance-id <INSTANCE ID> --attribute userData | jq -r '.UserData.Value' | base64 --decode

Lambda Environment Variables

# List all environment variables
aws lambda list-functions | jq -r '.Functions[].Environment.Variables'

CloudFormation Stack Parameters

# List all stack parameters
aws cloudformation describe-stacks | jq -r '.Stacks[].Parameters'
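
An added example, not from the original page: the same three locations audited from the account owner's side, so plaintext secrets can be found and moved to a secrets manager. The functions take the parsed JSON that the commands above return; the name and value patterns and all sample data are constructed assumptions.

```python
import base64
import re

# Illustrative patterns (assumptions for this example), not a complete ruleset.
SECRET_NAME = re.compile(r"pass(word|wd)?|secret|token|api[_-]?key|private[_-]?key", re.I)
AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
ASSIGNMENT = re.compile(r"\s*(?:export\s+)?([A-Za-z_]\w*)=(.+)")

def flag(source, name, value):
    """Return [(source, name)] when the name or value looks like a credential."""
    if not value or set(value) == {"*"}:  # empty, or masked by CloudFormation NoEcho
        return []
    return [(source, name)] if SECRET_NAME.search(name) or AWS_KEY_ID.search(value) else []

def audit_user_data(attr):
    """attr: parsed output of `aws ec2 describe-instance-attribute --attribute userData`."""
    text = base64.b64decode(attr.get("UserData", {}).get("Value", "")).decode("utf-8", "replace")
    found = []
    for m in filter(None, map(ASSIGNMENT.match, text.splitlines())):
        found += flag("ec2:" + attr["InstanceId"], m.group(1), m.group(2).strip("'\""))
    return found

def audit_lambda(listing):
    """listing: parsed output of `aws lambda list-functions`."""
    found = []
    for fn in listing.get("Functions", []):
        env = (fn.get("Environment") or {}).get("Variables") or {}  # key absent when unset
        for name, value in env.items():
            found += flag("lambda:" + fn["FunctionName"], name, value)
    return found

def audit_stacks(listing):
    """listing: parsed output of `aws cloudformation describe-stacks`."""
    found = []
    for stack in listing.get("Stacks", []):
        for p in stack.get("Parameters", []):
            found += flag("cfn:" + stack["StackName"], p["ParameterKey"], p.get("ParameterValue", ""))
    return found

# Constructed sample responses (not real resources or credentials).
USER_DATA = {"InstanceId": "i-0example", "UserData": {"Value": base64.b64encode(
    b"#!/bin/bash\nexport DB_PASSWORD='constructed-value'\nyum -y update\n").decode()}}
FUNCTIONS = {"Functions": [{"FunctionName": "noenv"}, {"FunctionName": "report",
    "Environment": {"Variables": {"STAGE": "prod", "UPSTREAM": "AKIAIOSFODNN7EXAMPLE"}}}]}
STACKS = {"Stacks": [{"StackName": "app", "Parameters": [{"ParameterKey": "DbPassword",
    "ParameterValue": "****"}, {"ParameterKey": "ApiToken", "ParameterValue": "constructed-token"}]}]}

if __name__ == "__main__":
    for finding in audit_user_data(USER_DATA) + audit_lambda(FUNCTIONS) + audit_stacks(STACKS):
        print("review and move to a secrets manager: %s %s" % finding)
```

CloudFormation returns `****` for parameters declared with NoEcho, which is why masked values are skipped rather than reported.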

As time permits, follow any remaining/relevant cloud recon methodologies:

Additional Resources