OS X El Capitan #1

Open
mk2soldier opened this issue Oct 9, 2015 · 4 comments

Comments

@mk2soldier

Hello, thank you very much for this great project!
I have a question though, are you interested in porting this project to OS X El Capitan?
Also, I would like to know (if possible) how you found out all that kind of information regarding the network services, in particular how you captured and sniffed all the traffic from and to the OS.
Did you use Wireshark or similar tools on another machine connected to the same network?

Thank you very much!

@l1k
Owner

l1k commented Oct 16, 2015

I have a question though, are you interested in porting this project to OS X El Capitan?

I'm holding out on Mavericks at the moment because "never change a running system" and it's still getting security updates from Apple. The first few minor versions of new OS X releases are often unstable, Yosemite suffered from network issues until mDNSResponder made a comeback in 10.10.4, just four months ago. El Capitan probably has its own issues.

However, I don't want this to sound negative; I'll be happy to merge pull requests if anyone updates this information for new OS X releases. Chances are that there aren't many differences.

Also, I would like to know (if possible) how you found out all that kind of information regarding the network services, in particular how you captured and sniffed all the traffic from and to the OS. Did you use Wireshark or similar tools on another machine connected to the same network?

I used tcpdump (which comes with the base installation of the OS), but only to verify that the machine stays quiet.

Using tcpdump to find services that phone home is futile because the network traffic is triggered by specific events or may only happen at a specific time or in specific intervals. So I grepped the entire base installation for regexes matching domain names, IPv4 and IPv6 addresses, filtered some false positives automatically and sifted through the remainder manually (which took several weeks, but YOLO). Thus, the blacklisted domain names include stuff which your machine will never contact, but it's interesting to document these nonetheless. Some of the domain names are clearly only reachable from within Apple; they don't have public DNS entries.

Thanks for your interest in this. I just did it to scratch my own itch because I found it a major annoyance that e.g. simply opening Help Center triggers Internet traffic.
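
The grep-and-sift step described in the comment above, as an added example that is not the project's code or the author's own script: it walks a directory tree, pulls out every string that looks like a domain name, IPv4 or IPv6 address, and drops the false positives that can be rejected mechanically (reverse-DNS bundle identifiers such as com.apple.Foo, file names like Foo.plist, mDNS names, MAC addresses, clock times, and addresses that are not globally routable) so that only plausible remote endpoints are left for manual review. The sample files, the regexes, the filter lists and the function names are all this example's own assumptions; the public resolver address and the Apple host names in the sample text are used only as realistic-looking input.

```python
"""Offline harvest of network indicators from a filesystem tree.

Added example, not part of the project. It approximates the procedure
described above: scan every file (binaries included) for candidate domain
names and IP addresses, reject the obvious false positives automatically,
and keep the rejects in a separate bucket so an over-eager filter can be
audited. Sample files and filter heuristics are this example's assumptions.
"""
import ipaddress
import os
import re
import tempfile

# Candidate extractors. IPV6_RE is deliberately loose (it also catches MAC
# addresses and clock times); the ipaddress module does the real validation.
IPV4_RE = re.compile(r"(?<![\w.])(?:\d{1,3}\.){3}\d{1,3}(?!\.?\w)")
IPV6_RE = re.compile(r"(?<![\w:.])(?:[0-9A-Fa-f]{0,4}:){2,7}[0-9A-Fa-f]{0,4}(?![\w:])")
DOMAIN_RE = re.compile(
    r"(?<![\w.-])(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,24}(?![\w-])",
    re.IGNORECASE,
)

# Assumed filter lists. A real domain never starts with a TLD, so a leading
# "com." or "org." marks a reverse-DNS identifier (bundle IDs, preference
# domains). A trailing file extension marks a file name. RFC 6761 / mDNS
# suffixes never leave the LAN.
TLD_LIKE_FIRST_LABELS = {"com", "net", "org", "io", "edu", "gov", "co", "uk", "de"}
FILE_SUFFIXES = {"plist", "strings", "nib", "png", "jpg", "dylib", "framework",
                 "app", "bundle", "xml", "json", "js", "css", "html", "txt", "lproj", "icns"}
NON_PUBLIC_TLDS = {"local", "localhost", "localdomain", "internal", "lan", "test", "invalid", "example"}


def keep_domain(name):
    """True if a regex hit looks like a host that could be contacted remotely."""
    labels = name.lower().split(".")
    if labels[0] in TLD_LIKE_FIRST_LABELS:   # com.apple.HelpViewer
        return False
    if labels[-1] in FILE_SUFFIXES:          # HelpViewer.plist
        return False
    if labels[-1] in NON_PUBLIC_TLDS:        # printer.local
        return False
    return True


def public_ip(text):
    """Return an ip_address object for globally routable hits, else None.

    ValueError covers octets above 255, MAC addresses, clock times and other
    colon-separated junk the loose IPv6 regex lets through. Non-global
    addresses (loopback, RFC 1918, link-local, netmasks, documentation
    ranges) are dropped too: they cannot be a phone-home target.
    """
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return None
    return ip if ip.is_global else None


def harvest(root):
    """Walk root and bucket every candidate into domains / ipv4 / ipv6 / dropped."""
    found = {"domains": set(), "ipv4": set(), "ipv6": set(), "dropped": set()}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                with open(path, "rb") as fh:
                    # latin-1 maps every byte to one character, so Mach-O
                    # binaries and .strings files are scanned the same way.
                    text = fh.read().decode("latin-1")
            except OSError:
                continue
            for hit in DOMAIN_RE.findall(text):
                bucket = "domains" if keep_domain(hit) else "dropped"
                found[bucket].add(hit.lower())
            for hit in IPV4_RE.findall(text) + IPV6_RE.findall(text):
                ip = public_ip(hit)
                if ip is None:
                    found["dropped"].add(hit)
                else:
                    found["ipv4" if ip.version == 4 else "ipv6"].add(str(ip))
    return found


# Constructed sample "installation": a plist, a localized strings file and a
# fake binary with NUL-separated strings. None of this is taken from a real OS.
SAMPLE_FILES = {
    "Info.plist": (
        "<key>CFBundleIdentifier</key><string>com.apple.HelpViewer</string>\n"
        "<key>HelpURL</key><string>https://help.apple.com/</string>\n"
    ),
    "Localizable.strings": (
        '"update" = "Checking swscan.apple.com. See HelpViewer.plist and Bonjour host printer.local";\n'
        '"version" = "10.10.4 (build 14E46), netmask 255.255.255.0";\n'
    ),
    "daemon.bin": (
        b"\x00\x01binary\x00gateway.icloud.com\x00192.168.1.1\x00127.0.0.1\x008.8.8.8\x00"
        b"fe80::1%en0\x002001:4860:4860::8888\x00de:ad:be:ef:00:01\x0012:30:45\x00"
    ).decode("latin-1"),
}


def build_sample_tree():
    """Write the constructed sample files to a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="harvest-")
    for name, content in SAMPLE_FILES.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content.encode("latin-1"))
    return root


if __name__ == "__main__":
    result = harvest(build_sample_tree())
    for bucket in ("domains", "ipv4", "ipv6", "dropped"):
        print(f"{bucket}: {sorted(result[bucket])}")
```

Point it at a real root (for example `/System` on the machine under study) and expect the `domains` bucket to still need the manual pass the comment mentions: version strings with four components survive as valid global IPv4 addresses, and arbitrary `word.word` pairs in text survive as domains. Keeping the `dropped` bucket lets you spot-check that the filters did not discard a genuine endpoint before trusting the result.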

@shatteringlass

Any updates on this? Thanks.

@marcus-cr

I'll link up with you @l1k if I can contribute in some manner

@hazcod
Contributor

hazcod commented Jun 27, 2018

A better way might be installing Little Snitch and disallowing anything not related to your pentest.
This is how I do it. Be sure to remove the default Apple ruleset.
