`net user`, `net group`, `net localgroup` commands, and now everybody is familiar with Will Schroeder's PowerView project. Some red teamers still want to use something like `dsquery` to do some custom LDAP queries like `dsquery * -filter "(&(objectclass=group)(name=*admin*))" -limit 1` (this is also possible with PowerView). You can even run something like the BloodHound project to quickly get an insane amount of Active Directory information if you have the ability to run PowerShell or C# code. What if you're on a Mac though?

```
dscl "/Active Directory/TEST/All Domains" read "/Groups/Domain Admins" member memberof
```
`dscl` (/usr/bin/dscl) is macOS' directory service command line utility. It allows users to not only query different directory services, but configure them as well (with appropriate permissions). The general format for it is `dscl [options] [datasource [command]]`. For our purposes, we're going to be using two different data sources - local and the domain's Active Directory. To query the local system, we use "." and to query AD we use "/Active Directory" in place of the datasource.

`dscl` can be used interactively by simply running `dscl` without any arguments. From here, you can use `ls` and `cd` to browse around the directory structure. Once you get down to a specific element, you will either `read` it or `cat` it (they alias to the same thing). In our example, TEST is the NETBIOS name for the current domain we're in. When you get data back from dscl, it's in the format of attribute:value.

```
dscl "/Active Directory/TEST/All Domains" ls /
```
`read`. This is stating that we're going to read (or cat) the contents of the next one thing in the command. If we wanted to read a bunch of different objects, we would use the `readall` command. It's important to note that the dscl command does not support wildcards in its commands. Similarly, if we just want to list out what the possible things to read are, we use `list` or just `ls`. We are going to read the Active Directory data for the "/Groups/Domain Admins" object. Specifically, we're interested in the member and memberof fields, so we will only request that information from the server. If you're used to LDAP, this last field is selecting the specific attributes we're interested in and only returning those.

```
dscl . ls /Users
```
This command will list out the local user accounts. Two things will probably immediately jump out at you when you run this:

`read` or `cat` commands:

dscacheutil and dsmemberutil utilities

`dsmemberutil` (/usr/bin/dsmemberutil) and `dscacheutil` (/usr/bin/dscacheutil). dsmemberutil "is a program that implements the membership API calls" and dscacheutil "does various operations against the Directory Service cache … replac[ing] most of the functionality of the lookup tool previously available" - macOS man pages. dsmemberutil is a pretty interesting tool actually - it allows us to do a lot of conversions between UUIDs, IDs, SIDs, and names of users and groups. It also allows us to check if users are members of a group. For example, what if you wanted to see what groups are nested within the com.apple.access_ssh NestedGroups? The GeneratedUID is a UUID when it comes to dsmemberutil, so that's what we'll be using. Our first step is to turn the UUID into an id:

`dscacheutil` can provide some sneaky access in this regard. For example, assume you know that the RID of the local "Administrators" group should be 544. This group can technically be renamed, just like in Windows, but the SID needs to be the same. We can use `dsmemberutil` and `dscacheutil` to go back from this SID to the real name:
`dscl` offers the ability to search for key values with the `search` action. Unfortunately, dscl only provides the ability to search for exact matches and does not provide support for wildcard searches. For example, if you want to search for all local groups that root belongs to:

```
dscl . -search /Groups GroupMembership root
```
`ldapsearch` binary (/usr/bin/ldapsearch). The format for ldapsearch is a little unintuitive, but not crazy:

```
ldapsearch -H ldap://test.local -b dc=test,dc=local -z 1 "(&(objectclass=group)(name=*admin*))" samaccountname
```
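The attribute:value text that the earlier `dscl ... read "/Groups/Domain Admins" member memberof` call returns is easy to eyeball but awkward to audit. The following is an added example, not code from the original post: it parses dscl's read output into a dictionary and flags Domain Admins members that are not on an approved baseline. It assumes dscl's output conventions (an attribute whose values contain no spaces prints as `Name: v1 v2` on one line; otherwise `Name:` is followed by one value per line, indented by a single space), and the sample output, domain and DNs below are constructed.

```python
from __future__ import annotations

# Constructed sample of what
#   dscl "/Active Directory/TEST/All Domains" read "/Groups/Domain Admins" member memberof
# might print for a hypothetical test.local domain; the DNs are made up.
SAMPLE_OUTPUT = """\
dsAttrTypeNative:groupType: -2147483646
dsAttrTypeNative:member:
 CN=Administrator,CN=Users,DC=test,DC=local
 CN=Helpdesk Svc,OU=Service Accounts,DC=test,DC=local
dsAttrTypeNative:memberOf:
 CN=Denied RODC Password Replication Group,CN=Users,DC=test,DC=local
 CN=Administrators,CN=Builtin,DC=test,DC=local
"""


def parse_dscl_read(text: str) -> dict[str, list[str]]:
    """Turn `dscl ... read` (or `cat`) output into {attribute: [values]}."""
    attrs: dict[str, list[str]] = {}
    current: str | None = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith(" "):
            # Indented continuation: one value of the multi-line attribute above.
            if current is None:
                raise ValueError(f"value line without an attribute: {line!r}")
            attrs[current].append(line[1:])
        elif line.endswith(":"):
            # Header of a multi-line attribute (values contain spaces); values follow.
            current = line[:-1]
            attrs.setdefault(current, [])
        else:
            # Single-line attribute: name, then space-separated values.
            name, sep, rest = line.partition(": ")
            if not sep:
                raise ValueError(f"unrecognised dscl line: {line!r}")
            attrs.setdefault(name, []).extend(rest.split())
            current = None
    return attrs


def unexpected_members(record: dict[str, list[str]], baseline: list[str]) -> list[str]:
    """Group members absent from the approved baseline (DNs compared case-insensitively)."""
    approved = {dn.lower() for dn in baseline}
    return [dn for dn in record.get("dsAttrTypeNative:member", []) if dn.lower() not in approved]
```

Feed it the real output (for example via `subprocess.run` with the dscl command above) and keep the baseline in version control so a new Domain Admin shows up as a diff.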