Open anitsh opened 3 years ago
While checking open ports, found kdc running
```
sudo lsof -PiTCP -sTCP:LISTEN
kdc 131 root 5u IPv6 0x7be3789b8d14e157 0t0 TCP :88 (LISTEN)
kdc 131 root 7u IPv4 0x7be3789b8d158207 0t0 TCP :88 (LISTEN)
```
Disabled it. SSH works fine.
The local Key Distribution Center (LKDC) feature, new to Mac OS X v10.5 and Mac OS X Server v10.5, facilitates single sign-on for Apple Filing Protocol (AFP) file sharing and screen sharing. Because the LKDC shows up when you look at various configuration files, you may want to understand how it fits in with the other authentication services. The bottom line is that once your computer running Mac OS X or Mac OS X Server joins a Kerberos realm, its services no longer use the LKDC, and it shouldn’t interfere with authentication.
Every computer running Mac OS X v10.5 and Mac OS X Server v10.5 has its own LKDC that facilitates access to the Kerberized services running locally.
Disable: `sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.Kerberos.kdc.plist`
Enable: `sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.Kerberos.kdc.plist`
Remove (`launchctl remove` takes the job label from the plist, not the plist path): `sudo launchctl remove com.apple.Kerberos.kdc`
Restart your Mac without pressing any keys during startup.
Each serial device shows up twice in /dev, once as a `tty.` device and once as a `cu.` device. What is the `cu.` device? How does it differ from the `tty.` device?
From http://lists.berlios.de/pipermail/gpsd-dev/2005-April/001288.html: The idea is to supplement software in sharing a line between incoming and outgoing calls. The callin device (typically /dev/tty) is used for incoming traffic. Any process trying to open it blocks within the open() call as long as DCD is not asserted by hardware (i.e. as long as the modem doesn't have a carrier). During this, the callout device (typically /dev/cu -- cu stands for "calling unit") can be freely used. Opening /dev/cu* doesn't require DCD to be asserted and succeeds immediately. Once succeeded, the blocked open() on the callin device will be suspended, and cannot even complete when DCD is raised, until the cu device is closed again.
That way, you can have a getty listening on /dev/tty*, and can still use /dev/cu* without restrictions.
The pfctl utility communicates with the packet filter device. It allows ruleset and parameter configuration and retrieval of status information from the packet filter.
Packet filtering restricts the types of packets that pass through network interfaces entering or leaving the host based on filter rules as described in pf.conf(5). The packet filter can also replace addresses and ports of packets. Replacing source addresses and ports of outgoing packets is called NAT (Network Address Translation) and is used to connect an internal network (usually reserved address space) to an external one (the Internet) by making all connections to external hosts appear to come from the gateway. Replacing destination addresses and ports of incoming packets is used to redirect connections to different hosts and/or ports. A combination of both translations, bidirectional NAT, is also supported.
Translation rules are described in pf.conf(5).
socketfilterfw is a daemon that gets launched on demand when the Application Firewall is enabled. There are also command-line options to change the Application Firewall behavior.
launchd manages processes, both for the system as a whole and for individual users.
The primary and preferred interface to launchd is via the launchctl(1) tool which (among other options) allows the user or administrator to load and unload jobs. Where possible, it is preferable for jobs to launch on demand based on criteria specified in their respective configuration files.
launchd also manages XPC services that are bundled within applications and frameworks on the system.
During boot launchd is invoked by the kernel to run as the first process on the system and to further bootstrap the rest of the system.
You cannot invoke launchd directly.
FILES
`~/Library/LaunchAgents`: Per-user agents provided by the user.
`/Library/LaunchAgents`: Per-user agents provided by the administrator.
`/Library/LaunchDaemons`: System-wide daemons provided by the administrator.
`/System/Library/LaunchAgents`: Per-user agents provided by Apple.
`/System/Library/LaunchDaemons`: System-wide daemons provided by Apple.
launchctl allows for detailed examination of launchd's data structures. The fundamental structures are domains, services, and endpoints. A domain manages the execution policy for a collection of services. A service may be thought of as a virtual process that is always available to be spawned in response to demand. Each service has a collection of endpoints, and sending a message to one of those endpoints will cause the service to launch on demand. Domains advertise these endpoints in a shared namespace and may be thought of as synonymous with Mach bootstrap subsets.
Many subcommands in launchctl take a specifier which indicates the target domain or service for the subcommand. This specifier may take one of the following forms:
- `system/[service-name]`: Targets the system domain or a service within the system domain. The system domain manages the root Mach bootstrap and is considered a privileged execution context. Anyone may read or query the system domain, but root privileges are required to make modifications.
- `user/`
- `login/`
- `gui/`
- `pid/`
For instance, when referring to a service with the identifier com.apple.example loaded into the GUI domain of a user with UID 501, domain-target is gui/501/, service-name is com.apple.example, and service-target is gui/501/com.apple.example.
This document details the parameters that can be given to an XML property list that can be loaded into launchd with launchctl.
Daemons or agents managed by launchd are expected to behave certain ways.
A daemon or agent launched by launchd MUST NOT do the following in the process directly launched by launchd:
- Call daemon(3).
- Do the moral equivalent of daemon(3) by calling fork(2) and having the parent process exit(3) or _exit(2).

A launchd daemon or agent should not perform the following as part of its initialization, as launchd will always implicitly perform them on behalf of the process:
- Redirect stdio(3) to /dev/null.

A launchd daemon or agent need not perform the following as part of its initialization, since launchd can perform them on the process' behalf with the appropriate launchd.plist keys specified:
- Set up the user ID or group ID.
- Set up the working directory.
- chroot(2)
- setsid(2)
- Close "stray" file descriptors.
system_profiler reports on the hardware and software configuration of the system. It can generate plain text reports or XML reports which can be opened with System Information.app, or JSON reports.
Progress and error messages are printed to stderr while actual report data is printed to stdout. Redirect stderr to /dev/null to suppress progress and error messages.
Examples:
- `system_profiler`: Generates a text report with the standard detail level.
- `system_profiler -detailLevel mini`: Generates a short report containing no personal information.
- `system_profiler -listDataTypes`: Shows a list of the available data types.
- `system_profiler SPSoftwareDataType SPNetworkDataType SPHardwareDataType`: Generates a text report containing only software and network data.
- `system_profiler -xml > MyReport.spx`: Creates an XML file which can be opened by System Profiler.app.
The sysctl utility retrieves kernel state and allows processes with appropriate privilege to set kernel state. The state to be retrieved or set is described using a "Management Information Base" ("MIB") style name, described as a dotted set of components.
https://resilience.sh/better-auditing-macos
https://asl.readthedocs.io/en/latest
`/usr/libexec/ApplicationFirewall/`
https://krypted.com/mac-os-x/command-line-alf-on-mac-os-x
Find hidden/lost users: `dscl . list /Users | grep -v '^_'`
dscacheutil does various operations against the Directory Service cache including gathering statistics, initiating lookups, inspection, cache flush, etc. This tool replaces most of the functionality of the lookupd tool previously available in the OS.
`dscacheutil -q user`: List all users.
The mdfind command consults the central metadata store and returns a list of files that match the given metadata query. The query can be a string or a query expression.
`mdfind -name "adobe"`
```
sudo log show --predicate '(eventMessage CONTAINS "Authentication")' --style syslog --last 1d | less
```
From top, PID 669 was being called constantly and consuming a lot of CPU.
```
669 PasswordBreachAg 0.0 00:09.15 5 4 59 3900K 0B 3392K 669 1 sleeping 0[0] 0.00000 0.00000 504 39551 158 39508+ 366 286402+ 157177+ 283430+ 475 37839+ 0.0 89865 457195 macmini N/A N/A N/A N/A N/A N/A
```
Details about the process:
```
sudo taskinfo 669
process: "PasswordBreachAgent" [669] [unique ID: 669]
architecture: x86_64
coalition (type 0) ID: 761
coalition (type 1) ID: 762
suspend count: 0
virtual bytes: 4.16 GB; phys_footprint bytes: 3.81 MB; phys_footprint lifetime maximum bytes: 3.82 MB
run time: 338679 s
user/system time (current threads): 3.033388 s / 6.122702 s
user/system time (terminated threads): 0.000368 s / 0.000474 s
interrupt wakeups: 39069 (37867 / 96.92% from platform idle)
default sched policy: POLICY_TIMESHARE
CPU usage monitor: 50% CPU over 180 seconds
CPU wakes monitor: 150 wakes per second (over system-default time period)
dirty tracking: tracked idle-exit clean
boosts: 0 (0 externalized)
requested policy
req apptype: TASK_APPTYPE_DAEMON_BACKGROUND
req role: TASK_UNSPECIFIED (PRIO_DARWIN_ROLE_DEFAULT)
req qos clamp: THREAD_QOS_UNSPECIFIED
req base/override latency qos: LATENCY_QOS_TIER_UNSPECIFIED / LATENCY_QOS_TIER_UNSPECIFIED
req base/override thruput qos: THROUGHPUT_QOS_TIER_UNSPECIFIED / THROUGHPUT_QOS_TIER_UNSPECIFIED
req darwin BG: NO
req internal/external iotier: THROTTLE_LEVEL_TIER0 (IMPORTANT) / THROTTLE_LEVEL_TIER0 (IMPORTANT)
req darwin BG iotier: THROTTLE_LEVEL_TIER2 (UTILITY)
req managed: NO
req other:
req suppression (App Nap) behaviors:
effective policy
eff role: TASK_UNSPECIFIED (PRIO_DARWIN_ROLE_DEFAULT)
eff latency qos: LATENCY_QOS_TIER_UNSPECIFIED
eff thruput qos: THROUGHPUT_QOS_TIER_UNSPECIFIED
eff darwin BG: YES
eff iotier: THROTTLE_LEVEL_TIER2 (UTILITY)
eff managed: NO
eff qos ceiling: THREAD_QOS_USER_INITIATED
eff qos clamp: THREAD_QOS_UNSPECIFIED
eff other: low-priority-cpu (4) bg-newsockets
imp_donor: NO
imp_receiver: NO
pid suspended: NO
adaptive daemon: NO (boosted: NO)
```
Checking which process started it:
```
ps -p 669 -lx | less
UID PID PPID F CPU PRI NI SZ RSS WCHAN S ADDR TTY TIME CMD
504 669 1 4004 0 4 0 4364232 6920 - S 0 ?? 0:09.27 /Library/Apple/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/PasswordBreachAgent
```
Changed the terminal CLI shell to bash: `sudo chsh -s /bin/bash`
Running top was giving the error `error opening terminal: xterm-256color`; solved it with `export TERM=xterm`.
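The listening-port check at the top of these notes is the kind of thing worth scripting: the example below (added here, not the issue author's code) parses `sudo lsof -PiTCP -sTCP:LISTEN` output and flags root-owned sockets bound to every interface, which is exactly what the kdc on port 88 looked like. The sample output is constructed; only the two kdc lines mirror the notes.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of `sudo lsof -PiTCP -sTCP:LISTEN` output. The two kdc
# lines mirror the ones in the notes; the others are made up for illustration.
SAMPLE_LSOF = """\
COMMAND   PID USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
kdc       131 root    5u  IPv6 0x7be3789b8d14e157      0t0  TCP *:88 (LISTEN)
kdc       131 root    7u  IPv4 0x7be3789b8d158207      0t0  TCP *:88 (LISTEN)
sshd      402 root    4u  IPv4 0x1b2c3d4e5f60718a      0t0  TCP *:22 (LISTEN)
postgres  880 db      3u  IPv4 0x2c3d4e5f60718a9b      0t0  TCP 127.0.0.1:5432 (LISTEN)
cupsd     210 root    8u  IPv6 0x3d4e5f60718a9bc0      0t0  TCP [::1]:631 (LISTEN)
"""

# One lsof line: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME, where NAME
# is "addr:port (LISTEN)"; "*" as addr means bound to all interfaces.
LISTEN_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+\S+\s+(?P<fam>IPv[46])"
    r"\s+\S+\s+\S+\s+TCP\s+(?P<addr>\S+):(?P<port>\d+)\s+\(LISTEN\)$"
)


@dataclass(frozen=True)
class Listener:
    command: str
    pid: int
    user: str
    family: str
    address: str  # "*" means every interface
    port: int

    @property
    def exposed(self) -> bool:
        """True when the socket accepts connections from other hosts."""
        return self.address not in ("127.0.0.1", "[::1]", "localhost")


def parse_lsof_listen(text: str) -> List[Listener]:
    out = []
    for line in text.splitlines():
        m = LISTEN_RE.match(line)
        if m:  # the header line and anything non-TCP simply do not match
            out.append(Listener(m["cmd"], int(m["pid"]), m["user"], m["fam"],
                                m["addr"], int(m["port"])))
    return out


def exposed_root_listeners(text: str) -> List[str]:
    """'command:port' for root-owned sockets reachable from the network:
    the ones to justify or disable first (as with the kdc on :88)."""
    return sorted({f"{ls.command}:{ls.port}" for ls in parse_lsof_listen(text)
                   if ls.exposed and ls.user == "root"})
```

Feed it real output with `sudo lsof -PiTCP -sTCP:LISTEN | python3 -c 'import sys,audit; print(audit.exposed_root_listeners(sys.stdin.read()))'` if the block is saved as audit.py.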
Resource