l1k / osxparanoia

Preventing OS X from phoning home to Cupertino
297 stars, 34 forks

OS X El Capitan #1

Open mk2soldier opened 8 years ago

mk2soldier commented 8 years ago

Hello, thank you very much for this great project! I have a question though: are you interested in porting this project to OS X El Capitan? Also, I would like to know (if possible) how you found out all that kind of information regarding the network services, in particular how you captured and sniffed all the traffic from and to the OS. Have you used Wireshark or similar tools on another connected machine on the same network?

Thank you very much!

l1k commented 8 years ago
I have a question though, are you interested in porting this project to OS X El Capitan?

I'm holding out on Mavericks at the moment because "never change a running system" and it's still getting security updates from Apple. The first few minor versions of new OS X releases are often unstable, Yosemite suffered from network issues until mDNSResponder made a comeback in 10.10.4, just four months ago. El Capitan probably has its own issues.

However I don't want this to sound negative, I'll be happy to merge pull requests if anyone updates this information for new OS X releases. Chances are that there aren't many differences.

Also, I would like to know (if possible) how you found out all that kind of information regarding the network services, in particular how you captured and sniffed all the traffic from and to the OS. Have you used Wireshark or similar tools on another connected machine on the same network?

I used tcpdump (which comes with the base installation of the OS), but only to verify that the machine stays quiet.

Using tcpdump to find services that phone home is futile because the network traffic is triggered by specific events or may only happen at a specific time or in specific intervals. So I grepped the entire base installation for regexes matching domain names, IPv4 and IPv6 addresses, filtered some false positives automatically and sifted through the remainder manually (which took several weeks but YOLO). Thus, the blacklisted domain names include stuff which your machine will never contact but it's interesting to document these nonetheless. Some of the domain names are clearly only reachable from within Apple, they don't have public DNS entries.

Thanks for your interest in this. I just did it to scratch my own itch because I found it a major annoyance that e.g. simply opening Help Center triggers Internet traffic.
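The regex sweep l1k describes above (scan the base installation for domain names and IPv4/IPv6 literals, throw away the obvious false positives, sift the rest by hand), written out as an added example. This is not the osxparanoia project's own script. It assumes a small hand-made TLD allow-list (a real run would use the public suffix list or IANA's TLD file), relies on Python's `ipaddress` module to discard non-routable addresses, and scans a constructed sample file rather than a real `/System` tree; the host and address values in the sample are constructed for illustration.

```python
"""Added example: sweep a directory tree for host names and IP literals,
then drop the obvious false positives before manual sifting.
Not the osxparanoia project's code; it illustrates l1k's approach."""
import ipaddress
import os
import re
import tempfile
from collections import defaultdict

# Assumption: a trimmed TLD allow-list is enough to reject reverse-DNS
# bundle identifiers (com.apple.helpviewer) and file names (Localizable.strings).
KNOWN_TLDS = {"com", "net", "org", "edu", "gov", "io", "de", "uk", "jp", "cn", "ca"}

# Names that pass the regex but are never contacted.
EXAMPLE_DOMAINS = {"example.com", "example.net", "example.org", "localhost"}

# Host name: one or more DNS labels followed by an alphabetic TLD. Version
# strings such as 10.10.4 never match because the last label is numeric.
HOST_RE = re.compile(
    rb"(?<![\w.-])((?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63})(?![\w-])",
    re.IGNORECASE,
)
# Dotted quad; octet range and routability are checked by ipaddress below.
IPV4_RE = re.compile(rb"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
# Loose IPv6 candidate (hex groups with at least two colons); ipaddress does
# the real validation, so MAC addresses and clock times fall out.
IPV6_RE = re.compile(
    rb"(?<![\w:.])([0-9a-f]{0,4}(?::[0-9a-f]{0,4}){2,7})(?![\w:.])", re.IGNORECASE
)

# Constructed sample of strings one might pull out of a system file.
SAMPLE = b"""
com.apple.helpviewer
Localizable.strings
https://help.apple.com/
swscan.apple.com.
http://example.com/
10.10.4
17.253.1.5
10.10.4.2
127.0.0.1
256.1.1.1
2a01:4f8:c2c:1::1
fe80::1%en0
00:11:22:33:44:55
12:30:00
"""


def _hosts(data):
    for m in HOST_RE.finditer(data):
        name = m.group(1).decode("ascii").lower()
        tld = name.rsplit(".", 1)[1]
        if tld in KNOWN_TLDS and name not in EXAMPLE_DOMAINS:
            yield name


def _addrs(data):
    for rx in (IPV4_RE, IPV6_RE):
        for m in rx.finditer(data):
            try:
                addr = ipaddress.ip_address(m.group(1).decode("ascii"))
            except ValueError:
                continue  # 256.1.1.1, a MAC address, a clock time
            if addr.is_global:  # drops loopback, RFC1918, link-local, unspecified
                yield str(addr)


def scan_bytes(data):
    """Sorted, de-duplicated candidates found in one file's contents."""
    return sorted(set(_hosts(data)) | set(_addrs(data)))


def scan_tree(root):
    """Map each surviving candidate to the files it occurs in, for manual sifting."""
    hits = defaultdict(set)
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable or vanished; skip, don't abort the sweep
            for cand in scan_bytes(data):
                hits[cand].add(path)
    return {k: sorted(v) for k, v in hits.items()}


def demo():
    """Write the constructed sample into a scratch tree and scan it."""
    root = tempfile.mkdtemp(prefix="osxparanoia-example-")
    with open(os.path.join(root, "Info.plist"), "wb") as fh:
        fh.write(SAMPLE)
    return scan_tree(root)


if __name__ == "__main__":
    for cand, paths in demo().items():
        print(cand, "<-", ", ".join(paths))
```

On a real machine you would point `scan_tree` at `/System` and `/usr` (expect it to take a while and to produce far more candidates than the sample does), then, as l1k says, verify the result rather than discover it with `tcpdump`: something like `sudo tcpdump -n -i en0` while idling and while triggering the events you care about. Note that private addresses such as `10.10.4.2` are deliberately dropped by the `is_global` check; if you want to document them as well, collect `addr.is_private` hits separately instead of discarding them.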

shatteringlass commented 8 years ago

Any updates on this? Thanks.

marcus-cr commented 7 years ago

I'll link up with you @l1k if I can contribute in some manner

hazcod commented 6 years ago

A better way might be installing Little Snitch and disallowing anything not related to your pentest. This is how I do it. Be sure to remove the default Apple ruleset.