dscl

Created by Jonathan Bar Or (@yo_yo_yo_jbo)

Description

An extensive tool for communicating with the Directory Services, useful for Discovery.

Created: 2023-04-25
Tactics: Discovery, Persistence
Tags: users network configuration groups shares password policy

Paths

  • /usr/bin/dscl

Use Cases

Local user enumeration

Enumerate all local users.

dscl . -list /Users
dscl . list /Users
dscl . ls /Users

Active Directory user enumeration

Enumerate all Active Directory users.

dscl "/Active Directory/TEST/All Domains" -list /Users
dscl "/Active Directory/TEST/All Domains" list /Users
dscl "/Active Directory/TEST/All Domains" ls /Users

Local user information gathering

Gain useful local user information such as when their password was last set, their keyboard layout, their avatar, their home directory, UID and default shell.

dscl . -read /Users/$USERNAME
dscl . read /Users/$USERNAME
dscl . cat /Users/$USERNAME

Active Directory user information gathering

Gain useful Active Directory user information such as when their password was last set, their keyboard layout, their avatar, their home directory, UID and default shell.

dscl "/Active Directory/TEST/All Domains" -read /Users/$USERNAME
dscl "/Active Directory/TEST/All Domains" read /Users/$USERNAME
dscl "/Active Directory/TEST/All Domains" cat /Users/$USERNAME

Local group enumeration

Enumerate all local groups.

dscl . -list /Groups
dscl . list /Groups
dscl . ls /Groups

Active Directory group enumeration

Enumerate all Active Directory groups.

dscl "/Active Directory/TEST/All Domains" -list /Groups
dscl "/Active Directory/TEST/All Domains" list /Groups
dscl "/Active Directory/TEST/All Domains" ls /Groups

Local group information gathering

Gain useful local group information such as which users belong to that group, SMB SIDs and group ID. Especially useful for the “admin” group.

dscl . -read /Groups/$GROUPNAME
dscl . read /Groups/$GROUPNAME
dscl . cat /Groups/$GROUPNAME

Active Directory group information gathering

Gain useful Active Directory group information such as which users belong to that group, SMB SIDs and group ID. Especially useful for the “admin” group.

dscl "/Active Directory/TEST/All Domains" -read /Groups/$GROUPNAME
dscl "/Active Directory/TEST/All Domains" read /Groups/$GROUPNAME
dscl "/Active Directory/TEST/All Domains" cat /Groups/$GROUPNAME

Computer enumeration

Enumerate all computers in an Active Directory.

dscl "/Active Directory/TEST/All Domains" -list /Computers
dscl "/Active Directory/TEST/All Domains" list /Computers
dscl "/Active Directory/TEST/All Domains" ls /Computers

Share enumeration

Enumerate all shares.

dscl . -list /SharePoints
dscl . list /SharePoints
dscl . ls /SharePoints

Password policy discovery

Gain password policy information.

dscl . -read /Config/shadowhash
dscl . read /Config/shadowhash
dscl . cat /Config/shadowhash

Change a user password

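Change an existing user’s password. Both passwords are passed as command-line arguments, so they are visible in process listings and shell history.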

dscl . passwd /Users/$USERNAME oldPassword newPassword

Detections

  • No detections at time of publishing
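
A starting point for hunting on the use cases above, as an added example that is not part of the original page or the LOOBins project: it normalises the verb aliases (-list/list/ls, -read/read/cat), classifies each dscl command line by scope and record type, and flags parent processes whose dscl children span several record types or change a password. The (parent pid, command line) event shape, the threshold of three categories and the sample events are assumptions constructed for illustration.

```python
import shlex
from collections import defaultdict

# Verb aliases and record paths taken from the use cases on this page.
VERBS = {"list": "list", "ls": "list", "read": "read", "cat": "read", "passwd": "passwd"}
PATHS = {"/Users": "users", "/Groups": "groups", "/Computers": "computers",
         "/SharePoints": "shares", "/Config/shadowhash": "password-policy"}
VALUE_OPTS = {"-u", "-P", "-f"}  # dscl(1) options that consume the next argument

def classify(cmdline):
    """Map a dscl command line to (scope, action, category), or None if not matched."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes in a logged command line
        return None
    if not argv or argv[0].rsplit("/", 1)[-1] != "dscl":
        return None
    i = 1
    while i < len(argv) and argv[i].startswith("-"):  # skip options before the datasource
        i += 2 if argv[i] in VALUE_OPTS else 1
    if len(argv) < i + 3:
        return None
    source, verb, path = argv[i], argv[i + 1], argv[i + 2]
    action = VERBS.get(verb.lstrip("-"))
    category = next((c for p, c in PATHS.items()
                     if path == p or path.startswith(p + "/")), None)
    if action is None or category is None:
        return None
    if source.startswith("/Active Directory"):
        scope = "active-directory"
    else:
        scope = "local" if source == "." else "other"
    return scope, action, category

def flag_parents(events, min_categories=3):
    """Return {ppid: categories} for parents with broad dscl discovery or a password change."""
    seen = defaultdict(set)
    for ppid, cmdline in events:
        hit = classify(cmdline)
        if hit:
            seen[ppid].add("password-change" if hit[1] == "passwd" else hit[2])
    return {p: sorted(c) for p, c in seen.items()
            if len(c) >= min_categories or "password-change" in c}

# Constructed sample process-execution events: (parent pid, command line).
EVENTS = [(410, "dscl . -list /Users"),
          (410, '/usr/bin/dscl "/Active Directory/TEST/All Domains" ls /Groups'),
          (410, "dscl . cat /Config/shadowhash"),
          (977, "dscl . read /Users/alice"), (977, "ls /Users"),
          (1203, "dscl . passwd /Users/alice oldPassword newPassword")]
```

A single read of one user record (parent 977 in the sample) is not flagged, which keeps routine administrative lookups out of the results; tune `min_categories` against your own baseline.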

Resources